::Trend Micro Threat Resource Center::

30 October 2010

Enormous Security Flaw In IOS 4.1

This is one for the record books. The passcode on your iPhone is not nearly as safe as you may like to think it is. A newly found vulnerability lets anyone with the handset in hand bypass the lock screen and get full access to the Phone app, your contact list, and even your photos.

The way it works is like this. Let your phone lock so that the passcode is required to unlock it. Swipe your finger to bring up the passcode screen and press "Emergency Call." Now type in any number (stars or pound signs work too). This is the important part: press the call button and immediately press the sleep button on the top of the phone. You should be taken straight to the Phone app, where you can access your phone numbers, voicemail, and full contact list. To get at photos, open a contact, press "Share Contact" followed by "MMS," and you will be taken to a text-message screen where pressing the small camera icon opens the photos stored on the phone.

Needless to say, this is a HUGE security hole, which can be used to access your personal information. We can only hope that Apple will be coming out with a security update soon to address this issue, considering the amount of internet media attention it has been receiving. The bug find is credited to Salomão Filho, who posted a video giving a step-by-step tutorial on how to exploit it.


I have personally tested this on several of my friends' iPhone 3GS and iPhone 4 running iOS 4.1, and found that it is just as easy as it looks to break into a phone using this method.

29 October 2010

Facebook phishing worm compromises thousands of accounts

A very effective phishing worm has been targeting Facebook users and has been compromising their accounts by luring them with the offer of seeing a video.

The victim receives an instant message from a contact asking "Is this you?" and supposedly offering a link to the video. The link actually leads to a malicious Facebook application which loads a phishing page into an iframe, so the fake login form appears inside what looks like a normal Facebook application page:


The Kaspersky researcher who spotted the worm poked around the attacker's server, requesting some common directory names to learn more about the worm's activity, and found one containing the Apache access logs.

"When analyzing the content of the log file I saw that someone was trying to access a file named acc.txt," says the researcher. "I downloaded acc.txt and saw that the file contained stolen accounts: in the first version of acc.txt which I downloaded I saw that the attacker had collected over 3000 accounts! I downloaded the acc.txt at 5-minute intervals, and within 20 minutes, the number of stolen accounts went from 3000 to over 6000."

He immediately notified Facebook, and the malicious page was taken down. Users who think their account has been compromised are advised to change their password and to terminate any active sessions listed in the Account Security section of Account Settings.

Increase in Halloween malware attacks

There's an increase in the number of Trojans circulating in the pre-Halloween period this year, according to GFI Software. Eight of the top 10 threat detections currently spreading on the internet are Trojans, up from six during October last year.

Furthermore, three of the top 10 threat detections from last year’s Halloween season are still on the list, highlighting the lasting impact of this type of malware long after the holiday is over.

Consumers should be on the lookout for new iterations of the following common types of attack:
  • Halloween Tweets, “likes” and posts on various social media sites that can be used to lure users to malicious websites.
  • Search engine optimization (SEO) poisoning, in which links to malicious Web sites show up in search engine results for holiday items.
  • Halloween-themed attachments posing as invitations, greeting cards or documents. Clicking on these creates a significant risk of downloading rogue security products or other malware.
  • “Typo attacks” which take advantage of the increased holiday traffic to commonly misspelled URLs. Malware writers set up spoofed, infected sites and download locations to trap unsuspecting web users who misspell a URL and end up in the wrong place.
  • Sites that offer contests attempting to get visitors to subscribe to questionable subscription services that are billed to their cell phone monthly.

28 October 2010

New 0-day flaw in Flash Player exploited in the wild?

Bad news keeps piling up for Adobe: it looks like there is a new zero-day vulnerability in Flash Player that is being exploited in the wild.

Its existence is still to be confirmed by Adobe, but security researcher Mila Parkour of the Contagio Malware Dump blog thinks it may be the real deal. According to her, the vulnerability is exploited via a malicious .pdf document sent as an attachment (the Flash content is embedded in the PDF and rendered by the Flash component bundled with Adobe Reader), and two files are dropped and executed on the system: nsunday.exe and nsunday.dll.

Both are components of a variant of Wisp, an information-stealing and downloader Trojan which, according to Softpedia, is currently detected by 15 of the 42 AV engines used by VirusTotal.

If the flaw and its use in the wild are confirmed, Adobe will have to scramble to put out a patch well ahead of the scheduled date of the next security update. In the meantime, users can close off the PDF vector by disabling Flash support in Adobe Reader.

UPDATE: Adobe has confirmed the existence of the vulnerability and plans to issue a patch for Flash Player around November 9 and patched versions of Adobe Reader and Acrobat around November 15.

Think your Twitter Direct Message is private? Think again

Twitter has established itself as a means of broadcasting information to wide group of people all at once. But, for those times where you want to talk more intimately, Twitter also has the ability to send a Direct Message (DM) that is private between the two parties. Well, it's supposed to be private, but the reality is perhaps not as secretive as one might expect.

While the DMs are ostensibly private, the reality is that any apps that have been approved to access your Twitter account can also see those "private" messages.

There are only two levels of account access authorisation: read-only, or read-and-write. In either case, granting an app access to the account at all means that everything in it, including DMs, is accessible to the app. With read-and-write access, the app could also delete your messages or send tweets and DMs on your behalf.

Perhaps you should think twice before blindly approving some random app to access your Twitter account. You can see which apps currently have access by logging in on the Twitter site and clicking Settings, then Connections. The fine print for each entry shows the type of access authorised (read-only or read-and-write), and a "Revoke Access" link is provided for any that seem shady or unwarranted.

It may be a tad paranoid to worry about whether the admin of a given app is abusing the privilege you have granted and is sifting through your private DMs. But, just to be safe you should exercise some discretion with the apps you grant that authority to, and remember that your DMs may not be as private as you might think.

27 October 2010

MySpace apps send user IDs to advertisers

In the wake of the discovery that some third-party Facebook applications transmit users' IDs to ad agencies and Internet tracking companies, The Wall Street Journal has revealed that MySpace and some of the game applications on it are doing exactly the same thing.

This is not the first time MySpace has been found "oversharing": when the issue was raised earlier, the company said it was working on a way to obfuscate the user ID that leaks to ad agencies in the HTTP Referer header.

An extenuating circumstance is that, unlike Facebook, MySpace neither requires nor encourages its users to register under their real name, so knowing a user ID doesn't immediately yield usable personal information. On the other hand, many users simply don't think of creating a separate online persona to protect their privacy.

Three popular MySpace applications - TagMe, GreenSpot and RockYou Pets - have been found transmitting the information, which is against the rules set by the social network.

"It has recently come to our attention that several third-party app developers may have violated these terms and we are taking appropriate action against those developers," a MySpace spokesman said.

Apple resolves FaceTime security flaw

A flaw in the beta version of Apple's FaceTime for Mac, which was unveiled on Wednesday, allowed anyone at the keyboard to view and modify the logged-in user's iTunes account settings from within the application without being asked for a password.

Even though exploiting the flaw would have required physical access to an unattended machine, Apple moved to close the hole almost immediately. According to InformationWeek, it did so by disabling the ability to view those settings from FaceTime.

It is a sensible stopgap for the time being, and I expect the flaw to be permanently fixed when beta testing is completed. As the number of Mac users rises with the proliferation of iPhones and iPads, it is laudable to see Apple react quickly to potentially dangerous security vulnerabilities.

26 October 2010

Google 'spied' on British emails and computer passwords

In what could be called a major security breach, Google has admitted that it captured passwords and entire emails from households across Britain.

The California-based company has, however, apologised for collecting personal data from unencrypted wireless networks as its fleet vehicles drove down residential roads taking photos for its Street View project, The Sunday Telegraph reported.

"It's clear from those inspections that while most of the data is fragmentary, in some instances entire emails and URLs (web addresses) were captured, as well as passwords. We want to delete this data as soon as possible, and I would like to apologise again for the fact that we collected it in the first place," Alan Eustace, Google's Vice-President of engineering and research, was quoted as saying.

Millions of Internet users have potentially been affected.

The Information Commissioner's Office, the privacy watchdog, said it would be looking into Google's admission.

Images for Street View were gathered by vehicle-mounted panoramic cameras starting in 2008.

In May this year, Google confessed that the vehicles had also been gathering information about the location of wireless networks, the Wi-Fi access points through which computers reach the Internet over radio.

25 October 2010

Firefox extension makes social network ID spoofing trivial

A simple-to-use Firefox plugin presented yesterday at Toorcon in San Diego has hit the security world with the realization that squabbles about Facebook's changing privacy settings and various privacy breaches simply miss the point.

"When it comes to user privacy, SSL is the elephant in the room," said Eric Butler, the developer of the extension in question, dubbed Firesheep. Anyone who installs and runs it can "sniff out" the session cookies that other users on the same network segment send over unencrypted HTTP to social networks, online services and any other website requiring a login, and simply hijack those sessions and impersonate the users.


"As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed," explains Butler. "Double-click on someone, and you're instantly logged in as them."

It is not that this was impossible before the advent of Firesheep, but it required tools and knowledge that average Internet users didn't have. "Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win," says Butler.

Whether he will succeed in making the case for full session encryption (HTTPS for every request, not only the login form) and spur websites into action remains to be seen. Among the websites whose cookies Firesheep can identify are Facebook, Flickr, Amazon.com, bit.ly, Google, Twitter, Yahoo, WordPress, and many others.
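To make the mechanism concrete, here is an added example (not Firesheep's code and not from the original article) of what a Firesheep-style tool does with a plaintext capture, and the server-side check that defeats it. The handler table, the hostnames and cookie names, and the captured requests are all constructed for the example; they are not any real site's.

```python
"""Firesheep-style harvesting of login cookies from plaintext HTTP, and the
server-side check that defeats it. Added example, not Firesheep's code or the
article's; the handler table and the captured requests are constructed."""
import re

# Hypothetical handler table: host -> cookie names that together identify a
# logged-in session. Firesheep ships one such handler per supported site; the
# hosts and cookie names here are assumptions, not any real site's.
HANDLERS = {
    "www.example-social.com": ("sess_id",),
    "www.example-mail.com": ("uid", "auth"),
}

# Constructed capture: what a passive sniffer on an open Wi-Fi network sees.
# Three HTTP request heads, each terminated by a blank line.
CAPTURE = (
    "GET /home.php HTTP/1.1\r\n"
    "Host: www.example-social.com\r\n"
    "Cookie: locale=en_US; sess_id=9f3c2d7a6b1e; tracking=abc\r\n"
    "\r\n"
    "GET /inbox HTTP/1.1\r\n"
    "Host: www.example-mail.com\r\n"
    "Cookie: uid=4242; auth=d41d8cd98f00b204\r\n"
    "\r\n"
    "GET /pixel.gif HTTP/1.1\r\n"
    "Host: ads.example-net.com\r\n"
    "Cookie: ad_id=77\r\n"
    "\r\n"
)


def parse_requests(raw):
    """Split a plaintext capture into (host, {cookie_name: value}) per request."""
    requests = []
    for head in raw.split("\r\n\r\n"):
        if not head.strip():
            continue
        host, cookies = None, {}
        for line in head.split("\r\n")[1:]:          # skip the request line
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "host":
                host = value
            elif name == "cookie":
                for pair in value.split(";"):
                    k, _, v = pair.strip().partition("=")
                    cookies[k] = v
        if host:
            requests.append((host, cookies))
    return requests


def harvest_sessions(raw, handlers=HANDLERS):
    """Return {host: {cookie: value}} for every request that carries a full set
    of session cookies for a host in the handler table. Replaying these cookies
    in a fresh browser is the 'double-click and you're logged in' step."""
    sessions = {}
    for host, cookies in parse_requests(raw):
        wanted = handlers.get(host)
        if wanted and all(name in cookies for name in wanted):
            sessions[host] = {name: cookies[name] for name in wanted}
    return sessions


# The defence lives on the server: mark the session cookie Secure so the browser
# never sends it over plaintext HTTP, and serve every logged-in page over HTTPS
# so there is no plaintext request for the cookie to ride on in the first place.
_ATTR = re.compile(r";\s*(secure|httponly)\b", re.IGNORECASE)


def set_cookie_is_sniffable(set_cookie_value):
    """True if a Set-Cookie header value lacks the Secure attribute, meaning the
    browser will replay the cookie over HTTP where a sniffer can read it."""
    attrs = {m.group(1).lower() for m in _ATTR.finditer(set_cookie_value)}
    return "secure" not in attrs
```

Note that the ad-network request in the capture is ignored because no handler knows it, and that HttpOnly alone does nothing here: it stops scripts from reading the cookie, not the network. Only the Secure attribute (and HTTPS for the whole logged-in session, so the browser has no reason to fall back to HTTP) keeps the cookie off the wire in the clear.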

As I write this, the extension has been downloaded some 8,000 times, and the number is rising by the second. Wouldn't it be amazing that an action such as this could bring about the realization of a more secure Internet?

Researchers hack toys, attack iPhones at ToorCon

SAN DIEGO--From "weaponized" iPhone software to hacked toys and leaked cookies, researchers at the ToorCon security conference here this weekend showed how easy it can be to poke holes in software and hardware with the right tools, know-how, and curiosity.

One researcher demonstrated how to take control of an iPhone using an exploit that targets a hole in Safari, which has been patched. The iPhone had an app installed that allowed it to process credit card numbers, which could then be stolen if this were an attack in the wild.

Read more here.

24 October 2010

Zynga sued in privacy breach controversy

218 million “class members” probably won’t settle for Farmville dollar.

A suit has been filed in U.S. District Court in San Francisco on behalf of a Minnesota woman charging game maker Zynga with leaking the personal information of 218 million Facebook members in violation of federal law. The suit seeks class action status. (Story in The Register of the UK here. )

The action follows by three days an investigative story by The Wall Street Journal that found a large number of Facebooks apps – including Zynga games such as Farmville and Mafia Wars – leaked the user IDs of Facebook players and their friends to outside companies. (Story here.)

Users’ privacy on the Internet has been a dicey proposition (some say non-existent) for most of the net’s history. Social engineering techniques early on became about as refined as cryptographic algorithms.

The compromise of personal information from breached company, university and government systems made high-profile headlines. That resulted in security standards and laws that required notification of those whose information was compromised (California’s breach notification law, HIPAA, etc.)

The rise of spyware took the issue to entirely new levels and created a whole anti-spyware component of the anti-virus industry.

The most recent controversy over social media exposures (especially by young people) and persistent tracking cookies just refined the concern.

The central question in all of this for the Internet user should be: “will there be some new technology in the future that will circumvent all existing safeguards and compromise my personal information yet one more time?”

If Internet history is any guide, the answer is “yes.” There has been a long chain of innovative methods for extracting personal data from any place it is stored, and it appears that will never end.

Hackers and virus writers solved the problem years ago. They use pseudonyms (and more than one in known cases.) We haven’t heard of any widespread use of pseudonyms by the average user on social media sites, but we predict it isn’t far off. And it’s not like we’re suggesting it, but changing accounts every few months on things like web email and social media sites and using false personal data like dates of birth would sure play havoc with tracking systems. It will probably give you a whole new selection of spam too.

Hey, on the Internet no one has to know you’re a dog (or your real DOB.)

23 October 2010

UK to monitor all cyber communications

The British coalition government intends to forge ahead with the previous Labour government's plans to intercept web communications, inviting protests from civil liberties groups.

The latest action by the government comes despite pre-election pledges from the Conservatives and the Liberal Democrats to reduce surveillance of citizens.

The plan would have all internet and mobile phone carriers record and log every call, email or website visit that takes place in the UK, with the data stored for at least a year.

The proposal to commence nationwide communication monitoring was reportedly set out in the government's Strategic Defence and Security Review, with particular emphasis placed on utilising new technology.

The government will "introduce a program to preserve the ability of the security, intelligence and law enforcement agencies to obtain communication data and to intercept communications within the appropriate legal framework", said the review.

The review also went on to claim that "this program is required to keep up with changing technology and to maintain capabilities that are vital to the work these agencies do to protect the public".

The previous Labour government devised a plan to have ISPs, social-networking sites and other communications service providers gather traffic data on all web communications under the Interception Modernisation Programme.

Their scheme aimed to collect information on the sender, recipient, timing and location of every email and other message sent via the web. The data would then be stored in such a way as to allow law enforcement and intelligence agencies to track any individual and to see with whom they were communicating and when.

The British coalition government claims that the so-called 'security plans' are necessary to combat terrorism and organised crime. Critics, however, insist that the scheme amounts to an invasion of privacy and a violation of civil liberties.

22 October 2010

Good news for Mac users!

As Mac usage grows and the platform becomes more popular, the threat of malware grows right along with it. This week, Panda Security released a new version of its antivirus suite geared specifically for Mac computers, complementing its line of Windows-based antivirus products.

The majority of Mac users are about as interested in anti-virus software as they are in running Internet Explorer. This is mostly because people like to think that by not running Windows they are impervious to viruses, malware, spyware and the other nasty things found while surfing the Internet. Unfortunately that is not the case: viruses and worms have been found that affect Macs just as they affect any other operating system. It is for this reason that Panda Security has released its new antivirus software for Mac computers. This is by no means the first program of its type on the platform; companies such as Symantec and Kaspersky (known for their Windows products) also offer Mac versions of their security software.

From the Panda Security website, "Malware is not just designed for PCs any more. The more popular Mac computers and devices become, the bigger and more enticing targets they are for hackers and cybercriminals. And universal web connectivity just makes it easier for them to reach their targets. Panda Antivirus for Mac is comprehensive, powerful protection against viruses, spyware, and other malware intended for the Mac OS." They claim that the suite protects files from "viruses, worms, Trojans, spyware, keyloggers, bots, and other malware" designed for Mac systems, and also detects Windows and *nix malware so that you don't pass it on to friends and coworkers. On top of this there is a bevy of additional protections, such as email and instant-messenger scanners, an anti-phishing filter, and what looks like a firewall even though they don't come right out and say it. You are also able to scan your iOS devices by attaching them via USB tether.

I am not saying that Mac users should or shouldn't run antivirus software on their computers, but there is no denying that Macs are exposed to security risks just as any OS is. It is good to see more companies investing the resources required to build security software for what is generally seen as a "virus-proof" platform.

21 October 2010

Bogus Adobe employees sell fake PDF program

A series of e-mails purportedly sent by Adobe Acrobat Reader Support, urging users to activate their "new Adobe PDF Reader", has been hitting inboxes worldwide.

According to Softpedia, the embedded link (www.adobe-download-center.com) redirects users to another URL (www.pdf-new-2010-download.com), where a bogus program by the name of PDF Pro 2010 is offered for sale.

A hint that this might not be a legitimate offer is the promise attached to the download: a free copy of "the best ALL-IN-ONE Office Solution for Your PDF Files!". It is safe to say that a company is unlikely to give away PDF software alongside the paid product it is trying to sell. The more reliable tell is that neither domain is adobe.com.

Also, it seems that a variant of this e-mail has been circulating for weeks. An entry on Adobe's forum posted in late September describes a similar message, with the subject line "Adobe PDF Reader software upgrade notification", that links to a site which tries to install various malware on the user's system.

Don't be fooled by these messages: Adobe does not send unsolicited e-mails asking you to download or patch its software. And even if you are subscribed to one of Adobe's mailing lists, it always pays to be extra careful and check where a link really leads by hovering over it before clicking.
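The "hover over the link" check can be automated for a whole mailbox. The following is an added example, not from Adobe, Softpedia or the original post: it pulls every anchor out of an HTML message and flags links whose real destination is not under the domain the message claims to come from, or whose visible text names a different host than the href. The sample message is constructed, reusing the two hostnames the article names; the two-label "organisational domain" rule is an assumption good enough for .com names.

```python
"""Flag links in an HTML e-mail whose real destination is not under the domain
the message claims to come from: the automated form of "hover over the link and
see where it really goes". Added example, not from Adobe or Softpedia; the
message body is constructed, using the two hostnames the article names."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _org_domain(host):
    """Crude organisational domain: the last two labels (www.adobe.com -> adobe.com).
    Assumption: adequate for .com-style names; a real filter would consult the
    public suffix list so that e.g. example.co.uk is handled correctly."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _host_shown_in_text(text):
    """If the visible link text itself looks like a URL or hostname, return its host."""
    if " " in text or "." not in text:
        return None
    return urlsplit(text if "://" in text else "http://" + text).hostname


def suspicious_links(html, claimed_domain):
    """Return [(href, text, [reasons])] for links that either leave the claimed
    sender's domain or whose visible text names a different host than the href."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        real_host = urlsplit(href).hostname or ""
        reasons = []
        if _org_domain(real_host) != _org_domain(claimed_domain):
            reasons.append("destination %s is not under %s" % (real_host, claimed_domain))
        shown = _host_shown_in_text(text)
        if shown and _org_domain(shown) != _org_domain(real_host):
            reasons.append("link text shows %s but the link goes to %s" % (shown, real_host))
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


# Constructed sample resembling the message described above.
SAMPLE_MAIL = """
<p>Dear Adobe Acrobat Reader user,</p>
<p>Please activate your new Adobe PDF Reader:
<a href="http://www.adobe-download-center.com/activate">www.adobe.com/reader</a></p>
<p>Questions? <a href="http://www.adobe.com/support/">Adobe Support</a></p>
"""
```

Running `suspicious_links(SAMPLE_MAIL, "adobe.com")` flags only the activation link, for two reasons at once: it leaves adobe.com, and its visible text advertises a host it does not go to. The genuine support link passes. A link with no host at all (a mailto: or a relative URL) is also flagged, which is the safe default for mail that claims to come from a vendor.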

20 October 2010

Kaspersky download site hacked, redirecting users to fake AV

Kaspersky's USA download site was hacked.

For three and a half hours on Sunday it served download links that redirected users to a malicious web page, where pop-up windows told them their computer was infected and urged them to buy a fake AV solution.
The fact was noted by users on three separate forums, among them Kaspersky's own; judging by a comment left there by a user named "Micha", who appears to be a company employee stationed in Japan, the problem has since been solved.

According to ITPro, Kaspersky first denied and then confirmed the incident. The company says it took the server offline as soon as it learned of the breach, that the compromise was caused by a vulnerability in a third-party web administration application, and that customer details held on company servers were not compromised.

“Kaspersky Lab takes any attempt to compromise its security seriously. Our researchers are currently working on identifying any possible consequences of the attack for affected users, and are available to provide help to remove the fake antivirus software,” they stated in the statement for the press.

Compromising legitimate sites is a favourite tactic of malware peddlers, since such sites usually rank better in search results than brand-new ones. Whether this compromise of a security firm's own website marks the beginning of a trend, only time will tell.

The rise of Java exploits

Sifting through the data collected and analysed for the latest Microsoft Security Intelligence Report, senior program manager Holly Stewart came to an interesting conclusion: Java exploits have become far more popular with attackers than the Adobe-related ones:


This enormous jump is, according to Stewart, due to three particular vulnerabilities being exploited constantly. Brian Krebs offers a complementary explanation: Java exploits have been incorporated into a number of popular exploit packs (Eleonore, Crimepack, SEO Sploit Pack, Blackhole).

These vulnerabilities have been patched for a while, but the problem is that users fail to update Java on their system. "Java is ubiquitous, and, as was once true with browsers and document readers like Adobe Acrobat, people don't think to update it. On top of that, Java is a technology that runs in the background to make more visible components work. How do you know if you have Java installed or if it's running?" says Stewart.

Given that Oracle has recently issued a Java security update that patches nearly 30 vulnerabilities, this would be a good time for all users to check whether Java is installed on their systems and, if so, update it. While they're at it, they can configure the built-in updater to check for new versions weekly.
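Stewart's question ("How do you know if you have Java installed or if it's running?") has a scriptable answer for the runtime on the PATH. The following is an added example, not from the Microsoft report or Krebs' post: it parses the banner that `java -version` prints and compares it with a baseline. The baseline tuple is a placeholder to be replaced with Oracle's current release, and the sample banners are constructed. It does not see a Java browser plugin that is installed without a `java` binary on the PATH, so an empty result is "not found", not "not installed".

```python
"""Find out whether Java is installed and whether it is older than the current
Oracle release, by parsing the banner that `java -version` prints. Added
example, not from the Microsoft report or Krebs' post; the baseline version is
a placeholder to be replaced with whatever Oracle's latest update is, and the
sample banners are constructed."""
import re
import subprocess

# The banner's first line looks like:  java version "1.6.0_21"
# Newer runtimes print e.g.  openjdk version "11.0.2"  with no update number.
_BANNER_RE = re.compile(
    r'(?:java|openjdk) version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?'
)


def parse_java_version(banner):
    """Return (major, minor, micro, update) from a `java -version` banner, or
    None when the text contains no such banner (e.g. 'command not found')."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())


def is_outdated(banner, baseline):
    """True when the banner names a Java runtime older than `baseline`, a
    4-tuple in the same (major, minor, micro, update) form."""
    version = parse_java_version(banner)
    return version is not None and version < baseline


def installed_banner():
    """Run `java -version` on this machine. The banner goes to stderr; an
    empty string means no java binary was found on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stderr + proc.stdout


# Constructed banners standing in for what two different machines would print.
OLD_BANNER = 'java version "1.6.0_17"\nJava(TM) SE Runtime Environment (build 1.6.0_17-b04)\n'
NEW_BANNER = 'java version "1.6.0_22"\nJava(TM) SE Runtime Environment (build 1.6.0_22-b04)\n'
# Placeholder baseline (Java 6 Update 22); substitute Oracle's current release.
BASELINE = (1, 6, 0, 22)

if __name__ == "__main__":
    banner = installed_banner()
    if not banner:
        print("no java binary on PATH (a browser plugin may still be installed)")
    elif is_outdated(banner, BASELINE):
        print("outdated Java runtime:", parse_java_version(banner))
    else:
        print("Java runtime is at or above baseline:", parse_java_version(banner))
```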

19 October 2010

South Korea's Power Structure Hacked, Digital Trail Leads to China

South Korea's primary intelligence agency, the National Intelligence Service, claims that China-based hackers stole confidential material from the country's diplomatic and security services throughout 2010. If the new report is correct, hackers inside the People's Republic of China gained access, via malware, to personal computers and PDAs belonging to much of South Korea's power structure.

The booty? Sweet, sweet defense documents.


Read more info here.

15 October 2010

Facebook Adds Extra Layer Of Security

Facebook, the giant of the social networks, has added extra security to user accounts in the form of three new features that are available now to most users.

According to Jake Brill in The Facebook Blog, the first feature that has been introduced is an option to receive a one-time, temporary password for your account. According to Brill, "Simply text "otp" to 32665 on your mobile phone (U.S. only), and you'll immediately receive a password that can be used only once and expires in 20 minutes. In order to access this feature, you'll need a mobile phone number in your account." I can see this being useful in the case that your account has been compromised and your password has been changed by whoever accessed it. You would then be able to get into your account to create a new password that only you know. Of course, in the case of a lost or stolen phone, this policy works against you.
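The two properties Brill names, single use and a 20-minute lifetime, are the whole point of such a password, so here is an added example of a server-side store that enforces them. This is not Facebook's implementation: the store, the password alphabet and length, the hashing at rest and the wrong-guess limit are assumptions that follow the description above.

```python
"""One-time login passwords that expire and can be used exactly once, as in the
Facebook feature described above. Added example, not Facebook's implementation:
the store, the password alphabet, the 20-minute window and the guess limit are
assumptions that follow the post's description."""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 20 * 60          # the post's 20-minute window
OTP_LENGTH = 8
OTP_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"   # no 0/O, 1/l/i look-alikes
MAX_WRONG_GUESSES = 5             # assumption: discard the OTP after 5 bad tries


class OneTimePasswordStore:
    """Issues and redeems OTPs. Only a hash of each OTP is kept, so a dump of
    the store does not hand out usable passwords."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}        # account -> [digest, expires_at, guesses_left]

    def issue(self, account):
        """Create a fresh OTP for the account, replacing any pending one, and
        return it for out-of-band delivery (the SMS in Facebook's case)."""
        otp = "".join(secrets.choice(OTP_ALPHABET) for _ in range(OTP_LENGTH))
        expires_at = self._clock() + OTP_TTL_SECONDS
        self._pending[account] = [self._digest(otp), expires_at, MAX_WRONG_GUESSES]
        return otp

    def redeem(self, account, candidate):
        """True at most once per issued OTP, and only inside its window.
        Wrong guesses are counted and the OTP is discarded when they run out,
        so the 8-character space cannot be brute-forced during the window."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        digest, expires_at, guesses_left = entry
        if self._clock() > expires_at:
            del self._pending[account]
            return False
        if not hmac.compare_digest(digest, self._digest(candidate)):
            entry[2] = guesses_left - 1
            if entry[2] <= 0:
                del self._pending[account]
            return False
        del self._pending[account]           # single use: consumed on success
        return True

    @staticmethod
    def _digest(otp):
        return hashlib.sha256(otp.encode("utf-8")).digest()
```

The clock is injectable so the expiry path can be exercised without waiting twenty minutes. Nothing in the store addresses the weakness the post points out: whoever holds the phone receives the OTP, so the feature is exactly as strong as control of the registered number.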

This next feature I am actually glad about. It is a remote sign-out option that lets you end your account's sessions on any other computers where it is active. It also shows you where your account is being accessed from, so you can tell if someone who shouldn't be on your account is. This has been available on other services, such as Gmail, for a long time now, and I'm glad Facebook has finally caught up.

Finally, Facebook will begin prompting you more often for security updates. From Brill, "when people log in to Facebook we will regularly prompt them to keep their security information updated. If you ever lose access to your account, having this information helps us verify who you are and get you back into your account quickly." This is nice for the people who have a hard time remembering to update this kind of information frequently enough.

Overall, I see these new features as two steps forward, and one step back for Facebook security. The step back is only in the case that your phone is lost or stolen, as whoever is in possession of your phone is now in possession of your Facebook account.

12 October 2010

Ubuntu 10.10 desktop, netbook and server editions released


Ubuntu 10.10, codenamed "Maverick Meerkat", is now available for download.

Ubuntu 10.10 introduces an array of online and offline applications to Ubuntu Desktop Edition with a particular focus on the personal cloud. Ubuntu Netbook Edition users will experience an all-new desktop interface called ‘Unity’ - specifically tuned for smaller screens and computing on the move.

Ubuntu One, the personal cloud service for Ubuntu users, includes new services and expanded features, significant performance enhancements and interoperability with other operating systems including Google’s Android, Apple’s iPhone and Microsoft Windows.

Already one of the most popular operating systems on Amazon EC2, Ubuntu 10.10 Server Edition gets kernel upgrades, more configuration options at boot time, and the ability to run the AMI (Amazon Machine Image) off-line on a KVM-virtualised machine. The latter feature means users can test and develop on local servers before pushing to the public cloud - true hybrid cloud computing.


Ubuntu 10.10 extends ‘CloudInit’, a configuration tool that allows users of Ubuntu on the cloud to set a default locale, set the hostname, generate and set up SSH private keys, and set up mount points. Users can also run custom commands and scripts on initial startup or on each reboot. The technology was recently adopted by Amazon itself.

Additionally in Ubuntu 10.10, Ubuntu Enterprise Cloud adds virtio support, a new interface for administrators, eased deployment for developers and the ability to run UEC from a USB stick. Eucalyptus 2.0, the latest version of the core cloud technology in UEC, has been included.

GlusterFS and Ceph have been integrated into the core product, and the groundwork has been laid for many cloud-focused, enterprise-scale applications to be introduced over the life cycle of Ubuntu 10.10 and the current LTS version (10.04) of Ubuntu Server.

RIM averts BlackBerry ban in UAE

Research In Motion and the United Arab Emirates have reached an agreement to call off a BlackBerry ban that was scheduled to start Monday.

Today's press release (Google Translate version) from the Telecommunications Regulatory Authority (TRA), which regulates telecommunications for the UAE, confirmed that all BlackBerry services will continue as usual and not be suspended on October 11.

The agency said that BlackBerry services are now compatible with the UAE's regulatory framework and added that RIM had cooperated in offering a compatible solution. Beyond that, the agency offered no details as far as specific actions or measures that RIM may have taken to avert the ban.

In a response to news of the agreement with the UAE, a RIM spokesperson e-mailed CNET the following statement dated today:

"RIM cannot discuss the details of confidential regulatory matters that occur in specific countries, but RIM confirms that it continues to approach lawful access matters internationally within the framework of core principles that were publicly communicated by RIM on August 12."

A UAE BlackBerry ban would have affected around 500,000 customers in the region and hit both local residents and foreign visitors.

In early August, the UAE announced that it would shut down e-mail, instant messaging, and Web browsing for BlackBerry devices on the October 11 deadline due to RIM's failure to meet the emirates' regulatory requirements. The UAE had been putting pressure on the BlackBerry maker to open up the security on its networks so that local officials could monitor and access customer data for what they see as national security reasons.

RIM had run into similar problems with India and Saudi Arabia, both of which were also demanding access to the corporate data flowing over the company's networks. For its part, the company had insisted from the start that the information on its networks is encrypted and that it does not hold the encryption keys, and therefore cannot comply with demands to make that data available.

With international pressure mounting, RIM fought back at first. At one point, the company's co-CEO Michael Lazaridis said in a Wall Street Journal interview that if these countries can't deal with the Internet, then they should shut it off. More recently, the company's other CEO, Jim Balsillie, suggested that governments that need to monitor BlackBerry corporate data should ask the corporations themselves for access since they're the ones that hold the keys.

But faced with potential bans from multiple countries, RIM was forced to compromise. In August, the company was able to strike agreements with both India and Saudi Arabia to avert their announced bans. The accords reached in those two cases reportedly involved setting up local BlackBerry servers in those countries through which the governments will be able to access their data directly.

09 October 2010

Free iPhone rogue applications on Facebook

Sophos is warning Facebook users about messages currently circulating on the social network claiming that friends have received free iPhones.

These messages, which have been spreading widely since Sunday, invite others to participate in the scheme. However, the messages are being sent by rogue applications that users have allowed to access their profiles and post messages to their walls.

Messages appear as status updates and many read:

“Just testing Facebook for iPhone out :P Received my free iPhone today, so happy lol... If anyone else wants one go here:”

Or:

“Anyone want my old phone? Claimed my free iPhone today, so happy lol... If anyone else wants one go here:”

Facebook users who click on the link advertised by their friends are then asked if they want to “Allow” this application to access their basic information. Participants who allow this are then redirected to a web page which will earn commission for the spammers behind the scam.

“If you’ve fallen for this trick, I wouldn’t hold your breath waiting for a new iPhone,” said Graham Cluley, senior technology consultant at Sophos. “Facebook users need to learn to think before they “like” and “share” suspicious pages on Facebook. Just because something appears on a friend’s wall, it doesn’t mean that it is from a reliable source, and by giving unknown applications access to your Facebook page, you could unknowingly continue to help to spread scams and earn cash for the spammers.”

Impacted users should delete references to the free iPhone scam from their wall, and remove the offending application from Account/Application Settings.

07 October 2010

Privacy concerns as some Apple iPhone apps transmit UDIDs

Some two thirds of popular iPhone apps transmit users' UDIDs, leading to potential security concerns, a new study has warned.

Eric Smith, Assistant Director of Information Security and Networking at Bucknell University in Lewisburg, Pa., discovered that 68 percent of the 57 top applications in the App Store sent UDID information back to a remote server owned either by the application developer or by an advertising partner.

The popular iPhone applications tested included those from Amazon, Chase Bank, Target, Sam's Club, Best Buy, Barnes & Noble, eBay, PayPal, Bank of America, Wells Fargo, Fidelity and American Express.

UDIDs, or unique device identifiers, are 40-digit sequences of letters and numbers that can be used to identify users; the apps tested transmitted them, along with other sensitive information, unencrypted and to third parties.

Smith warned that popular applications such as those from Amazon, Facebook or Twitter inherently have the ability to tie a UDID to a real-world identity. “Most iPhone application vendors are collecting and remotely storing UDID data, and some of these vendors also have the ability to correlate UDID to a real-world identity,” Smith said.

“For example, Amazon’s application communicates the logged-in user’s real name in plain text, along with the UDID, permitting both Amazon.com and network eavesdroppers to easily match a phone’s UDID with the name of the phone’s owner.”

Smith noted in conclusion: “Privacy and security advocates, personal iPhone owners, and corporate iPhone administrators should be concerned that it would be feasible—and technically, quite simple—for their browsing patterns, app usage, and physical location collected and sold to unintended customers such as advertisers, spouses, divorce lawyers, debt collectors, or industrial spies.”

“Since Apple has not provided a tool for end-users to delete application cookies or to block the visibility of the UDID to applications, iPhone owners are helpless to prevent their phones from leaking this information.”
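The leak Smith describes (a 40-hex-character UDID travelling in plaintext HTTP, sometimes next to the owner's real name) is easy to check for on a lab network. The following script is an added example, not from Smith's study, that parses constructed sample HTTP requests, flags any that carry a UDID in the URL, headers or body, and notes when a name, e-mail or phone field travels with it; the hosts and identifiers are invented for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample requests, as a network monitor might capture them from a
# phone on a lab Wi-Fi network. These are illustrative, not real app traffic.
SAMPLE_REQUESTS = [
    "GET /ads?udid=0123456789abcdef0123456789abcdef01234567&v=2 HTTP/1.1\r\n"
    "Host: ads.adnetwork.invalid\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: shop.invalid\r\n"
    "X-Device-Id: 0123456789ABCDEF0123456789ABCDEF01234567\r\n\r\n"
    "name=Jane%20Doe&pass=hunter2",
    "GET /weather?city=Lewisburg HTTP/1.1\r\nHost: weather.invalid\r\n\r\n",
]

# A UDID is exactly 40 hex characters; the lookarounds stop longer hex blobs matching.
UDID_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{40}(?![0-9A-Fa-f])")
# Identity-bearing form fields that would let an eavesdropper tie a UDID to a person.
PII_RE = re.compile(r"(?:^|[?&])(name|email|phone)=([^&\s]+)", re.IGNORECASE)


def parse_request(raw):
    """Split a raw HTTP/1.x request into start line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def find_udid_leaks(raw_requests):
    """Return one finding per plaintext request that carries a UDID, recording
    where it appeared and any identity field sent in the same request."""
    findings = []
    for raw in raw_requests:
        req = parse_request(raw)
        fields = [("url", req["target"]), ("body", req["body"])]
        fields += [("header:" + k, v) for k, v in req["headers"].items()]
        udids, pii, where = set(), {}, []
        for location, text in fields:
            for m in UDID_RE.finditer(text):
                udids.add(m.group(0).lower())
                where.append(location)
            for m in PII_RE.finditer(text):
                pii[m.group(1).lower()] = unquote(m.group(2))
        if udids:
            findings.append({"host": req["headers"].get("host", "?"),
                             "udids": sorted(udids), "where": where, "pii": pii})
    return findings


if __name__ == "__main__":
    for f in find_udid_leaks(SAMPLE_REQUESTS):
        severity = "UDID + identity" if f["pii"] else "UDID only"
        print(f"{f['host']}: {severity} via {', '.join(f['where'])} {f['pii']}")
```

Only unencrypted traffic can be inspected this way, which is exactly the traffic that also exposes the UDID to anyone else on the network.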

Apple’s mobile platform is not alone in being open to potential abuse. Researchers at Duke University, Pennsylvania State University and Intel Labs discovered only last week that many applications on Google’s rival Android platform were sending information, such as users' GPS location and phone numbers, without the knowledge or permission of the user.

Smith’s full study, iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs), is available as a PDF.

Smith, author of the study, is a founding member of PreSet Kill Limit, the security research group which has won the Defcon Wardriving hacking contest several years in a row.

06 October 2010

Adobe plugs 23 holes in Reader, Acrobat

As expected, Adobe released updates for Reader and Acrobat today that fix 23 holes in the popular PDF-viewing programs, including two that are actively being exploited in attacks that could allow someone to take control of the computer.

One of the critical vulnerabilities is being used in attacks against Reader and Acrobat; the other, fixed in an emergency update late last month, targets Flash Player.

The updates affect Adobe Reader 9.3.4 for Windows, Macintosh, and Unix; Adobe Acrobat 9.3.4 for Windows and Macintosh; and Adobe Reader 8.2.4 and Acrobat 8.2.4 for Windows and Macintosh to resolve issues in Reader, Acrobat, and Flash Player. Details are in the latest security advisory.

The next quarterly security updates for Adobe Reader and Acrobat are scheduled for February 8, 2011.

05 October 2010

CYBER BANKING FRAUD: Global Partnerships Lead to Major Arrests

Just when you thought you could get away with cyber crime because of online anonymity? Think again.

Law enforcement partners in the United States, the United Kingdom, Ukraine, and the Netherlands announced the execution of numerous arrests and search warrants in multiple countries in one of the largest cyber criminal cases ever investigated.

Using a Trojan horse virus known as Zeus, hackers in Eastern Europe infected computers around the world. The virus was carried in an e-mail, and when targeted individuals at businesses and municipalities opened the e-mail, the malicious software installed itself on the victimized computer, secretly capturing passwords, account numbers, and other data used to log into online banking accounts.

The hackers used this information to take over the victims’ bank accounts and make unauthorized transfers of thousands of dollars at a time, often routing the funds to other accounts controlled by a network of “money mules.” Many of the U.S. money mules were recruited from overseas. They created bank accounts using fake documents and phony names. Once the money was in their accounts, the mules could either wire it back to their bosses in Eastern Europe, or turn it into cash and smuggle it out of the country. For their work, they were paid a commission.

On 30 Sept 2010, the FBI's New York office arrested 10 subjects related to the case and is seeking 17 others. Those arrested are charged with using hundreds of false-name bank accounts to receive more than $3 million from victimized accounts.

In all, the global theft ring attempted to steal some $220 million, and was actively involved in using Zeus to infect more computers.

More details here:
http://www.fbi.gov/page2/oct10/cyber_100110.html

04 October 2010

Remote Linux desktop for your iPad

Great news for Apple iPad users who want to administer Linux machines remotely.

iLIVEx is a fast, secure and fault-tolerant X11 client that turns the Apple iPad into an X terminal for Linux and Unix. It allows iPad users to connect to Unix and Linux desktops and applications hosted on remote Unix and Linux servers.

iLIVEx features an ultra-thin data transfer protocol allowing for LAN-like performance, even over 3G connections. Its connections also run over encrypted SSH tunnels. Built-in session persistency allows users to reconnect to their remote desktops should the iPad get disconnected or turned off, or should the user temporarily switch to another iPad app.

iLIVEx is also designed to provide non-Linux users the ability to run a remote desktop. With their purchase of iLIVEx, StarNet provides a free Linux desktop account on a StarNet-hosted Linux server. On their remote desktop users gain a number of capabilities not currently available on iPads. These include:

Viewing Flash – By way of Firefox on their remote Linux desktop, iLIVEx enables iPad users to work with flash-based web sites and applications.

True multi-tasking – iLIVEx users can work on multiple office applications (wordprocessor, email, spreadsheet, etc.) simultaneously, even copy and paste data between them.

Persistency – Users can reconnect to their remote Linux/Unix desktop at any time, even after the iPad has disconnected from the network. No work is lost due to a disconnect.

Desktop switching – Users can seamlessly switch their remote desktops between iPads, Windows, Linux and Macintosh PCs.

03 October 2010

iTunes Store Spam Campaign

Right after the LinkedIn spam campaign, we saw a brand-new spam campaign impersonating the iTunes Store.

The e-mail appears to arrive on behalf of the iTunes Store and is an exact copy of the official iTunes Store receipt e-mail.

The whole purpose of the e-mail is not to show what you have purchased from the iTunes Store, but to get you to click “Report a Problem”, which leads you to a fake Adobe Flash installer.

Read more about this spam campaign here.

02 October 2010

Microsoft To Unveil Windows Phone 7 Devices In October

Jefferies & Co. expects Microsoft Corp. to announce the launch of Windows Phone 7 devices on Oct. 11 in New York City. The brokerage reiterated its "buy" rating on shares of the software giant with a price target of $33.

"Microsoft also has an event scheduled in London on Oct. 4, so the launch may even be as early as next week. New devices from at least five [device manufacturers] -- Asus, Dell, HTC, LG and Samsung -- are likely to be available first in Europe, and later in the United States. We expect the initial wave to support only GSM. CDMA versions might become available in early 2011," said Egbert.

More details here.