Category Archives: Information Technology

Posts related to communications, computers, viruses, etc., etc…

Use Dropbox? Worried about security? Read this!

Read this even if you are not worried about security.

But do you store passwords, logon details, personal details on your computer?

Hmmm, then perhaps you should still read this article posted on the TechRepublic site.
—————————————————————————————————————————————-

DropSmack: Using Dropbox to steal files and deliver malware

April 15, 2013, 7:46 AM PDT

Takeaway: Michael P. Kassner interviews a digital forensic scientist who uses Dropbox to compromise targeted networks — something the bad guys probably figured out as well.

I use Dropbox, and so do some 50 million other people. That’s remarkable, considering Dropbox suffered through a few embarrassing speed bumps related to user file security. It seems it’s going to take more than those kinds of oops for us to consider giving up the convenience afforded by Dropbox.

A digital addiction like that begs the question: what kind of “issue” would it take to convince someone (me for instance) to stop using Dropbox?

When I asked that question at a security seminar, little did I realize a digital investigator slash pen tester would provide the perfect speed bump that will have all 50 million of us asking ourselves, “Is using Dropbox worth the risk?”

What issue?

I was perusing the seminar briefing website from this year’s Black Hat EU, fishing for potential article topics, when I came across a briefing note titled “DropSmack: How cloud synchronization services render your corporate firewall worthless.” Feeling a nibble, I read the briefing. Right away, I knew I’d hooked a keeper:

“The contributions of this presentation are threefold. First, we show how cloud-based synchronization solutions in general, and Dropbox in particular, can be used as a vector for delivering malware to an internal network.”

The other two contributions were as eye-opening:

  • Show how the Dropbox synchronization service can be used as a Command and Control (C2) channel.
  • Demonstrate how functioning malware is able to use Dropbox to smuggle out data from exploited remote computers.

I’d like to introduce Mr. Jacob Williams (@MalwareJake). Jake is a highly skilled pen tester and digital forensic scientist employed by CSR Group. He’s the guy who gave the Black Hat presentation, and he’s the one who is going to cause significant angst among Dropbox users as well as corporate-security types.

The events as they unfolded

As the story goes, Jake was hired to perform a “no holds barred” penetration test on a corporate network. Nothing Jake tried worked, even social engineering the employees. Then Jake found a crack — the company CIO. He obtained a personal email address and a way to spear-phish the CIO.

He just had to wait until the CIO used his work notebook away from the corporation’s highly secure network. In less time than one would expect (scary actually), Jake owned the notebook.

While snooping around on the CIO’s computer, Jake couldn’t believe his luck; he found corporate documents quietly sitting in a Dropbox synchronization folder. Jake told me, “I knew I could use Dropbox as a conduit into the inner corporate sanctuary. What I didn’t know was how.”

That’s because Dropbox databases are encrypted; and reverse engineering the Dropbox software in order to read the databases would take longer than Jake had. Not to be denied, Jake and his cohorts eventually discovered a way in. It seems massive quantities of beer played a vital role (from Jake’s Black Hat presentation).

The epiphany

By design, Dropbox would allow Jake to send files to all the devices associated with the CIO’s Dropbox account, but that’s not enough. Jake needed a way to infiltrate further into the company network, install malware, and find specific documents as part of the pen-test requirements.

Figuring out how to accomplish all that was Jake’s epiphany, and like any good pen tester wanting to get unstuck, Jake created a tool called DropSmack to perform the above steps.

The next step was getting it loaded. Jake realized all he had to do was get the CIO to open a file infected with DropSmack in his Dropbox folder, and it would install. Here are the steps:

  • Embed DropSmack in a file already synchronized by Dropbox.
  • Add some macro goodness.
  • Load file back on the compromised computer.
  • File automatically synchronizes.
  • Wait for the victim to open the file on the internal network.

I thought I had a gotcha; I asked Jake, “What about Windows 7 and needing admin rights to get by the UAC?” Jake told me something I should have known, but didn’t, “Dropbox does not need admin rights to load, because it installs into the user’s profile directory. So we did the same thing with DropSmack — nice and simple.” Something else I didn’t understand: “Now that DropSmack is installed, how do you tell it what to do?” Jake explained:

DropSmack is designed to monitor the Dropbox synchronization folder. We create a file using a .doc extension, put a legitimate file header on the first line, and add the desired commands. Our files won’t open in Word (they say the file is corrupted); but that’s good, it makes the file less prone to investigation by a snoopy user.

We then place the doctored file in the owned computer’s Dropbox folder. Dropbox does its magic synchronizing all associated Dropbox folders. DropSmack detects the file meant for it, and executes the command.

I then asked Jake for a few examples of what DropSmack was capable of doing:

Once you infect a remote machine with DropSmack, it can be used to perform arbitrary actions on the machine. This includes pivoting to other machines in the remote network (such as a file server). Using the PUT command, you can upload any new tools you may need to the remote machine. The EXEC command allows you to execute those tools. The GET command allows you to retrieve output from any command that was written to an output file.

To get remote shares mounted to a machine, you’d just upload a batch script containing the “net use” command that outputs to an output file, EXEC the script, and retrieve the output file. I demonstrated this live at the Black Hat EU conference, capturing a listing of the user’s home directory, IP configurations, and the Program Files directory (to see what software was installed on the machine).

Jake beat me to the punch on my next question. I wondered if the notifications Dropbox created would seem odd to the user.

So, for now, Jake makes sure the name of the command file relates to the files already in Dropbox.
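The command files described above are documents in name only: a recognised file header followed by plain text that Word itself refuses to open. A defender can turn exactly that mismatch into a detection. What follows is an added example, not code from the article or from DropSmack itself. It walks a sync folder and flags files whose extension promises a Word container but whose bytes do not form one: a legacy .doc must carry a full 512-byte OLE2 header with its byte-order mark and sector-size field, and a .docx must be a complete zip archive. The sample files, the verdict names and the folder layout are constructed for the example.

```python
import io
import struct
import zipfile
from pathlib import Path

# Well-known container signatures for the two Word formats.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc: OLE2 / CFB container
ZIP_MAGIC = b"PK\x03\x04"                          # .docx: OOXML zip archive


def check_doc(data: bytes) -> str:
    """Validate a legacy .doc container. Returns 'ok' or a reason string."""
    if not data.startswith(OLE_MAGIC):
        return "wrong-magic"
    # A CFB header is 512 bytes; the fields after the magic are binary structures,
    # so a magic "on the first line" followed by text cannot pass these checks.
    if len(data) < 512:
        return "truncated-header"
    byte_order, sector_shift = struct.unpack_from("<HH", data, 28)
    if byte_order != 0xFFFE or sector_shift not in (9, 12):
        return "malformed-header"
    return "ok"


def check_docx(data: bytes) -> str:
    """Validate a .docx container (a zip archive)."""
    if not data.startswith(ZIP_MAGIC):
        return "wrong-magic"
    # is_zipfile looks for the end-of-central-directory record, so a forged
    # 'PK' prefix followed by text fails here.
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "malformed-archive"
    return "ok"


CHECKERS = {".doc": check_doc, ".docx": check_docx}


def printable_ratio(chunk: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    if not chunk:
        return 0.0
    printable = sum(1 for b in chunk if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(chunk)


def verdict(name: str, data: bytes) -> str:
    """Classify one file by its claimed extension and actual contents."""
    suffix = Path(name).suffix.lower()
    if suffix not in CHECKERS:
        return "not-checked"
    result = CHECKERS[suffix](data)
    if result != "ok":
        return result
    # Even when the container parses, a body that is almost entirely printable
    # text is suspicious for a binary format.
    if suffix == ".doc" and printable_ratio(data[512:]) > 0.95:
        return "text-body"
    return "ok"


def scan_folder(folder: str) -> dict:
    """Walk a sync folder and return {path: verdict} for every file that is not 'ok'."""
    findings = {}
    for path in Path(folder).rglob("*"):
        if path.is_file():
            v = verdict(path.name, path.read_bytes())
            if v not in ("ok", "not-checked"):
                findings[str(path)] = v
    return findings


# Constructed samples (not real files from the article).
def sample_forged_doc() -> bytes:
    # The pattern described above: a genuine magic on the first line, then plain text.
    return OLE_MAGIC + b"\n" + b"first instruction\nsecond instruction\n"


def sample_plausible_doc() -> bytes:
    # A structurally valid CFB header (minor 0x3E, major 3, byte order, 512-byte
    # sectors, 64-byte mini sectors) followed by a binary body.
    header = bytearray(512)
    header[0:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 0x0003, 0xFFFE, 9, 6)
    return bytes(header) + bytes(range(256)) * 8


def sample_minimal_docx() -> bytes:
    # A real (if empty) OOXML archive built in memory.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in [("forged.doc", sample_forged_doc()),
                        ("real.doc", sample_plausible_doc()),
                        ("real.docx", sample_minimal_docx())]:
        print(label, verdict(label, data))
```

Run scan_folder() against the local sync directory from a scheduled task; anything it returns deserves a look, because a legitimate Office document never fails the container checks. The printable-text heuristic is deliberately conservative so that genuine binary documents are not flagged.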

Countermeasures

Next, Jake and I discussed how to foil DropSmack. Jake didn’t have much regard for normal antimalware methods, such as IDS, firewalls, antivirus apps, or DLP software. He felt whitelisting software was the only sure way to prevent DropSmack from loading.

More importantly, Jake suggested that security managers think long and hard before allowing Dropbox or any file-synchronization application, no matter how convenient they are. Besides the more obvious reasons for disallowing file-synchronizing apps, Jake alluded to the “can of worms” companies can find themselves in regarding privacy laws. He explained:

Many general counsels are more than a little worried about the appearance of authorizing us to pen test what could end up being home machines. That’s becoming a sticky issue with pen-testers these days as people open spear phishing emails delivered to the corporate email addresses on machines that may be privately owned.

Jake also pointed out:

The Computer Fraud and Abuse Act doesn’t allow the corporation to authorize testing of an employee’s personal assets. Usually penetration testers solve this problem (and avoid breaking the law) by only acting on malware from machines in the corporation’s public IP range.

The liability issue resulting from privacy laws affects more than just pen testers; companies allowing file synchronization apps are apt to get embroiled in issues similar to the legal implications of BYOD.

Final thoughts

Jake and I felt it important to mention that Dropbox is by far the most secure of all file synchronization applications that Jake looked at. In fact, he uses Dropbox personally (at least he did before finding the issue). Jake also wanted me to make sure to mention that Dropbox was not compromised in order to accomplish his pen-testing goal. It was just a conduit.

A few more interesting tidbits from Jake:

  • More often than not, Dropbox is loaded on corporate networks whether it is approved or not — most of the time it’s not.
  • It’s a good bet the bad guys know this technique, and are already using it.

The article may make it seem that DropSmack is more of a corporate concern, but that is not necessarily so. Once DropSmack or similar malware becomes mainstream in bad-guy circles, it’s everyone’s concern.


Michael Kassner

About Michael Kassner

Michael Kassner is currently a systems manager for an international company. Together with his son, they run MKassner Net, a small IT publication consultancy.

Good ‘Ole Facebook to charge for messages?

It has been quietly doing it already in the USA and the UK.

Australia to follow???
——————————————————-

Facebook to charge Aussies for messages?

April 8, 2013, 4:20 pm – Miles Godfrey, AAP Social Media Reporter

Photo caption: Facebook is charging some users in the US and UK for sending high priority, private messages. Photo: AAP

Facebook has extended an experiment with paid-for messaging in the UK, raising the possibility that Australian users could face similar charges to contact celebrities or strangers in the future.

Facebook quietly began charging some UK users in late March, with fees of up to STG10 ($14.89) to send a private, high-priority message to popular celebrities like Olympic diver Tom Daley or rapper Snoop Lion.

It’s part of a trial, first launched in the US in late 2012, which Facebook says should reduce spam.

The prices have reportedly been set on a sliding scale, with lesser fees to send messages to minor celebrities and a flat rate of 71 pence ($1.05) to send messages to ordinary people who aren’t friends.

At the moment, private messages sent between strangers on Facebook generally land in the recipients’ ‘other’ inbox – a folder some users are either unaware of or rarely check.

But in the trial, a limited number of paid-for messages are being channelled directly to the recipient’s main inbox, making them more likely to be read.

Contact between friends and close associates on the site remains free under the UK and US trials.

A Facebook spokesman did not say if the fees will be trialled in Australia, where according to a November report by the Australian Communications and Media Authority (ACMA) there are 11.36 million users.

“We are testing an option that allows people to pay to have their messages routed to someone’s Inbox instead of their Other folder, even if they’re not connected to them on Facebook,” the spokesman told AAP on Monday.

“We are testing a number of price points in the UK and other countries to establish the optimal fee that signals importance.”

Facebook has previously dismissed rumours about blanket fees to use the website and boasts on its homepage: “It’s free and always will be”.

But after listing on the US stock market in May 2012, experts say the company is under pressure to exploit revenue streams.

Laura Demasi, from marketing firm IPSOS Australia, says users will be cynical about the fees.

“I think that this one will be met with a fair amount cynicism and eye-rolling from everyday users, who are already well aware of the fact that Facebook is looking for ways to make money out of them,” she said.

“They also need to be careful about just how rapidly they roll out these things.

“Consumers in our research often complain about not being able to keep up with the constant updates and changes to Facebook.

“One week it’s a new addition to privacy settings, the next it’s a weird fee like this one.”

If you think Facebook is slow now, read this!

Preparations begin for damaging solar storms

April 5, 2013 – 10:47AM

Mariette Le Roux


Photo caption: An M9-class solar flare erupting on the Sun’s northeastern hemisphere. Photo: NASA

Europe launched its first space weather coordination centre on Wednesday to raise the alarm for possible satellite-sizzling solar storms that also threaten astronauts in orbit, plane passengers and electricity grids on Earth.

Though impossible to predict, a worst-case scenario mega-storm can happen at any time, leaving the world without internet, telephones, television, electricity and air and rail transport for days on end.


Limited precautions can be taken, but early warning is key, say experts at the European Space Agency (ESA) which runs the centre from Brussels.

“A pilot can always land a plane… because they have alternatives [to satellites] for navigation, but if they get the disturbance without warning, at the wrong time, that can be dangerous,” Juha-Pekka Luntama, head of ESA’s space weather division said at the launch.

Even a slight satellite glitch can put navigation out by 100 metres – enough to miss a runway.

Earth’s atmosphere and magnetosphere protect the planet from radiation released during solar flares and geomagnetic storms – some of the most severe forms of space weather.

Smaller eruptions usually have little noticeable effect – perhaps slight problems with car navigation systems or mobile phones.

But a major solar storm on the scale of an event in 1859 that crippled global telegraph systems could have severe impacts today.

A “coronal mass ejection” – which sends electromagnetic radiation flying towards Earth at a speed of some 2500 kilometres per second and plays havoc with long transmission lines – caused surges on telegraph lines so strong in 1859 that offices caught fire and operators received electric shocks.

Such a storm today could claim about 50 to 100 satellites – 10 per cent of the total in orbit, according to ESA.

But probably the biggest threat to Earth lies in electric power grid surges.

“In the worst case, what could happen is that the transformers in the power grid are damaged and in that case, replacement of the transformers can take weeks or months,” said Luntama.

Even if only a small part of the grid is damaged, overloading in neighbouring systems can lead to more blackouts that spread domino-like, such as the nine-hour power blackout in Quebec in Canada in 1989.

Astronauts orbiting Earth on the International Space Station (ISS), closer to the source of the radiation, could be at high risk of a severe solar storm, as could plane crews and passengers flying over the polar regions.

Precautions would include turning off satellites to lessen the risk, reducing the load on power grids, astronauts taking cover in a well-shielded part of the ISS, and planes being diverted or even grounded if communications become unreliable.

Once witnessed by space weather watchers, the fallout from a solar storm takes between 17 and 48 hours to reach Earth, depending on its severity.

The coordination centre, a central point for space weather enquiries, will draw on the expertise of dozens of European universities, research institutions and private companies.

A similar service already exists in the United States.

For the moment, the ESA service — funded by 14 member states — is free.

The centre started operating six months ago and is expected to be fully operational by 2020 – part of a wider, multi-billion euro ESA system that also tracks objects in space that pose a collision threat.

AFP

Read more: http://www.theage.com.au/technology/sci-tech/preparations-begin-for-damaging-solar-storms-20130405-2hare.html#ixzz2PYrtvygI

The Age of the Universe Bullshit!

I have never, not even for one single solitary second, given the primitive, evolutionary stage that they, our ‘scientists’, and the rest of mankind, are at, ever believed, that in my lifetime, anyone, would know the real age of the universe!

My mind boggles, that our primitive minds, could be so arrogant, as to assume, and, put a date on, the creation of the universe.

There will continue to be new discoveries, that will produce more data, that will make our 13.8 billion years estimate laughable. As laughable as the similarity that can be drawn to creationist thinking, that according to the bible, the universe is 5,000 years old.

And this also applies to my acceptance of the ‘Big Bang Theory’! What a load of crap! I can though, believe in how the universe may have evolved, as explained in that theory. But how it started? No way!

So much for my sermon from the mount. Or in my case, the sermon from the riverside. 🙂
———————————————————————-

‘Infant’ universe, born before we knew

March 22, 2013 – 11:13AM

This image allows astronomers to look back to the foundations of the universe, writes Dennis Overbye.

Big Bang map shows oldest light

Analysis of the best ever map of the earliest light reveals the shape of the universe a fraction of a second after the Big Bang.

Astronomers released the latest and most exquisite baby picture yet of the universe on Thursday, one that showed it to be 80 million to 100 million years older and a little fatter, with more light and dark matter than previously thought, and perhaps ever so slightly lopsided.

Recorded by the European Space Agency’s Planck satellite, the image is a heat map of the cosmos as it appeared only 380,000 years after the Big Bang, showing space speckled with faint spots from which galaxies would grow over billions of years.


The map, the Planck team said, is in stunning agreement with the general view of the universe that has emerged during the past 20 years, of a cosmos dominated by dark energy that is pushing it apart, and dark matter that is pulling galaxies together. It also shows a universe that seems to have endured an explosive burp known as inflation, which was the dynamite in the Big Bang.

Photo caption: A view of the cosmic microwave background collected by the European Space Agency’s Planck satellite. The heat map of the cosmos was imprinted on the sky when the universe was just 380,000 years old. Photo: ESA

In a statement issued by the European Space Agency, Jean-Jacques Dordain, its director-general, said, “The extraordinary quality of Planck’s portrait of the infant universe allows us to peel back its layers to the very foundations, revealing that our blueprint of the cosmos is far from complete.”

Marc Kamionkowski, an astrophysicist at Johns Hopkins University who commented on the work at a news teleconference sponsored by NASA, called Planck “cosmology’s human genome project”.

“It shows the seeds from which the current universe grew,” he said.

Photo caption: A map of relic radiation (microwave sky) from the Big Bang. Photo: ESA

David N. Spergel, a Princeton University cosmologist, described the new results as “beautiful”, adding that “the standard cosmological model looks even stronger today than yesterday. The universe remains simple and strange.”

Within the standard cosmological framework, however, the new satellite data underscored the existence of puzzling anomalies that may yet lead theorists back to the drawing board. The universe appears to be slightly lumpier, with bigger and more heat spots on one side than on the other, for example, and there is an unexplained cool spot in the middle of the map.

Those anomalies had shown up on previous maps by NASA’s Wilkinson Microwave Anisotropy Probe, or WMAP, satellite, but some had argued that they were because of a bad analysis or contamination from the Milky Way.

Photo caption: The evolution of satellites designed to measure ancient light left over from the Big Bang. From left: NASA’s Cosmic Background Explorer, or COBE, 1989; the Wilkinson Microwave Anisotropy Probe, or WMAP, 2001; Planck, 2009. Photo: ESA

Now cosmologists will have to take them more seriously, said Max Tegmark, an expert on the early universe at the Massachusetts Institute of Technology, who was not part of the Planck team and who called the new results “very exciting”.

It could be, he said, that “the universe is trying to tell us something”.

George Efstathiou of Cambridge University, one of the leaders of the Planck project, said in the European Space Agency news release: “Our ultimate goal would be to construct a new model that predicts the anomalies and links them together. But these are early days; so far, we don’t know whether this is possible and what type of new physics might be needed. And that’s exciting.”

The Planck satellite was launched in 2009 and has been scanning the sky ever since, recording the faint variations in a haze of radio microwaves that fill the sky. Those microwaves are believed to be the cooled-off remains of the fires of the Big Bang, shown 380,000 years later, when the first hydrogen atoms formed.

The microwaves were discovered by accident in 1965 by a pair of Bell Labs radio astronomers, Arno Penzias and Robert W. Wilson, who later won the Nobel Prize in Physics. Using balloons, a U-2 spy plane and a series of satellites like the WMAP, astronomers have been teasing out the detailed features of this radiation.

Analysing the relative sizes and frequencies of spots and ripples has allowed astronomers to describe the birth of the universe so precisely that it would make the philosophers weep.

The new data have allowed astronomers to tweak their model a bit. It now seems the universe is 13.8 billion years old, instead of 13.7 billion, and consists by mass of 4.9 per cent atoms, 27 per cent dark matter and 71 per cent dark energy.

The biggest surprise here, astronomers said, is that the universe is expanding slightly more slowly than previous measurements had indicated. The Hubble constant, which characterises the expansion rate, is 67 kilometres per second per megaparsec — the units astronomers use — according to Planck. Recent ground-based measurements combined with the WMAP data gave a value of 69, offering enough of a discrepancy to make cosmologists re-run their computer simulations of cosmic history.

The fact that astronomers once would go to war with one another over a factor of two in measurements of this parameter shows how cosmology has progressed over the past 20 years.

Pressed for a possible explanation for the discrepancy, Martin White, a Planck team member from the University of California, Berkeley, said it represents a mismatch between measurements made at the beginning of time and those made more recently. He said it could mean that dark energy, which is speeding up the expansion of the universe, is more complicated than cosmologists thought. He termed the possibility “pretty radical”, adding, “That would be pretty exciting.”

The data also offered striking support for the notion of inflation, which has been the backbone of Big Bang theorising for 30 years.

Under the influence of a mysterious force-field during the first fraction of a second, what would become the observable universe ballooned by 100 trillion trillion times in size from a subatomic pinprick to a grapefruit in less than a violent eye-blink, according to the story first enunciated by Alan Guth of MIT.

Submicroscopic quantum fluctuations in this force-field are what would produce the hot spots in the cosmic microwaves, which in turn would grow into galaxies. According to Planck’s measurements, those fluctuations so far fit the predictions of the simplest model of inflation, invented by Andrei Linde of Stanford, to a tee.

Dr Tegmark of MIT said, “We’re homing in on the simplest model.”

Cosmologists still don’t know what might have caused inflation, but the recent discovery of the Higgs boson has provided evidence that the kinds of fields that can provoke such behaviour really exist.

Dr Tegmark and others said that another clue to the nature of inflation could come from the anomalies in the microwave data, which tend to happen on the largest scales in the universe. By the logic of quantum cosmology, they were the first patterns to be laid down on the emerging cosmos — that is to say, when inflation was just starting.

He compared it to walking in someplace and encountering a fight. If the fight had been going on for a while, he said, it is impossible to tell who started it or who was hurt first. But if you come in only a few seconds after it started, you have a better chance of figuring out who did what to whom.

“It may be,” he said, “we’re coming in early to the cosmic brawl.”

New York Times

Read more: http://www.theage.com.au/technology/sci-tech/infant-universe-born-before-we-knew-20130322-2gjru.html#ixzz2OHRWtpiJ

This is no surprise!!!

Teddles Ballyhoo’s government has been all about massive funding cuts to:
  • Hospitals
  • Police Forces
  • Education
  • Lollipop People
  • CFA (Country Fire Authority)
  • Emergency Systems’ development
  • SES (State Emergency Services)
  • Nurses
  • Mental Health Services
  • and many more!!!

Make no mistake! Cuts to all of the above services have been HUGE, while the inept, incompetent, and uncaring government of Teddles Ballyhoo has been busy applying these cuts to feather the nests of his cronies! Ted Baillieu should be charged for criminal activity!!!
———————————————————————————————

‘Jobs for mates’ crosses Parliament

February 3, 2013 – Farrah Tomazin
Illustration: Matt Golding.

THE state government has appointed dozens of Coalition backers and former MPs – including one of Ted Baillieu’s relatives – to plum positions on boards and agencies around the state.

Despite Mr Baillieu slamming the former Labor government every time a so-called “jobs for mates” scandal emerged, little appears to have changed since the Coalition came to office two years ago.

An analysis of appointments in health – where Victoria and Canberra continue to trade blows over hospital funding – shows many positions have been given to former ministers, MPs, political staffers and party officials.

For instance, Kennett government minister Mark Birrell was made the deputy chairman of VicHealth, former health minister Robert Knowles was appointed to the Royal Children’s Hospital board, former Caulfield MP Helen Shardey was made chairwoman of The Alfred hospital, and former Nationals MP Noel Maughan was appointed chairman of Goulburn Valley Health.

The water industry is similar. Former Kennett government treasurer Alan Stockdale is chairman of City West Water, former minister Geoff Coleman is on the board of Westernport Water, and former upper house MP John Vogels is on the Wannon Water board.

Mr Baillieu’s brother-in-law Graeme Stoney – a former MP – was granted a role on the board of VicForests, while some of the Premier’s former top aides have also received government roles.

They include Michael Kapel, Mr Baillieu’s friend and former chief of staff, who is now based in San Francisco as the Commissioner for the Americas, and Di Rule, who was a key adviser to Mr Baillieu in his early years as opposition leader, and is now on the board of the Victorian Registration and Qualifications Authority.

The appointments are among dozens in the past two years given to government associates. Mr Baillieu’s spokeswoman Kate Walshe insisted that all were made after an “extensive selection process to identify qualified, skilled and experienced individuals for the position, unlike the previous Labor government who unashamedly made partisan appointments without regard to their ability or experience to perform the duties of the role”.

Opposition scrutiny-of-government spokesman Martin Pakula rejected this claim, accusing the government of blatant hypocrisy. “Having once been horrified by jobs for the boys, Mr Baillieu has now made an art form of it,” he said. “If you have ever been a Liberal MP, candidate or staffer, you’re pretty much home and hosed for a cushy government gig.”

Appointing party “mates” has long been an issue at Spring Street. Former Labor premier Steve Bracks came under fire early in his first term for appointing an old friend, Jim Reeves, to head the Urban and Regional Land Authority.

Mr Baillieu was then opposition planning spokesman and a vociferous critic of the decision, citing it as an example of “special access” for government mates. A decade later, his government picked Liberal Party stalwart Peter Clarke – Mr Baillieu’s close friend – to lead planning authority Places Victoria.

ftomazin@fairfaxmedia.com.au

Read more: http://www.theage.com.au/victoria/jobs-for-mates-crosses-parliament-20130202-2drfb.html#ixzz2Jkgz419o

And in line with my previous post, More good news! NOT!!!

‘This definitely falls into the scary category’: researchers warn of 50 million exposed devices

January 29, 2013 – 10:49PM

Jim Finkle

Photo caption: Spying. Photo: Mayu Kanamori

Bugs in widely used networking technology expose tens of millions of personal computers, printers and storage drives to attack by hackers over the regular internet, researchers with a security software maker said.

The problem lies in computer routers and other networking equipment that use a commonly employed standard known as Universal Plug and Play or UPnP. UPnP makes it easy for networks to identify and communicate with equipment, reducing the amount of work it takes to set up networks.

The flaws could allow hackers to access confidential files, steal passwords, take full control over PCs as well as remotely access devices such as webcams, printers and security systems.

Security software maker Rapid7 said in a white paper released on Tuesday in the US that it discovered between 40 million and 50 million devices that were vulnerable to attack due to three separate sets of problems that the firm’s researchers have identified with the UPnP standard.

The long list of devices includes products from manufacturers including Belkin, D-Link, Cisco’s Linksys division and Netgear.

Representatives for Belkin, D-Link, Linksys and Netgear could not be reached for comment on Monday evening US time.

Chris Wysopal, chief technology officer of security software firm Veracode, said he believed that publication of Rapid7’s findings would draw widespread attention to the still emerging area of UPnP security, prompting other security researchers to search for more bugs in UPnP.

“This definitely falls into the scary category,” said Wysopal, who reviewed Rapid7’s findings ahead of their publication. “There is going to be a lot more research on this. And the follow-on research could be a lot scarier.”

Rapid7 has privately alerted electronics makers about the problem through the CERT Coordination Centre, a group at the Carnegie Mellon Software Engineering Institute that helps researchers report vulnerabilities to affected companies.

“This is the most pervasive bug I’ve ever seen,” said HD Moore, chief technology officer for Rapid7. He discussed the research with Reuters late on Monday US time.

Moore, who created a widely used platform known as Metasploit that allows security experts to simulate network attacks, said that he expected CERT to release a public warning about the flaw on Tuesday. A spokesman for the CERT Coordination Centre declined to comment.

A source with a networking equipment maker confirmed they had been alerted that CERT would issue an advisory on Tuesday and that companies were preparing to respond.

Taking control

Moore said that there were bugs in most of the devices he tested and that device manufacturers will need to release software updates to remedy the problems.

He said that is unlikely to happen quickly.

In the meantime, he advised computer users to quickly use a free tool released by Rapid7 to identify vulnerable gear, then disable the UPnP functionality in that equipment.

Moore said hackers have not widely exploited the UPnP vulnerabilities to launch attacks, but both Moore and Wysopal expected they may start to do so after the findings are publicized.

Still, Moore said he decided to disclose the flaws in a bid to pressure equipment makers to fix the bugs and generally pay more attention to security.

People who own devices with UPnP enabled may not be aware of it because new routers, printers, media servers, web cameras, storage drives and “smart” or web-connected TVs are often shipped with that functionality turned on by default.

“You can’t stay silent about something like this,” he said. “These devices seem to have had the same level of core security for decades. Nobody seems to really care about them.”

Veracode’s Wysopal said that some hackers have likely already exploited the flaws to launch attacks, but in relatively small numbers, choosing victims one at a time.

“If they are going after executives and government officials, then they will probably look for their home networks and exploit this vulnerability,” he said.

Rapid7 is advising businesses and consumers alike to disable UPnP in devices that they suspect may be vulnerable to attack. The firm has released a tool to help identify those devices on its website.

Reuters

Read more: http://www.theage.com.au/it-pro/security-it/this-definitely-falls-into-the-scary-category-researchers-warn-of-50-million-exposed-devices-20130129-2djav.html

Free Peoples of the World Should Never Let this Happen!

Why would allegedly free democratic governments have a need to gather data on their citizens? To what end do these governments need this information, if not to control their citizens?

As democratic governments collect this information, they become EXACTLY like the oppressive regimes that have tortured, murdered, and in many other ways reduced their citizens to terrified beings.

Have we not learned anything from history? Have we not seen the parallels between George Orwell’s terrifying book ‘1984’ and what has proven to exist now, in these modern times, in countries like Libya, Iraq, Iran, Afghanistan, China, Indonesia, and many, many others?

We cannot let Governments have this control over our lives! Information leads to knowledge, and knowledge is power! And it SHOULD NEVER BE A ONE WAY STREET!

We must protect our rights to be free! Millions of our soldiers, our sons and daughters, and fathers and mothers, have died, just so that we could be free! That is why we have Remembrance Day, and that is why we have Anzac Day! To honour our service men and women who died, or suffered horrific physical and mental injuries, so that we could all be free!

Do not EVER, let their deaths have been in vain! Their lives wasted! 

We should let our government representatives, the PEOPLE WE ELECTED, know that certain things are simply unacceptable!

To let Governments, and other organisations, gather information that would enable them to CONTROL us would be a crime against humanity!
———————————————————-

Web inventor warns against data storage

Date  January 30, 2013

Stephen Hutcheon


The founder of the world wide web has sounded a warning about the dangers posed by governments intent on increasing the level of monitoring and filtering of the online activity of citizens.

Sir Tim Berners-Lee said that while it was important to fight serious organised crime and for a state to defend itself against cyber attack, there were enormous negatives associated with excessive government oversight of digital activity.

He believes that stored information is so dangerous, it can be likened to dynamite.

Web founder Sir Tim Berners-Lee. Photo: Brendan Esposito

“The whole thing seems to me fraught with massive dangers and I don’t think it’s a good idea,” he said in reply to a question about the Australian government’s data retention plan.

Sir Tim was speaking in Sydney at the launch of the CSIRO’s $40 million Digital Productivity and Services Flagship, a research facility focused on the digital economy and exploiting the full potential of the National Broadband Network.

Under the data retention proposal, internet service providers and telecommunication operators would be required to capture the online data of all Australians and store it for up to two years.

“That [stored] information is so dangerous, you have to think of it as dynamite,” he said.

He said while it was possible for a government to set up a watchdog to ensure that the stored information was not used, he was not yet aware of any government that had successfully introduced such a system.

During his hour-long talk Sir Tim also raised a red flag about web filtering.

“I have a worry that a government is liable to take too much control; maybe to spy, maybe to block,” he said. “So beware of a government that has the ability to control what you see on the web.”

His comments were made at the same event where Communication Minister Stephen Conroy, the architect of a controversial web filtering plan, had spoken earlier. The plan was officially put on the back burner late last year.

The CSIRO centre will assist the public and private sectors to develop and deliver more efficient and innovative digitally enhanced services by harnessing data.

Read more: http://www.theage.com.au/national/web-inventor-warns-against-data-storage-20130129-2dixg.html

Facebook owned Instagram attempted privacy breach backfires!

Instagram follows right on from Facebook, where changes to policy are instigated without care or concern for its users!
———————————————–

1 in 4 Instagram users abandoned app

Date  December 31, 2012 – 10:17AM

Insta-backlash … changes to privacy policy enraged users. Photo: AFP

Facebook’s Instagram lost almost a quarter of its daily users a week after it rolled out and then withdrew policy changes that incensed users who feared the photo-sharing service would use their pictures without compensation.

Instagram, which Facebook bought for $US715 million this year, saw the number of daily active users who accessed the service via Facebook bottom out at 12.4 million as of Friday, versus a peak of 16.4 million the week before, according to data compiled by online tracker AppData.

The popular app, which allows people to add filters and effects to photos and share them over the internet or smartphones, experienced the drop over the brief, often-volatile holiday period.

Other popular apps also saw slippage in usage, and some were more pronounced. Recommendation site Yelp, for instance, saw daily active users – again via Facebook – slide to a weekly low of half a million on Thursday, from a high of 820,000 one week ago.

Instagram disputed the AppData survey, which was compiled from users that have linked the photo service to their own Facebook accounts, historically between 20 and 30 per cent of Instagram members.

“This data is inaccurate. We continue to see strong and steady growth in both registered and active users of Instagram,” a spokeswoman said in an emailed statement on Friday.

Looking out over a broader timeframe, Instagram’s monthly active users edged up to 43.6 million as of Friday, an increase of 1.7 million over the past seven days, according to AppData.

“We’ll have to monitor the data over the coming weeks to gain perspective on trends in Instagram’s performance,” AppData marketing manager Ashley Taylor Anderson said in an email.

Attention seeking

The sharp slide in activity highlighted by AppData was bound to draw attention on the heels of the controversial revision to Instagram’s terms of service that, among other things, allowed an advertiser to pay Instagram “to display your username, likeness, photos (along with any associated metadata)” without compensation.

The subsequent public outrage prompted an apology from Instagram founder Kevin Systrom. In December, a California Instagram user sued the company for breach of contract and other claims, in what may have been the first civil lawsuit to stem from the controversial change.

Instagram subsequently reverted to some of its original language.

The move renewed debate about how much control over personal data users must give up to live and participate in a world steeped in social media.

Analysts say Facebook, the world’s largest social network, was laying the groundwork to begin generating advertising revenue, by giving marketers the right to display profile pictures and other personal information, such as who users follow in advertisements.

According to Business Insider Intelligence, Facebook already controls nearly one-fifth – or 18.4 per cent – of mobile display advertising revenue in the US.

Reuters

Read more: http://www.theage.com.au/technology/technology-news/1-in-4-instagram-users-abandoned-app-20121231-2c216.html

Facebook at it again!!!

Facebook photo ‘Armageddon’

Date    December 5, 2012 – 4:14PM

The new feature that could spell doomsday for your privacy rights.

Facebook’s latest feature has social network experts forecasting online Armageddon for photo privacy, concerned that users are allowing the new photo sync capability without knowing what they’re using.

Facebook App users will soon be asked whether they want to ‘get started’ using the new feature.

Facebook photo sync … Smartphone Facebook App users will soon see this on their screens.

Lecturer of Internet Studies at Curtin University Dr Tama Leaver says there are reasons for concern.

“We have a nasty tendency to click on things and try them without knowing what they do,” he said.

“It does mean that we’re often giving away the rights to our own private information and sharing it with a company who might look like a communication tool but at the end of the day they’re a corporate and their job is to try and figure out how to make money by using the private data that we share.”

With the recent purchase of Instagram the directors of Facebook are clearly well aware of the snowballing popularity of photo sharing, and photo sync takes picture sharing to an all new level.

By turning on the feature you enable automatic syncing, which means the 20 most recent photos taken on your smartphone are uploaded to Facebook – and then every photo you take after that.

The photos are not automatically made public; they sit in a new private storage centre similar to Mac’s iCloud where you can go through and select which photos your followers can see.

What’s raised concerns though is the fact that anything you upload, regardless of whether your friends can see it or not, is then property of Facebook.

And it’s not just the photo that they own, but also all the data that relates to it.

Dr Leaver says it records your location, places nearby, the date and time, and even who’s in the photo.

“It will record the exact geographic co-ordinates of where you stand when you take the photo,” he said.

“Then there are the things that Facebook engineers can say but we can’t; like advanced facial recognition that helps them really clearly work out who’s in it so they can access their information.

“So that’s an awful lot of data being generated when you just hit the little camera icon.”

A spokesperson for Facebook released a statement last week saying they will “only utilise photo data after users decide to share them to Facebook”.

However, Dr Leaver says that’s not an adequate safeguard.

“It’s happened in the past so it’s not inconceivable that six months after we all start using this synchronisation tool and are really enjoying it, suddenly it stops going into our hidden account and starts going straight into our timeline or something like that,” he said.

“So there are definitely things to worry about and we will definitely have to be attentive if Facebook start to change their settings again.”

It wouldn’t be the first time Facebook has been caught out for leaking user data accidentally, with popular apps like Farmville selling on user identifications to advertising networks in the past.

With the permanency of online data, Dr Leaver advises users to approach with caution.

“I think everyone has to make an educated decision and I think you need to understand how it works before you turn it on,” he said.

“Personally I wouldn’t be using it.

“I do upload photos to Facebook and I’m quite happy to save them on my phone and decide which ones I want to upload from there, I think that’s probably a safer way to avoid problems in the future.”

Read more: http://www.watoday.com.au/digital-life/digital-life-news/facebook-photo-armageddon-20121205-2av06.html

The future of Internet Shopping?

We must be on guard for these practices.

I would suggest posting online the names of websites that pursue these practices!

And there is no worry about defamation or libel if what is posted is true!
——————————————————————-

Why pay more? Because they know where you click

Date  November 24, 2012

Brad Howarth

Variable pricing is “a mistake” … Jeff Bezos, founder and CEO of Amazon.com. Photo: AP

While Australians rushed online to snare a bargain during this week’s botched Click Frenzy, in the future our ability to save dollars when shopping online might have more to do with who we are, where we live and what we buy.

A website can now raise prices for a shopper from a wealthier suburb, or one who spends a lot.

The next evolution of the web, called “adaptive web”, is personal. It allows for the tailoring of web pages based on a shopper’s online habits.

Common practice … Eddie Machaalani, co-founder and CEO of BigCommerce. Photo: Marco Del Grande

Adaptive content has been most commonly used to display personalised recommendations based on a customer’s online behaviour but it also allows retailers to personalise pricing.

The co-founder and chief executive of the e-commerce technology company BigCommerce, Eddie Machaalani, said variable pricing was more common than people realised.

“It hasn’t hit the mainstream, but definitely a lot of retailers have done it. It is also a very dangerous topic, and a lot of larger players have shied away from it because of the public outrage that it gets,” he said. “With social media, forums and people communicating online, word spreads, and you as a merchant would look really bad and lose a lot of clout with your customers.”

In August The New York Times reported how supermarket chains Safeway and Kroger were experimenting with different discounts based on the shopper’s habits. And CNN has reported that as far back as 2000 Amazon was raising its prices for a regular customer.

Earlier this year the Wall Street Journal reported that the online travel agency Orbitz found Apple users spent as much as 30 per cent more on hotels than Windows visitors so it started showing them more expensive travel options.

Amazon’s chief executive, Jeff Bezos, said it was “a mistake” to experiment with charging different customers different prices for the same products.

A common ploy is for websites to use data that users generate online to tune prices, such as whether the shopper has already searched for a particular item.

Nigel Peach, the sales director of the specialist data company Servian, said some flight-booking sites did this.

“If you try and book a plane, the next time you look, the price will have gone up,” he said.

The chief executive of the Australian National Retailers’ Association, Margy Osmond, said this behaviour was unlikely in Australia due to the already heated nature of discussions about online retailing.

But many international website operators, especially technology companies, already make discriminatory pricing decisions based on the IP address of a shopper’s browser (which provides a guide to where they are). This stops Australians from purchasing cheaper items from international sites.

The practice has been the subject of a federal parliamentary inquiry and in June an analysis conducted by Choice found that, without accounting for tax, Australian consumers paid an average of 50 per cent more for PC games and 52 per cent more for iTunes music.

Consumer IP addresses are not overly accurate beyond the country of origin, but less-scrupulous site operators might also capture address details that a user has entered into a legitimate website and sell them on to other site operators.

The collection of customer data can work in a consumer’s favour too. Some websites issue discount coupons to encourage buyers to complete abandoned transactions, provided they have the would-be buyer’s email address.

Read more: http://www.theage.com.au/it-pro/business-it/why-pay-more-because-they-know-where-you-click-20121123-29yus.html