Security

This tag is associated with 96 posts

iPad Hacker Could Be Jailed After Exposing Security Hole

BGR writes today about the case of two hackers from Goatse Security, one of whom could face jail despite trying to do good. The hackers found a way to harvest emails and data from iPads via a security hole in AT&T's website. They then made their discovery public, in order to warn other iPad users about AT&T's site. In no way did the hackers expose the emails they obtained, or try to make money from what they had found. Even so, LiveScience.com reports, via BGR, that one of the hackers, Andrew Auernheimer, could still be jailed as a result of what he did. The reason is that Auernheimer is accused of breaking the Computer Fraud and Abuse Act of 1986. Apparently, being so old, the law doesn't take into account hackers who are actually trying to do good. The case will either be ruled on this week or, failing that, could go to the Supreme Court, and could possibly become a precedent-setting hacking case that could help to define future laws.

Source: AT&T iPad email hacker: Jail time a possibility | BGR

Security Guru Pledges to Strengthen Critical Computers

Computer-security researcher Eugene Kaspersky says he is testing control software that won

Android 4.2 brings new security features to scan sideloaded apps

Verify apps

Talking about malware on a mobile platform is a tough thing to do right. Some of what you hear is real, and needs to be addressed responsibly, but so much of it is just FUD from folks trying to sell you something or get you to change your choice of device. We try to do the former, without downplaying the serious issues, but we also depend on users to be a little bit savvy and not do the things that lead to getting malware on the phone in the first place.

Thankfully, Google has stepped up and taken the reins here. As ComputerWorld's JR Raphael has pointed out, starting with Android 4.2 users now have the option to have every application that is being sideloaded scanned before installation. This uses the same technology as Google Play's Bouncer, and is designed to scan for and find malware — both known cases and suspicious applications. If an app's fingerprint matches known malware, you'll be blocked from installing the application. If the app shows anything that the scanner feels is suspicious, you're warned that it may be harmful and given the choice whether or not to install. The service is entirely opt-in, and your choice can be changed at any time through the device security settings.

We're big proponents of responsible reactions to and prevention of mobile security issues. In a time where companies release blurbs in the press that exaggerate the amount of malware (Android VP of engineering Hiroshi Lockheimer notes that actual dangerous malware is extremely rare on the Android platform) and push users to use their products, we're glad to see Google taking this sort of action. There is no substitute for common sense, but Android 4.2's new security scanning feature sounds like the right way forward.

Droid RAZR HD and MAXX HD receiving small security patch OTA

It looks like the Droid RAZR HD and MAXX HD are receiving an extremely small OTA update — about 6MB — according to Verizon support documentation. There's just one bullet point to this update, "Updated Google Security Patch has been added.", which is pretty obscure. Rooted users beware, this may be closing up an exploit hole that you used. Better wait and see what the final implications of this update are.

That aside, it's always good to see updates coming out, even the small bug fixes like this.

Source: Verizon Support; PDF; Thanks everyone who sent this in!

More: Verizon Droid Forums

Huawei and ZTE a risk to national security, says U.S. Congressional report

Chinese electronics firms Huawei and ZTE represent a potential threat to U.S. national security, according to a draft congressional report. The report from the U.S. House of Representatives' Intelligence Committee follows an 11-month investigation into the firms. A draft seen by Reuters suggests that the companies may be subject to the influence of the Chinese government, thus representing a possible espionage threat.

Much of the panel's conclusions are drawn from Huawei and ZTE's failure to deliver documents relating to their interactions with the Chinese government. The panel said it also received evidence from "industry experts and current and former Huawei employees" suggesting corruption, bribery and copyright infringement at Huawei in particular.

The document states that Huawei and ZTE "cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems," and that "U.S. network providers and system developers are strongly encouraged to seek other vendors for their projects."

Speaking on CBS's "60 Minutes," committee chairman Mike Rogers said U.S. companies should "find another vendor if you care about your intellectual property; if you care about your consumers' privacy and you care about the national security of the United States of America."

In addition to Android smartphones, both ZTE and Huawei produce networking equipment such as routers. Though the U.S. represents a small quantity of their overall business, the companies are looking to rapidly expand within the U.S., particularly where smartphones are concerned. The Reuters report does not specifically mention whether networking equipment alone is suspected, or whether smartphones, too, could make up part of the alleged espionage threat.

In statements given to Reuters today, Huawei and ZTE deny the committee's allegations. Huawei dismissed the accusations as "baseless" and a "dangerous political distraction," while ZTE says it "profoundly disagrees" with the panel's conclusions.

The full report is due to be released later this morning.

Source: Reuters

Microlatch and Apple Said to be Working on Fingerprint Security

AppleInsider reports today that according to The Australian, start-up company Microlatch has inked a deal with Apple to develop fingerprint ID technology. The information comes from David Murray, who is a lead investor for the company, although unfortunately he was not prepared to divulge much more on the matter. AppleInsider explains that Microlatch is the owner of a patent for "self-registering" fingerprint biometrics that fulfil banking security standards and do not require processing or storage. AppleInsider posits that Apple seems to be looking into a biometric security solution to work alongside NFC to enable secure digital payments. This follows on from Apple's acquisition of fingerprint sensor maker AuthenTec in July for $356 million, presumably so that Apple would now have access to AuthenTec's Smart Sensor fingerprint reader. It seems that Apple is still a long way off implementing such technology, however, as people are understandably wary of such payment methods unless they know that they are completely secure.

Source: Rumor: Apple strikes deal with Australian start-up Microlatch for fingerprint security tech

Major security vulnerability in Samsung phones could trigger factory reset via web page

A major security vulnerability has been discovered in some TouchWiz-based Samsung smartphones, including the Galaxy S3. The bug was first demonstrated by security expert Ravi Borgaonkar at the Ekoparty security conference. It can be triggered via a single line of code in a malicious web page, immediately triggering a factory reset without prompting the user, and without allowing them a way to cancel the process. Even more serious is the possibility that this could be paired with a similar glitch that can render the user's SIM card inoperable. As the malicious code is in URL form, it can also be delivered via NFC or QR code.

We've confirmed that the malicious code does indeed trigger an immediate factory reset on our Verizon Galaxy S3 running Ice Cream Sandwich. Presumably, because the built-in browser is common to all S3 models, other versions will also be affected. Others have reported that the Galaxy S2, Galaxy Ace and Galaxy Beam are susceptible, too. As far as we can tell, though, the vulnerability does not seem to affect Samsung phones running stock Android, like the Galaxy Nexus. Similarly, Google Chrome on Samsung handsets is not susceptible to the bug, nor are other browsers we tested.

The vulnerability is the result of the way the native Samsung browser and dialer app handle USSD codes and telephone links. USSD codes are special codes that can be entered in the keypad to perform certain functions, like enabling call forwarding, or accessing hidden menus on the device. On Samsung phones, there's also a USSD code for resetting the phone (and presumably another for nuking your SIM). That, combined with a glitch in the browser which allows phone numbers to be automatically dialed, results in a particularly nasty issue for anyone unfortunate enough to run across a malicious web page.

There are, of course, other ways this glitch could be abused. The ability to automatically run numbers through the dialer could be used to call premium-rate phone numbers, for example.

But the fact that just visiting a web site could trigger your phone to factory reset itself, and nuke your SIM in the process, is a very serious issue. Until it's addressed, we'd recommend switching to Google Chrome immediately, and as an added precaution, disabling the built-in "Internet" app through Settings > Apps > All, if you're using an affected Samsung phone.

We've reached out to Samsung for comment on this issue, and we'll keep you updated with any information they provide.

Source: @Paul Olvia; via SlashGear

Google improves Chrome Android browser security with latest update

With mobile devices becoming more and more popular, it is no surprise to see malicious adware and viruses continue to pop up through apps and web browsing.

Chrome for Android updated with stability and security fixes

Google Chrome for Android has been updated over Google Play, the first such update since Google's mobile browser exited beta at Google I/O back in June. There are no major feature additions in the new version 18.0.1025308, but there is a selection of fixes for "medium"-rated security issues, as well as stability fixes.

The new Chrome also seems a tad speedier on image-heavy sites like Android Central — let us know in the comments if you're noticing the same effect.

If you're already running Chrome, head to the "My Apps" menu in the Google Play Store to grab the new update. If you're not, you can use the Google Play link above to jump straight to the latest version. Note that you still need to be on Android 4.0 Ice Cream Sandwich or 4.1 Jelly Bean to install Chrome.

Source: Google Chrome Releases

Verizon partners with Asurion and McAfee to launch Mobile Security App

In order to help protect their customers' Android smartphones, Verizon Wireless recently launched a Mobile Security Android app in the Play Store.
