<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>VR World &#187; Security</title>
	<atom:link href="http://www.vrworld.com/category/sec/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.vrworld.com</link>
	<description></description>
	<lastBuildDate>Thu, 09 Apr 2015 18:40:10 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=4.1.1</generator>
	<item>
		<title>John Oliver Grills Edward Snowden on &#8216;Last Week Tonight&#8217;</title>
		<link>http://www.vrworld.com/2015/04/06/john-oliver-grills-edward-snowden-on-last-week-tonight/</link>
		<comments>http://www.vrworld.com/2015/04/06/john-oliver-grills-edward-snowden-on-last-week-tonight/#comments</comments>
		<pubDate>Mon, 06 Apr 2015 14:59:59 +0000</pubDate>
		<dc:creator><![CDATA[Sam Reynolds]]></dc:creator>
				<category><![CDATA[Entertainment]]></category>
		<category><![CDATA[Global Politics]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[US]]></category>
		<category><![CDATA[Edward Snowden]]></category>
		<category><![CDATA[John Oliver]]></category>
		<category><![CDATA[Last Week Tonight]]></category>
		<category><![CDATA[NSA]]></category>
		<category><![CDATA[NSA Leaks]]></category>

		<guid isPermaLink="false">http://www.vrworld.com/?p=51605</guid>
		<description><![CDATA[<p>The Oliver-Snowden interview is uncomfortable to watch, and good journalism. </p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2015/04/06/john-oliver-grills-edward-snowden-on-last-week-tonight/">John Oliver Grills Edward Snowden on &#8216;Last Week Tonight&#8217;</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="630" height="354" src="http://cdn.vrworld.com/wp-content/uploads/2015/04/johnoliver_hbo.jpg" class="attachment-post-thumbnail wp-post-image" alt="johnoliver_hbo" /></p><p>NSA whistleblower <a href="http://www.vrworld.com/tag/edward-snowden/">Edward Snowden</a> is no stranger to the press. He’s appeared in dozens of interviews with major media outlets as well as an Oscar nominated documentary called <a href="http://www.vrworld.com/2015/02/23/edward-snowden-documentary-citizenfour-nabs-oscar-doc/"><i>Citizen Four</i></a><i>.</i></p>
<p>But HBO funnyman <a href="http://www.hbo.com/last-week-tonight-with-john-oliver#/">John Oliver</a> provided what is no doubt the toughest interview yet for Snowden. Granted, there was plenty of light banter, such as whether the NSA can intercept your “dick pics”, but there were also a number of sharp, pointed questions on whether Snowden’s mass disclosure of documents was well-warranted whistleblowing or reckless behavior.</p>
<h2>John Oliver &#8211; Edward Snowden interview</h2>
<p><iframe src="https://www.youtube.com/embed/XEVlyP4_11M" width="560" height="315" frameborder="0" allowfullscreen="allowfullscreen"></iframe></p>
<p>“How many of those documents have you actually read?” Oliver asked.</p>
<p>“I’ve evaluated all the documents that are in the archive,” Snowden responded.</p>
<p>Pressed, he elaborated further: “I do understand what I turned over.”</p>
<p>But for Oliver that wasn’t good enough.</p>
<p>“There’s a difference between <i>understanding</i> what’s in the documents and <i>reading</i> what’s in the documents. Because when you’re handing over thousands of NSA documents the last thing you’d want to do is <i>read </i>them,” Oliver said. “So <i>The New York Times</i> took a slide, didn’t redact it properly, and in the end it was possible for people to see that something was being used in Mosul on al Qaeda.”</p>
<p>“That is a problem,” Snowden replied.</p>
<p>“Well, that’s a <i>fuckup</i>,” said Oliver.</p>
<p>The interview is hard hitting and well worth the watch. Check it out in the video embedded above.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2015/04/06/john-oliver-grills-edward-snowden-on-last-week-tonight/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Watch A Canadian Paratrooper Land In A Dense Forest</title>
		<link>http://www.vrworld.com/2015/03/27/watch-a-canadian-paratrooper-land-in-a-dense-forest/</link>
		<comments>http://www.vrworld.com/2015/03/27/watch-a-canadian-paratrooper-land-in-a-dense-forest/#comments</comments>
		<pubDate>Fri, 27 Mar 2015 03:38:41 +0000</pubDate>
		<dc:creator><![CDATA[Vanja Kljaic]]></dc:creator>
				<category><![CDATA[Global Politics]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Airplanes]]></category>
		<category><![CDATA[Canadian Air Force]]></category>
		<category><![CDATA[military]]></category>
		<category><![CDATA[Military Exercises]]></category>
		<category><![CDATA[Paratroopers]]></category>
		<category><![CDATA[Videos]]></category>

		<guid isPermaLink="false">http://www.vrworld.com/?p=50967</guid>
		<description><![CDATA[<p>During the annual Maple Flag exercise, a Canadian air force military airplane dropped a company of paratroopers, and this video shows one of them making a pretty scary landing in a dense forest.</p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2015/03/27/watch-a-canadian-paratrooper-land-in-a-dense-forest/">Watch A Canadian Paratrooper Land In A Dense Forest</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="2720" height="1812" src="http://cdn.vrworld.com/wp-content/uploads/2015/03/Lockheed_CC-130H_Hercules_8111583732_2.jpg" class="attachment-post-thumbnail wp-post-image" alt="Close approach, YWG." /></p><p style="text-align: justify;">Dropping out of a perfectly good airplane &#8212; that&#8217;s something that only those with a few screws loose can do. While I may be quoting the guys from <em><a href="http://en.wikipedia.org/wiki/Band_of_Brothers_%28miniseries%29">Band of Brothers</a></em> a bit, the fact remains: it&#8217;s hard to mentally justify such a thing, and only the brave men and women in the military perform such tasks on a weekly basis.</p>
<p style="text-align: justify;">Canada hosted a military exercise called <em>Maple Flag</em> a few weeks ago. Established in 1978, Maple Flag is one of the largest such exercises in the world, as it makes use of the extensive Cold Lake Air Weapons Range (CLAWR), which is co-existent with Canadian Forces Base Cold Lake. The exercise takes place annually over a four-week period, during which the Royal Canadian Air Force runs its mission-readiness drills together with allied nations from around the world.</p>
<p style="text-align: justify;">It is as yet unclear who screwed up in this jump. While the region is mostly forested, there was a big patch of clear fields visible in the video. But as military parachutes are somewhat difficult to steer, it&#8217;s no wonder that the combination of prop blast, heavy winds and onset air flow above the landing area resulted in this scary situation. Luckily, the <a href="http://en.wikipedia.org/wiki/Paratrooper">paratrooper</a> put his training to good use, which afforded him a safe landing, though it also revealed to the world that even Canadians can curse in such situations. Check out the complete drop right below.</p>
<p><iframe width="1140" height="641" src="https://www.youtube.com/embed/CAvPEzvrbX8?feature=oembed" frameborder="0" allowfullscreen></iframe></p>
<p><strong>Image:</strong> Canadian Air Force Hercules C-130 Photo By <a href="http://www.flickr.com/people/40563877@N00">BriYYZ</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2015/03/27/watch-a-canadian-paratrooper-land-in-a-dense-forest/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>No Browser Was Safe at Pwn2Own 2015</title>
		<link>http://www.vrworld.com/2015/03/23/no-browser-was-safe-at-pwn2own-2015/</link>
		<comments>http://www.vrworld.com/2015/03/23/no-browser-was-safe-at-pwn2own-2015/#comments</comments>
		<pubDate>Mon, 23 Mar 2015 06:10:18 +0000</pubDate>
		<dc:creator><![CDATA[Sam Reynolds]]></dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Apple Safari]]></category>
		<category><![CDATA[Browser Security]]></category>
		<category><![CDATA[Chrome]]></category>
		<category><![CDATA[FF]]></category>
		<category><![CDATA[Google Chrome]]></category>
		<category><![CDATA[IE]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[Mozilla Firefox]]></category>
		<category><![CDATA[NASDAQ: HPQ]]></category>
		<category><![CDATA[Pwn2Own]]></category>
		<category><![CDATA[safari]]></category>

		<guid isPermaLink="false">http://www.vrworld.com/?p=50561</guid>
		<description><![CDATA[<p>Every major browser fell to the exploits delivered at Pwn2Own. </p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2015/03/23/no-browser-was-safe-at-pwn2own-2015/">No Browser Was Safe at Pwn2Own 2015</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="600" height="400" src="http://cdn.vrworld.com/wp-content/uploads/2015/03/Pwn2Own_1-600x400.jpg" class="attachment-post-thumbnail wp-post-image" alt="Pwn2Own_1-600x400" /></p><p>Every year at the CanSecWest security conference in Vancouver, <a href="http://www.vrworld.com/tag/hewlett-packard/">Hewlett-Packard </a>(<a href="http://www.google.com/finance?cid=17154">NYSE: HPQ</a>) runs the Pwn2Own hacking competition where big cash prizes are delivered for browser exploits.</p>
<p>This year no browser proved to be unhackable. The big winner of the contest was South Korean security researcher JungHoon Lee, who developed exploits for Internet Explorer and Chrome on Windows as well as Safari on OSX. For that, he walked away with $225,000 in cash.</p>
<p>Lee’s attack on Chrome exploits a buffer overflow race condition in the browser, then uses an info leak and race condition in two Windows kernel drivers to get SYSTEM access, according to <a href="http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2015-Day-Two-results/ba-p/6722884#.VQ-oUfmUeX2">HP’s Security Research blog</a>. This attack bypasses the anti-exploit mechanisms included in Chrome, such as the sandbox and address space layout randomization, which have made it one of the more secure browsers.</p>
<p>&#8220;With all of this, lokihardt managed to get the single biggest payout of the competition, not to mention the single biggest payout in Pwn2Own history: $75,000 USD for the Chrome bug, an extra $25,000 for the privilege escalation to SYSTEM, and another $10,000 from Google for hitting the beta version for a grand total of $110,000,&#8221; Pwn2Own organizers wrote in a <a href="http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2015-Day-Two-results/ba-p/6722884#.VQ-oUfmUeX2">blog post</a>. &#8220;To put it another way, lokihardt earned roughly $916 a second for his two-minute demonstration.&#8221;</p>
<p>Lee also demonstrated a viable Internet Explorer 11 attack. This attack bypassed Internet Explorer’s sandbox through a time-of-check to time-of-use (TOCTOU) vulnerability, which allows for elevated execution of JavaScript. This earned Lee another $65,000.<br />
<iframe src="https://www.youtube.com/embed/X2Ssw2sLUHI" width="560" height="315" frameborder="0" allowfullscreen="allowfullscreen"></iframe></p>
<p><iframe src="https://www.youtube.com/embed/V99skqmTyiY" width="560" height="315" frameborder="0" allowfullscreen="allowfullscreen"></iframe></p>
<p>Finally, Lee demonstrated an exploit for Safari with a use-after-free (UAF) vulnerability in an uninitialized stack pointer in the browser and bypassed the sandbox for code execution.</p>
<p>Firefox was hacked on the first day of the contest via an out-of-bounds read/write vulnerability leading to medium-integrity code execution.</p>
<p>All of the exploits were disclosed to the vendors after the conference. The vendors will be given time to patch the exploits before the code is released to the public.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2015/03/23/no-browser-was-safe-at-pwn2own-2015/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Stealth Is Non-Negotiable With the B-2 Bomber</title>
		<link>http://www.vrworld.com/2015/03/21/stealth-is-non-negotiable-with-the-b-2-bomber-it-seems/</link>
		<comments>http://www.vrworld.com/2015/03/21/stealth-is-non-negotiable-with-the-b-2-bomber-it-seems/#comments</comments>
		<pubDate>Sat, 21 Mar 2015 08:41:13 +0000</pubDate>
		<dc:creator><![CDATA[Vanja Kljaic]]></dc:creator>
				<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Global Politics]]></category>
		<category><![CDATA[Hardware]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Aicraft]]></category>
		<category><![CDATA[Armchair Generals]]></category>
		<category><![CDATA[B-2]]></category>
		<category><![CDATA[Bombers]]></category>
		<category><![CDATA[military]]></category>
		<category><![CDATA[stealth]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://www.vrworld.com/?p=50366</guid>
		<description><![CDATA[<p>Here is a video showcasing a B-2 Bomber and why the stealth on this platform is non-negotiable in every aspect.</p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2015/03/21/stealth-is-non-negotiable-with-the-b-2-bomber-it-seems/">Stealth Is Non-Negotiable With the B-2 Bomber</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="1920" height="1202" src="http://cdn.vrworld.com/wp-content/uploads/2015/03/B-2_Spirit_original.jpg" class="attachment-post-thumbnail wp-post-image" alt="B-2_Spirit_original" /></p><p>Whether you like it or not, the B-2 bomber is probably the only stealth bomber that will stay that way for a long, long time.</p>
<p>Even though we&#8217;re seeing plenty of stealth technology being implemented, the sheer scale and size of the B-2 is overwhelming. It has the capacity to carry close to 40,000 lbs of ordnance. This includes the B61 and B83 nuclear bombs; the AGM-129 ACM cruise missile was also intended for use on the B-2 platform. Some people may argue that newer Russian bomber designs will have similar capabilities; I wouldn&#8217;t agree. This is not because Russian bombers won&#8217;t be able to provide the same (or greater) amount of stealth or carry similar ordnance packages, but because the deployment of stand-off weapons like cruise missiles is what the Russian air force is putting a big emphasis on these days.</p>
<p><a href="http://cdn.vrworld.com/wp-content/uploads/2015/03/1280px-B-2_first_flight_071201-F-9999J-034.jpg" rel="lightbox-0"><img class="aligncenter size-medium wp-image-50383" src="http://cdn.vrworld.com/wp-content/uploads/2015/03/1280px-B-2_first_flight_071201-F-9999J-034-600x484.jpg" alt="1280px-B-2_first_flight_071201-F-9999J-034" width="600" height="484" /></a></p>
<p>The B-2 is capable of all-altitude attack missions up to 50,000 feet (15,000 m), with a range of more than 6,000 nautical miles (11,000 km) on internal fuel and over 10,000 nautical miles (19,000 km) with one midair refueling. The last part is the main theme of this video: to keep the public interested in these airplanes, somebody at the U.S. DoD released a rather interesting showcase of the bomber&#8217;s capabilities.</p>
<p>As stealth is the main aspect of this airplane, the retractable fuel cover, which seemingly vanishes into pinpoint-precise alignment with the rest of the bomber&#8217;s exterior skin, is simply staggering. It seems like the bomber is alive: the part, once opened to receive fuel, simply rejoins the exterior shell almost without a single line being seen. To see how this thing works, please take a look at the video shown below.</p>
<p><iframe width="1140" height="641" src="https://www.youtube.com/embed/77G8NZv4kY8?feature=oembed" frameborder="0" allowfullscreen></iframe></p>
<p><strong>Images:</strong> First B-2 Image by U.S. Air Force photo/Staff Sgt. Bennie J. Davis III, second B-2 image by USAF</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2015/03/21/stealth-is-non-negotiable-with-the-b-2-bomber-it-seems/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How the FREAK SSL Flaw Could Have Been Prevented</title>
		<link>http://www.vrworld.com/2015/03/09/how-the-freak-ssl-flaw-could-have-been-prevented/</link>
		<comments>http://www.vrworld.com/2015/03/09/how-the-freak-ssl-flaw-could-have-been-prevented/#comments</comments>
		<pubDate>Mon, 09 Mar 2015 03:14:35 +0000</pubDate>
		<dc:creator><![CDATA[Brandon Shutt]]></dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Operating Systems]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[FREAK]]></category>
		<category><![CDATA[FREAK FLAW]]></category>
		<category><![CDATA[SSL]]></category>
		<category><![CDATA[TLS]]></category>

		<guid isPermaLink="false">http://www.vrworld.com/?p=49407</guid>
		<description><![CDATA[<p>Last week the world was panicking when the FREAK SSL flaw was discovered. Here's how to stop another one from occurring. </p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2015/03/09/how-the-freak-ssl-flaw-could-have-been-prevented/">How the FREAK SSL Flaw Could Have Been Prevented</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="1024" height="768" src="http://cdn.vrworld.com/wp-content/uploads/2015/03/Drama.jpg" class="attachment-post-thumbnail wp-post-image" alt="Drama" /></p><p>Since cryptographers from IMDEA, INRIA and Microsoft Research found a serious vulnerability in the SSL/TLS security standards that are used to keep passwords and other sensitive information safe in modern browsers, security researchers have been scrambling to uncover the range of everything that has been affected as a result.</p>
<p>Since then, it has been discovered that Microsoft&#8217;s (<a href="http://www.google.com/finance?cid=358464">NASDAQ: MSFT</a>) server software was vulnerable, along with a host of sensitive websites, including those of Facebook (<a href="http://www.google.com/finance?cid=296878244325128">NASDAQ: FB</a>), American Express (<a href="http://www.google.com/finance?cid=1033">NYSE: AXP</a>), the NSA, the White House, and others. Additionally, many of the most popular web browsers were vulnerable to the exploit: the extent was, on the whole, very impressive.</p>
<p>Parties using vulnerable computers could quickly find themselves on the receiving end of man-in-the-middle attacks that could be used to steal payment information, passwords, and other extremely sensitive data. Webmasters fared even worse, as the vulnerability could be used to inject malicious code onto server and web buttons.</p>
<p>Companies were quick to roll out patches and fixes for the attack, but this whole mess could have been mitigated, and definitely should not have happened in the first place.</p>
<h2>Who is responsible for the FREAK SSL exploit?</h2>
<p>Who is to blame for a flaw in the most commonly used security protocol in the world, that managed to affect more than one-third of websites offering SSL?</p>
<p>According to Matthew Green, a cryptographer at Johns Hopkins University, the flaw was built into SSL from the very start. &#8220;The SSL protocol itself was deliberately designed to be broken,&#8221; <a href="http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html">Green wrote on his blog</a>.</p>
<p>Back in the 1990s, when (it is fair to say) computers were significantly slower than they are today, and the World Wide Web was still in its infancy, cryptography was not very strong by modern standards. After Netscape revealed its new SSL technology, <a href="http://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States">the U.S. government was quick to regulate the standard</a>. U.S. versions of the browser came with 1024-bit public keys, but these keys could not be exported to other countries. The International edition was significantly weaker, with 512-bit public keys.</p>
<p>Since the government made this rule in the interests of being able to break into other nations&#8217; SSL, the standard was quite literally designed to be broken.</p>
<p>Since the 1990s, of course, computers have moved on, and so have politics. The U.S. has relaxed its laws about international encryption, and in 2013, a broad push was made to introduce 2048-bit SSL encryption, which is now the standard across the Internet.</p>
<p>So why, fifteen years later, are we being haunted by SSL&#8217;s poor security?</p>
<p>Because of the varying degrees of encryption offered by servers and browsers, &#8216;cipher suites&#8217; were used to negotiate the strongest available encryption standards between a client and a host. While this is barely used nowadays, the option still exists in the clockwork behind operating systems and browsers. The essence of the FREAK attack is, therefore, very simple: interrupt a vulnerable client, and downgrade its encryption from standard RSA to &#8216;export RSA&#8217;.</p>
<p>The resultant encryption is so weak by today&#8217;s standards that it can be cracked in a matter of hours using Amazon Web Services.</p>
<p>FREAK never needed to be an issue, and it&#8217;s the classic result of companies failing to keep up with rapidly deprecating technology standards.</p>
<h2>Fixing the FREAK SSL vulnerability</h2>
<p>Here are three ways to prevent another FREAK attack from occurring:</p>
<ol>
<li>The government should not try to regulate Internet security standards. The government should be involved in security, and it should certainly regulate the security of its own systems: but laws should not be in place that will hamper the development of security technologies in the private sector. Criminals will continue innovating, and computers will only get faster. The government cannot shut down the Internet, or control its rate of progress, and it shouldn&#8217;t try. When it does, bad things happen.</li>
<li>Software and web developers &#8211; especially larger ones, like Microsoft and Facebook &#8211; must actively curate their software for deprecated standards, and disable them. It can be a pain and a hassle to keep changing systems when old ones that worked in the past are in place. But a little pain in the present could prevent massive disasters down the road.</li>
<li>Consumers must be willing to let go of old, familiar technologies and upgrade to ones that are newer and safer on a consistent basis. Individuals &#8211; and especially companies &#8211; who insist on keeping software solutions that have been deprecated for decades must dedicate the time and money to keep up with the changing environment of threats and dangers by upgrading. At the very least, if they must keep the old solutions, they must seek ways to actively improve and safeguard them from potential exploits (similar to what the active Windows XP community is doing now).</li>
</ol>
<p>This isn&#8217;t a novelty, and it isn&#8217;t rocket science. This is common sense, and it&#8217;s what people should be doing in the first place.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2015/03/09/how-the-freak-ssl-flaw-could-have-been-prevented/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Updated: Xiaomi Hits Back Hard at Bluebox Labs’ Claims</title>
		<link>http://www.vrworld.com/2015/03/09/xiaomi-hits-back-hard-bluebox-labs-claims/</link>
		<comments>http://www.vrworld.com/2015/03/09/xiaomi-hits-back-hard-bluebox-labs-claims/#comments</comments>
		<pubDate>Sun, 08 Mar 2015 23:40:38 +0000</pubDate>
		<dc:creator><![CDATA[Sam Reynolds]]></dc:creator>
				<category><![CDATA[Android]]></category>
		<category><![CDATA[Asia Pacific (APAC)]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Global Politics]]></category>
		<category><![CDATA[Mobile Computing]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Operating Systems]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Bluebox Labs]]></category>
		<category><![CDATA[Hugo Barra]]></category>
		<category><![CDATA[Xiaomi]]></category>
		<category><![CDATA[Xiaomi security]]></category>

		<guid isPermaLink="false">http://www.vrworld.com/?p=49380</guid>
		<description><![CDATA[<p>Xiaomi representatives strongly rebut Bluebox Labs’ claims, and say the device tested was tampered with</p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2015/03/09/xiaomi-hits-back-hard-bluebox-labs-claims/">Updated: Xiaomi Hits Back Hard at Bluebox Labs’ Claims</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="770" height="511" src="http://cdn.vrworld.com/wp-content/uploads/2014/09/xiaomimipad09.jpg" class="attachment-post-thumbnail wp-post-image" alt="xiaomimipad09" /></p><p>Recently security consultancy Bluebox Labs <a href="http://www.vrworld.com/2015/03/06/bluebox-labs-xiaomi-phones-major-security-risk/">reported on some major security flaws </a>found in the latest Xiaomi Mi 4 phone. Xiaomi didn’t take this criticism lying down, and has prepared a lengthy <a href="https://bluebox.com/blog/technical/popular-xiaomi-phone-could-put-data-at-risk/">rebuttal </a>to Bluebox’s claims.</p>
<p>While Xiaomi had already called the report “inaccurate” in a statement to <i>VR World</i>, Hugo Barra, Xiaomi’s VP International responded to Bluebox Labs by saying the phone purchased by the company in China had been tampered with. It’s important to note that Bluebox had already tested the device to make sure that it was authentic and not a knockoff.</p>
<p>“We are certain the device that Bluebox tested is not using a standard MIUI ROM, as our factory ROM and OTA ROM builds are never rooted and we don’t pre-install services such as YT Service, PhoneGuardService, AppStats etc,” Barra said in his statement. “Bluebox could have purchased a phone that has been tampered with, as they bought it via a physical retailer in China. Xiaomi does not sell phones via third-party retailers in China, only via our official online channels and selected carrier stores.”</p>
<p>If Barra’s claim holds true, this brings up the very worrying issue of supply chain security, as Bluebox points out. If these &#8212; authentic &#8212; phones are modified by the retailer, or someone else in the supply chain, that’s incredibly concerning for device security and brand reputation.</p>
<p>Barra says that, to ensure authenticity, customers should only purchase Xiaomi phones from the official online store and “reputable retailers”. But what makes a “reputable retailer”? If the one Bluebox purchased its phone from &#8212; and it went to great lengths to ensure authenticity &#8212; isn’t reputable, then which ones are? After all, China is home to fake <a href="http://www.ithome.com/html/it/122503.htm">Xiaomi stores </a>(and fake Apple as well as Samsung stores too).</p>
<p>If indeed what Barra says is true, this is largely a lesson in supply chain security. All vendors need to ensure that the China side of their supply chain isn’t compromised by a man-in-the-middle attack. Because clearly even local companies aren’t immune.</p>
<p><strong>UPDATE: March 9 2015 11:00 AM China Standard Time</strong></p>
<p>Xiaomi emailed <em>VR World</em> further statements to expand upon what it told Bluebox Labs. Here&#8217;s the statement in full.</p>
<blockquote>
<div class="">There are glaring inaccuracies in the Bluebox blog post. Official Xiaomi devices do not come rooted and do not have malware pre-installed. Our investigation based on information received so far indicates that the phone Bluebox obtained is a counterfeit product purchased through an unofficial channel on the streets in China. We&#8217;re gathering more information to fully confirm this and should have a final answer in the next 24 hours.<br class="" /><br class="" />With the large parallel street market for mobile phones in China, not only is it somewhat common for third parties to tamper with the software sold on smartphones, but there are counterfeit products which are almost indistinguishable from the original products on the outside. This happens across all brands, affecting both Chinese and foreign smartphone companies selling in China. <br class="" /><br class="" />Furthermore, &#8220;entrepreneurial” retailers may add malware and adware to these devices, and even go to the extent of pre-installing modified copies of popular benchmarking software such as CPU-Z and Antutu, which will run &#8220;tests&#8221; showing the hardware is legitimate — fooling even very discerning buyers.<br class="" /><br class="" />Xiaomi takes all necessary measures to crack down on the manufacturers of fake devices or anyone who tampers with our software, supported by all levels of law enforcement agencies in China. However, for the safety of our users, Xiaomi and all smartphone brands always recommend buying phones through authorised channels. Xiaomi only sells via <a class="" href="http://Mi.com">Mi.com</a>, and a small number of Xiaomi trusted partners including mobile operators and select authorised retailers, such as Flipkart in India. <br class="" /><br class="" />In addition, contrary to what Bluebox has claimed, MIUI is true Android, which means MIUI follows exactly Android CDD, Google&#8217;s definition for compatible Android devices, and it passes all Android CTS tests, the process used by the industry to make sure a given device is fully Android compatible. All Xiaomi devices sold in China and international markets are fully Android compatible.</div>
</blockquote>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2015/03/09/xiaomi-hits-back-hard-bluebox-labs-claims/">Updated: Xiaomi Hits Back Hard at Bluebox Labs’ Claims</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2015/03/09/xiaomi-hits-back-hard-bluebox-labs-claims/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Bluebox Labs: Xiaomi Phones a Major Security Risk</title>
		<link>http://www.vrworld.com/2015/03/06/bluebox-labs-xiaomi-phones-major-security-risk/</link>
		<comments>http://www.vrworld.com/2015/03/06/bluebox-labs-xiaomi-phones-major-security-risk/#comments</comments>
		<pubDate>Fri, 06 Mar 2015 06:58:29 +0000</pubDate>
		<dc:creator><![CDATA[Sam Reynolds]]></dc:creator>
				<category><![CDATA[Android]]></category>
		<category><![CDATA[Mobile Computing]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Operating Systems]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Bluebox]]></category>
		<category><![CDATA[Bluebox Labs]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security flaws]]></category>
		<category><![CDATA[Xiaomi]]></category>

		<guid isPermaLink="false">http://www.vrworld.com/?p=49208</guid>
		<description><![CDATA[<p>Xiaomi devices ship with a number of security flaws due to the use of a forked version of Android. </p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2015/03/06/bluebox-labs-xiaomi-phones-major-security-risk/">Bluebox Labs: Xiaomi Phones a Major Security Risk</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="3182" height="2273" src="http://cdn.vrworld.com/wp-content/uploads/2014/10/Xiaomi-logo.jpg" class="attachment-post-thumbnail wp-post-image" alt="Xiaomi logo" /></p><p>Xiaomi devices have taken Asia by storm, providing fierce competition to established players such as Samsung (<a href="http://www.google.com/finance?cid=151610035517112">KRX: 005930</a>). Recently Xiaomi has been under the microscope for security issues, as it has <a href="http://www.vrworld.com/2014/09/24/xiaomi-fire-taiwan-security-issues/">been alleged</a> that these devices serve as a conduit that allows Chinese intelligence services to siphon users&#8217; data. However, a <a href="https://bluebox.com/technical/popular-xiaomi-phone-could-put-data-at-risk/">new report</a> by security consultancy Bluebox Labs shows that the real threat might come from sloppy coding.</p>
<p>The device tested by Bluebox researchers was the Xiaomi Mi 4. Like many smartphones from Chinese vendors, it ships with a forked (unofficial) version of Android branded as MIUI. Forked versions of Android do not undergo the same security vetting procedures from Google (<a href="http://www.google.com/finance?cid=694653">NASDAQ: GOOGL</a>) as official versions do.</p>
<p>Being a forked version of Android means that Google services are not available on the device. For example, the phone ships with a Google Play alternative called Mi Market. However, the researchers found that this version of Android appeared to be a combination of 4.4.4 and older versions. Doing a deep dive into the OS, the researchers found some conflicts at the API level. The device contains a mixture of API keys from Android 4.4 and Android 4.2 that are both test-keys (not for public use) and release-keys. As test-keys are not finalized, they ship with more security bugs than their final counterparts. However, the combination of both test and release keys could be incredibly problematic, as bugs will no doubt arise just by combining the two.</p>
<p><a href="http://cdn.vrworld.com/wp-content/uploads/2015/03/xiaomi-mi-4-6.jpg" rel="lightbox-0"><img class="aligncenter size-medium wp-image-49209" src="http://cdn.vrworld.com/wp-content/uploads/2015/03/xiaomi-mi-4-6-600x338.jpg" alt="xiaomi-mi-4-6" width="600" height="338" /></a></p>
<p>Bluebox researchers scanned the device for suspicious apps &#8212; malware, spyware or adware. They found three apps considered to be risky. The most problematic was an app called Yt Service, which disguises its developer package to make it look like it came from Google &#8212; which is not the case. Next were PhoneGuardService, which was identified as a Trojan, and AppStats, which is classified as riskware.</p>
<p>Bluebox gives the device a low trustable score of 2.6. Because they run a forked version of Android, Xiaomi devices ship with security flaws that Google patched long ago.</p>
<p>For its part, Xiaomi has not responded to Bluebox’s attempts at responsible disclosure &#8212; approaching the vendor first before going public.</p>
<p>Bluebox told <i>VR World</i> that it did not accept outside funding for this study.</p>
<p><strong>Update 4:50 China Standard Time:</strong></p>
<p>Xiaomi sent in this response:</p>
<blockquote><p>&#8220;We are investigating this matter now. There are glaring inaccuracies in the Bluebox blog post, as official Xiaomi devices do not come rooted and do not have any malware pre-installed. It is likely that the Mi 4 that Bluebox obtained has been tampered with.&#8221;</p></blockquote>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2015/03/06/bluebox-labs-xiaomi-phones-major-security-risk/">Bluebox Labs: Xiaomi Phones a Major Security Risk</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2015/03/06/bluebox-labs-xiaomi-phones-major-security-risk/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Lenovo Faces Lawsuits Over Superfish</title>
		<link>http://www.vrworld.com/2015/02/25/lenovo-faces-lawsuits-superfish/</link>
		<comments>http://www.vrworld.com/2015/02/25/lenovo-faces-lawsuits-superfish/#comments</comments>
		<pubDate>Wed, 25 Feb 2015 06:40:23 +0000</pubDate>
		<dc:creator><![CDATA[Sam Reynolds]]></dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Lenovo]]></category>
		<category><![CDATA[Superfish]]></category>

		<guid isPermaLink="false">http://www.vrworld.com/?p=47855</guid>
		<description><![CDATA[<p>Suit alleges installing Superfish was a “fraudulent” business practice. </p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2015/02/25/lenovo-faces-lawsuits-superfish/">Lenovo Faces Lawsuits Over Superfish</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="1200" height="675" src="http://cdn.vrworld.com/wp-content/uploads/2015/01/Lenovo-building.jpeg" class="attachment-post-thumbnail wp-post-image" alt="Lenovo-building" /></p><p>The Superfish that swam into many users’ PCs is proving to be a nightmare for Lenovo (<a href="http://www.google.com/finance?cid=674788">HKG:0992</a>).</p>
<p>The PC giant is facing two lawsuits over the Superfish adware (or malware, depending on your definition) that it <a href="http://www.vrworld.com/2015/02/19/lenovo-shipped-pcs-adware/">included</a> with some computers it shipped earlier this year.</p>
<p>The first, a <a href="http://www.businesswire.com/news/home/20150220005737/en/CONSUMER-COMPUTER-SECURITY-ALERT-Rosen-Law-Firm#.VO1pjPmUeX3">class-action suit</a>, alleges that Superfish negatively impacted the performance of plaintiffs’ computers by injecting ads into browsers. The lawsuit says that affected individuals should receive compensation of $10,000 each.</p>
<p>The second suit is an <a href="https://www.documentcloud.org/documents/1674514-gov-uscourts-casd-467335-1-0.html">individual suit</a> by blogger Jessica Bennett, which seeks the option to also be pursued as a class-action suit, as well as a jury trial.</p>
<p>Bennett alleges in her suit:</p>
<blockquote><p>Defendants&#8217; Spyware and popup advertisements decrease productivity by requiring that hours be spent figuring out how to get them off of a computer, closing advertising windows, and waiting for a slower machine to operate. Furthermore, computer users are forced to keep their computers running longer (due to the slowed performance) which utilizes more electricity, decreases the useful life of a computer, and causes increased Internet access charges. The cumulative impact of not only multiple ads, but also the threat of future ads and monitoring, impedes computer usage.</p></blockquote>
<p>For its part, Lenovo has apologized and has offered users a tool to remove Superfish altogether.</p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2015/02/25/lenovo-faces-lawsuits-superfish/">Lenovo Faces Lawsuits Over Superfish</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2015/02/25/lenovo-faces-lawsuits-superfish/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Qihoo’s 360 Security Also Claims 100 Million Record</title>
		<link>http://www.vrworld.com/2015/02/20/qihoos-360-security-also-claims-100-million-record/</link>
		<comments>http://www.vrworld.com/2015/02/20/qihoos-360-security-also-claims-100-million-record/#comments</comments>
		<pubDate>Fri, 20 Feb 2015 02:22:02 +0000</pubDate>
		<dc:creator><![CDATA[Sam Reynolds]]></dc:creator>
				<category><![CDATA[Asia Pacific (APAC)]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Global Politics]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[360 Security]]></category>
		<category><![CDATA[Cheetah Mobile]]></category>
		<category><![CDATA[Qihoo]]></category>

		<guid isPermaLink="false">http://www.vrworld.com/?p=47641</guid>
		<description><![CDATA[<p>Cheetah Mobile has some competition in the race to 100 million. </p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2015/02/20/qihoos-360-security-also-claims-100-million-record/">Qihoo’s 360 Security Also Claims 100 Million Record</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="600" height="376" src="http://cdn.vrworld.com/wp-content/uploads/2015/02/qihoo-360.jpg" class="attachment-post-thumbnail wp-post-image" alt="qihoo-360" /></p><p>Earlier this month Cheetah Mobile &#8212; a China-based mobile app company with a sizable presence in Taipei &#8212; <a href="http://www.vrworld.com/2015/02/10/cheetah-mobile-hits-100-million-downloads-cm-security-suite/">announced</a> that its CM Security suite hit the 100 million download mark in a year and a day, beating many well-known apps such as Line and Instagram. Not to be outdone by its rival, Qihoo announced Friday that its 360 Security App had also hit the 100 million milestone &#8212; but all from international users.</p>
<p>“We’re thrilled that 100 million users internationally are embracing 360 Security and supporting our mission to secure mobile live worldwide,” said Huang Yan, Head of Product at 360 Security Group, in a press release. “It’s clear that our rejuvenated focus on delivering critical features that quickly and easily keep 360 Security users’ Android smartphones in top shape is satisfying the market’s growing demand for optimization and security apps.”</p>
<p>According to data from <a href="http://www.appannie.com/">App Annie</a>, a mobile app analytics firm, 360 Security is the most downloaded Google Play app in five countries, and a top-10 most downloaded app in 34 countries globally.</p>
<p>However, 360 Security did not say how long it took for its app to reach the 100 million mark. It could be that Cheetah Mobile’s CM Security still has the record for growth.</p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2015/02/20/qihoos-360-security-also-claims-100-million-record/">Qihoo’s 360 Security Also Claims 100 Million Record</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2015/02/20/qihoos-360-security-also-claims-100-million-record/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Lenovo Shipped PCs with Adware</title>
		<link>http://www.vrworld.com/2015/02/19/lenovo-shipped-pcs-adware/</link>
		<comments>http://www.vrworld.com/2015/02/19/lenovo-shipped-pcs-adware/#comments</comments>
		<pubDate>Thu, 19 Feb 2015 10:52:11 +0000</pubDate>
		<dc:creator><![CDATA[Sam Reynolds]]></dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Adware]]></category>
		<category><![CDATA[Lenovo]]></category>
		<category><![CDATA[Superfish]]></category>

		<guid isPermaLink="false">http://www.vrworld.com/?p=47586</guid>
		<description><![CDATA[<p>Superfish is more of a badfish with the security threat it poses. </p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2015/02/19/lenovo-shipped-pcs-adware/">Lenovo Shipped PCs with Adware</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="1200" height="675" src="http://cdn.vrworld.com/wp-content/uploads/2015/01/Lenovo-building.jpeg" class="attachment-post-thumbnail wp-post-image" alt="Lenovo-building" /></p><p>Recently buy a PC from Lenovo (<a href="http://www.google.com/finance?cid=674788">HKG: 0992</a>)? It might have shipped with a nasty piece of adware &#8212; which borders on malware &#8212; called Superfish.</p>
<p>Superfish is a piece of manufacturer bloatware that dubs itself a “visual search engine”.</p>
<p>However, many users have complained that it has been injecting ads into their web browsers.</p>
<p>According to company representatives, it instantly analyses images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is.</p>
<p>While most software like this is passed over and ignored by customers, this nasty piece of code does more: it injects ads into the user’s web browser by means of a man-in-the-middle root certificate, effectively hijacking the pathway between the browser and the server. This poses a potential security risk: if Superfish is somehow compromised, the SSL connection between a user’s browser and a secure website, like a bank, would be vulnerable to eavesdropping by a third party.</p>
<blockquote class="twitter-tweet" lang="en"><p>This is a problem. <a href="https://twitter.com/hashtag/superfish?src=hash">#superfish</a> <a href="http://t.co/jKDfSo99ZR">pic.twitter.com/jKDfSo99ZR</a></p>
<p>— Kenn White (@kennwhite) <a href="https://twitter.com/kennwhite/status/568270748638318593">February 19, 2015</a></p></blockquote>
<p>Superfish has been categorized by nearly a <a href="https://www.virustotal.com/en/file/dc937aec71daf6ebcb5876c3e9ba26846d6c4678cb95c60fc9dde6ff81b5323a/analysis/">dozen</a> antivirus providers as adware, a trojan, or an otherwise potentially harmful and unwanted program.</p>
<p>A Lenovo representative said on a customer support forum that the software will be removed from future Lenovo machines, and work is underway to create a patch to remove the ad injection.</p>
<p><strong>Update: Lenovo sent in this statement:</strong></p>
<blockquote><p>Superfish has completely disabled server side interactions (since January) on all Lenovo products so that the product is no longer active.  This disables Superfish for all products in market.</p>
<p>2)      Lenovo stopped preloading the software in January.</p>
<p>3)      We will not preload this software in the future.</p>
<p>We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.  But we know that users reacted to this issue with concern, and so we have taken direct action to stop shipping any products with this software.  We will continue to review what we do and how we do it in order to ensure we put our user needs, experience and priorities first.</p>
<p>To be clear, Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior.  It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted.   Every session is independent. Users are given a choice whether or not to use the product.  The relationship with Superfish is not financially significant; our goal was to enhance the experience for users.  We recognize that the software did not meet that goal and have acted quickly and decisively.</p>
<p>We are providing support on our forums for any user with concerns.  Our goal is to find technologies that best serve users.  In this case, we have responded quickly to negative feedback, and taken decisive actions to ensure that we address these concerns.  If users still wish to take further action, detailed information is available at <a href="http://forums.lenovo.com">http://forums.lenovo.com</a>.</p></blockquote>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2015/02/19/lenovo-shipped-pcs-adware/">Lenovo Shipped PCs with Adware</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2015/02/19/lenovo-shipped-pcs-adware/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Kaspersky Lab Researchers Discover Malware That Lurks in HDD Firmware</title>
		<link>http://www.vrworld.com/2015/02/17/kaspersky-lab-researchers-discover-malware-lurks-hdd-firmware/</link>
		<comments>http://www.vrworld.com/2015/02/17/kaspersky-lab-researchers-discover-malware-lurks-hdd-firmware/#comments</comments>
		<pubDate>Tue, 17 Feb 2015 07:27:37 +0000</pubDate>
		<dc:creator><![CDATA[Sam Reynolds]]></dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[equation group]]></category>
		<category><![CDATA[Kaspersky Lab]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[virus]]></category>

		<guid isPermaLink="false">http://www.vrworld.com/?p=47421</guid>
		<description><![CDATA[<p>Malware is traced back to the likely NSA-affiliated ‘Equation Group’.</p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2015/02/17/kaspersky-lab-researchers-discover-malware-lurks-hdd-firmware/">Kaspersky Lab Researchers Discover Malware That Lurks in HDD Firmware</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="1302" height="625" src="http://cdn.vrworld.com/wp-content/uploads/2015/02/hd-classes.jpg" class="attachment-post-thumbnail wp-post-image" alt="hd-classes" /></p><p>Nearly a decade before Stuxnet and Flame were household words, malware with some genetic similarities was infecting computers in targeted regions across the globe, stealthily burrowing itself into hard disks and flash drives.</p>
<p>That was the topic of a <a href="https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf">report</a> presented by Kaspersky Lab researchers at the group’s annual summit in Cancun, Mexico. Kaspersky Lab said that the malware is some of the most advanced it has ever seen, and has traced its origins back to as early as 2001. Researchers from Kaspersky Lab have given the organization behind the malware platform the name “the Equation Group” (likely because of its preference for mathematically complex attacks) and the actual software names such as EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny and GrayFish.</p>
<p>&#8220;The Equation group is probably one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we have seen,&#8221; Kaspersky Lab said in its report.</p>
<p>Out of the toolset discovered by Kaspersky Lab researchers, two items stand out for their complexity: Fanny and GrayFish.</p>
<p>According to researchers, the purpose of Fanny is to map out air-gapped networks, and allow for malicious commands sent from a master server to run on these networks.</p>
<p><a href="http://cdn.vrworld.com/wp-content/uploads/2015/02/Fanny-640x7841.png" rel="lightbox-0"><img class="aligncenter size-medium wp-image-47423" src="http://cdn.vrworld.com/wp-content/uploads/2015/02/Fanny-640x7841-490x600.png" alt="Fanny-640x7841" width="490" height="600" /></a></p>
<p>The bridge between the air-gapped network and the internet is a USB stick with crippled firmware and a hidden storage volume. The name Fanny comes from a file, Fanny.bmp, that has been found on all infected USB drives. The report says that the majority of these USB drives were found in the Middle East. Around the world, the infected USB drives were found in 30 different countries.</p>
<p><a href="http://cdn.vrworld.com/wp-content/uploads/2015/02/Equation_1.jpg" rel="lightbox-1"><img class="aligncenter size-medium wp-image-47422" src="http://cdn.vrworld.com/wp-content/uploads/2015/02/Equation_1-600x199.jpg" alt="Equation_1" width="600" height="199" /></a></p>
<p>The other highlight of the malware discovered is GrayFish. GrayFish is able to burrow itself into the firmware of HDDs and SSDs. Deep rewrites and formatting of the drive do nothing to remove the malware, as it’s stuck in the firmware of the drive itself. The only way to destroy GrayFish is to destroy the drive itself. Kaspersky said that the malware has been discovered in the firmware of 12 major manufacturers of HDDs and SSDs.</p>
<p>Kaspersky Labs doesn’t directly suggest that the malware suite is the product of efforts by the NSA, but says that it’s definitely the outcome of efforts by a highly advanced electronic intelligence organization.</p>
<p>In 2012 <a href="http://www.wired.com/2012/07/ff_kaspersky/all/"><i>Wired</i></a> magazine published an interesting feature, outlining the relationship between the founder of Kaspersky Labs and Russian intelligence services. It’s worth a read considering the group’s report.</p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2015/02/17/kaspersky-lab-researchers-discover-malware-lurks-hdd-firmware/">Kaspersky Lab Researchers Discover Malware That Lurks in HDD Firmware</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2015/02/17/kaspersky-lab-researchers-discover-malware-lurks-hdd-firmware/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IT: It’s the Place to be for Job Hunting</title>
		<link>http://www.vrworld.com/2015/02/11/place-job-hunting/</link>
		<comments>http://www.vrworld.com/2015/02/11/place-job-hunting/#comments</comments>
		<pubDate>Wed, 11 Feb 2015 02:45:10 +0000</pubDate>
		<dc:creator><![CDATA[Darleen Hartley]]></dc:creator>
				<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Mobile Computing]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Anthem Blue Cross]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[CompTIA]]></category>
		<category><![CDATA[employee benefits]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[IT industry]]></category>
		<category><![CDATA[job hunting]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.vrworld.com/?p=46970</guid>
		<description><![CDATA[<p>As unemployment wavers, people with IT skills are sought after.</p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2015/02/11/place-job-hunting/">IT: It’s the Place to be for Job Hunting</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="980" height="533" src="http://cdn.vrworld.com/wp-content/uploads/2015/02/Chart_IT-Unemployment-980.jpg" class="attachment-post-thumbnail wp-post-image" alt="Chart_IT Unemployment 980" /></p><p>Job seekers, rejoice. While unemployment tries to recover from stagnation, the IT industry has a bright outlook. <a href="http://www.comptia.org/resources/it-industry-outlook-2015">CompTIA</a>, a professional IT certification company, predicts a worldwide expansion in the industry of around five percent, with only Canada and the UK lagging behind.</p>
<p>Companies are understaffed already in the technology department and 70 percent of managers report they expect to have a shortage of IT professionals to draw from to fill the gaps. The CompTIA report pegs unemployment in the IT industry lower than that of other fields nationally. In 2012, the Bureau of Labor Statistics averaged the unemployment rate for technology professionals at 4.4, about half the national average at that time. The image breaks that down by position. The picture hasn’t changed much.</p>
<p>A shifting environment due to acquisitions and mergers adds to the complexity of staffing. Not surprisingly, top on the list for growth are areas that make headlines: cloud computing, mobile, and as indicated by events such as <a href="http://www.wsj.com/articles/investigators-eye-china-in-anthem-hack-1423167560">Anthem Blue Cross’s hack attack</a>, security. Established entities with familiar names have cash flow to entice employees with salaries and uncommon benefits that go beyond such traditional subsidies as health insurance.</p>
<p>If you plan to go job hunting, you might want to arm yourself with some hardware and software skills. That’s what companies continue to search for when interviewing applicants.</p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2015/02/11/place-job-hunting/">IT: It’s the Place to be for Job Hunting</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2015/02/11/place-job-hunting/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cheetah Mobile Hits 100 Million Downloads With CM Security Suite</title>
		<link>http://www.vrworld.com/2015/02/10/cheetah-mobile-hits-100-million-downloads-cm-security-suite/</link>
		<comments>http://www.vrworld.com/2015/02/10/cheetah-mobile-hits-100-million-downloads-cm-security-suite/#comments</comments>
		<pubDate>Tue, 10 Feb 2015 15:00:08 +0000</pubDate>
		<dc:creator><![CDATA[Sam Reynolds]]></dc:creator>
				<category><![CDATA[Asia Pacific (APAC)]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Global Politics]]></category>
		<category><![CDATA[Mobile Computing]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[CM Security Suite]]></category>
		<category><![CDATA[Taiwan]]></category>

		<guid isPermaLink="false">http://www.vrworld.com/?p=46960</guid>
		<description><![CDATA[<p>Cross Strait mobile app team beats Line and Instagram to the 100 million mark with the CM Security Suite, but can it continue growing?</p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2015/02/10/cheetah-mobile-hits-100-million-downloads-cm-security-suite/">Cheetah Mobile Hits 100 Million Downloads With CM Security Suite</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="1600" height="1067" src="http://cdn.vrworld.com/wp-content/uploads/2015/02/Cheetah-Mobile-Executives-Taiwan.jpg" class="attachment-post-thumbnail wp-post-image" alt="Cheetah Mobile Executives -Taiwan" /></p><p>Cheetah Mobile’s (<a href="http://www.google.com/finance?cid=60490336657357">NYSE: CMCM</a>) suite of mobile utility apps &#8212; anchored by the CM Security Suite &#8212; is not a household name for many outside of China but it should be considering the popularity of its app suite. China’s Cheetah Mobile had an impressive period of growth during the last year, opening an office in Taipei and launching the CM Security Suite &#8212; which has beaten better known apps to the 100 million mark in record time.</p>
<p>While Line &#8212; a popular instant messaging app in Japan, Taiwan and Southeast Asia &#8212; took a year-and-a-half to hit the 100 million mark, and Instagram took just over a year, Cheetah Mobile’s CM Suite hit that critical mark in only 357 days and maintains a rating of 4.7 on Google Play. The growth in user data backs this up: according to Fu, the company’s user base has grown by 900% since 2013. As of Q3 2014, the company has 340 million active users with 70% from outside China (and a big presence in the US and EU). On Google Play, the CM Security Suite is holding steady at number 3, behind Facebook. Revenue, says Fu, has grown by 140% per year, three years in a row.</p>
<p>At a press event in Taipei, Cheetah Mobile CEO Sheng Fu credited the success of CM Suite to the company’s policy of being hyper-reactive to the needs of customers. He pointed to the frequent updates his company pushes out for CM Security &#8212; three per week &#8212; as proof.</p>
<p>While Cheetah Mobile has had success with impressive growth in its user base and revenue, like many Internet companies with a mobile focus, sustaining profitability continues to be a concern. Its Q3 2014 earnings <a href="http://seekingalpha.com/article/2668635-cheetah-mobile-q3-2014-review-that-doesnt-impress-me-much?page=1">came in flat</a>, and analysts were bearish about continued growth prospects in light of increased competition from the likes of Baidu (<a href="http://www.google.com/finance?cid=700029">NASDAQ: BIDU</a>) and Qihoo (<a href="http://www.google.com/finance?cid=15984519">NYSE: QIHU</a>). That being said, the stock has been on something of a rally throughout February.</p>
<p>Cheetah Mobile and its CM Security Suite are an impressive achievement in the up-and-coming market for mobile security apps, as well as in cross-strait cooperation in software development. Getting to 100 million downloads so quickly is a testament to the quality of its products. However, China’s internet industry is not immune to the bubbles that have frequently popped in the US, meaning that Cheetah Mobile will have to work hard to sustain such impressive growth in the future.</p>
<p><em>Photo caption: Executives from Cheetah Mobile&#8217;s Beijing and Taipei offices at a press event in Taipei&#8217;s Beitou suburb. </em></p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2015/02/10/cheetah-mobile-hits-100-million-downloads-cm-security-suite/">Cheetah Mobile Hits 100 Million Downloads With CM Security Suite</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2015/02/10/cheetah-mobile-hits-100-million-downloads-cm-security-suite/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Uber Android App Watches Your Every Move</title>
		<link>http://www.vrworld.com/2014/12/01/uber-android-app-watches-every-move/</link>
		<comments>http://www.vrworld.com/2014/12/01/uber-android-app-watches-every-move/#comments</comments>
		<pubDate>Tue, 02 Dec 2014 04:42:30 +0000</pubDate>
		<dc:creator><![CDATA[Sam Reynolds]]></dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[privacy concerns]]></category>
		<category><![CDATA[Uber]]></category>

		<guid isPermaLink="false">http://www.brightsideofnews.com/?p=42318</guid>
		<description><![CDATA[<p> Security researcher picks apart Uber’s app and finds it resembles something out of 1984.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="640" height="427" src="http://cdn.vrworld.com/wp-content/uploads/2014/11/uberlogo_large_verge_medium_landscape.png" class="attachment-post-thumbnail wp-post-image" alt="uberlogo_large_verge_medium_landscape" /></p><p>Uber has not had a great month for publicity, with all sorts of accusations being directed at the company for its business model and behaviour. Now, the company faces another PR challenge as a security researcher has found that the company’s Android app hoovers up all sorts of data on its users.</p>
<p>According to security researcher Joe Giron, Uber’s app sends back a litany of data from the user’s phone &#8212; most of it unrelated to the app’s functionality. Below is a list of the data that Uber sends back from the user’s phone:</p>
<blockquote><p>– <b>Accounts log</b></p>
<p>– <b>App Activity</b></p>
<p>– <b>App Data Usage</b></p>
<p>– <b>App Install</b></p>
<p>– <b>Battery</b></p>
<p>– <b>Device</b></p>
<p>– <b>GPS</b></p>
<p>– <b>NetData</b></p>
<p>– <b>PhoneCall</b></p>
<p>– <b>SMS</b></p>
<p>– <b>TelephonyInfo</b></p>
<p>– <b>WifiConnection</b></p>
<p>– <b>WifiNeighbors</b></p>
<p>– <b>Root Check</b></p>
<p>– <b>Malware Info</b></p></blockquote>
<p>For Uber, having this data is advantageous, but its collection &#8212; especially without clearly informing the user &#8212; is unethical. Uber’s business model requires the company to have strong analytics data to plot its next moves, but this appears to be coming at the expense of users’ privacy.</p>
<p>Uber, for its part, has shifted blame to Google when confronted by the press on the issue.</p>
<p>“Access to permissions including Wi-Fi networks and camera are included so that users can experience full functionality of the Uber app. This is not unique to Uber, and downloading the Uber app is of course optional,” the company said in a public statement.</p>
<p>Technology blog <i>Re/Code</i> notes that Uber competitor Lyft also has an extensive permissions set.</p>
<p>But unless Uber, or Lyft, comes out with a satisfactory explanation of why it needs all this data, users will be rightfully skeptical of the company’s intentions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2014/12/01/uber-android-app-watches-every-move/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>One Fifth of Japanese Have Lost a Smartphone, According to Survey</title>
		<link>http://www.vrworld.com/2014/11/26/one-fifth-japanese-lost-smartphone-according-survey/</link>
		<comments>http://www.vrworld.com/2014/11/26/one-fifth-japanese-lost-smartphone-according-survey/#comments</comments>
		<pubDate>Wed, 26 Nov 2014 04:00:59 +0000</pubDate>
		<dc:creator><![CDATA[Christian Crisostomo]]></dc:creator>
				<category><![CDATA[Japan]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Lookout]]></category>
		<category><![CDATA[lost phone]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[smartphone]]></category>
		<category><![CDATA[survey]]></category>

		<guid isPermaLink="false">http://www.vrworld.com/?p=40721</guid>
		<description><![CDATA[<p>A small sample research done by Lookout Inc. Japan reveals that at least one out of five people in Japan have experienced losing their smartphones.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="650" height="337" src="http://cdn.vrworld.com/wp-content/uploads/2014/11/lookoutjapanlostphone.jpg" class="attachment-post-thumbnail wp-post-image" alt="lookoutjapanlostphone" /></p><p>A <a href="http://androwire.jp/articles/2014/11/18/04/index.html">research survey recently published</a> by the Japanese branch of San Francisco-based security firm Lookout Inc. indicates that Japanese users may actually lose their smartphones quite frequently. The survey revealed that at least one in every five smartphone users had experienced losing their smartphone at one time.</p>
<p>The survey&#8217;s conclusion was based on data collected from a small sample of about 1,000 users throughout the country. Approximately 23% of the group reported having lost at least one smartphone at some point. A considerable majority of the people in the group live in busy cities and are fairly young, averaging about 18 to 24 years of age.</p>
<p>As for where exactly they lose their smartphones, the most common place was public transportation, especially trains and subways, or facilities and establishments near them. Second on the list were commercial establishments, such as shopping malls or market districts. Prefecture-wise, the region with the most users having lost their smartphones was Okinawa Prefecture (44%).</p>
<p>The issue of lost mobile phones holds more digital security risks today than before, mainly because sensitive and private data are now frequently and regularly used on smartphones. When questioned about data recovery, the general consensus of the entire sample was that they would be willing to pay as much as 50,000 yen ($424.00) to recover and secure the lost data.</p>
<p>The data obtained from the survey will be used by Lookout Inc. to provide the appropriate security solutions and applications for future lost smartphones.</p>
<p>Weirdly enough, at least 11% of the entire sample also reported losing their smartphones; however, this group reported recovering their lost phones after a specific period of time.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2014/11/26/one-fifth-japanese-lost-smartphone-according-survey/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Regin: Stuxnet&#039;s Best Spying Malware Cousin</title>
		<link>http://www.vrworld.com/2014/11/24/regin-stuxnets-best-spying-malware-cousin/</link>
		<comments>http://www.vrworld.com/2014/11/24/regin-stuxnets-best-spying-malware-cousin/#comments</comments>
		<pubDate>Tue, 25 Nov 2014 00:21:36 +0000</pubDate>
		<dc:creator><![CDATA[Anshel Sag]]></dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Enterprise]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Backdoor]]></category>
		<category><![CDATA[Backdoor.Regin]]></category>
		<category><![CDATA[Espionage]]></category>
		<category><![CDATA[GSM]]></category>
		<category><![CDATA[ISP]]></category>
		<category><![CDATA[Kaspersky]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[Regin]]></category>
		<category><![CDATA[Russia]]></category>
		<category><![CDATA[Spy]]></category>
		<category><![CDATA[Symantec]]></category>

		<guid isPermaLink="false">http://www.brightsideofnews.com/?p=42133</guid>
		<description><![CDATA[<p>Regin is a new type of sophisticated malware that deeply embeds itself within a country, company or organization for the purpose of espionage.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="1280" height="800" src="http://cdn.vrworld.com/wp-content/uploads/2014/11/Regin-graph-two.png" class="attachment-post-thumbnail wp-post-image" alt="Regin Graph Kaspersky" /></p><ol>
<li class="mod">
<div class="_oDd _YXc" data-hveid="31">
<div class="_Tgc"><b>Regin</b>. /ˈreɪɡɪn/ 1. (Norse myth) a dwarf smith, tutor of Sigurd, whom he encouraged to kill Fafnir for the gold he guarded.</div>
</div>
</li>
</ol>
<p>Regin is essentially a murderous dwarf who is caught/killed by his own greed. This Norse mythology is at its core a description of the Regin virus that has injected itself across the globe and today has finally been brought to light by Symantec and Kaspersky researchers. The Regin cybervirus has been tracked over the course of the past few years by security firms like Symantec, Kaspersky and McAfee, but they simply did not have enough data to build the whole picture of the computer virus&#8217; scope or its target. As a result, this research has been going on for quite some time and today multiple security companies have published their findings on the Regin malware and what it seeks to accomplish once it has infected a system.</p>
<p><img class="aligncenter size-full wp-image-42138" src="http://cdn.vrworld.com/wp-content/uploads/2014/11/Sectors.png" alt="Sectors" width="380" height="327" /></p>
<p>According to <a href="http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance" target="_blank">Symantec&#8217;s research</a>, Regin is being used as a covert espionage tool to go after very specific targets and infect them at a very deep level to either gain access to information or to gain access to a user of that network&#8217;s information. They say that Regin is a very complicated and highly encrypted piece of malware that hides its final form from anyone looking to find it unless they have access to all five stages of the malware&#8217;s unpacking. They detail the process <a href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf" target="_blank">in their technical whitepaper</a> but it is essentially a multi-stage virus that hides its ultimate target and execution unless users can obtain every form/stage of the virus&#8217; unpacking until it becomes the final payload.</p>
<p><a href="http://cdn.vrworld.com/wp-content/uploads/2014/11/Regin-graph-three.png" rel="lightbox-0"><img class="aligncenter size-full wp-image-42136" src="http://cdn.vrworld.com/wp-content/uploads/2014/11/Regin-graph-three.png" alt="Regin-graph-three" width="1671" height="858" /></a></p>
<p>This multi-stage approach is similar to what was seen from Duqu and Stuxnet and is once again very likely to be a sovereign-built piece of malware from some government. And as you can see, the targets that it goes after are very broad and appear to be focused mostly on developing countries, with Russia, Belgium and Germany being the exceptions. Those countries, according to Kaspersky, are:</p>
<p>Algeria<br />
Afghanistan<br />
Belgium<br />
Brazil<br />
Fiji<br />
Germany<br />
Iran<br />
India<br />
Indonesia<br />
Kiribati<br />
Malaysia<br />
Pakistan<br />
Russia<br />
Syria</p>
<p>However, if you use Symantec&#8217;s data, the list of countries actually expands to include Saudi Arabia, Austria, Ireland and Mexico.</p>
<div id="attachment_42134" style="width: 454px" class="wp-caption aligncenter"><a href="http://cdn.vrworld.com/wp-content/uploads/2014/11/Countries.png" rel="lightbox-1"><img class="size-full wp-image-42134" src="http://cdn.vrworld.com/wp-content/uploads/2014/11/Countries.png" alt="Regin Countries" width="444" height="366" /></a><p class="wp-caption-text">Regin Countries</p></div>
<p>Additionally, <a href="http://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/" target="_blank">Kaspersky discovered</a> a strong attack on GSM networks, especially in the case of Belgium, where an entire operator was infiltrated by this malware and publicly announced that it had been attacked, but was not aware of the perpetrator or the target. What&#8217;s interesting, however, is that both Kaspersky and Symantec discovered that this malware&#8217;s structure and payload delivery system (the multi-stage approach) were specifically designed to obscure the malware&#8217;s existence, and once it had infected a system it was designed to be inconspicuous as it continued to linger on the infected system, making detection incredibly difficult.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2014/11/24/regin-stuxnets-best-spying-malware-cousin/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Jolla Announces Open Source Jolla Tablet with Intel Inside</title>
		<link>http://www.vrworld.com/2014/11/19/jolla-announces-open-source-jolla-tablet-with-intel-inside/</link>
		<comments>http://www.vrworld.com/2014/11/19/jolla-announces-open-source-jolla-tablet-with-intel-inside/#comments</comments>
		<pubDate>Wed, 19 Nov 2014 19:27:59 +0000</pubDate>
		<dc:creator><![CDATA[Anshel Sag]]></dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Hardware]]></category>
		<category><![CDATA[Mobile Computing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Crowdfunded]]></category>
		<category><![CDATA[Crowdfunding]]></category>
		<category><![CDATA[Jolla]]></category>
		<category><![CDATA[Jolla Tablet]]></category>
		<category><![CDATA[Open Source]]></category>
		<category><![CDATA[Sailfish OS]]></category>

		<guid isPermaLink="false">http://www.brightsideofnews.com/?p=41920</guid>
		<description><![CDATA[<p>Jolla has announced their own crowdfunded open source tablet based on their open source Sailfish OS 2 operating system powered by Intel mobile processors.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="980" height="600" src="http://cdn.vrworld.com/wp-content/uploads/2014/11/Jolla-Tablet.jpg" class="attachment-post-thumbnail wp-post-image" alt="Jolla Tablet" /></p><p>Today, Jolla, the open source operating system and phone, announced it is now going to have its own tablet as well.</p>
<p><a href="http://jolla.com/tablet" target="_blank">The Jolla Tablet</a> is the company&#8217;s first tablet, featuring a 7.85&#8243; screen and an Intel quad Core mobile SoC. This tablet is going to sell for under $200, which may make it one of the best deals in the tablet world next year. While the Jolla tablet runs the open source Sailfish OS, it also has some awesome aspects to it that make it more consumer friendly, like the fact that it has 32 GB of storage as well as an SD card slot, something that the iPad, Nexus 9 and <a title="Nokia Returns with Nokia N1 Tablet by Foxconn" href="http://www.brightsideofnews.com/2014/11/18/nokia-returns-nokia-n1-tablet-foxconn/" target="_blank">the newly announced Nokia N1</a> don&#8217;t have.</p>
<p>But there are some compromises here: it has a slower 1.8 GHz Intel chip, 2GB of RAM and a 4300 mAh battery, which is only 30% more than the current crop of smartphones. The Nexus 9 and iPad Mini 3 both have more than 50% more battery capacity than the Jolla Tablet, so I would suspect that battery life will not be this tablet&#8217;s strong suit, unfortunately. It also only has 802.11 a/b/g/n Wi-Fi and no MIMO, which means that battery life will likely be even worse due to weaker Wi-Fi signal. Battery life should be a major concern for this device and isn&#8217;t even mentioned once anywhere in Jolla&#8217;s documentation. It also sports a measly 5mp main camera and a 2mp front-facing camera. Once again, I am not a huge fan of tablet photography, but this is probably a way that Jolla is able to get the Jolla Tablet&#8217;s cost so far below its competitors while still having that &#8216;camera&#8217; tick box functionality.</p>
<div id="attachment_41922" style="width: 629px" class="wp-caption aligncenter"><a href="http://cdn.vrworld.com/wp-content/uploads/2014/11/JollaSpecs.jpg" rel="lightbox-0"><img class="size-full wp-image-41922" src="http://cdn.vrworld.com/wp-content/uploads/2014/11/JollaSpecs.jpg" alt="Jolla Tablet Specs" width="619" height="782" /></a><p class="wp-caption-text">Jolla Tablet Specs</p></div>
<p>What is awesome about this tablet, however, is that it is <a href="https://www.indiegogo.com/projects/jolla-tablet-world-s-first-crowdsourced-tablet" target="_blank">completely crowdfunded on Indiegogo</a> and they have only opened up the campaign today and are already over 200% of their goal and are very likely to run out of tablets to sell within the day. So, this tablet is both open source and crowdfunded and not like <a title="Ubuntu Edge – An Ubuntu Based Phone on Indiegogo" href="http://www.brightsideofnews.com/2013/07/22/ubuntu-edge-a-dual-os-high-end-superphone-on-indiegogo/" target="_blank">the project from Canonical</a> where they wanted the public to completely fund the profitability of Canonical through a crowdsourcing campaign.</p>
<p>It also appears that Intel&#8217;s success in the mobile space in 2015 will be much better than it was in 2014, even if they are only partnering with emerging brands. If Intel properly ties itself to up-and-coming projects and products, it may actually find a way into the market and test its capabilities with the biggest customers later on. The expected delivery date is May 2015. After that, they will very likely start putting the tablet up for sale for around $200 (they said $189).</p>
<p>There&#8217;s an almost certain chance they will sell out; the question is whether it will be today or not, which is currently looking very likely. Below, you can watch Jolla&#8217;s promotional video about the Jolla Tablet.</p>
<p><iframe src="//www.youtube.com/embed/jBQdfcLhts8" width="1280" height="720" frameborder="0" allowfullscreen="allowfullscreen"></iframe></p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2014/11/19/jolla-announces-open-source-jolla-tablet-with-intel-inside/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ted Cruz Falsely Likens Net Neutrality to Obamacare</title>
		<link>http://www.vrworld.com/2014/11/10/ted-cruz-falsely-likens-net-neutrality-obamacare/</link>
		<comments>http://www.vrworld.com/2014/11/10/ted-cruz-falsely-likens-net-neutrality-obamacare/#comments</comments>
		<pubDate>Tue, 11 Nov 2014 01:31:27 +0000</pubDate>
		<dc:creator><![CDATA[Anshel Sag]]></dc:creator>
				<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[AT&T]]></category>
		<category><![CDATA[cable]]></category>
		<category><![CDATA[comcast]]></category>
		<category><![CDATA[fcc]]></category>
		<category><![CDATA[ISP]]></category>
		<category><![CDATA[Lobbyist]]></category>
		<category><![CDATA[Net Neutrality]]></category>
		<category><![CDATA[Obama]]></category>
		<category><![CDATA[Ted Cruz]]></category>
		<category><![CDATA[time warner cable]]></category>
		<category><![CDATA[Tom Wheeler]]></category>
		<category><![CDATA[Verizon]]></category>

		<guid isPermaLink="false">http://www.brightsideofnews.com/?p=41429</guid>
		<description><![CDATA[<p>In a new political move by the Senator, Ted Cruz has likened Net Neutrality to Obamacare after the President announced his support for a Title II status.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="980" height="600" src="http://cdn.vrworld.com/wp-content/uploads/2014/11/Ted-Cruz-Net-Neutrality.jpg" class="attachment-post-thumbnail wp-post-image" alt="Ted Cruz Net Neutrality" /></p><p>In a very politically inflammatory statement today, Senator Ted Cruz likened Net Neutrality to Obamacare, which does more harm than good to the internet&#8217;s future as the hotly contested issue of Net Neutrality ping pongs around the IT industry and Capitol Hill.</p>
<p>Obviously, Cruz made his statement as a response to <a href="http://www.whitehouse.gov/net-neutrality" target="_blank">Obama&#8217;s instruction to the FCC</a> (including Chairman Tom Wheeler) that they need to preserve Net Neutrality by giving the FCC the regulatory powers to oversee the internet by classifying it as a Title II communications service, which would liken it to land line phone service.</p>
<p>The problem with such an analogy is that it likens a multi-faceted piece of legislation that Republicans oppose to a reclassification of a type of telecommunications so that it can be properly regulated (which it technically isn&#8217;t right now). The idea was not to regulate the internet in order to allow it to self-regulate, but that does not appear to have worked and now people are calling for a reclassification as a <a href="http://en.wikipedia.org/wiki/Common_carrier" target="_blank">Title II common carrier service</a>. This would require companies to treat all traffic equally and not to be able to pick and choose, which they&#8217;re technically already doing. Some may liken Obamacare to this reclassification because Obama now supports it or because it involves government regulation, but the truth is that the FCC has already been regulating internet service for quite some time, but hasn&#8217;t had the authority to enforce a truly equal internet.</p>
<blockquote class="twitter-tweet" lang="en"><p>&#8220;Net Neutrality&#8221; is Obamacare for the Internet; the Internet should not operate at the speed of government.</p>
<p>— Senator Ted Cruz (@SenTedCruz) <a href="https://twitter.com/SenTedCruz/status/531834493922189313">November 10, 2014</a></p></blockquote>
<p>Following his statement, some well known internet personalities including the creator of The Oatmeal online comic, Matthew Inman, <a href="http://theoatmeal.com/blog/net_neutrality" target="_blank">who broke down</a> Net Neutrality to the junior Senator in a comical, yet informed, way.</p>
<p>The real issue with Cruz&#8217;s tweet is that it very likely comes from a place where lobbyists are encouraging him to shoot down Net Neutrality, after all, he does take money from large telecom companies for his campaign donations. Additionally, Cruz has been emboldened by the recent election to stand up to Obama even more than he already has and to make Obamacare a central issue around next year&#8217;s Congress and to repeal it. Cruz may have gotten the attention of many by likening a conversion of internet service into a Title II telecommunications form, but by likening it to Obamacare, he has immediately turned a bi-partisan issue of Net Neutrality into a partisan issue and will encourage people to be against Net Neutrality even though it is in their best interest.</p>
<p>Even <a href="https://www.eff.org/deeplinks/2014/06/fcc-and-net-neutrality-way-forward" target="_blank">the EFF is behind the reclassification plan</a> that Obama now states that he also backs, because in the past Obama has remained silent on the topic and there&#8217;s actually a good chance that with a Republican House and Senate Obama may actually find some common ground with them on Net Neutrality. The problem is that the state of the internet is so horrible with all of the oligopolies that it is virtually impossible to allow the internet to exist in an unregulated manner, there is not enough competition among internet service providers, so there is no way that consumers can simply be the driving force behind innovation and Net Neutrality. We&#8217;ve covered this topic many times over the course of the past year, and some of the <a title="FCC Broadband Report Finds US ISPs Failing to Deliver on Many Levels" href="http://www.brightsideofnews.com/2014/06/19/fcc-broadband-report-finds-us-isps-failing-to-deliver-on-many-levels/" target="_blank">most recent talks by Tom Wheeler</a> about the lack of competition are possibly the most enlightening. Because of government intervention, these companies have been allowed to become too big and effectively have local monopolies or duopolies with very few to no places having three options for wired broadband.</p>
<p>Optimally, there would be multiple internet service providers in each area, including a possible municipal broadband option, which would then compete with each other for consumers&#8217; business and improve in order to win those customers. After all, that&#8217;s sort of how it used to be until AT&amp;T bought up all of the land line companies and Comcast started gobbling up cable providers (<a title="Comcast Rumored to Buy Time Warner Cable for $44 Billion?" href="http://www.brightsideofnews.com/2014/02/12/comcast-rumored-to-buy-time-warner-cable-for-2444-billion/" target="_blank">and now wants to absorb TWC</a>).</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2014/11/10/ted-cruz-falsely-likens-net-neutrality-obamacare/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>USPS Hacked, 800,000 Employees&#039; Info Accessed</title>
		<link>http://www.vrworld.com/2014/11/10/usps-hacked-800000-employees-info-accessed/</link>
		<comments>http://www.vrworld.com/2014/11/10/usps-hacked-800000-employees-info-accessed/#comments</comments>
		<pubDate>Mon, 10 Nov 2014 21:31:36 +0000</pubDate>
		<dc:creator><![CDATA[Anshel Sag]]></dc:creator>
				<category><![CDATA[Breaking]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Rumors]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[APWU]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[Employee]]></category>
		<category><![CDATA[Hacked]]></category>
		<category><![CDATA[New York Times]]></category>
		<category><![CDATA[Social Security]]></category>
		<category><![CDATA[USPS]]></category>

		<guid isPermaLink="false">http://www.brightsideofnews.com/?p=41417</guid>
		<description><![CDATA[<p>The USPS has stated that around 800,000 employees of the USPS have had their personal information, including Social Security numbers, compromised by hackers.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="980" height="600" src="http://cdn.vrworld.com/wp-content/uploads/2014/11/USPS-980.jpg" class="attachment-post-thumbnail wp-post-image" alt="USPS 980" /></p><p>According <a href="http://about.usps.com/news/fact-sheets/scenario/media-statement-final.pdf" target="_blank">to the agency</a>, over 800,000 employees of the USPS have had their personal data stolen from the postal service&#8217;s servers. When you consider that the USPS <a href="https://about.usps.com/who-we-are/postal-history/employees-since-1926.pdf" target="_blank">employs just under 500,000 people (below 800,000 in the &#8217;90s)</a>, it becomes clear that the stolen data includes both current and former employees of the USPS. The data breach mostly affects employees of the USPS rather than customers who may have done business with it. The agency does state that customers who did business with the USPS between the months of July and August may have had their contact information compromised, but no credit card or payment data was obtained by the hackers.</p>
<p>The USPS has a <a href="http://about.usps.com/news/fact-sheets/scenario/customerFAQs_Final.pdf" target="_blank">long and detailed FAQ</a> that answers consumers&#8217; questions about the data breach and whether or not their data has been compromised. The interesting thing about this breach is that it isn&#8217;t a typical breach where hackers are going after customer data, credit card data or passwords. The hackers in this case specifically went after the employee data of the USPS and were able to gain access to what appears to be all of it. The USPS isn&#8217;t clearly saying what employee data had been stolen, but the USPS <a href="http://about.usps.com/news/fact-sheets/scenario/media-statement-final.pdf" target="_blank">official release</a> states, &#8220;The employee information potentially compromised in the incident included some employee personally identifiable information (PII), such as names, dates of birth, Social Security numbers, addresses and other information including beginning and end dates of employment, and emergency contact information.&#8221;</p>
<p>The other huge problem with this breach is that the USPS did not communicate the breach, which occurred in mid-September, until now, almost two whole months later. This means that the affected employees have had their information out and about without their knowledge for the past two months, during which anyone could have caused financial ruin for them. The fact is that the <a href="http://www.apwu.org/" target="_blank">American Postal Workers Union</a> should be absolutely up in arms about this and should sue the USPS for breaching its duty to protect its employees and to notify them of such risks in a timely fashion. We&#8217;ve already gotten quite angry with retailers taking a month to tell us that our credit card numbers have been stolen, yet even more personal, potentially ruinous data was kept from USPS employees for nearly 2 months.</p>
<p>There are currently no official suspects or leads in the case, but some publications are indicating that the attack may have come from Chinese hackers.</p>
<p>There is one more interesting tidbit in this USPS story, and that&#8217;s the fact that the USPS has taken this event as an opportunity to take a dig at the New York Times for their piece about the USPS and their involvement in tracking Americans&#8217; mail. Here is the question and answer, verbatim.</p>
<p><strong>Q</strong>: I’m concerned about a New York Times article that mentioned “surveillance” of mail. Is this connected with the cyber-intrusion incident and what is meant by “mail covers”?</p>
<p><strong>A</strong>: The New York Times article is unrelated to the cyber breach. The New York Times article titled ‘Report Reveals Wider Tracking of Mail in U.S.’ published on Tuesday, October 28, 2014 is extremely disappointing. The article is inaccurate and unfairly presents a one-sided version of the facts. First and foremost, the United State Postal Service respects the privacy of its customers and the sanctity of the mail. Contrary to what is suggested in the article, the Postal Service does not monitor the mail behavior of its customers and it does not maintain any system or program of so-called “surveillance.” Unfortunately, and perhaps to create a news story where there is none, the New York Times article conflates three independent mail programs in order to create the wholly false impression that there is some vast mail monitoring system in operation. While such an assertion may make for a more interesting news article – it is not based on the facts. Mail covers are used for criminal investigations. The increased use of mail covers in 2013 and 2014 is connected to single packages investigated involving illegal drug shipments. Eighty percent of all mail covers in 2014 were related to these important investigations. All other mail covers have actually decreased by more than 30 percent since 2012. It is unfortunate that the New York Times presented such a distorted view of the facts. Its readership would have benefited from a more even-handed approach. The Postal Service processed and delivered 158 billion pieces of mail last year, of which only a tiny percentage was subjected to the mail cover process. The people who need to be concerned about mail covers are those who use the U.S. Mail to ship illegal drugs or who are otherwise breaking the law.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2014/11/10/usps-hacked-800000-employees-info-accessed/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
