Xiaomi devices have taken Asia by storm, providing fierce competition to established players such as Samsung (KRX: 005930). Recently Xiaomi has been under the microscope for security issues, as it has been alleged that these devices serve as a conduit that allows Chinese intelligence services to siphon user’s data. However a new report by security consultancy Bluebox Labs shows that the real threat might come from sloppy coding.

The device tested by Bluebox researchers was the Xiaomi Mi 4. Like many smartphones from Chinese vendors, it ships with a forked (non official) version of Android branded as MIUI. Forked versions of Android do not undergo the same security vetting procedures from Google (NASDAQ: GOOGL) as official versions do.

Being a forked version of Android means that Google services are not available on the device. For example, the phone ships with a Google Play alternative called Mi Market. However the researchers found that this version of Android appeared to be a combination of 4.4.4 and older versions. Doing a deep dive into the OS the researchers found some conflicts at the API level. The devices contains a mixture of API keys from Android 4.4 and Android 4.2 that are both test-keys (not for public use) and release-keys. As test-keys are not finalized they ship with more security bugs than their final counterparts. However the combination of both test and release keys could be incredibly problematic as bugs will no doubt arise just by combining the two.

Bluebox researchers did on the device was a scan for suspicious apps — malware, spyware or adware. They found three apps considered to be risky. The most problematic of which was an app called Yt Service as it disguises its developer package to make it look like it came from Google — which is not the case. Next up were apps called PhoneGuardService which was identified as a Trojan and AppStats which is classified as riskware.

Bluebox gives the device a low trustable score of 2.6. By virtue of the fact that it runs a forked version of Android, Xiaomi devices ship with security flaws that have been long ago patched by Google.

For its part Xiaomi has not responded to Bluebox’s attempts for responsible disclosure — approaching the vendor first before going public.

Bluebox told VR World that it did not accept outside funding for this study.

Update 4:50 China Standard Time:

Xiaomi sent in this response:

“We are investigating this matter now. There are glaring inaccuracies in the Bluebox blog post, as official Xiaomi devices do not come rooted and do not have any malware pre-installed. It is likely that the Mi 4 that Bluebox obtained has been tampered with.”

The post Bluebox Labs: Xiaomi Phones a Major Security Risk appeared first on VR World.

Job seekers, Rejoice. While unemployment tries to recover from stagnation, the IT industry has a bright outlook. CompTIA, a professional IT certification company, predicts a worldwide expansion in the industry of around five percent with only Canada and the UK lagging behind.

Companies are understaffed already in the technology department and 70 percent of managers report they expect to have a shortage of IT professionals to draw from to fill the gaps. The CompTIA report pegs unemployment in the IT industry lower than that of other fields nationally. In 2012, the Bureau of Labor Statistics averaged the unemployment rate for technology professionals at 4.4, about half the national average at that time. The image breaks that down by position. The picture hasn’t changed much.

A shifting environment due to acquisitions and mergers adds to the complexity of staffing. Not surprisingly, top on the list for growth are areas that make headlines: cloud computing, mobile, and as indicated by events such as Anthem Blue Cross’s hack attack, security. Established entities with familiar names have cash flow to entice employees with salaries and uncommon benefits that go beyond such traditional subsidies as health insurance.

If you plan to go job hunting, you might want to arm yourself with some hardware and software skills. That’s what companies continue to search for when interviewing applicants.

The post IT: It’s the Place to be for Job Hunting appeared first on VR World.

IDC Japan’s latest market analysis has just revealed that Japan’s estimated compound annual growth rate for its security business sector from 2015 to 2018 will be at around 4.0%, at an equivalent value of about $2.5 billion. This is primarily based from an earlier report last 2014 that revealed an average annual growth rate within the same business sector of 4.7%, or about $2.1 billion.

Following the general growth of cloud-based businesses and enterprises during the past few years in Japan, demand for security services, such as access administration, endpoint protection, and general network security have also increased. During the last year, the combined annual growth rate of business related to these services was 4.1%, or equivalent to about $1.8 billion. The growth rate is expected to go even further with the introduction of more security services aimed at the mobile device market, which IDC Japan expects to contribute to the previously mentioned 4.0% growth rate throughout the years 2015 to 2018.

In addition, the analysis also included the steadily growing security market for SaaS (Software as a Service) businesses within the country. Its security market is expected to have an estimated compound annual growth rate of 11.6%, or equivalent to about $154 million. This also based from a comparison made from 2013 and 2014’s growth rates, which were $89 million and $100 million respectively.

On the other side of Japan’s security market, demand for intrusion prevention/detection and unified threat management systems, as well as related security hardware for other access and authorization systems, have also increased in the past two years. IDC Japan reports its growth rate at 7.5% ($367 million) from 2013 to 2014. As more security issues in Japan are focused towards unauthorized access and data theft, it is expected that the growth of these sectors would also directly affect other major digital security markets within the country, at least during the time period estimated by the market analysis.

The post Japan Estimates Further Growth of its Security Market appeared first on VR World.

Intel (NASDAQ:INTC) began to give users a convenient way to log into all of its websites and applications from any device without having to type or remember passwords while it announced the acquisition of PasswordBox on Dec. 1.

PasswordBox is a Montreal-based and award-winning provider of a cross-platform identity management service. PasswordBox became a part of the Safe Identity organization within Intel Security Group after the acquisition. Intel’s Safe Identity organization is committed to delivering solutions that reduce the pain of passwords, simplify and strengthen security and providing consumers with easy access to their digital lives.

“Everyone can relate to password fatigue. The PasswordBox service has already brought relief to millions of consumers who now enjoy simple, instant login,” said Chris Young, senior vice president and general manager of Intel Security Group.

Young said that Intel Security and PasswordBox share the same goal of improving digital identity protection across all devices and platforms.

“We believe we have the technology, expertise and reach to bring simple, secure access to consumers worldwide,” he said.

A recent report by Deloitte, a consulting firm, said that more than 90% of user-generated passwords are vulnerable to hacking, citing that the 10,000 most common passwords could access close to 98% of all accounts.

Intel Security combines the security expertise of McAfee, with the innovation, performance, and trust of Intel. The department is focused on solving some of the largest challenges in digital security. Along with PasswordBox, Intel Security will reduce password fatigue, simplify security mechanisms and offer the chances to experience next generation solutions to their consumers, Young said.

“PasswordBox has spent the last two years building a product that people love, trust, and use around the world every day,” said Daniel Robichaud, CEO and co-founder for PasswordBox. “We share Intel Security’s vision of simple, secure access and identity protection across all platforms and devices. Together, we believe we can offer our customers world-class technology, expertise and support to bring such access anywhere, all backed by Intel.”

PasswordBox currently possesses 44 employees and was established in Montreal in 2012. All current employees have joined Intel Security.

Since is debut 12 months ago, PasswordBox secured VC funding, led by OMERS Ventures, won best mobile app at CES 2014, and has been downloaded 14 million times worldwide. Intel’s acquisition of PasswordBox is effective immediately. Terms of the transaction were not disclosed and are not material to Intel’s operations. The acquisition is expected to support future innovations that will be announced at a later date.

The post Intel Acquires PasswordBox appeared first on VR World.

Here is the daily roundup from Japanese consumer tech and tech business websites for November 27, 2014.

Sony to hold Walkman A demo event

Sony plans to hold a demonstration event for its recently unveiled Walkman A hi-res music players. The event will start on December 4, and will end two days later on December 6. The chosen venue will be at Tokyo Midtown Canopy Square.

Last September, Sony had announced the new Walkman A series, it’s next upcoming line up of hi-res digital music players. The event will mainly showcase the Walkman A units for testing by the event’s visitors. However, it will also demonstrate the unit’s “sound art” feature, which will be an event-exclusive display of water vibrations functioning as digital synthesizers.

The models that will be showcased in the event are the NW-A16 and the NW-A17, both of which are hi-res models, can expand their default storage via SD cards, and uses Sony’s proprietary DSEE HX audio up-scaling technology.

Tokyo-Mitsubishi UFJ introduces new network banking service

The Bank of Tokyo-Mitsubishi UFJ, in an effort to mitigate internet-based illegal and unauthorized banking remittance activities, has introduced yesterday a new network banking service, which is named as the Cloud Direct.

The Cloud Direct online banking service will be used as an alternative transaction platform for the bank’s Mitsubishi-Tokyo UFJ Direct service. Instead of directly logging into its servers, the new service will instead simply guide its user to several transaction forms, using a software keyboard input to log onto the service itself. The banking company claims that the new service can considerably lessen the risk of third party programs intercepting sensitive private banking data, helping the user conduct online transactions safely and more conveniently.

The service requires no registration, and will be available for free at no extra cost for its customers.

Takara Tomy unveils its ‘6-second’ toy camera

Takara Tomy announces its new Magical Six toy camera. This small camera is capable of recording short 6-second videos, and is designed as an easy-to-use, point-and-click camera for children.

The Magical Six camera features a very simplistic design, only having three buttons, and a small screen as its interface. Its design theme is “giving even small children the opportunity to feel like a video editor”. Using the device is advertised as straightforward, with the large right button instantly allowing its user to record, edit, and put together short 6-second videos.

Aside from recording 6-second videos, the camera also features continuous snapshots, audio recording, reverse playback and basic frame editing.

The post Walkman A event, Cloud Direct, 6-Second Camera: The Headlines in Tokyo for Nov. 27 appeared first on VR World.

A research survey recently published by the Japanese branch of San Francisco-based security firm Lookout Inc. indicates that Japanese users may actually lose their smartphones quite frequently. The survey revealed that at least one in every five smartphone users had experienced losing their smartphone at one time.

This conclusion made by the survey was based from the data collected from a small sample of about 1,000 users throughout the country. The approximate 23% within the group representing this figure reported having experienced losing at least one smartphone at some point. A considerable majority of the people within the group are users who live in busy cities, and are considerably young, averaging only to about 18 to 24 years of age.

As for where exactly do they lose their smartphones, the most common place was on public transportation mediums, especially on trains and subways, or on facilities and establishments that are near these vehicles. Second on the list was on commercial establishments, such as on shopping malls or market districts. Prefecture-wise, the region with the most users having lost their smartphones was on Okinawa Prefecture (44%).

The issue of lost mobile phones today holds more digital security risks than before, mainly because sensitive and private data are now being frequently and regularly used on smartphones. When questioned about data recovery, the general consensus of the entire sample was that they are willing to pay even 50,000 yen ($424.00), just so in order to recover and secure the lost data.

The data obtained from the survey will be used by Lookout Inc. to provide the appropriate security solutions and applications for future lost smartphones.

Weirdly enough, at least 11% from the entire sample have also reported losing their smartphones, however this group reported recovering their lost phones after a specific period of time.

The post One Fifth of Japanese Have Lost a Smartphone, According to Survey appeared first on VR World.

After beta testing for over six weeks, Synology is ready to roll out its latest operating system, DiskStation Manager 5.1. The update is now available for the vendor’s range of NAS products.

The major addition is Security Advisor, which runs a diagnostic to check your network preferences, password strength and other system settings to determine if your NAS is vulnerable. Synology was quick to roll out a patch after it was found that a hack allows remote users to access a user’s DiskStation earlier this year, hence the focus on increased security with this update. There’s also a new tool that automatically blocks malicious programs from accessing system resources.

On the productivity side, Note Station is a new addition that allows you to write, centralize, sync and manage all your notes across devices. Along with the ability to password protect notes, the feature allows you to share and collaborate with others and revert to previous versions. All notes are saved in your private cloud, and there is also the option of importing existing notes from Evernote. All notes can be easily accessed through a mobile device via DS Note.

The built-in file manager, File Station, has also received numerous additions, and now comes with built-in FTP and email clients. With DSM 5.1 users now have the ability to monitor and manage SSD cache.

Entertainment utilities like Video Station, Audio Station and Photo Station have all picked up updates, and now come with a better search interface that allows you to easily find content. You can sync your content to external cloud services such as OneDrive, Box, and hubiC, and as for data backup, you can configure Microsoft Azure, SFR, and hicloud.

Synology’s DSM is by far the best OS in the NAS segment thanks to the sheer number of features on offer, and with verison 5.1, it has gotten even better.

The post Synology releases DiskStation Manager 5.1 appeared first on VR World.

Remember when security researchers found a vulnerability in OpenSSL that potentially put the entire world at risk of having their data compromised? Well, Heartbleed appears not to be the end of these vulnerabilities. Well, Google has found another vulnerability in an older version of SSL, in SSL 3.0. Thankfully, SSL 3.0 has mostly been replaced by TLS 1.0, TLS 1.1 and TLS 1.2 but many of those systems still have SSL 3.0 as a backup in the event of a need to support this legacy protocol.

Three Google security researchers published a paper back in September called This POODLE bites: Exploiting the SSL 3.0 Fallback in that document, Bodo Möller, Thai Duong and Krzysztof Kotowicz from Google basically state upfront that SSL 3.0 is obsolete and insecure and that’s why most companies, websites and overall the world no longer uses it. However, because some implementations keep SSL 3.0 as a legacy support feature, there are some security vulnerabilities that can be exploited as a result of this. They also say, by simply disabling SSL 3.0 you can completely avoid this vulnerability as a whole. They call the attack that happens as a result of the downgrade to SSL 3.0 the POODLE (Padding Oracle On Downgraded Legacy Encryption) which allows them to steal “secure” HTTP cookies or any bearer tokens.

If you can’t disable SSL 3.0 for one reason or another in your setup, then they’ve provided for a detailed solution which helps work around this fallback vulnerability. Realistically this is nowhere near as scary as Heartbleed or Shellshock which are more broadly vulnerable on more systems and create a much greater effect on the victim’s data. But nonetheless, this is something that system administrators need to address on their own secure implementations in order to ensure that they do not become exposed to this SSL 3.0 Poodle attack.

The post Google Discovers Vulnerability in SSL 3.0 appeared first on VR World.

A security researcher has discovered that Yahoo has become a victim of the newly discovered Shellshock vulnerability (also known as bash bug) via Romanian hackers gaining access to Yahoo’s systems. There is already confirmation of the fact that Yahoo has been hacked via an email from Yahoo’s security team. This was originally submitted to Yahoo, but isn’t eligible for their bug bounty program, which for some reason doesn’t reward people for finding chinks in Yahoo’s armor for them before hackers do. This appears to be a significant flaw in Yahoo’s security policies and must be addressed by Marissa Mayer herself.

He states:
Disclosure and disclaimer: This document is being released due to several high profile companies being infiltrated using the recent Shellshock vulnerability, and what I have deemed as an improper response, or lack thereof, to resolving the issue from certain key companies contacted, as well as the FBI. Amongst the affected companies are Yahoo! and Lycos, major players and names in the technology world. This breach affects ALL of us in one way or another, and it’s crucial that this problem be resolved with haste. The FBI took the information down and went on their way. Yahoo! has not responded at all. I’ve attempted to email them, call them, and resorted to contacting Marissa Mayer directly via both email and Twitter, neither to which I have received a response as of yet. The ignoring of this issue is grossly negligent and even almost criminal. As such, I felt that for the safety of anyone using these services, it would be best to publicly disclose as much information as needed to get them moving and working towards resolving the issue before things get worse. All research and testing discussed in this paper was performed by Jonathan D. Hall of Future South Technologies.

Yahoo has been struggling to gain back trust from users after their email data breaches and the overall meltdown of the company as an internet destination for most users. Under Marissa Mayer’s rule, the company has tried to become more of a content provider rather than a search or news destination. Their most popular applications like Flickr have struggled to really retain their audiences and regain the losses to other services like 500px due to simply being too unwilling to listen to the community and simply give them what they want. Flickr was once the default destination for professional and amateur photographers and since the service’s decline tons of viable competitors have cropped up to give people what they want.

The problem here for Yahoo is that they simply are not taking security risks seriously and continually find themselves the targets of hackers. Why? Because they appear not to take security as seriously as they say they do. And Yahoo still has a fairly large user base, especially Yahoo mail, which means that they become a big juicy target for hackers that know that Yahoo is slow to adapt and secure. The security game is an ever evolving one and if your security team is not constantly working to address new threats and actively working to prevent them, then you are going to end up like Yahoo, a sitting duck and popular target.

Yahoo has said to Bloomberg that three of their servers were compromised but that no data was taken, which may still need to be evaluated if only three servers were accessed.

The post Yahoo Hacked via Shellshock Vulnerability appeared first on VR World.

There’s a very good chance that today’s Wired piece about Kevin Mitnick’s newest venture has a lot to do with the discovery of the Bash Bug within various Linux and Unix operating systems. This is a bug that could be considered a Zero Day exploit because of the fact that it is a security vulnerability within an application that is possible to exploit due to the fact that the software vendor has no knowledge of it yet or it has not been patched yet.

Either way, it is a vulnerability that someone can take advantage of. Now, Wired ran a piece about Kevin Mitnick and his security company which does security consulting which includes a whole host of internet and non-net consulting all pertaining to security. The Wired piece in question talks about one of Mitnick’s latest ventures which claims that his company is finding security researchers’ and hackers’ zero day exploits and selling them to the highest bidder.

“With his latest business venture, Mitnick has switched hats again: This time to an ambiguous shade of gray,” Wired wrote.

Late last week, Mitnick revealed a new branch of his security consultancy business he calls Mitnick’s Absolute Zero Day Exploit Exchange. Since its quiet inception six months ago, he says the service has offered to sell corporate and government clients high-end “zero-day” exploits, hacking tools that take advantage of secret bugs in software for which no patch yet exists. Mitnick says he’s offering exploits developed both by his own in-house researchers and by outside hackers, guaranteed to be exclusive and priced at no less than $100,000 each, including his own fee.

And what will his clients do with those exploits? “When we have a client that wants a zero-day vulnerability for whatever reason, we don’t ask, and in fact they wouldn’t tell us,” Mitnick tells Wired in an interview. “Researchers find them, they sell them to us for X, we sell them to clients for Y and make the margin in between.”

Mitnick declined to name any of his customers, and wouldn’t say how many, if any, exploits his exchange has brokered so far. But the website he launched to reveal the project last week offers to use his company’s “unique positioning among security researchers and the hacker community” to connect exploit developers with “discerning government and corporate buyers.”

In fact, they interviewed Mitnick appearing to take many of his quotes out of context in order to sell their own agenda that he is selling these Zero Day exploits to whomever will pay him. In fact, it seems odd that they would include commentary from people on Twitter as part of their article when its merely an opinion and doesn’t actually add anything to the piece, other than mentioning that Mitnick responded to his tweet.

The reality of the situation is that for people that discover vulnerabilities in government and corporate infrastructure, there is a very difficult balance to strike. Many ethical hackers looking to notify companies of their security holes eventually become the targets of investigations and attacked for what they do. Sure, there are plenty of unethical hackers out there that might try to hold a company ransom for a fee to give them the Zero Day that they’ve found, but that has nothing to do with what Mitnick is doing. They are offering researchers and security minded people an intermediary to help those companies find and close Zero Day exploits and to reward the researchers for their work and at the same time protect them from frivolous lawsuits if they try to approach the company directly.

Mitnick’s company vigorously vets all of their potential clients and makes sure that no bad actors are being involved in the process. They are not selling Zero Day exploits to competitors of the companies that have the security holes and they aren’t selling Zero Day exploits to the government that might make a company vulnerable. The goal is to help companies see their problems and give them the opportunity to fix them before they become public.

The post No, Kevin Mitnick is not Selling Zero Day Exploits to Hackers appeared first on VR World.

5 million Gmail usernames and passwords were recently leaked through several Russian cybercrime web forums earlier this week. Google had already confirmed the issue yesterday, though it claims that no compromisation of its data systems was done that led to leakage of these user accounts.

The leaked Gmail accounts were first published on a Bitcoin forum, and were submitted in the form of a standard listed text. The forum user who posted the account credentials claims that most of the data in the text are still usable. However, the administrators of the forum have already deleted the passwords, and only left the usernames for verification. Most of the account access data on the list are written in English, Spanish and Russian.

Though a substantial number of the listed usernames are legit, Google says there is no reason to panic. Reports highly suggest that the source of that data did not come from Google at all, but rather accumulated from hundreds of other websites and online sources (which are unrelated to Google’s own services) that might have used the same username and password.

Google’s own security blog even claims that only less than 2% of the username and password combinations on the leaked list actually worked. Furthermore, the time span of the accumulated passwords stretches as far as three to five years ago, which may mean that even if your account is on the list, the password may already be completely different to the one you have now.

Nevertheless, Google still advises Gmail users to at least check their accounts for possible security holes, and stay vigilant against phishing, malware and spam websites. Taking the necessary steps to prevent accounts from being accessed illegally goes a long way. Google’s 2-Step Authentication is also a plus, and can prevent unauthorized access even if your username and password becomes exposed.

This post originally appeared on Bright Side of News*, VR World’s sister site.

The post 5 million Gmail Passwords Leaked, Google Says Don’t Panic appeared first on VR World.

5 million Gmail usernames and passwords were recently leaked through several Russian cybercrime web forums earlier this week. Google had already confirmed the issue yesterday, though it claims that no compromisation of its data systems was done that led to leakage of these user accounts.

The leaked Gmail accounts were first published on a Bitcoin forum, and were submitted in the form of a standard listed text. The forum user who posted the account credentials claims that most of the data in the text are still usable. However, the administrators of the forum have already deleted the passwords, and only left the usernames for verification. Most of the account access data on the list are written in English, Spanish and Russian.

Though a substantial number of the listed usernames are legit, Google says there is no reason to panic. Reports highly suggest that the source of that data did not come from Google at all, but rather accumulated from hundreds of other websites and online sources (which are unrelated to Google’s own services) that might have used the same username and password.

Google’s own security blog even claims that only less than 2% of the username and password combinations on the leaked list actually worked. Furthermore, the time span of the accumulated passwords stretches as far as three to five years ago, which may mean that even if your account is on the list, the password may already be completely different to the one you have now.

Nevertheless, Google still advises Gmail users to at least check their accounts for possible security holes, and stay vigilant against phishing, malware and spam websites. Taking the necessary steps to prevent accounts from being accessed illegally goes a long way. Google’s 2-Step Authentication is also a plus, and can prevent unauthorized access even if your username and password becomes exposed.

The post Don't Panic: 5 Million Gmail Passwords Leaked appeared first on VR World.

Think your online privacy is free from prying eyes outside of sovereign jurisdiction? Think again. In late July, Microsoft was ordered by a US judge to disclose email data of a customer, even with the actual data being stored on servers in Dublin, Ireland. The court ruled that control, not physical jurisdiction, determined whether data can be turned over for investigation. This has been challenged by Microsoft through an appeal, and other technology companies and privacy advocates have likewise expressed that this will set a bad precedent for international business relations.

Control, not physical location
In an August 2014 ruling, US District Judge Loretta Preska affirmed the earlier decision that required Microsoft to lawfully hand over email data pertaining to a certain account regardless of where it is actually stored. Data jurisdiction is dependent on the control of the company, regardless of the physical location of the servers, said the ruling by Judge Preska. Thus, service providers like Microsoft are legally bound to turn over data to government in the event of an inquiry, even if these are stored in a foreign country.

Said warrant was issued in light of the Stored Communications Act, requiring the service provider to disclose records under its control. It is necessary to note that the earlier court order stemmed from a criminal case involving narcotics, and government lawyers intend to use email records as evidence. Government has since sought for the judge to hold Microsoft in contempt in view of the company’s firm resolve against turning over the email data. In a statement, the Redmond firm says it “will not be turning over the e-mail.” General counsel Brad Smith stressed that in its appeal, Microsoft will “continue to advocate that people’s emails deserve strong privacy protection in the US and around the world.”

Data jurisdiction in question
This particular case will set a precedent among future court cases that involve data retrieval from cloud service companies. Cloud providers and telecom firms have actually weighed in on the issue, challenging the ruling. AT&T, Verizon and Apple, among others, have filed amicus briefs in court expressing their stance.

If anything, this legal battle puts into light the validity of data sovereignty, as well as conflicting legal frameworks in different countries. In its amicus brief in support of Microsoft, Verizon said such a ruling “would have an enormous detrimental impact on the international business of American companies, on international relations, and on privacy.” In fact, some governments, such as Germany, are already banning the use of cloud services run by American providers in order to mitigate the risk of data being accessed by authorities in the US.

And even if companies like Microsoft were to comply with the US court ruling, turning over data might, in turn, constitute an illegal breach of privacy in other jurisdictions. This has become the central argument in a so-called Umbrella Agreement for data sharing that the US and the EU are trying to work out.

Cloud computing has changed the dynamic of data storage and information storage, particularly with respect to jurisdiction, legal oversight and compliance. Data sovereignty is certainly among the key concerns for individuals or institutions who require a certain level of privacy and security. But if a country’s government can claim control over data that is supposedly physically stored in another country’s jurisdiction, then it’s a whole new ball game. With data being in the cloud, does control take precedence over physical jurisdiction? This argument will need threshing out amongst stakeholders, including governments, foreign policy-making bodies, technology providers and privacy advocates, among others.

The post Data Sovereignty: Is Big Brother Over-Reaching? appeared first on VR World.

Last week news broke that ESD America, which manufacturers the $3,500 Cryptophone (a security hardened Samsung Galaxy S3) has discovered 19 rogue cell towers across the United States which were hoovering up SMS and data from phones as well as intercepting calls.

ESD America found these towers as its Cryptophone alerts users when calls are being forced over unencrypted bandwidth via 2G from a nameless cell tower (cell towers from big telcos are always named).

ESD America’s CEO, Les Goldsmith, is unsure of why there are so many rogue base stations (called interceptors) within the United States but is concerned about the high number of rogue base stations found by Cryptophone users.

“Interceptor use in the U.S. is much higher than people had anticipated,” Goldsmith said in an interview with Popular Science.  “One of our customers took a road trip from Florida to North Carolina and he found 8 different interceptors on that trip.  We even found one [in the vicinity of] South Point Casino in Las Vegas.”

Goldsmith said that the placement of towers appears to be seemingly random, with the exception of two: the one mentioned near the casino and a few more near military bases around the country.

Who’s spying on whom?

For the most part, cell phones are an inherently secure way to communicate. Connections between cell phone and tower are usually encrypted, through the exact encryption protocol must be agreed upon during the initial connection (handshake). As with the communication standard, the quality of encryption varies wildly.

Rogue base stations simply broadcast their signal at a level higher than nearby base stations, thereby drowning them out and forcing nearby phones to connect to them. Once connected, the rogue base station will act as a man in the middle passing along calls and text messages to the network after intercepting all of them — or just a specific few from targeted phones.

One comment in the press dismissed the idea that these towers had some sort of nefarious intention behind them. The most likely explanation, according to the source, was that these were simply towers purchased by private individuals or groups to boost cell reception in areas underserved by big telco.

But the possibility that these towers may be the tools of an intelligence agency or another group for industrial or state espionage should not be dismissed. The vast majority of people would dismiss their cell phone dropping to 2G, or many other irregularities, as simply the product of poor reception from their telco. While guardians of secrets would have protocols in place to avoid talking about them over the air, others within the military or academic industrial complex might also have access to this information that while not classified as secret is still sensitive and would aid those engaged in intelligence gathering against a target.

As the placement of towers across the United States is seemingly random, it’s difficult to discern a specific target. This could be, however, a trial run to see if it was an effective use of resources. While for most people things like the Cryptophone will be an unnecessary expense, but for those concerned about the safety of their information of the network security-hardened smartphones like the Cryptophone will be a necessary tool to do business.

The post Rogue Cell Towers Are The Industrial Espionage Threat of The Decade appeared first on VR World.

A security researcher is claiming to have found a set of services in iOS that appear to be a firmware-level backdoor in iOS devices. What’s more interesting is that Apple has, in a very non-Apple manner, responded to his claims by posting a support page about it. He claims that these are confirmations of the backdoors that he found in iOS and that Apple claims to use them for diagnostic and enterprise purposes. These backdoors can only be accessed by Apple (or anyone that has access to Apple’s services) so they’re mostly secure backdoors, but they are backdoors nonetheless. Most consumers are completely and wholly unaware that alternative pathways into their devices exist and can be exploited by ANYONE (in this case Apple) other than themselves. This is also why remote bricking and other ‘security’ features being pushed through legislatures are also a problem, but at least we’re aware of their existence unlike these services on iOS.

The services in question, om.apple.mobile.pcapd, com.apple.mobile.file_relay, com.apple.mobile.house_arrest among others have been addressed in Apple’s knowledge base article. Apple does not directly address Jonathan Zdziarski’s claims but instead tries to illuminate their use of these services and what they’re supposed to be used for. Apple claims that some of these services are used for diagnostic purposes internally as well as for iTunes and Apple Care support. However, the fact that these supposed backdoor services exist without users’ or developers’ knowledge is a bit worrisome.

The real truth here is that no matter what happens, or is really happening, customers should be aware of how intrusive some of these services are or can be. Sure, some of them are limited in scope in terms of what they can access, but even so, Apple should notify customers when they use such services or sign up for the operating system that there are services running on their devices that give Apple access to their device. Backdoor systems are not a joke and some of them are open invitations to hackers to try to hack into a backdoor and use it for their own purposes. Backdoors are inherently insecure and consumers should be made aware of them, malicious or not.

The post Security Researcher Claims iOS Devices Have a Backdoor appeared first on VR World.

The Washington Post is reporting via documents obtained from Edward Snowden that the NSA is collection hundreds of thousands of records, upwards of 160,000 communications, most of which are completely irrelevant to the target person or people. After spending four months analyzing the data which included 22,000 reports and 160,000 data intercepts, the Washington Post was able to discern that a whopping 89% of the total data collected was from non-targets or mere bystanders.

The records obtained by Edward Snowden and passed on to the Washington post spanned 4 years of records that started in 2009 and ended in 2012. Obviously, they are merely a sliver of what was actually collected, but gave a fairly good idea of what kind of net the NSA has been casting with their programs and how unabashedly they are collecting innocent people’s data.

Washington Post Diagram of Data Collection

The data above also shows a vast increase in spying on people as Obama took office, indicating that the NSA’s activities only increased under his presidency. This would make a lot of Obama’s own biggest supporters very worried as he was supposedly working to curtail such programs as a senator. Nonetheless, the Washington Post and Edward Snowden never disclosed that they had these reports and documents which detail the scope and detail of the NSA’s spying from 2009 to 2012.

Ultimately, these programs are a self-fullfilling prophecy where the government continues to spy on more and more people without any probable cause and doing so on such a scale that it becomes almost impossible to control. These programs, like many other government programs seek to enlarge themselves from year to year and in many cases result in larger and larger bureaucracies that seek to increase their own size regardless the cost. A good example of that is with the war on drugs, many agencies involved in such programs are become ever more militarized and as a result have stepped up the scale of the war on drugs which results in needing more funding to maintain competitiveness. The real truth is that the NSA spent $1.5 billion on a data center to warehouse all of the data they’re collecting on us and it won’t be the last either. If we continue to allow the NSA to spy with the use of FISA as a vehicle, they will only become more and more invasive and dangerous.

The post The NSA Gathers 90% Irrelevant Data appeared first on VR World.

The Department of Homeland Security (DHS) recently posted a ‘warning’ to foreign airports that have direct flights into the US, with an apparent focus on UK airports, namely Manchester and London’s Heathrow. In this posting, Secretary Johnson, the head of the DHS stated that elevated security measures were being implemented based on the ever changing security climate.

So, what exactly are these elevated security measures? According to the BBC, these new security measure being implemented in airports like Manchester and London are requiring users to have their electronic devices charged and to be able to power the device on when prompted to. Furthermore, if a device does not have charge or is ‘dead’ a passenger may actually be prevented from boarding their flight without proof of an operational laptop or tablet.

British Airways released a statement in regards to the issue at hand that advises that you not bring on any devices that are inoperable or depleted from charge. This includes people transferring from flights through the UK that may have had long flights. So, if you’re flying in economy and don’t have a charging plug, you no longer have the right to use your devices until they die because you might not get let onto your connecting flight.

The UK government also has a travel advisory that states,

Flying to the US

Make sure your electronic devices are charged before you travel. If your device doesn’t switch on, you won’t be allowed to bring it onto the aircraft.

These new rules implemented by the DHS are absolutely ridiculous and put an undo burden on consumers. I have flown through Heathrow countless times and have had a few instances where I had a dead phone, dead tablet or a dead laptop. And when you look at the utter lack of charging stations in Heathrow and in planes, it seems absolutely insane for them to be pushing these requirements on consumers without trying to alleviate them. The DHS and the UK have once again made flying miserable again and they’re taking more of our rights away without any justifications.

There are going to be easy ways to get around this ‘power-on’ requirement set by the DHS if you’re really trying to build a device that will cause harm. This is yet another pointless security measure being presented in airports to make traveling even more ridiculous and difficult than it already is.

The post DHS Pushes New Ridiculous Security Measures appeared first on VR World.

The much awaited OnePlus One smartphone has hit yet another snag on its way to being delivered to those that could actually get ahold of one. The $299 smartphone has it all, and for a reasonable price, but the catch is that they’re limiting production so that they don’t bankrupt themselves, or their parent company OPPO in the process. And since the device is running CyanogenMod as the OS, there are some things that need to be ironed out before the device ships to consumers as a ‘shipping’ final device.

One of those things is that CyanogenMod recently had a major security update as a result of the new OpenSSL vulnerabilities discovered on June 5th. Thankfully this new vulnerability was caught quickly and is nowhere near as damaging as the Heartbleed vulnerability which make essentially the entire internet with the exception of financial institutions insecure. Anyways, this new vulnerability got patched and since it is critical to CyanogenMod’s security suite, CyanogenMod needed updating, which meant the OnePlus One needed updating as well. So, they needed to do a new firmware update on the OnePlus One as well as confirm and test that it works, causing a delay.

Some sites are spinning this as a OnePlus problem, but the reality is that they have little to no control over it and its better that they delay it a bit and confirm its a working firmware update than ship the vulnerable devices out and then hope the patched version works on their phones. Its certainly commendable of OnePlus and CyanogenMod to make sure that this problem is resolved and done in a professional and methodical manner. But… that still doesn’t change the fact that its virtually impossible to get your hands on a OnePlus One to begin with.

And if you’re in line for one, don’t be disappointed that its been delayed. Just be glad that they’re doing the right thing.

The post OnePlus One Gets Delayed Due to an OpenSSL Security Update appeared first on VR World.

Since we’ve had quite a bit of time between Snowden disclosures of NSA activities, it appears as though Wikileaks has gotten ahold of some secret NSA documents that name names as to whom has been cooperating with them. They claim that they have over 80 different companies in their strategic partnerships.

Wikileaks Tech NSA

The Wikileaks obtained slide states that these 80 “Major Global Corporations” are supporting BOTH missions. However, the document doesn’t specify exactly what both of those missions are, exactly. However, since this slide is labelled as COMINT that means it specifically pertains to communications between people, which may narrow exactly what those missions might be.

They list that those 80 companies are in a long laundry list of businesses including:

Telecommunications and Network Service Providers – AT&T, Verizon and Qwest (now part of Centurylink).

Network Infrastructure – Cisco and HP

Hardware Platforms Desktops/Servers – HP, Intel, Qualcomm, IBM, EDS (now HP)

Operating Systems – Microsoft

Applications Software – Oracle, EDS (now HP) and Microsoft

Security Hardware and Software – Cisco, Oracle, EDS (now HP)

System Integrators – HP, IBM, Cisco and EDS (now HP)

However, if you do look at this list, it only specifically names 12 of the 80 companies that they’re cooperating with. This is the first time that companies are specifically being named as cooperative partners in NSA activities. Back when the NSA’s PRISM activities were disclosed most of the companies were able to feign their being victims of the NSA activities as completely unknowing as to the PRISM program. However, there have been numerous suspicions that many of these companies had been cooperating with the NSA on certain backdoors and such in order to obtain government contracts and such. Additionally, some executives even claimed that they were attacked by the government because they wouldn’t cooperate, namely Qwest’s former CEO Joseph Nacchio.

While Wikileaks has been known to leak documents that the US government doesn’t particularly like being seen by the public, this is a rare disclosure by Wikileaks that doesn’t come with much more information. While we would like to know the full list of companies involved and the rest of the slides in this deck, we’ll have to go off of what we have now. However, we will be contacting our people at the companies mentioned above to see what they have to say about their involvement with NSA security programs. On the record.

The post 80 Tech Companies Cooperating with NSA, Claims Wikileaks appeared first on VR World.

On Monday, as a follow up to the awareness around the Heartbleed bug and all of the rumors that circulated around it, The Whitehouse posted a blog clarifying their stance on how they approach vulnerabilities such as Heartbleed. In fact, the NSA categorically denied any knowledge of the Heartbleed bug officially on Twitter, even though they have been known to lie to Congress and the American people without hesitation, so their honesty is a little more than at question.

So, what exactly are they going to disclose and when? Well, there’s a nifty little check list that the Whitehouse has provided us with so that we know when an agency should withhold information from the public and when it should make it public.

We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This interagency process helps ensure that all of the pros and cons are properly considered and weighed. While there are no hard and fast rules, here are a few things I want to know when an agency proposes temporarily withholding knowledge of a vulnerability:

• How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?

• Does the vulnerability, if left unpatched, impose significant risk?

• How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?

• How likely is it that we would know if someone else was exploiting it?

• How badly do we need the intelligence we think we can get from exploiting the vulnerability?

• Are there other ways we can get it?

• Could we utilize the vulnerability for a short period of time before we disclose it?

• How likely is it that someone else will discover the vulnerability?

• Can the vulnerability be patched or otherwise mitigated?

So, basically, The Whitehouse and the administration of Obama are basically saying that if a vulnerability doesn’t really affect us too much, but can gain us lots of valuable intelligence we should keep our mouths shut. What is interesting about this supposed “rigorous” process for vulnerability disclosure is that there is no time limit set for how long they are allowed to wait until they disclose a vulnerability. There is no limitation on how long they can leave a vulnerability open if it passes all of these checks that they’ve established. They mention utilizing the vulnerability for a short period of time, but that doesn’t actually mean anything because a short period of time could be a day, a week, a month, or a year.

With the Heartbleed bug and the public disclosure around it, there were a lot of companies scrambling to patch the bug and some attacks that utilized it immediately after its disclosure. However, if left unpatched, Heartbleed could have disasterous implications and would give any government with knowledge of it almost unlimited access across the web. As a result, many people simply don’t believe that The Whitehouse and the NSA were unaware of such a bug, especially since the NSA had quietly exploited countless other bugs continually without any concern.

The post The Whitehouse Says They Have Right to Withhold a Security Vulnerability appeared first on VR World.