News
Developed by SophosLabs, this new Sophos UTM approach brings together multiple technologies to rapidly identify and isolate infected clients and prevent communication with malicious command and control hosts. This latest version introduces botnet protection and cloud-based sandboxing to expand on the Sophos UTM’s existing multi-layer Firewall, Web, Email and Endpoint protection. This extends the Sophos commitment to small and mid-market companies, delivering access to advanced protection without the complexity and cost normally associated with such functionality.
“The initial stages of targeted attacks can often go unnoticed by security systems that don’t control incoming and outgoing traffic. For organizations with limited IT resources, investing time and money in a dedicated ATP solution to detect these early signs is simply not realistic, given how tricky, complex and fast moving this type of traffic is,” says Chris Kraft, vice president, product management, Sophos. “That’s what we wanted to change. Today, with a few simple clicks, users get advanced protection without needing to be full-time security experts themselves.”
This new release also significantly enhances the speed of security scanning, with initial data showing the new performance optimized IPS doubling throughput speed in test environments. The Email, Web, and Network Protection modules all experience significant enhancements, including:
- Simplified Email Encryption and DLP – Sophos SPX technology eliminates need for a separate Public Key Infrastructure and policy-based DLP can trigger automatic encryption
- Smarter Web Control – streamlined policy setup enables granular user control and transparent web filtering of https traffic provides seamless protection
- Mobile Access Control – enhances Wi-Fi and VPN security by combining Sophos UTM with Mobile Device Management functionality in Sophos Mobile Control
- Performance Optimized IPS – intelligent processes and pattern management deliver enhanced scanning speeds to rapidly block network attacks and prevent breaches
- Botnet/Command and Control Protection – Sophos Advanced Threat Protection identifies and blocks infected machines communicating with malware command and control servers
“The UTM market is one of the most competitive in security. Numerous features and applications have been added over the past few years, and we’re increasingly seeing solutions are providing more effective security and better performance,” said John Grady, Research Manager, Security Products and Services, IDC. “This latest release from Sophos continues to simplify complex technologies. SPX email encryption is an example of that and is a differentiated approach among other UTM vendors.”
“Students are smart and always find ways to circumvent security, so schools are always in need of better ways to manage their web access and block inappropriate content,” says Bart Wilson, systems support manager, from Twotrees Technologies LLC, a Sophos partner. “UTM 9.2 is a huge step forward in solving this problem. By adding https traffic to web filtering in transparent mode, Sophos will help our customers to take back control – especially with so many students browsing on mobile devices.”
For additional information on all of the features in Sophos UTM 9.2 and extra information on Sophos’ network security solutions, please visit our Network Security area, watch the UTM videos, or check out the dedicated Sophos UTM blogs.
You can read the original article here.
The partnership means users of Sophos Mobile Control 4.0 and Check Point Mobile VPN can link the two solutions to provide network access control for any mobile devices attempting to use the corporate network. Non-compliant devices are isolated from the network, protecting the organization from unauthorized mobile devices. This ensures that only managed devices that meet an organization’s security policy may connect and use business resources.
Mobile devices continue to multiply rapidly in the workplace and today’s flexible working styles mean that, increasingly, employees are requiring and gaining access to the corporate network wherever they are. As a result of this surge in mobility, effectively securing both corporate data and networks has become an enormous challenge for IT and security managers. Much of an IT administrator’s day can be spent provisioning, securing, locating, managing and updating these mobile devices.
Sophos Mobile Control continually assesses the compliance status of each mobile device – detecting jailbreaks, blacklisted apps or insecure settings. Via a simple out-of-the-box interface with Check Point’s Mobile VPN, it blocks any non-compliant device from accessing the corporate network via VPN, proactively reducing the risk of data breaches.
“By integrating Check Point Mobile VPN with the mobile device management features of Sophos Mobile Control, IT departments can easily manage how mobile users access centrally-stored corporate resources, allowing them to regain control of their networks all through a simple interface,” says Alon Kantor, vice president of business development at Check Point Software Technologies. “Check Point’s partnership with Sophos provides our joint customers with a simple solution for the increasingly common problem of mobile network access control.”
“The rapid growth of mobile devices in the workplace combined with today’s range of threats means that mobile security is an increasing priority for many organizations,” says Ari Buchler, senior vice president corporate development at Sophos. “We’re delighted to be partnering with Check Point to provide a simple solution to this complex problem, and to enable users of Sophos Mobile Control and Check Point Mobile VPN to keep compromised mobile devices off their networks. This integration demonstrates both companies’ commitment to meeting the needs of customers in the face of a continuously evolving threat landscape.”
Sophos Mobile Control 4.0
Sophos released Sophos Mobile Control 4.0 in May 2014. In addition to managing mobile devices, applications and email, it is the only EMM solution to offer file-level encryption, ensuring that each document connected to the server remains secure and that users can collaborate safely. Sophos Mobile Control also delivers robust, integrated security against malware and malicious web sites to protect against the rapidly-growing, nearly 1 million unique pieces of mobile malware seen by SophosLabs. In addition, Sophos is the only EMM vendor to offer categorical web filtering so organizations can control network performance and security by managing which websites their users can access. Available on premise or as-a-service, Sophos Mobile Control provides a simple and differentiated approach for organizations to manage and secure mobile devices, content and applications. Learn more about Sophos Mobile Control 4.0.
According to IDC, Sophos Mobile Control is the market leader among small and medium businesses in North America, with 25% market share. Sophos is also the only IT security company to be positioned as a Leader in all three of the following Gartner Magic Quadrants: Unified Threat Management (UTM), Mobile Data Protection and Endpoint Protection Platforms.
Integration with Check Point Mobile VPN
Check Point Mobile VPN application establishes a secure VPN (Virtual Private Network) tunnel to the corporate network infrastructure via a Check Point Security Gateway. By unifying Sophos Mobile Control and Check Point VPN gateways, IT departments can ensure that only compliant devices are allowed access to the corporate network. Compliance policies for corporate owned mobile devices reside on the Mobile Device Management Servers.
When a device attempts to connect to the corporate network, compliance is checked. This can prevent users from installing a VPN client on unmanaged devices and trying to access the organization. The Security Gateway can also block the unknown devices of valid users.
You can read the original article, here.
This is according to the abstract of a briefing to be given at the upcoming Black Hat USA conference. The attack, dubbed “Mactans”, succeeded in compromising latest generation devices with the latest version of iOS. It led to a persistent infection with software of the attacker’s choice, invisible to the phone’s user thanks to built-in concealment techniques used to hide some of Apple’s own apps.
The researchers, from the Georgia Institute of Technology, say they built their malicious charger in minimal time with little budget, using a credit card-sized BeagleBoard-embedded computer. I’ve always been a little worried when I’ve seen those free charging stations at airports, shopping malls and other public places. OK, so sometimes you just have to get at some power, but the whole idea of plugging my phone into something I have so little reason to trust just seems a little dirty, not to mention unsafe. Now, assuming this is more than the usual pre-conference hype, those fears look more than justified.
Worse, the small scale of this particular device means you wouldn’t even need a big pedestal-sized charging station. While not quite small enough to disguise as a normal Apple USB power converter as it stands, there are still ample opportunities to trick people into trusting a reasonably compact charging device.
With a little more effort and investment, it should be trivial to build a trojanized charger that is almost identical to standard kit. Then we’d really be in trouble. Imagine an eBay shop selling super cheap USB plugs, which could happily take over your phone and make it call premium-rate numbers or harvest passwords from your email or even bank accounts. Not such a bargain all of a sudden. It might be a good time to buy up all the USB chargers you’re going to need – I suspect prices for proven trustworthy hardware might well be going up fairly shortly.
You can read the original article, here.
But what are the implications of biometric technology as far as enterprise security is concerned? Ryan Hurst, CTO of enterprise SaaS Certificate Authority GlobalSign, has told Softpedia that biometric technology could turn out to be highly beneficial to organizations looking to protect their data, but it depends a great deal on how it’s implemented.
“The recent confirmation of the integration of biometrics in the new iPhone has many asking what the implications are for enterprises. It is too early to tell for sure as the answer will depend on how they have implemented this feature,” Hurst told us in an emailed statement.
“That said, as mentioned during the Apple keynote, only about half of smartphone users apply a passcode today making mobile devices carrying sensitive corporate data a huge vulnerability for enterprises. If the biometric technology used on the device is applied correctly this could mean more secure enterprise data,” he added.
“More importantly this will force many enterprises to take another look at their own authentication strategy and ask if biometrics is a viable form of authentication for them in comparison to other stronger forms, such as one time passwords and smart cards, and weighing the security benefits and risks of each.”
Hurst highlights the fact that the use of biometric technology could be beneficial in case mobile devices containing enterprise data are stolen or lost. “The first rule of security is if the attacker has physical access to your device then the device is no longer yours. However, the use of biometrics has the potential to make it more difficult for the attacker which can significantly reduce the impact of lost or stolen phones containing enterprise data,” he explained.
You can read the original article, here.
Service providers need higher level of encryption support
“If you look at one of our typical deployments, yes, they want security, they want SSL, but the numbers they support are in the thousands,” he said. “It’s nothing compared to a business model that is supporting millions of users. When we are talking to these SaaS providers, it’s a whole new level of value proposition” and a market segment that Array wants to target.
With the new encryption standard requiring almost five times the computational power of 1,024-bit encryption, more robust ADCs are a necessity, he said. SaaS provider YourMembership.com is using Array’s 5600 platform to beef up its capacity and throughput, said Chief Technology Officer Hutch Craig. The St. Petersburg, Fla.-based SaaS provider serves more than 2,300 associations with its menu of back-office services, reaching more than 20 million users. A lot of the provider’s traffic requires secure processing, Craig said; everything from e-commerce to dues information and other sensitive data.
YourMembership.com deployed a pair of ADCs for failover protection at a data center in Orlando, Fla. They replaced two older Array ADCs that were running at more than 50% utilization each because of the volume of transactions they had to process. “Things were getting really tough on them; the 5600s are unbelievable,” Craig said. “Everything is funneled through the ADC, from the API to the actual front-end offering. We have millions of [end users] and tens of thousands of administrators that go into the box.”
Craig said the 5600’s SSL acceleration capabilities were a key attribute. In YourMembership.com’s case, the processor-intensive steps needed to handle public-key encryption algorithms are handed off to a hardware accelerator, although the ADC has the ability to process SSL transactions without the use of separate servers.
More traffic headed in 2014
YourMembership.com will increase the amount of traffic routed through the Array ADCs next year as part of a plan to consolidate all of its data center operations in Orlando, Craig said. Right now, the provider has a data center in Austin, Texas, that serves clients YourMembership.com inherited as part of its 2012 acquisition of rival Affiniscape.
Craig said YourMembership.com will phase out the Austin data center and route all traffic to Orlando and the 5600s by next spring. Andersen said SaaS providers are a logical target for his company’s ADCs, which are priced from 30% to 40% below competitors’ similarly equipped models.
“They have to support a lot more customers and they also have to be on a higher standard of SSL. At the same time, they can’t afford to pay through the nose for ADC hardware,” Andersen said.
The 5600 is priced beginning at $28,995; models that support hardware SSL acceleration begin at $37,995.
In addition to the 5600, Array beefed up two other models to handle the new encryption standards. The 2600 can process up to 5,000 SSL transactions per second, while the high-end 10650 can handle up to 70,000 transactions per second. All of the devices are engineered with 10 Gigabit Ethernet connectivity and multicore processing with throughput ranging from 10 Gbps to 120 Gbps, depending on the model.
You can read the original article here.
Download the Sophos Mobile Encryption app from Google Play for Android, or from iTunes for iOS devices (iPhones, iPod Touches and iPads).
New features available in this version
- Protect access to your Sophos Mobile Encryption application with an optional password.
- Fully transparent key management, so you don’t need to enter the passphrase each time you open a file.
- Store your encrypted files in the local storage area within the app. Local storage is also accessible via USB from your PC or Mac.
- Encrypt and upload files handed over by applications from cloud storage providers.
- Supported cloud storage solutions: Dropbox, Google Drive, Microsoft OneDrive (formerly SkyDrive), Egnyte, Telekom Media Center, WebDAV (e.g., Windows Server, ownCloud or Strato HiDrive)
Sophos Mobile Encryption for Android
Download the Sophos Mobile Encryption app from Google Play for Android devices. Requires Android 2.3.3 and up.
Sophos Mobile Encryption for iOS
Download the Sophos Mobile Encryption app from iTunes for iOS devices. Requires iOS 5.0 or later. Compatible with iPhone, iPad, and iPod Touch. This app is optimized for iPhone 5.
For business users: You can get Sophos Mobile Encryption together with the optional SafeGuard Enterprise Encryption for Cloud Storage module. The app extends access to encrypted files to mobile devices – for persistent encryption wherever your users are working.
You can read the original article here.
UTM Buyers Guide gives you everything you need to find the best protection that’s also the easiest to manage.
This guide will allow you to:
- Understand what a modern UTM can do for you
- Compare product features, and know what you need to keep your network secure.
- Ask the right questions of vendors as you consider your options
Click here to download the Buyers Guide.
The October 2013 CPU covers fixes for: Oracle Database Server, Oracle Enterprise Manager Grid Control, Oracle Supply Chain Products Suite, Oracle Siebel CRM, Oracle Industry Applications, Oracle Primavera Products Suite, Oracle and Sun Systems Products Suite, Oracle MySQL, Oracle Fusion Middleware, Oracle E-Business Suite, Oracle PeopleSoft Products, Oracle iLearning, Oracle Financial Services Software, Oracle Java SE and Oracle Virtualization. All of these updates are important, but arguably Java is the most important of all of them.
51 security vulnerabilities are addressed in Java this quarter, and 50 of them affect Java Applets or Java WebStart, the plugin that runs Java in your web browser. Worse yet, all but one are remotely exploitable without authentication. Some versions of Java update themselves, some rely on the operating system vendor and others are too old to support an auto-update mechanism. This does not make things easy.
Our advice?
1) Determine whether you have Java installed and enabled in your web browser. Visit java.com/en/download/installed.jsp and click “Verify Java version”. If your browser prompts you to install Java, close the tab; you’re Java-free. If it loads the applet, check your version. Be sure you are running Java 7 update 45 (1.7.0_45), Java 6 update 65 (1.6.0_65) or Java 1.5.0_55.
If you must have Java installed you ought to be running Java 7 (1.7). All previous versions are not officially supported and present a greater security risk.
2) If Java is installed and out of date, be sure to update it. Windows users can open the Java Control Panel, select the Update tab and choose Update now. Mac users can check for updates using the integrated Apple updater. Linux users should follow normal procedures for system updates provided by their distribution.
3) Most importantly, if you don’t need Java, get rid of it. Java can be useful for applications (Minecraft, payroll, mortgage calculators) and server-side applications (JBoss and more), but it doesn’t belong in your browser. If you’re not sure, I recommend disabling it. If you run across things that require Java, your browser will alert you with instructions.
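The version check from steps 1 and 2 can also be scripted for the Java runtime on a machine's PATH. The following is an added example, not part of the original article: it parses the banner printed by `java -version` and compares it with the patched update levels named above. The sample banners are constructed, and the status labels are this example's own.

```python
import re
import subprocess

# Patched update level per Java family, as listed in the article
# (Java 7 update 45, Java 6 update 65, Java 1.5.0_55).
PATCHED_UPDATE = {7: 45, 6: 65, 5: 55}
SUPPORTED_FAMILY = 7  # the article: families before Java 7 are not officially supported

# Matches the quoted version in the `java -version` banner,
# e.g. java version "1.7.0_45"; the _NN suffix is absent on update 0.
VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(banner):
    """Return (family, update) parsed from a `java -version` banner, or None."""
    m = VERSION_RE.search(banner or "")
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def assess(banner):
    """Classify a banner against the baselines in PATCHED_UPDATE."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"              # no recognisable version string
    family, update = parsed
    baseline = PATCHED_UPDATE.get(family)
    if baseline is None:
        return "not-covered"          # family the article gives no baseline for
    if update < baseline:
        return "outdated"             # step 2: update it
    if family < SUPPORTED_FAMILY:
        return "patched-unsupported"  # patched, but an unsupported family
    return "patched"


def local_banner():
    """Banner of the `java` on PATH, or None if it is missing or hangs.

    This sees only the command-line runtime; whether the browser plug-in
    is enabled still has to be checked as described in step 1.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=15)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stderr + proc.stdout  # the banner is written to stderr


# Constructed sample banners, one per outcome.
SAMPLES = [
    'java version "1.7.0_45"\nJava(TM) SE Runtime Environment',
    'java version "1.7.0_40"',
    'java version "1.6.0_65"',
    'java version "1.7.0"',
    "command not found",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample.splitlines()[0]), "->", assess(sample))
    banner = local_banner()
    print("this machine:", "no java on PATH" if banner is None else assess(banner))
```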
You can read the original article, here.
As we explain below, next-generation firewalls are typically defined as firewalls enhanced with intrusion prevention and application intelligence. On the other hand, UTM systems include those features—plus additional technologies such as email security, URL filtering, wireless security, web application firewalls and virtual private networks (VPNs). In this view, UTM systems include NGFWs as components.
Manager’s guide to UTM and next-gen firewalls
UTM systems are among the most widely used tools in the information security arsenal. The concept of unified threat management is very appealing: multiple critical security technologies, integrated on a single platform, provided by a single vendor.
IT managers evaluating UTMs need clearly defined criteria to choose the right protection.
You may wonder: Is a UTM solution right for my organization? What security features are most important? What other issues need to be considered, such as ease of management and support for remote users?
Download our free guide to get the answers to these questions: A Manager’s Guide to Unified Threat Management and Next-Gen Firewalls. (Registration required).
You can read the original article here.
When you consider the country’s huge online population, it’s not surprising that the U.S. sends so much spam. Spam comes from “bots” — computers infected with malware and under the control of a criminal. “Bot masters” can use servers anywhere in the world to give the bots instructions. So spam-bots in the countries on our list aren’t the authors of the spam, they are more like the messengers.
While it’s interesting to call out the 12 “dirty dozen” countries that send the most spam by volume, we also like to look at the amount of spam by population. It’s a diverse list of nations, and even small countries have a big spam problem.
The Dirty Dozen Spampionship
We’ve been measuring spam in our quarterly “Spampionship” going back a few years, and the U.S. consistently tops our charts. As you can see in the graphic below, bots in the U.S. send by far the most spam of any country, with second-place France (responsible for 6.7% of spam) well behind.
Other countries in our top 12 include China (third at 6.2% of spam) and Russia (fifth at 5.1% of spam), both consistently at the top of our charts quarter after quarter.
Spam per person – a fairer measure
We also look at spam “per person.” We do this because we think it’s a fairer measure of how spammy a country is. By setting the U.S. as the baseline, we can see how likely it is that a computer in a given country is a spam-sending bot compared to the U.S.
This past quarter, Bulgaria was the top country for spam per person, coming in at 2.1 times the U.S. Belarus, which had been at the top of the spam-per-person chart for the past year, dropped to second place, at 1.9 times the U.S. spam level.
Fight back against spam and cybercrime – kill a spam-bot
Spam is truly a global problem — spam-bots can be anywhere in the world. Remember, if your computer is infected with spam-sending bot malware, you are part of the problem. Do your part to fight back against spam — download our free Virus Removal Tool to scan your computer and automatically clean up malware.
You can learn more about our “Spampionship” series by visiting our award-winning Naked Security blog. If you’re a business looking to keep your email secure, Sophos blocks spam and email-borne threats. Learn more about email security from Sophos.
You can read the original article, here.
Instead of just reinstalling your favourite apps and starting afresh, your new device will know how to get online straight away, how to get into your Twitter account, and how many Angry Birds levels you haven’t conquered yet.
Clearly, Google keeps a raft of configuration data on your behalf, because if you have the option enabled and then decide to turn it off you get this dialog:
So how risky is this option? It’s not risky in the sense, for example, of the recent flaw in the Tumblr app on iOS. There, Tumblr forgot to secure the actual transmission of personally identifiable information (PII), such as your password. That meant that crooks at a coffee shop, for example, might easily be able to sniff out and extract your Tumblr password.
The Android issue is more subtle: the data is encrypted in transit, and Google (for all we know) probably stores it encrypted at the other end. But it’s not encrypted in the sense of being inaccessible to anyone except you. That’s obvious because you can recover your data from Google even after you’ve wiped (or lost) your device, or changed your Google account password. In other words, Google can unilaterally recover the plaintext of your Wi-Fi passwords, precisely so it can return those passwords to you quickly and conveniently even if you forget your device password and have to start over. That’s just the sort of convenience which many users will trade against security.
So, let’s say some Three Letter Agency were to use some prismatic technique to acquire those Wi-Fi passwords from Google. Is that likely? If so, would it be bad? I have to say that it probably would be, if only because the list of Wi-Fi networks and passwords on your device is most likely much more extensive than just your own network in your own home. You’d effectively be helping to build a list of passwords to go with the already-existing and extensive maps of Wi-Fi access points built up over years, both by Google and others. You probably don’t want to help anyone, friend or foe, to do that.
The solution is to encrypt everything “for your eyes only” before you back it up anywhere, especially into the cloud. And the problem with that is it’s not quite as convenient, not least because there’s no password-free way to recover that backed-up data, for example if you forget your password. That’s the dilemma we all face. Are you prepared to accept a digital equivalent of locking your keys in the car forever (for example if you forget your full-disk encryption password and didn’t save the recovery key)? Or would you prefer to have what amounts to a backdoor to your own, or worse still, to other people’s, personal information? What do you think?
You can read the original article, here.
“WD is using enterprise-class components to build a new family of network appliances for small businesses,” said Bill Evans, general manager of WD’s business storage solutions group. “The WD Sentinel S-series network appliances are engineered with Intel Xeon processors, pre-populated with WD Se datacenter 3.5-inch hard drives for rapid deployment, and feature dedicated 2.5-inch boot drives for maximum reliability. No other vendor offers a comparable network storage plus server in an equally small form factor. With a small footprint and quiet fan, an S-series appliance can be deployed anywhere.”
Proven Components from Intel, Microsoft, and WD
Built by WD, powered by an Intel Xeon processor and running Windows Server 2012 R2 Essentials, the WD Sentinel S-series is based on proven technologies from industry leaders. Unlike competitors’ proprietary operating systems, the S-series is a fully configured native Windows Server on which customers can deploy thousands of Windows applications.
“Windows Server 2012 R2 Essentials gives customers the benefit of built-in, groundbreaking, low-cost storage technologies, and WD’s Sentinel S-series hardware helps small businesses take advantage of these technologies,” said Jamie Hamilton, Director of Marketing, OEM Division at Microsoft Corp. “We are pleased to work with WD to tackle the small business, first-server opportunity. WD’s hardware engineering expertise, previous success with network storage products based on Windows Storage Server, and leadership in offering an R2 version of Windows Server 2012 Essentials puts WD in a good position to serve this industry.”
Reliable Enterprise Grade Components
The WD Sentinel S-series includes WD 3.5-inch datacenter-class hard drives for enhanced data security. Businesses gain enterprise-class reliability with dual dedicated boot drives (optional on WD Sentinel DS5100), dual gigabit Ethernet ports, and dual external DC-in power adapter ports. This engineered redundancy, along with a bezel lock for physical security, all add to the reliability of this ultra-compact network storage plus server that can be deployed virtually anywhere.
Affordable First Server for Any Small Business
The WD Sentinel S-series is a complete, fully-configured solution with automatic backup and restore software for up to 25 users and 50 computers, all at a very affordable price that starts at $2,560 U.S. MSRP. By combining a single solution for both storage and server requirements, the S-series appliances are a great solution for any small business looking for their first server.
“Finally, a network storage vendor has delivered a low-cost, turn-key solution that meets my customers’ requirements—with no assembly required,” said Kevin Royalty, Microsoft MVP and Managing Partner of Total Care Computer Consulting in Centerville, Ohio. “Small business customers want a packaged solution with balanced disk, processor, memory, and operating system that is engineered and tested as a unit. The DS5100 and DS6100 appliances are ideal as a ‘first server’ due to the high-performance Intel Xeon processor, Windows Server, high-capacity enterprise-class disk storage, and tiny footprint.”
Availability
WD Sentinel S-series appliances are available today at CDW, PC Connection, and Insight, and through select VARs, resellers, and distributors worldwide. The WD Sentinel DS5100 is pre-populated in capacities of 4 or 8 TB. The WD Sentinel DS6100 is available with capacities of 8, 12, or 16 TB.
A ‘channel-first, channel-focused’ company, Sophos continues to receive impressive recognition from CRN/The Channel Company, most recently with Michael Valentine, senior vice president, worldwide sales, and Kendra Krause, vice president of channel sales, North America, being named Channel Chiefs just last month. Late last year, Michael Valentine was also named a top IT executive for the mid-market.
Sophos enables partners to sell, market, distribute and implement its award-winning cloud, network, server and enduser protection solutions to organizations of all sizes. The company recently announced a new partner program for North America which includes a simplified deal registration and discount structure, full access to the Sophos product and solution portfolio, sales and marketing tools, training and technical enablement, and significant investments in local channel sales and SE resources.
To determine the 2014 5-Star recipients, The Channel Company’s Research team assessed each vendor’s application based on investments in program offerings, partner profitability, partner training, education and support, marketing programs and resources, sales support and communication.
“Solution providers have a lot of choices when it comes to selecting vendor partners. Identifying the right vendor, with the right technologies, and the right approach can make all the difference,” said Robert Faletra, CEO, The Channel Company. “Our annual Partner Program Guide and 5-Star rating recognizes the very best channel programs available in the market today to help solution providers determine which vendor delivers the best partner elements for their individual business goals.”
John Keenan, vice president of sales for North America, Sophos, said, “Receiving 5-Star recognition from CRN is validation that our strategy is working. From the highest levels, the Sophos team works hard to demonstrate our commitment to the channel in everything we do. We believe investing in those partners who commit to growing their business with us is a smart, simple approach to building lasting relationships and growing revenue. We’re honored to receive positive accolades that come as a result of that approach.”
For more information on the Sophos Partner Program, or to learn more about becoming a Sophos partner, visit the Sophos website. The 2014 Partner Program Guide will be featured on CRN.com and the 5-Star Partners listing will be highlighted in the April issue of CRN.
You can read the original article here.
For the first time, AV-Test has released test results comparing malware protection for Macs among 18 major security vendors. The results show a wide disparity in protection against Mac OS X malware. Sophos came out near the top with a 96.6% detection rate. Our Mac protection was better than Kaspersky, Trend Micro, Symantec and McAfee. You can see the full results at the AV-Test website. AV-Comparatives tests also show Sophos protects Macs better — and we won’t slow Macs down either. According to the Register, the AV-Comparatives tests showed that Sophos “aced the test.”
Protect your Macs
Malware targeting Mac OS X isn’t as widespread as malware for Windows and Android, but the threat is real and growing. And with more businesses expecting to add Macs in the future, protecting them will need to be a top priority. You need security that works not just for Windows malware, but for Macs and mobile devices too.
Visit sophos.com/best-endpoint to see how Sophos beats the other security vendors, from protection to performance, compatibility, and price.
You can read the original article here.
As it is, Whitten explains, Facebook gives users the option of linking their mobile numbers with their accounts. Users then can receive updates via SMS and can also log in using their phone number rather than their email address. Whitten found that when sending the letter F to Facebook’s SMS shortcode – which is 32665 in the UK – Facebook returned an 8-character verification code. After submitting the code into the activation box and fiddling with the profile_id form element, Facebook sent Whitten back a _user value that was different from the profile_id that Whitten modified.
Whitten says that trying the exploit might have led to having to reauthorize after submitting the request, but he could do that with his own password instead of trying to guess at his target’s password.
After that point, Facebook was sending an SMS confirmation. From there, Whitten said, an intruder could initiate a password reset request on his targeted user’s account and get the code back, again via SMS. After a reset code is sent via SMS, the account is hijacked, Whitten wrote: “We enter this code into the form, choose a new password, and we’re done. The account is ours.”
Facebook closed the security hole by no longer accepting the profile_id parameter from users. This could have been a valuable flaw were it to fall into the hands of attackers who might have used it to steal personal data or send out spam. As it is, one commenter on Whitten’s post who obviously didn’t understand the “it’s now fixed” part of the story made the bug’s value clear with his or her eagerness to figure out how to exploit it:
›khalil0777 • a day ago
someone explain me how to exploit it i am realyy need it i wait your helps friends :/
:/ oh well, ›khalil0777, looks like you’re too late for that party.
I’d say better luck next time, but perhaps instead I’ll save my good wishes for Mr. Whitten.
May he enjoy his $20,000.
It was well-earned, and it’s a bargain for Facebook even were the reward to be doubled, considering the grief that could have been caused by such an easy exploit.
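The class of bug described above, a server that takes the account to modify from a request field instead of from the authenticated session, is shown below next to the corrected pattern. This is an added example, not Facebook's code: the function names, the in-memory stores and the phone number are hypothetical, and only the profile_id field name and the 8-character code come from the article.

```python
import secrets

# Constructed in-memory state standing in for a session store and database.
PENDING_CODES = {}  # verification code -> phone number that requested it
LINKED_PHONES = {}  # account id -> phone number linked to that account


def issue_code(phone):
    """Issue an 8-character, single-use verification code for a phone."""
    code = secrets.token_hex(4)  # 4 random bytes -> 8 hex characters
    PENDING_CODES[code] = phone
    return code


def confirm_link_vulnerable(session_user, form):
    """Pre-fix pattern: the account to modify is read from the request."""
    phone = PENDING_CODES.pop(form["code"], None)
    if phone is None:
        raise PermissionError("unknown or already used code")
    target = form.get("profile_id", session_user)  # client-controlled identity
    LINKED_PHONES[target] = phone
    return target


def confirm_link_hardened(session_user, form):
    """Post-fix pattern: the account comes only from the authenticated session."""
    supplied = form.get("profile_id")
    if supplied is not None and supplied != session_user:
        # Assumption: reject (and let monitoring count) mismatches rather than
        # silently dropping the field, so tampering attempts are visible.
        raise PermissionError("profile_id does not match the session user")
    phone = PENDING_CODES.pop(form["code"], None)
    if phone is None:
        raise PermissionError("unknown or already used code")
    LINKED_PHONES[session_user] = phone  # profile_id is never used as a key
    return session_user


if __name__ == "__main__":
    code = issue_code("+440000000001")  # constructed phone number
    try:
        confirm_link_hardened("alice", {"code": code, "profile_id": "bob"})
    except PermissionError as exc:
        print("rejected:", exc)
    print(confirm_link_hardened("alice", {"code": code}), LINKED_PHONES)
```

The hardened handler checks the mismatch before consuming the code, so a rejected request does not burn the legitimate user's verification code.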
Click here to see the original article.
Steve Gollschewski, Deputy Commissioner, Strategy, Policy and Performance, presented the award to Rob Forsyth, Director Sophos Asia Pacific, in recognition of the team’s ongoing partnership with the Queensland Police Service, working closely with the community to provide education material for community groups, as well as hosting the Sophos Signature events to explore current and emerging issues, and raising greater awareness in the government and business communities regarding fraud and cybercrime.
According to Detective Superintendent Brian Hay, Head of Fraud Division, Queensland Police Service, the concept of working with the private sector in regard to fraud and cybercrime started 12 years ago, and Sophos has supported what is now known as Project Synergy right from the start.
“The Fraud and Cybercrime Partnership Award recognises the Queensland Police Service’s need to partner with industry entities such as Sophos, to better secure and protect the Australian community,” said Detective Superintendent Brian Hay.
“Sophos has shown the courage and character to step forward to participate with the Queensland Police Service since Project Synergy’s inception, and we look forward to continuing our ongoing relationship, to further build and enhance innovative strategies to protect Australia and indeed global communities.”
Sophos has worked closely on many key security projects and initiatives including the Over the Horizon Forum for the Department of Broadband, Communications and the Digital Economy, an event that takes place during National Cybersecurity Awareness Week, where Sophos is an active supporter and committee member.
Sophos also works directly with leading industry associations including the Internet Industry Association (IIA) and Australian Computer Society. Sophos is a member of the Australian Government’s National Standing Committee on Cloud Computing advising on security issues and an Industry Code of Best Practice. The company is also actively supporting the Internet Industry Association’s inaugural National Online Security Council forum being held next month.
Forsyth says the award is an indication of the ongoing work the company invests within the business community to raise greater awareness of security issues.
“It is an absolute honour for Sophos to be recognised by the Queensland Police Service, with this inaugural Partnership Award, and we thank Detective Superintendent Brian Hay and Queensland Police in recognising Sophos’s continued work and education in the community,” Forsyth said.
Sophos will continue its work in driving awareness around security issues, particularly on a local level, rallying the community and business to work together in ensuring Australians understand online safety, fraud and cybercrime.
You can read the original article here.
Quantum computing hinges, very broadly, on allowing individual bits (called qubits) to contain superimposed values of zero and one, vastly increasing computing power. Its implications for cryptography, medicine, and research have made it a major goal for public services and private industry alike: DARPA has devoted years of funding to quantum computing research, and Google launched its own “Quantum Artificial Intelligence Lab” last year.
But while qubits have been stored for a limited period of time under certain conditions, and specialized machines have been built using quantum technology, that’s not enough for practical code-breaking applications. Last year, for example, The Economist all but ruled out the possibility that the NSA had a crypto-ready quantum computer.
The NSA’s program, part of the larger intelligence community “Black Budget,” doesn’t actually task anybody with building a quantum computer. According to the memo, it asks researchers to “conduct basic research in quantum physics and architecture/engineering studies to determine if, and how, a cryptographically useful quantum computer can be built.” So while the grant fits with the NSA’s general mission — and quantum computing could one day pose a real threat to present-day encryption methods — it’s a lot more theoretical than the agency’s ability to, say, seed malware to computers from miles away.
You can read the original article here.
UTM Series appliances will remain an important part of our hardware appliance portfolio and continue to enjoy all the great new features and enhancements that come with every software update. Our UTM Series delivers unmatched value with a great balance of price, performance and protection.
As you know, at Sophos, every feature is available on every appliance — and our UTM Series appliances are no different. And because they are based on an Intel architecture, you can benefit from all future software enhancements and performance optimizations — past, present, and future.
Features you get with Sophos UTM Series
- Intel architecture provides a future-proof upgrade path unlike ASICs
- Same protection on every appliance, from our smallest to our largest
- Cluster up to 10 appliances dynamically without external load balancers
- A range of models at performance and price points to fit diverse environments
Sophos UTM Series — Eight (8) models suitable for organizations of all sizes
- Small: The UTM 100, 110, and 120 are ideal for small organizations or branch offices that have less demanding traffic capacity requirements, but still want the best network protection.
- Medium: The UTM 220, 320 and 425 provide the optimal balance between performance and protection for a variety of different environments.
- Large: The UTM 525 and 625 are designed to protect even the most demanding enterprise networks. They are purpose built for scalability, reliability, and high availability.
UTM Series Tech Specs
Datasheets: UTM 1xx | UTM 220 | UTM 320 | UTM 425 | UTM 525 | UTM 625
You can read the original article here.
“Our goal of ‘Security made simple’ can only be fully realized when every interaction Sophos has with customers and partners exceeds their expectations,” said Kris Hagerman, chief executive officer of Sophos. “Mary has an extraordinary track record in building dynamic and high-impact customer care and customer support organizations, and we are thrilled to welcome Mary to our management team.”
With Sophos, Winfield will promote and lead a world-class customer support organization that leverages the latest technologies, methodologies and engagement channels to deliver the highest levels of customer satisfaction. Sophos already has one of the industry’s highest reputations for support quality and customer satisfaction. Winfield’s mission will be to enhance that reputation even further; her organization will serve as the focal point for the “voice of the customer” within Sophos and advocate for customers’ needs across all facets of the business.
Mary Winfield said, “I am excited to join the Sophos team. I believe the company is executing a winning strategy, with winning products and a commitment to customer excellence that sets the standard for the security industry. I look forward to helping the company make the most of every engagement with customers in our quest to make security simple.”
One of our SophosLabs researchers, Anna Szalay, made an interesting discovery recently: a new type of Android malware that slips in through a security hole in the USB debugging feature that allows developers to modify their Android devices. Naked Security expert Paul “Duck” Ducklin reports that this malware can intercept your SMS text messages to steal bank transaction details.
Duck explains in his post that intercepting SMSes from your Android phone allows the attackers to steal information they can use to access, for example, your email accounts or bank accounts:
The crooks want to infect you with malware that knows how to intercept incoming SMSes and redirect their content elsewhere. You can see where this is going: mobile malware that reads your SMSes before you do can steal important data such as the two-factor authentication (2FA) codes sent by your email provider or your bank, giving cybercriminals a way into your account despite the extra layer of protection in place.
SophosLabs detects this SMS-stealing malware as Andr/FakeKRB-H. As Duck explains, this malware gets onto your Android in a multi-step process that starts with your device getting infected by a crafty piece of Windows malware that sneaks in through the USB connection between your Android and a PC. This “helper” malware is a downloader detected by SophosLabs as Troj/DwnlAPK-A.
If you connect your Android to a PC infected by Troj/DwnlAPK-A, the malware sneaks in under the guise of files that “appear to be regular, clean files that enable full USB-to-phone connectivity on Samsung and LG devices,” Duck writes.
Then, once the downloader is installed, it loads the Android malware onto your device in what appears to be an app disguised as a Google-imitating “Google App Store” (the real Google store is simply called “Play Store”).
This is a good reminder that the bad guys continue to develop inventive ways of compromising our security to get at our most valuable data. Read the article at Naked Security to learn more about this malware and how to block it with security settings on your Android.