1 Billion Mobile Apps Exposed To Account Hijacking Through OAuth 2.0 Flaw

Threatpost, the security news service of Kaspersky Lab, is reporting a new attack that allows hijacking of accounts in third-party apps that support single sign-on from Google or Facebook over the OAuth 2.0 protocol. msm1267 quotes their article:
Three Chinese University of Hong Kong researchers presented at Black Hat EU last week a paper called "Signing into One Billion Mobile App Accounts Effortlessly with OAuth 2.0"… The researchers examined 600 top U.S. and Chinese mobile apps that use OAuth 2.0 APIs from Facebook, Google and Sina — which operates Weibo in China — and support single sign-on for third-party apps. The researchers found that 41.2% of the apps they tested were vulnerable to their attack… None of the apps were named in the paper, but some have been downloaded hundreds of millions of times and can be exploited for anything from free phone calls to fraudulent purchases. "The researchers said the apps they tested had been downloaded more than 2.4 billion times in aggregate."


via http://ift.tt/2fIjK8N

No More Ransom Helps You Prevent and Recover from Ransomware Attacks

Ransomware attacks are on the rise, and once your computer or network has been infected, it can be really difficult to recover. No More Ransom can help, and more importantly, help you now, before an infection, and later, after one.

The No More Ransom site does a couple of useful things. First, if a computer you use has already been compromised, you can upload an encrypted file and the details of the ransom note you received, and the service (Crypto Sheriff) will identify which ransomware family you're dealing with and point you to a free decryption tool if one exists for it.

If you just want to protect yourself, the site has plenty of tips for keeping your files safe, starting with regular backups; keep at least one copy offline or otherwise disconnected, since ransomware encrypts every drive and network share it can reach. From there, it's about running up-to-date antimalware tools and practicing good web hygiene: turn on "show file extensions" so a file named invoice.pdf.exe can't pass itself off as a PDF, never open attachments from people you don't know, and confirm unexpected ones from people you do know before opening them.

The site is the result of a partnership between Europol, the Dutch National Police, Intel Security and Kaspersky Lab, so keep an eye out for plugs for the vendors' specific tools and technologies, but overall the material there is correct and helpful, and worth a bookmark if you manage computers, work in IT, or are just worried a family member may call you one day asking what a Bitcoin is and why someone is demanding thousands of dollars in them to unlock their PC.

No More Ransom


via http://ift.tt/2ftf3mf

The ASUS RT-AC68U Is Your Favorite Wireless Router

Our wireless router Co-Op came down to a final face-off between two reader favorites, but in the end, the ASUS RT-AC68U took over 2/3 of the vote to claim the title.

This router is simply the best working router I’ve had in years. I’m not even using a tenth of what it’s capable of, but the fact of the matter is it’s the first router I’ve had where I didn’t feel like I needed to power cycle once every couple weeks. – lordkilgar

I second this. And if you’re brave enough, you can install third party firmware to unlock even more advanced features. – jbatubara

I’d also like to add 1) guest Wi-Fi to keep guest devices segregated from your network and 2) ASUS has a baked-in dynamic DNS feature which makes accessing your home network remotely a lot easier if you don’t have a static IP. – wherewallaceatstring


via http://ift.tt/2eN7DGx

Google Sprayscapes lets you build surreal 360-degree landscapes

Google has long held a reputation for being an experimental company, so it was notable that it felt the need to build Android Experiments, the platform it launched last year to show developers how weird you can get when building smartphone apps. The crazy interactive "paper planes" demo Google showed off at its I/O developer conference earlier this year is a perfect example of what the company is encouraging developers to do with Android Experiments.

All developers are encouraged to build Android Experiments, but today Google is launching one of its own called Sprayscape. It’s a weird name, but fairly accurate once you start using the app: It turns whatever your camera sees into a virtual spray paint gun that lets you splash the landscape around a 360-degree virtual canvas. The phone’s gyroscope is used to orient your position inside that sphere.

I won’t fault you if that description just made things more confusing. Here’s an example of an image I created using the app. That should clear everything up.

Still confused? I don’t blame you. It took me a long while to figure out how to best use the app, partially because there’s nothing in the way of directions when you launch Sprayscape for the first time. All you see is a black screen with some white grid lines outlining a 360-degree space. It sort of feels like you’re in an empty Photo Sphere (remember those?).

After many failed experiments, I realized that if you tap and hold on the screen, it’ll "spray" whatever the camera sees onto the 360-degree canvas; if you keep your finger on the screen and move the camera around, you’ll start filling in that space with the colors of the world around you.

It’s not altogether different from creating a Photo Sphere, but Sprayscape encourages weirdness and creativity and is absolutely not well-suited to capturing an accurate representation of the world around you. Once I realized that, I started getting weird. I took my phone on a walk and started randomly spraying in whatever was around me as I walked, with no concern for stitching together a coherent scene.

Another time, I tried to "write" on the virtual wall, with little success; there’s only enough room to get in about three letters, and a lack of precision makes it a pretty tricky prospect. That’s fine, though: There isn’t a "right" way to use the app, and it’s clearly meant for experimentation. Ultimately, the creations I liked the best were when I stood in one spot, spinning around to capture as much of the scene as I could. The results evoked where I was standing, but in a blurry, surreal dream-like way. Stitching together results from various locations looked much weirder and disjointed.

Unfortunately, the app is also pretty buggy right now in some crucial ways — namely saving your creations. Once you’re done making your scene, you can tap a save button that’ll upload an image file to your Google Drive account. You can also upload the link to a Sprayscape sharing site that’ll let others view it in their browser, on web or mobile. Viewing in a browser works pretty well, actually; you can pan around the scene by moving your phone, or click and drag around if you’re on a desktop.

But a few times my creations simply didn’t save to Drive. I’m not sure where they went, but they were gone, never to return. I didn’t exactly mourn the loss of any of my abstract, messy creations, but the overall process for saving and sharing your creations could be a bit smoother. The app also straight-up crashed on me several times, but I’m not going to fault Google too much for that. I’ve been testing a beta version, and I’ll be looking to see if the app that’s now out in Google Play is more stable. The good news is that using the "share" feature to email links around to my weirdo creations seemed to work just about every time — the files just didn’t always end up in Google Drive.

Given Google’s interest in letting people generate their own "VR-ish" content, Sprayscape is a fun tool to achieve those ends. The results can be viewed in Google Cardboard, of course, but Sprayscape creations can still be fun to view in a normal browser. I may not have come up with any great pieces of 360-degree art in the few days I had to play around with the app, but I have little doubt that more skilled souls will use this to make some pretty fascinating landscapes. The app is out now for Android, and Google says that an iOS version will launch soon.

via http://ift.tt/2dWE3Pm

Second Hacker Group Targets SWIFT Users, Symantec Warns

A second hacking group has sought to rob banks using fraudulent SWIFT messages, cybersecurity firm Symantec said on Tuesday. The group is said to be using the same approach that resulted in the $81 million theft in the high-profile February attack on Bangladesh’s central bank. From a Reuters report: Symantec said that a group dubbed Odinaff has infected 10 to 20 Symantec customers with malware that can be used to hide fraudulent transfer requests made over SWIFT, the messaging system that is a linchpin of the global financial system. Symantec’s research provided new insight into ongoing hacking that has previously been disclosed by SWIFT. SWIFT Chief Executive Gottfried Leibbrandt last month told customers about three hacks and warned that cyber attacks on banks are poised to rise. SWIFT and Symantec have not identified specific victims beyond Bangladesh Bank. Symantec said that most Odinaff attacks occurred in the United States, Hong Kong, Australia, the United Kingdom and Ukraine.


via http://ift.tt/2dNAvji

This Infographic Shows the Common Ways Scammers Try to Phish Your Account

Chances are that if your email or social media account has ever been compromised, you handed your credentials to the scammers yourself. The most common way into an account is phishing: an attacker tricks you into entering your login details on a fake site that imitates the real one.

Phishing attacks aren’t new, of course, and there’s likely a deluge of such emails in your spam folder, but phishing is still the leading cause of compromised accounts. This graphic from Digital Guardian highlights how to spot phishing attempts in your inbox and how to avoid them. Whether it’s an unexpected attachment that preys on your curiosity or a spoofed link whose visible text points one place while the real destination is a fake login page dressed up as a familiar brand, scammers use a range of techniques to engineer their way into your account (often just to send more spam from it). And it’s not just email: beware of shady text messages from unknown numbers and callers posing as IRS agents requesting your private information.

The graphic below gives a thorough rundown of common phishing methods.

Don’t Get Hooked: How to Recognize and Avoid Phishing Attacks (Infographic) | Digital Guardian
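As an added example (not from Lifehacker or Digital Guardian), the Python below flags the tells these two pieces describe: a link whose visible text disagrees with its real destination, a familiar brand name buried inside an unrelated host, a punycode (IDN) host that can hide look-alike characters, and, for the "show file extensions" advice in the No More Ransom piece above, an attachment name where a decoy extension hides the real one. The e-mail body, the brand list and the attachment names are constructed for the demonstration, and the registrable-domain check is a last-two-labels heuristic, noted as such in the code.

```python
"""Spot the phishing tells discussed above: link text vs. real destination,
brand names inside unrelated hosts, punycode hosts, and hidden attachment types."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that execute when double-clicked, and decoy "document" extensions
# commonly placed in front of them (invoice.pdf.exe, photo.jpg.zip).
EXECUTABLE_EXTS = {"exe", "scr", "js", "jse", "vbs", "wsf", "hta", "bat", "cmd", "ps1", "jar", "lnk"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

# Constructed sample e-mail body; the hosts are placeholders, not real sites.
SAMPLE_EMAIL = """<p>Your account is locked. Restore access now:</p>
<a href="http://paypal.com.secure-login.example/reset">https://www.paypal.com/reset</a>
<a href="https://www.paypal.com/help">Help center</a>
<a href="http://xn--pypal-4ve.example/login">Sign in</a>
"""


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s: str) -> str:
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def registrable(host: str) -> str:
    # Heuristic: last two labels. Production code should use the Public Suffix List
    # so that example.co.uk is not reduced to co.uk.
    return ".".join(host.split(".")[-2:])


def looks_like_url(text: str) -> bool:
    return text.startswith(("http://", "https://")) or bool(
        re.fullmatch(r"[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I))


def suspicious_links(html: str, brands):
    """Return [(href, visible_text, [reasons])] for anchors showing any spoofing tell."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        reasons = []
        # 1. The text shows one URL, the href goes somewhere else.
        if looks_like_url(text) and registrable(host_of(text)) != registrable(target):
            reasons.append("visible URL differs from real destination")
        # 2. Internationalised label: can render as a look-alike of a Latin brand name.
        if any(label.startswith("xn--") for label in target.split(".")):
            reasons.append("punycode (IDN) host, possible homograph")
        # 3. Brand used as a subdomain or prefix of a domain the brand does not own.
        for brand in brands:
            if brand in target and registrable(target) != brand:
                reasons.append(f"'{brand}' appears inside unrelated host {target}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


def risky_attachment(filename: str) -> bool:
    """True when the name hides its real type: a right-to-left override character
    (reverses how the name displays), an executable extension, or a decoy
    document extension sitting in front of the real one."""
    if "\u202e" in filename:
        return True
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False
    if parts[-1] in EXECUTABLE_EXTS:
        return True
    return len(parts) >= 3 and parts[-2] in DECOY_EXTS


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL, ["paypal.com"]):
        print(f"{href!r} shown as {text!r}: {'; '.join(reasons)}")
    for name in ("invoice.pdf.exe", "report.docx", "photo.jpg.zip"):
        print(name, "->", "RISKY" if risky_attachment(name) else "ok")
```

Run against the sample, the first and third links are flagged (the first for two reasons) and the genuine help-centre link passes; "invoice.pdf.exe" and "photo.jpg.zip" are flagged while "report.docx" is not.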

via http://ift.tt/2dL5oHK

The Difference Between Two-Factor and Two-Step Authentication

You know you should use two-factor authentication everywhere you can, but there’s also “two-step” authentication, which may come off like the same thing. They’re really not. Here’s the difference, and what you should know about both.

Old security heads will know the difference here just from the names, but since the terms are often used interchangeably by companies looking to blur the distinction, it’s worth highlighting the separation between them. This thread at StackExchange sums up the difference well for anyone unfamiliar with it, or who doesn’t get the nuance. This answer from tylerl teases out the nitty-gritty details:

Two-factor authentication refers specifically and exclusively to authentication mechanisms where the two authentication elements fall under different categories with respect to “something you have”, “something you are”, and “something you know”.

A multi-step authentication scheme which requires two physical keys, or two passwords, or two forms of biometric identification is not two-factor, but the two steps may be valuable nonetheless.

A good example of this is the two-step authentication required by Gmail. After providing the password you’ve memorized, you’re required to also provide the one-time password displayed on your phone. While the phone may appear to be “something you have”, from a security perspective it’s still “something you know”. This is because the key to the authentication isn’t the device itself, but rather information stored on the device which could in theory be copied by an attacker. So, by copying both your memorized password and the OTP configuration, an attacker could successfully impersonate you without actually stealing anything physical.

The point of multi-factor authentication, and the reason for the strict distinction, is that the attacker must successfully pull off two different types of theft to impersonate you: he must acquire both your knowledge and your physical device, for example. In the case of multi-step (but not multi-factor), the attacker needs only to pull off one type of theft, just multiple times. So for example he needs to steal two pieces of information, but no physical objects.

The type of multi-step authentication provided by Google or Facebook or Twitter is still strong enough to thwart most attackers, but from a purist point of view, it technically isn’t multi-factor authentication.

So what does this all mean for you? Not much in practice: if a service offers two-step or two-factor, you should absolutely enable it, and a service rarely gives you a choice between the two. There are differences between types of second factor, though, and you should choose the strongest one offered: a code sent by SMS is weaker than one from an authenticator app (the phone number can be hijacked), and a hardware security key is stronger than either because its secret cannot be copied off the device. Knowing these differences helps you understand exactly how secure your most important accounts really are.

Two-Step vs. Two-Factor Authentication – Is there a difference? | StackExchange


via http://ift.tt/2dPpC34