09 May 2014

Apple is under pressure to patch a security flaw in iOS 7, after researcher Andreas Kurtz published his discovery that email attachments are unencrypted on iPhones and iPads, and can be accessed by an attacker using “well-known techniques.”

Apple usually doesn’t talk about any security bugs until it has issued a patch, although in this case the company confirmed the vulnerability and said it is working on a fix.

This probably isn’t a show-stopping hole – it seems that an attacker can’t use the bug to read your email attachments remotely – but it was serious enough to get Apple’s reaction.

Apple security patching getting better?

The security community often criticizes Apple for its slow reaction to vulnerabilities and infrequent patching.

But the Silicon Valley tech giant seems to be responding with more security updates in recent months than in the past.

Already iOS 7 has had five major updates (iOS 7.0.1 – 7.0.4, and iOS 7.1.1), including multiple fixes for security bugs.

In iOS 7.0.2, Apple fixed two bugs that allowed anyone to make phone calls or share user photos from the lock screen, without using the passcode.

Kurtz said he had disclosed the email attachment bug in iOS 7 to Apple two weeks prior to the iOS 7.1.1 update, meaning Apple has known about the flaw for more than a month.

With four weeks to fix a security bug, you could argue that Apple has had plenty of time already, and should push out its patch quickly now that the vulnerability has attracted attention.

Microsoft, for example, just last week released a patch for a zero-day vulnerability in all versions of Internet Explorer after only a few days (even in IE 6 and XP).

The IE zero-day, CVE-2014-1776, was actively being exploited in targeted attacks, Microsoft said.

Apple has made a quick turnaround of a serious security bug quite recently – the encryption flaw called the Goto fail bug, because of an erroneous line of code that repeated the phrase “goto fail.”

The extra “goto fail” caused an important security check to be bypassed, which meant a phony TLS certificate from a phishing website could trick OS X into giving it the all clear.
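The shape of that bug, reduced to a minimal C sketch. This is an added illustration, not Apple's code: `hash_update`, `hash_final` and `verify_signature` are hypothetical stand-ins for the handshake steps, and the buggy form is shown beside a braced, corrected one.

```c
#include <stdio.h>

/* Hypothetical stand-ins for the steps of a TLS signature check.
   Each returns 0 on success and non-zero on error. */
static int hash_update(int ok)             { return ok ? 0 : -1; }
static int hash_final(int ok)              { return ok ? 0 : -1; }
static int verify_signature(int sig_valid) { return sig_valid ? 0 : -2; }

/* Buggy shape: the second "goto fail" is not governed by the if, so it
   always runs and jumps past the signature check while err is still 0. */
int verify_buggy(int sig_valid)
{
    int err;

    if ((err = hash_update(1)) != 0)
        goto fail;
        goto fail;                      /* duplicated line: always taken */
    if ((err = hash_final(1)) != 0)
        goto fail;
    err = verify_signature(sig_valid);  /* never reached */

fail:
    return err;                         /* 0 means "signature accepted" */
}

/* Corrected shape: braces make the scope of each jump explicit, and the
   signature check runs whenever the earlier steps succeed. */
int verify_fixed(int sig_valid)
{
    int err;

    if ((err = hash_update(1)) != 0) {
        goto fail;
    }
    if ((err = hash_final(1)) != 0) {
        goto fail;
    }
    err = verify_signature(sig_valid);

fail:
    return err;
}

int main(void)
{
    /* sig_valid = 0 models a forged signature (constructed input). */
    printf("forged signature, buggy check: %d\n", verify_buggy(0));
    printf("forged signature, fixed check: %d\n", verify_fixed(0));
    return 0;
}
```

Recent GCC and Clang releases flag the stray line through `-Wmisleading-indentation`, which GCC includes in `-Wall`.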

Apple discovered the bug in iOS and released a patch, for iPhones and iOS devices, but researchers soon discovered the error wasn’t patched in OS X 10.9 Mavericks for the Mac.

Apple responded to the bug with a security patch for Mavericks in just three days.

Keep your iDevices secure

The easiest way to keep your iPhones and iPads secure is, of course, to enable data protection and use a passcode to lock the device.

On the iPhone 5s, you have the option to use fingerprint authentication instead of a passcode, which Apple is touting as a more secure option.

Even the fingerprint scanner can be hacked though – researchers found out that it’s possible to create a fake fingerprint from a photo of the victim’s print.

(The same trick also works on the fingerprint scanner on the Samsung Galaxy S5.)

Creating a secure passcode is really important – the longer the better.

But the most effective kind of data protection relies on more than just a password or passcode. Two-factor authentication (also called two-step authentication, or 2FA) provides an extra layer of security.

Wherever possible you should enable two-factor authentication for your mobile apps, especially banking apps.

You can listen to our Sophos Techknow podcast about 2FA to learn more (and you should!).

If you’re an Apple user concerned about security on your Macs, you can also try our five security tips for better Mac security.

09 May 2014

Facebook’s the company that’s always been about keeping it real. Real identity. Real names. Real people.

Well, now that anonymity is all the rage – just ask Snapchat, Whisper and Secret how much users like to keep their identities or content hush-hush – Facebook’s going to serve it up.

To that end, at the F8 developers conference on Wednesday, Facebook unveiled Anonymous Login: a way to use your Facebook account to anonymously log in to other sites and apps.

Mind you, this does not mean you can anonymously log in to Facebook itself.

Facebook will still suck up all the information about you that it always has, plus a running tab of all the sites and services you fancy.

But what about the soon-to-be-famished developers, whom Facebook will be depriving of the data its users once spread throughout the land?

They’re just going to have to deal with it, Zuckerberg told Wired’s Steven Levy:

Our philosophy is that we care about people first. In the case of login, some of the things that we’re doing may add a little bit of friction to the experience by giving people the opportunity to not share certain things with apps.

That will mean that developers will have to adjust. Over time, making it so that people trust the blue button to log in to Facebook will ultimately be good for developers, too.

Facebook cares about people first, Zuckerberg said, which means they should be able to refuse apps’ requests for information. Unless, of course, you’re talking about the app that is Facebook, in which case it’s a continuing data bacchanalia.

Anonymous Login is just one change in the new Facebook Login, which will also let mobile users edit the information they provide, feature a redesign that highlights the audience that apps will post to when they request permission to post back to Facebook, and will let people decide what information they want to share about themselves, including their friend list.

Facebook says it’s testing Anonymous Login with a few developers, and it will be opened up to more developers in the coming months.

Undeniably, users like the “blue button” when it comes to fast and easy login to sites and apps, without having to remember separate usernames and passwords.

People don’t like it a little. They like it a lot – to the tune of using it over 10 billion times last year, Facebook said in its announcement.

We can expect many, many people to choose to hide their identities behind Facebook, I’m sure.

And expect Facebook to be all the more data-rich because of it.

Is Anonymous Login a good thing, security-wise? We often tell you to be careful of what information you share with apps, be they mobile apps or third-party Facebook apps. So yes, feeding apps less information seems like a good thing.

Of course, you should still be careful about the information you share with Facebook itself.

And of course, you can always stay up to date on privacy leakage and other internet threats by liking the Naked Security page on Facebook.

09 May 2014

Viber, a mobile messenger app that allows users to make phone calls and send text messages and images for free, also gives up plenty of free user data to anyone who wants to listen.

According to researchers from the University of New Haven (UNH) in Connecticut, US, Viber’s app sends user messages in unencrypted form – including photos, videos, doodles, and location images.

All of that rich data from users is also stored unencrypted on Viber’s servers, rather than being deleted immediately, and is accessible without credentials, just a link, the UNH researchers said.

It’s the second cryptographic blunder exposed by UNH researchers in as many weeks – the UNH Cyber Forensics Research & Education Group disclosed on 13 April 2014 that the WhatsApp messenger app also gives away user location data in unencrypted form.

Using a Windows PC as a Wi-Fi access point, the UNH team was able to capture data sent by an Android smartphone with regular traffic sniffing tools, the same approach taken by UNH in their experiments with WhatsApp.

In a video posted on the UNH website and YouTube, the researchers demonstrated capturing messages sent between two test Android phones.

Data can be intercepted by poisoned access points, by malicious users on the same Wi-Fi network, or elsewhere in the network between you and Viber.

In the video, one of the researchers said the unencrypted messages can also be retrieved from Viber’s servers by anyone who knows the message URL:

The data is stored on Viber’s server in an unencrypted manner. There is also no authentication method used, so anybody who has access to these links can look at this data, retrieve this data, and do whatever they want with it.

The researchers, Dr Ibrahim Baggili and Jason Moore, said in a blog post that they reported the security flaw directly to Viber before publishing their results but did “not receive a response from them.”

In a statement to CNET, Viber said it would be releasing a fix soon for Android and iOS, and said the issue has been “resolved.”

This issue has already been resolved. It is currently in QA and the fix will be released for Android and submitted to Apple on Monday. As of today we aren’t aware of a single user who has been affected by this.

The fact is that a modern online messaging app shouldn’t really be “fixing” this sort of blunder – encryption should have been baked in from the start.

And for all that Viber may have “fixed” its apps to exchange data securely now, it hasn’t said anything about addressing the insecurities that UNH found in Viber’s cloud, where your messages are stored.

The company also lists only Android and iOS as getting updates, leaving users of its numerous other supported platforms in the dark.

That includes users of Viber on the desktop, via Samsung’s Bada ecosystem, on Microsoft’s various mobile operating systems, and on Blackberry and Nokia phones.

09 May 2014

When Samsung unveiled the latest in its Galaxy series of Android smartphones, gadget reviewers focused on the Galaxy S5’s fingerprint scanner, a feature that the rival iPhone 5s has done much to popularize.

Samsung’s positive buzz over the Galaxy S5 didn’t last long – security researchers from SRLabs soon posted a video on YouTube demonstrating how they were able to trick the scanner with a fake fingerprint made of wood glue.

Indeed, the same approach allowed a similar and well-publicised hack of the iPhone 5s Touch ID last year, the researchers from SRLabs said in their video.

To use SRLabs’s fake fingerprint, an attacker simply places the wood glue replica over the tip of his finger and swipes as usual over the scanner, which is embedded in the Galaxy S5’s home button.

The wood glue is poured into a mold made out of a laser printout created from a photo of the victim’s fingerprint.

With the right image contrast and printer settings, the buildup of toner on the printout creates a 3D representation of the fingerprint that is accurate enough to “cast” a replica that will fool the phone.

According to the researchers, a latent fingerprint left behind by the owner on a stolen phone can be snapped with another phone’s camera, giving an image of sufficient quality to print out a usable mold.

“Despite being one of the premium phone’s flagship features, Samsung’s implementation of fingerprint authentication leaves much to be desired,” one of the researchers said in the video.

What’s worse, Samsung’s implementation is even less secure than Touch ID that Apple unveiled in September 2013, which is ironic given the former Samsung CEO’s contention that “beating Apple is no longer merely an objective, [but] our survival strategy.”

SRLabs claimed in its video:

Samsung does not seem to have learned from what others have done less poorly. Not only is it possible to spoof the fingerprint authentication, even after the device has been turned off, but the implementation also allows for seemingly unlimited authentication attempts without ever requiring a password.

It’s not just Samsung that has egg on its screen due to the ease of the Galaxy S5’s fingerprint scanner hack – electronic payments company PayPal partnered with Samsung to make the PayPal app accessible “with the swipe of a finger,” as Samsung boasted on its website.

PayPal responded to the video in a statement:

PayPal never stores or even has access to your actual fingerprint with authentication on the Galaxy S5.

The scan unlocks a secure cryptographic key that serves as a password replacement for the phone. We can simply deactivate the key from a lost or stolen device, and you can create a new one.

PayPal also uses sophisticated fraud and risk management tools to try to prevent fraud before it happens. However, in the rare instances that it does, your eligible transactions are covered by our buyer protection policy.

Is a fingerprint more secure than a password?

The fingerprint scanner is not a new concept – think back to laptops that offered the supposed convenience of a fingerprint scanner instead of typing a password.

But Apple and Samsung have fine-tuned fingerprint authentication to the point that it’s super-fast and simple – just what smartphone users want.

If we ignore the speed and convenience, however, is this kind of biometric technology really more secure than passwords, as Apple and Samsung claim?

Security folks often talk about the limitations of passwords.

People can’t be relied upon to use hard-to-guess, unique passwords, and they also leave their passwords written down to remember them.

Worse still, even passwords you might have relied on a service provider to store securely for you can be stolen and recovered electronically due to data breaches.

Yet stealing fingerprints is pretty easy – we leave our prints on almost anything we touch.

What’s especially inconvenient about fingerprint authentication is that we’re pretty much stuck with the fingerprints we have.

If someone steals a photo of your fingerprint to use for identity theft, you can’t change it like you can your password.

In fact, in the SRLabs video showing the Galaxy S5 being tricked, the researchers say that the wood glue replica they used was left over from last October when they were having a crack at the iPhone 5s.

Given these well-known drawbacks, one wonders why Samsung and Apple went through such enormous expense to add this flawed technology to their “phones of the future”?

13 Jun 2014
Google just made a huge change to the way application permissions work on Android devices, which has left a potential door open to malicious app developers and hackers.
Google has condensed Android’s 145 permissions into 13 broad categories, presenting app permissions as ‘groups of related permissions’, likely to make app permissions easier for Android users to deal with.
Unfortunately, the new update has introduced a few potential security and privacy issues, as listed below:
  • hiding permissions behind the group names
  • auto-updating app with no warning for new permissions
According to the new update, once a user approves an app’s permissions, they actually approve the whole of each respective permission group. For example, if an app wants to read your incoming SMS messages, it requires the “Read SMS messages” permission. But now, when installing that app, you are actually giving it access to all SMS-related permissions.
The app developer can then include additional permissions from ‘SMS-related permissions Group’, in a future update, which will not trigger any warning before installation.

Google explains, “If you have automatic updates enabled, you won’t need to review or accept these permissions as long as they are included in a permissions group you already accepted for that app.”

If your Android apps update automatically, malicious developers can abuse this mechanism to gain access to new dangerous permissions without your knowledge. A smart user could manually view all permissions in a dropdown before installation, but only one out of thousands does that.
[Screenshots: FIFA app permission groups, collapsed (left) and expanded (right)]
For example, as you can see in the above screenshots, I am installing FIFA’s Android app from the Google Play Store. Before installation the app asks for group permissions in the left image, and the actual permissions in each group are expanded in the right-side image.

Similarly, if you install any app with group permissions to read contacts, later that app can secretly gain permission to add or even change calendar entries too.
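One way to audit an update for this before it installs, as an added example that is not code from Google or from the original post: compare the permissions of the installed and the updated version and count the additions that fall inside a group the user already accepted. The permission-to-group table and the two manifests are constructed for illustration; only the SMS and contacts/calendar groupings come from the text above.

```c
#include <stdio.h>
#include <string.h>
#define P(x) "android.permission." x

/* Assumed permission-to-group table for illustration, not Google's list. */
struct perm_group { const char *perm, *group; };
static const struct perm_group GROUPS[] = {
    {P("READ_SMS"), "SMS"}, {P("SEND_SMS"), "SMS"},
    {P("READ_CONTACTS"), "Contacts/Calendar"},
    {P("WRITE_CALENDAR"), "Contacts/Calendar"},
    {P("ACCESS_FINE_LOCATION"), "Location"},
};

/* Constructed manifests for two versions of a hypothetical app. */
static const char *const V1[] = { P("READ_SMS"), P("READ_CONTACTS") };
static const char *const V2[] = { P("READ_SMS"), P("READ_CONTACTS"),
    P("SEND_SMS"), P("WRITE_CALENDAR"), P("ACCESS_FINE_LOCATION") };

static const char *group_of(const char *perm)
{
    for (size_t i = 0; i < sizeof GROUPS / sizeof GROUPS[0]; i++)
        if (strcmp(GROUPS[i].perm, perm) == 0)
            return GROUPS[i].group;
    return "Other";
}

/* 1 if list holds perm (by_group 0) or any permission of its group (1). */
static int covered(const char *const *list, size_t n, const char *perm,
                   int by_group)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(by_group ? group_of(list[i]) : list[i],
                   by_group ? group_of(perm) : perm) == 0)
            return 1;
    return 0;
}

/* Returns how many permissions added by the update trigger a prompt;
   *silent gets how many land in an already accepted group (no warning). */
int audit_update(const char *const *old, size_t n_old,
                 const char *const *upd, size_t n_upd, int *silent)
{
    int prompted = 0;
    *silent = 0;
    for (size_t i = 0; i < n_upd; i++) {
        if (covered(old, n_old, upd[i], 0))
            continue;                     /* already held: nothing new */
        if (covered(old, n_old, upd[i], 1))
            (*silent)++;                  /* group already accepted */
        else
            prompted++;                   /* new group: user is asked */
    }
    return prompted;
}

int main(void)
{
    int silent, prompted = audit_update(V1, 2, V2, 5, &silent);
    printf("%d silent, %d prompted\n", silent, prompted);
    return 0;
}
```

A non-zero silent count is the signal to review the update by hand instead of letting it install automatically.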

Below I have listed some of the most abused Android app permissions that cyber criminals exploit for their personal gain:

  • GPS Location and Network-based Location
  • Read Phone State and Identity
  • Automatically Start at Boot
  • Modify/Delete SD Card Contents
  • Read/Send SMS Messages
  • Read/Modify Contacts
I strongly recommend that users disable automatic updates and verify app permissions manually every time an app wants to update.
07 Jul 2014

Open blocked sites with the useful tricks suggested by us. You can easily get instant access to blocked sites. Many schools, colleges and offices block websites for students and workers. Some countries also block particular sites, such as torrent sites. You can still access blocked websites in very easy ways. There are many tricks available to access blocked sites.

1) OPEN BLOCKED SITES BY USING PROXY SITES

Open blocked sites by using proxy sites. This trick is very easy and simple. Sometimes proxy sites will show few or no ads while you surf your desired website. Often people will not get access to blocked sites through a proxy, since their schools, colleges and offices have also blocked these proxy sites. We have other tricks below to access blocked sites when proxy sites are not working. You simply open the proxy site, enter the URL you want to visit and access the blocked site. Some popular proxy sites are:

2) OPEN BLOCKED SITES BY USING IP INSTEAD OF URL

You can also access blocked sites by using the IP address instead of the URL of the website. Some software or hardware (like routers) blocks websites by name (e.g. www.facebook.com or www.google.com). In this case you can find the IP of the website and open the blocked site by using its IP address.

Many times you may be looking for the IP address of a website your foe has hosted or created.

  • Step 1: Click on the Start menu.
  • Step 2: Click on Run. A pop-up will appear; type “cmd” and hit ‘run’.

A black window will appear.

  • Step 3: Type “ping <url>” (ping, a space, then the URL) and press Enter.

example: ping www.google.com

3) BEST WAY TO ACCESS BLOCKED SITES: OPEN BLOCKED SITES USING SOFTWARE

 

Some countries, including Pakistan, China, India, UAE, Saudi Arabia, Indonesia, Nigeria, Iran, Korea, United Kingdom (UK) and many more, have blocked some websites within their country. You cannot access blocked sites with an IP address from the blocked regions. The next alternative way to access blocked sites is to use a small piece of software.

Hotspot Shield is a small program, available in free and paid versions, that changes your current IP address to an IP address in another country. The free and paid versions work exactly the same; the only difference is that the free version shows a few ads while the paid version is ad-free. You can access blocked sites by installing this software.

Happy Surfing – GPG
