Tuesday 25 November 2014

Google to Apps users: take more responsibility for protecting your accounts : Changes to the suite's security features should make it easier for employees to become more active in protecting themselves from hackers

To get employees more involved in securing their Apps accounts, Google has tried to simplify how they monitor log-in activity and configure security settings.

It's important for Apps users to engage in this way, because they then complement the efforts of their company's IT department and of Google itself.

"Security in the cloud is a shared responsibility," Eran Feigenbaum, security director at the Google for Work team, wrote Monday in a blog post. "By making users more aware of their security settings and the activity on their devices, we can work together to stay a step ahead of any bad guys."

A new dashboard gives users a snapshot of all the devices that have been used to access their account in the past 28 days, including any currently signed in, along with their approximate location, and displays prominently a link for changing their password if they notice any suspicious activity. Users can also revoke a device's access to the account.

In addition, Google has rolled out a wizard designed to guide users through the steps to activate or adjust security settings and features. The wizard takes into account domain settings and preferences established by IT administrators for their employees, so that users are only able to make choices based on preset permissions.

Monday 1 September 2014

Mobile apps could be abused to make expensive phone calls : Mobile applications often don't warn users before a call is made, which a developer says could be misused

A security precaution skipped in mobile applications such as Facebook's Messenger could be abused to make an expensive phone call at a victim's expense, a developer contends.

Phone numbers often appear as links on a mobile device. That is possible by using a Uniform Resource Identifier (URI) scheme called "tel" to trigger a call.

URI schemes are a large family of descriptions that can tell a computer where to go for a certain resource, such as launching a mail application when an email address is clicked.

Andrei Neculaesei, a full-stack developer with the wireless streaming company Airtame in Copenhagen, contends there's a risk in how most native mobile applications handle phone numbers.

If a person clicks on a phone number within Apple's mobile Safari browser, a pop-up asks if a person wants to proceed with a call.

But many native mobile applications, including Facebook's Messenger and Google+, will go ahead and make the call without asking, Neculaesei wrote on his blog.

Mobile apps can be configured to display a warning, but on most applications it's turned off, Neculaesei said via email on Thursday.

He found a malicious way to abuse the behavior. He created a Web page containing JavaScript that caused a mobile application to trigger a call after someone merely viewed the page. The JavaScript automatically launches the phone number's URI when the page is opened.

A demonstration on his blog showed how a malicious link, sent through Facebook's Messenger, will launch a call when viewed. Neculaesei wrote that someone could create a link that when viewed immediately launches a call to a premium-rate number, which the attacker gets the revenue from.

His testing found that Facebook's Messenger app, Apple's FaceTime, Google's Gmail, and Google+ applications do not warn users before launching a call.

A Facebook spokeswoman said Friday its mobile application would be updated soon to fix the issue. Google couldn't be immediately reached for comment.

Neculaesei wrote that he only tested a few big-name apps, but it's probable that smaller teams and platforms haven't thought about the risk either.

Neculaesei's finding dovetails with research presented earlier this month at the Bsides security conference in Las Vegas.

U.S. warns 'significant number' of major businesses hit by Backoff malware : Backoff malware is stealing credit card details, according to a cyber security alert

Over a thousand major enterprise networks and small and medium businesses in the U.S. have been compromised by a recently discovered malware package called "Backoff" and are probably unaware of it, the U.S. Department of Homeland Security (DHS) said in a cybersecurity alert on Friday.

Backoff first appeared in October 2013 and is capable of scraping the memory contents of point-of-sale systems -- industry speak for cash registers and other terminals used at store checkouts -- for data swiped from credit cards, of monitoring the keyboard and logging keystrokes, and of communicating with a remote server.

"Over the past year, the Secret Service has responded to network intrusions at numerous businesses throughout the United States that have been impacted by the 'Backoff' malware," the alert said. "Seven PoS system providers/vendors have confirmed that they have had multiple clients affected."

The malware is thought to be responsible for the recent data breaches at Target, SuperValu supermarkets, and UPS stores, and the Secret Service is still learning of new infections.

DHS first warned of Backoff in late July, when it noted the malware was not detectable by most antivirus software. That made it particularly difficult to stop, because much of the fight against computer viruses and malware rests on antivirus applications.

Most antivirus packages now detect Backoff, but DHS is advising network operators to take immediate action to ensure they haven't been affected.

"DHS strongly recommends actively contacting your IT team, antivirus vendor, managed service provider, and/or point of sale system vendor to assess whether your assets may be vulnerable and/or compromised," it said. "The Secret Service is active in contacting impacted businesses, as they are identified, and continues to work with and support those businesses that have been impacted by this PoS malware."

In many cases, hackers gained access to machines through brute-force attacks on remote log-in systems offered by companies such as Microsoft, Apple and Google, and by other third-party vendors. Once inside, they were able to copy the malware to the machine and set it capturing credit card data.
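The alert's description of the initial access pattern (a burst of failed remote log-in attempts from one source, followed by a success) is something a defender can check for in their own authentication logs. The following is an added example, not code from the DHS alert or from the article: it counts failed log-ins per source address in a sliding window and separately flags a source that succeeds right after such a burst, which is the account most likely to have been brute-forced. The log format, host names, user names and IP addresses are constructed for the example; a real deployment would feed it the remote-access service's own authentication log.

```python
"""Brute-force detection over constructed remote-login authentication logs.

Added example; the line format below is constructed for this illustration
(timestamp, FAIL/SUCCESS, user=..., src=...), not any vendor's real format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one source hammers an account and then gets in,
# one source mistypes a password once, one source simply logs in.
SAMPLE_LOG = """\
2014-08-20T01:12:03 FAIL user=pos-admin src=198.51.100.7
2014-08-20T01:12:09 FAIL user=pos-admin src=198.51.100.7
2014-08-20T01:12:15 FAIL user=administrator src=198.51.100.7
2014-08-20T01:12:21 FAIL user=pos-admin src=198.51.100.7
2014-08-20T01:12:27 FAIL user=pos-admin src=198.51.100.7
2014-08-20T01:12:33 FAIL user=pos-admin src=198.51.100.7
2014-08-20T01:12:40 SUCCESS user=pos-admin src=198.51.100.7
2014-08-20T01:30:11 FAIL user=jsmith src=203.0.113.9
2014-08-20T01:30:20 SUCCESS user=jsmith src=203.0.113.9
2014-08-20T02:00:00 SUCCESS user=clerk src=192.0.2.5
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, result, user, src)."""
    ts, result, user, src = line.split()
    return (
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        result,
        user.split("=", 1)[1],
        src.split("=", 1)[1],
    )


def analyze(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src: {"failures": n, "compromised_user": u}} for sources that
    produced at least `threshold` failed log-ins inside `window`.

    "failures" is the largest burst seen; "compromised_user" is set when a
    SUCCESS follows such a burst from the same source, else None.
    """
    recent_fails = defaultdict(deque)  # src -> timestamps of recent failures
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = parse_line(line)
        q = recent_fails[src]
        # Drop failures that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold:
                f = findings.setdefault(src, {"failures": 0, "compromised_user": None})
                f["failures"] = max(f["failures"], len(q))
        elif result == "SUCCESS" and len(q) >= threshold:
            # Success right after a burst of failures: treat the account as
            # probably brute-forced and name it for the responder.
            f = findings.setdefault(src, {"failures": len(q), "compromised_user": None})
            f["compromised_user"] = user
    return findings


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG).items():
        print(f"{src}: {info['failures']} failed attempts in window, "
              f"account likely compromised: {info['compromised_user']}")
```

The threshold and window are deliberately parameters: a slow, patient attacker stays under any fixed count, so the window should be tuned against the service's normal failure rate, and the "success after burst" finding is the one worth paging on.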

DHS asked that instances of the malware be reported to a local Secret Service field office.

The Target data breach was one of the largest in recent memory, resulting in tens of millions of credit and debit cards being compromised. In the last couple of weeks, SuperValu said that at least 180 of its stores had been hit by a data breach, and earlier this week UPS said 51 of its UPS Store locations had been hit.

Tuesday 26 August 2014

Netcore, Netis routers at serious risk from hardcoded passwords : More than two million of the devices on the Internet may be vulnerable to hackers monitoring their Internet traffic, Trend Micro says

A line of routers from a China-based manufacturer has a serious flaw that could allow a hacker to monitor someone's Internet traffic, according to research from Trend Micro.

The routers are sold under the Netcore brand name in China and Netis outside of the country, wrote Tim Yeh, a threat researcher.

Trend found a "backdoor," or a semi-secret way to access the device, Yeh wrote. The password needed to open up the backdoor is hardcoded into the device's firmware. All of the routers appear to have the same password.

"Attackers can easily log into these routers, and users cannot modify or disable this backdoor," he wrote.

Backdoors can be used for legitimate product support, but coding such access methods into software is generally discouraged for fear of abuse.

The Netcore and Netis routers have an open UDP port, 53413, which can be queried since the routers have an externally accessible IP address, Yeh wrote. Trend Micro scanned the Internet and found more than 2 million IP addresses with the open UDP port, which could indicate vulnerable equipment.

"Almost all of these routers are in China, with much smaller numbers in other countries, including but not limited to South Korea, Taiwan, Israel, and the United States," Yeh wrote.

Trend Micro has notified the company but did not receive a response. Company officials reached in Shenzhen didn't have an immediate comment.

By using the backdoor, an attacker could upload or download files to the device. A router's settings could also be changed to allow a hacker to monitor a person's Internet traffic as part of a man-in-the-middle attack, Yeh wrote.

Trend also found that a file containing a username and password for the routers' Web-based administration control panel is stored unencrypted, which could be downloaded by an attacker.

It doesn't appear that most Netcore and Netis routers support the installation of other open-source firmware packages, such as dd-wrt or Tomato, that could be used to replace the vulnerable software, Yeh wrote.

"Aside from that, the only adequate alternative would be to replace these devices," he wrote.

Thursday 21 August 2014

The biggest iPhone security risk could be connecting one to a computer : Design quirks allow malware to be installed on iOS devices and cookies to be plucked from Facebook and Gmail apps

Apple has done well to insulate its iOS mobile operating system from many security issues, but a forthcoming demonstration shows it's far from perfect.

Next Wednesday at the Usenix Security Symposium in San Diego, researchers with the Georgia Institute of Technology will show how iOS's Achilles' heel is exposed when devices are connected over USB to a computer or have Wi-Fi syncing enabled.

The beauty of their attack is that it doesn't rely on iOS software vulnerabilities, the customary way that hackers commandeer computers. It simply takes advantage of design issues in iOS, working around Apple's layered protections to accomplish a sinister goal.

"We believe that Apple kind of overtrusted the USB connection," said Tielei Wang, a co-author of the study and research scientist at the institute.

Last year, Wang's team developed Jekyll, an iPhone application with well-masked malicious functions that passed Apple's inspection and briefly ended up on its App Store. Wang said although the research was praised, critics contended it might have been hard to get people to download Jekyll amid the thousands of apps in the store.

This time around, Wang said they set out to find a way to infect a large number of iOS devices and one that didn't rely on people downloading their malicious app.

Their attack requires the victim's computer to have malware installed, but there's a thriving community of people known as "botnet herders" who sell access to large networks of compromised computers.

Wang said they conducted their research using iOS devices connected to Windows, since most botnets are on that platform, but their attack methods also apply to OS X.

Apple requires a person to be logged into his account in order to download an application from the App Store. But Wang and the researchers developed a man-in-the-middle attack that can trick an Apple device that's connected to a computer into authorizing the download of an application using someone else's Apple ID.

As long as the application still has Apple's digital signature, it doesn't even need to still be in the App Store and can be supplied from elsewhere.

But Apple is pretty good at not approving malicious applications, so the researchers found another way to load a malicious app that didn't involve the App Store.

Apple issues developer certificates to those who want to do internal distributions of their own applications. Those certificates can be used to self-sign an application and provision it.

Wang's team found they could sneak a developer provisioning file onto an iOS device when it was connected via USB to a computer. A victim doesn't see a warning.

That would allow a self-signed malicious application to be installed. Legitimate applications could also be removed and replaced with look-alike malicious ones.

"The whole process can be done without the user's knowledge," Wang said. "We believe that it is a kind of weakness."

Wang said Apple has acknowledged the team's research, some of which was shared with the company last year, and made some changes. An Apple spokeswoman in Sydney did not have a specific comment on the research.

One of Apple's changes involved displaying a warning when an iOS device is connected to a particular computer for the first time, advising that connections should only be made with trusted computers, Wang said. That advice is only displayed once.

To be sure, Apple has powerful ways to disable such attacks. It can remove applications from the App Store, remotely disable applications on a device and revoke developer certificates. And it's questionable if an attacker would see an economic benefit from infecting large numbers of iOS devices.

But state-sponsored hackers and cyberspies opt for stealthy, targeted attacks aimed at just a few users. This method could be of use if an attacker knows exactly who is using a specific, compromised computer.

They also found another weakness when an iOS device is connected over USB. The host computer has access to a device not only through iTunes but also via a protocol called Apple File Connection, which is used for accessing images or music files.

That protocol has access to files within iOS's application directories, which include secure, "https" cookies, according to their research paper. Cookies are small data files that allow Web services to remember that a person is logged in, among other functions.

Cookies are especially sensitive since they can be used to hijack someone's account. iOS prevents applications from accessing each other's cookies. But it doesn't stop a desktop computer from grabbing that information, Wang said.

The researchers recovered login cookies, including those for Facebook and Google's Gmail. Neither of those companies had a comment.

The best advice is to not connect your phone to a computer, especially if you think the computer might be infected with malware.

"Just avoid that," Wang said.

The study was co-authored by Yeongjin Jang, Yizheng Chen, Simon Chung, Billy Lau and Wenke Lee.

Hackers steal data on 4.5 million U.S. hospital patients : Community Health Systems says the breach occurred in April and June

A major U.S. hospital operator says hackers based in China broke into its computer systems and stole data on 4.5 million patients.

Community Health Systems said the attack occurred in April and June of this year, but it wasn't until July that it determined the theft had taken place.

Working with a computer security company, it determined the attack was carried out by a group based in China that used "highly sophisticated malware" to attack its systems. It didn't release specific details of the attack.

"The attacker was able to bypass the company's security measures and successfully copy and transfer certain data outside the company," it said in a filing with the U.S. Securities and Exchange Commission.

The group is apparently known to U.S. federal law enforcement authorities, which are now involved in the case. But the identity of the group was not disclosed.

The hackers got away with patient names, addresses, birthdates, telephone numbers and Social Security numbers of the 4.5 million people who were referred to or received services from doctors affiliated with the company in the last five years. The stolen data did not include patient credit card, medical or clinical information.

Community Health Systems, based in Franklin, Tennessee, is one of the largest hospital operators in the U.S. with 206 hospitals in 29 states from New York across the South to the Pacific coast.

The attack ranks as the second largest disclosed attack to hit the U.S. medical industry in the last few years, according to data from the Department of Health and Human Services.

The only one that was bigger involved data on 4.9 million military clinic and hospital patients held by Science Applications International Corp. Disclosed in 2011, the loss happened when data backup tapes containing records from 1992 through September 2011 were lost.

A second incident that comes close was the theft, in a 2013 burglary, of a personal computer from Advocate Medical Group that contained information on around 4 million patients.

Thursday 14 August 2014

How hackers used Google to steal corporate data : Attackers used Google Developers and public DNS to disguise traffic between the malware and command-and-control servers

A group of innovative hackers used free services from Google and an Internet infrastructure company to disguise data stolen from corporate and government computers, a security firm reported.

FireEye discovered the campaign, dubbed Poisoned Hurricane, in March while analyzing traffic originating from systems infected with a remote access tool (RAT) the firm called Kaba, a variant of the better known PlugX.

The compromised computers were discovered in multiple U.S. and Asian Internet infrastructure service providers, a financial institution, and an Asian government organization. FireEye did not disclose the name of the victims.

The unidentified hackers had used spear-phishing attacks to compromise the systems, then used the malware to steal sensitive information and send it to remote servers, FireEye said.

What was unique about the attackers was how they disguised traffic between the malware and command-and-control servers using Google Developers and the public Domain Name System (DNS) service of Hurricane Electric, based in Fremont, Calif.

In both cases, the services were used as a kind of switching station to redirect traffic that appeared to be headed toward legitimate domains, such as adobe.com, update.adobe.com, and outlook.com.

"It was a novel technique to hide their traffic," Ned Moran, senior threat intelligence researcher for FireEye, said Thursday.

The attackers' tactics were clever enough to trick a network administrator into believing the traffic was headed to a legitimate site, Moran said.

The malware disguised its traffic by including forged HTTP headers of legitimate domains. FireEye identified 21 legitimate domain names used by the attackers.

In addition, the attackers signed the Kaba malware with a legitimate certificate from a group listed as the "Police Mutual Aid Association" and with an expired certificate from an organization called "MOCOMSYS INC."

In the case of Google Developers, the attackers used the service to host code that decoded the malware traffic to determine the IP address of the real destination and redirect the traffic to that location.

Google Developers, formerly called Google Code, is the search engine's website for software development tools, APIs, and documentation on working with Google developer products. Developers can also use the site to share code.

With Hurricane Electric, the attackers took advantage of the fact that its domain name servers were configured so that anyone could register for a free account with the company's hosted DNS service.

The service allowed anyone to register a DNS zone, which is a distinct, contiguous portion of the domain name space in the DNS. The registrant could then create A records for the zone and point them to any IP address.

In addition, Hurricane did not check whether newly created zones were already registered or owned by other parties, FireEye said.
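The disguise described above works because an administrator glancing at a proxy log sees a familiar Host header and assumes the connection went where that name normally points. The check that defeats it is to compare the destination IP of each outbound HTTP request with the addresses the organisation's own trusted resolver returns for the Host header, and to notice when one unfamiliar destination IP collects requests carrying several different legitimate Host names. The following is an added example, not FireEye's code or anything from the report: the "trusted resolver" is a constructed lookup table (a real deployment would query the resolver), the proxy log format is constructed, and the addresses are documentation-range placeholders rather than Adobe's or Microsoft's real addresses.

```python
"""Flag HTTP requests whose Host header does not match where they actually went.

Added example built on constructed data; TRUSTED_RESOLVER stands in for the
organisation's own resolver, and the log format is invented for the example.
"""
import ipaddress
from collections import defaultdict

# Constructed: what the trusted resolver returns for each legitimate name.
# Entries may be single addresses or CIDR ranges (placeholder ranges only).
TRUSTED_RESOLVER = {
    "adobe.com": ["192.0.2.10", "192.0.2.11"],
    "update.adobe.com": ["192.0.2.20"],
    "outlook.com": ["198.51.100.0/24"],
}

# Constructed proxy log: client IP, destination IP, method, Host header, path.
# Two requests carry legitimate Host headers but went to an unrelated address.
SAMPLE_PROXY_LOG = """\
10.0.0.12 192.0.2.10 GET adobe.com /index.html
10.0.0.12 203.0.113.77 POST update.adobe.com /update/check
10.0.0.15 198.51.100.41 GET outlook.com /owa/
10.0.0.15 203.0.113.77 GET outlook.com /mail/
10.0.0.20 192.0.2.20 GET update.adobe.com /
"""


def expected_networks(host, resolver):
    """Networks the resolver says `host` legitimately lives in."""
    return [ipaddress.ip_network(entry, strict=False) for entry in resolver.get(host, [])]


def find_host_mismatches(log_text, resolver=TRUSTED_RESOLVER):
    """Return one finding per request whose destination IP is outside every
    address the resolver returns for its Host header.

    Hosts the resolver has no answer for are skipped: this check is only about
    names we can verify, not about unknown destinations in general.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, method, host, path = line.split()
        if host not in resolver:
            continue
        dst_ip = ipaddress.ip_address(dst)
        if not any(dst_ip in net for net in expected_networks(host, resolver)):
            findings.append({"src": src, "dst": dst, "method": method,
                             "host": host, "path": path})
    return findings


def hosts_per_destination(findings):
    """Group mismatches by destination IP: one address receiving requests for
    several unrelated legitimate names is the strongest signal of a relay."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["dst"]].add(f["host"])
    return {dst: sorted(hosts) for dst, hosts in grouped.items()}


if __name__ == "__main__":
    found = find_host_mismatches(SAMPLE_PROXY_LOG)
    for f in found:
        print(f"{f['src']} -> {f['dst']} with Host: {f['host']} {f['path']}")
    for dst, hosts in hosts_per_destination(found).items():
        print(f"{dst} served {len(hosts)} distinct legitimate Host names: {hosts}")
```

Because the attackers also abused a hosted DNS provider to make their own names resolve, the comparison has to be against a resolver the organisation controls and logs, not against whatever the infected host resolved at the time; otherwise the check would simply agree with the attacker's DNS answer.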

Google and Hurricane were notified of the malicious use of their services, Moran said. Both companies had removed the attack mechanisms.

"We appreciate FireEye discovering and documenting this unusual attack, so that we could immediately fix our service to eliminate the possibility of this type of abuse in the future," Mike Leber, a spokesman for Hurricane said in an email sent to CSOonline.

Moran said the services fell victim to hacker creativity rather than to any flaw in the services themselves.

"These are services offered online that can be used for good or ill," he said. "A gun can be used to protect and a gun can be used to hurt."

Tuesday 12 August 2014

Microsoft, Google, others back Facebook in New York privacy dispute : Facebook is seeking important rulings on the collection of bulk user data under gag orders

Key technology companies including Google, Microsoft and Twitter on Friday filed briefs in support of Facebook's dispute with the New York County District Attorney's office over the collection of user data in bulk under a gag order for a fraud investigation.

The New York Civil Liberties Union and the American Civil Liberties Union also filed an amicus curiae brief Friday in support of the Facebook plea.

Facebook said in June that a court in New York directed it to turn over to law enforcement virtually all records and communications for 381 accounts, including photos, private messages and other information. The social networking company was also prohibited from informing the targeted persons who included "high schoolers to grandparents, from all over New York and across the United States."

Of the 381 people whose accounts were covered under the warrants, 62 were later charged in a disability fraud case, Facebook said. The NYCLU in a statement Friday objected to "broad fishing expeditions" by government into personal and social conversations with family and friends with no regard to user privacy.

In its appeal in the appellate division of the New York State Supreme Court, Facebook is asking the court for the return or destruction of the data. It has also asked for a ruling on whether the warrants, which authorized collection of large amounts of personal information and communications without an "apparent connection to the crimes under investigation, or procedures requiring the return of the seized information," are in violation of the Fourth Amendment to the U.S. Constitution that prohibits unreasonable searches and seizures of property.

The company is also asking for a ruling on whether the gag provisions of the warrants violated the Stored Communications Act and the First Amendment, and as importantly whether it has standing to challenge the warrants on behalf of its users.

The trial court had ruled in the negative in September on these issues, according to a Facebook filing. The court documents and warrants were unsealed after Facebook's appeal.

Dropbox, Google, LinkedIn, Microsoft, Twitter and Yelp in their motion for leave to file an amicus curiae brief argue that the service provider has third-party standing to raise the constitutional rights of its subscribers, particularly as the provider is subject to a gag order.

"Unless Facebook is able to assert its subscribers' constitutional rights -- and any of its own rights -- the legality of the government's actions with respect to those subscribers will escape review altogether. And had the government chosen to indict no one, no one would have been the wiser," according to the filing.

Foursquare Labs, Kickstarter, Meetup and Tumblr separately filed a brief asking that the trial court's order be reversed and the bulk warrants quashed. To act as custodians of their users' private information, Internet companies must have the choice to either object to unlawful government intrusions or notify users of such intrusions, according to the filing. "The Trial Court's order denying both options must be reversed," the companies said in an amicus curiae brief.

Describing themselves as the "New York Amici," the small and medium-size platforms said smaller companies may not have the resources to litigate each search warrant or court order, which makes it important to provide users with notice and an independent opportunity to object.

The New York County District Attorney's office could not be immediately reached for comment. Facebook said it did not have a comment beyond its remarks in June.