Tuesday, November 21, 2017

Tag: Google Gmail

It was just days ago when the federal judge presiding over the upcoming Oracle v. Google API copyright trial said he was concerned that the tech giants were already preparing for a mistrial—despite the fact that the San Francisco jury hasn't even been picked yet. US District Judge William Alsup said he was suspicious that, during the trial, the two might perform intensive Internet searches on the chosen jurors in hopes of finding some "lie" or "omission" that could be used in a mistrial bid. To placate the judge's fears, Google said (PDF) it won't do Internet research on jurors after a panel is picked for the closely watched trial, set to begin on May 9. "The Court stated that it is considering imposing on both sides a ban on any and all Internet research on the jury members prior to verdict. Provided the ban applies equally to both parties, Google has no objection to imposition of such a ban in this case," Google attorney Robert Van Nest wrote to the judge in a Tuesday filing. Google was referring solely to Internet searches of the jury once jurors were picked. Oracle didn't go so far in its response Tuesday and said the dueling companies should be able to investigate jurors both before and after they are chosen. "...the parties should be permitted to conduct passive Internet searches for public information, including searches for publicly available demographic information, blogs, biographies, articles, announcements, public Twitter and other social media posts, and other such public information," Oracle attorney Peter Bicks wrote (PDF) Alsup on Tuesday. However, Oracle was concerned that Google might tap its vast database of "proprietary" information connected to jurors' Google accounts and said such research should be off-limits.
"Neither party should access any proprietary databases, services, or other such sources of information, including by way of example information related to jurors', prospective jurors', or their acquaintances' use of Google accounts, Google search history information, or any information regarding jurors' or prospective jurors' Gmail accounts, browsing history, or viewing of Google served ads..." Oracle wrote. Google has never suggested it would violate its customers' privacy in such a way. Oracle is seeking $1 billion in damages after successfully suing the search giant for infringing Oracle's Java APIs that were once used in the Android operating system.

A federal appeals court has ruled that the "declaring code and the structure, sequence, and organization of the API packages are entitled to copyright protection." The decision reversed the outcome of the first Oracle-Google federal trial before Alsup in 2012.

APIs are essential and allow different programs to work with one another. The new jury will be tasked with deciding solely whether Google has a rightful fair-use defense to that infringement.
From ransomware to adware, mobile devices are seeing more attacks, even though far fewer users are affected than on typical personal computer platforms. Security researchers have long predicted that malware will arrive on mobile platforms, threatening the owner's sensitive information and using the devices to carry out a variety of scams, from stealing bank funds to racking up premium texting charges. In some regions, where third-party application stores are numerous and not well secured, malware rates have soared.
In North America, however, where applications are usually downloaded from Google's Play store or Apple's App Store, the security checks conducted by those companies have kept mobile devices mainly free of malware. In 2014, for example, only about 0.15 percent of devices that only installed applications from Google Play had a potentially harmful app installed, according to Google. Yet, that may start to change in 2016, according to researchers. One technique, known as overlays, may allow criminals to steal information in real time and foil the use of smartphones as a second security key used to augment Website login security ranging from Gmail to bank accounts, Limor Kessem, security researcher for IBM's X-Force research group, told eWEEK.
Such techniques may result in much higher infection rates on mobile devices, she said. "Mobile malware is finally doing what everyone thought it was going to do," Kessem said. IBM is not alone in its predictions. Security firm Webroot found that 52 percent of the 20 million apps that it scanned from app stores worldwide were either potentially unwanted or outright malicious. "When we look at those environments, the stores have a lot of malicious mobile apps—in some cases, upwards of 30 percent," Grayson Milbourne, Webroot's security intelligence director, told eWEEK. And 70 percent of enterprises believed that their company had lost data because of an insecure mobile device, according to a survey conducted by the Ponemon Institute for mobile-security firm Lookout.

Fifty-four percent of companies believed that malware had infected a corporate mobile device in the

From several recently released reports, a fresh picture emerges of the current mobile malware threat. The relative danger of mobile malware infection, for the most part, continues to be overstated. PCs continue to account for the majority of malicious traffic seen on residential networks, according to data from Nokia's Application and Analytics group, which released a report on March 1 summarizing the threats the company saw on both mobile and residential networks in 2015. About 11 percent of computer systems were infected with malware or potentially unwanted software, such as adware, in the second half of 2015, down from 14 percent in the first half, the company found.
Smartphones, meanwhile, only had a 0.3 percent infection rate, the company found, which is in line with Google's data. However, the rate of PC infections is falling, while the rate of smartphone infections has begun to climb, according to Nokia.
Smartphones now account for the majority of malicious traffic seen on mobile networks, according to Nokia's Applications and Analytics group. In the past, a great deal of malware seen on mobile networks could be tracked back to Windows PCs or laptops tethered to mobile phones, but in 2015 that changed with smartphones accounting for about 60 percent of malicious traffic.
The new functions include enhanced detection of personally identifiable content in email messages and better control of DLP policies. Google has updated the data loss prevention capabilities in Gmail for customers of the premium business version of Google Apps for Work. The new functions, announced Feb. 29, include those that enable scanning of images in email attachments, enhanced detection of personally identifiable content in email messages and better control over data loss prevention (DLP) policies. The enhancements build on the DLP capabilities for Gmail that Google introduced last December for customers of its Google Apps Unlimited service.

At the time, the company described the initiative as part of a broader effort to implement rule-based security across Google's entire suite of email collaboration and productivity apps for businesses. Google has said the goal is to give enterprises a way to manage information security based on the rules and policies they use internally for data access, data handling and storage. An organization, for instance, might have a policy that forbids members of the sales department from sharing customer credit card data externally via email.

Gmail DLP would allow the email administrator to set a policy for scanning all emails from the sales department for credit card numbers and for blocking or quarantining emails that do contain them, Google noted last December when introducing DLP for Gmail. Similar to many other DLP tools on the market, Google's DLP for Gmail looks for prohibited content not just in the email text, but also inside documents, spreadsheets, presentations and other common attachment types. The technology offers administrators a library of pre-specified content detectors that they can use to quickly specify a DLP policy.
It also allows them to create custom rules for scanning emails for specific keywords and expressions. "If there's a confidential new product your company is building code-named 'Lochness,' admins can create custom checks for 'Lochness,' 'confidential' and other keywords to help deter any leaks," the company noted previously. This week's updates include a new optical character recognition (OCR) capability for scanning email attachments for prohibited and objectionable content in images and scanned copies of documents. With the OCR enhancement, an administrator can create a DLP policy for scanning and analyzing common image types and to extract text from them for analysis, Google said. Google also has added new predefined content detectors to support the requirements of Google Apps for Work customers around the world. Organizations will be able to use the new content detectors to scan email for what would be considered personally identifiable information (PII) or protected patient health information in their specific country or region. Also new are two content parameters that administrators can use for scanning email in such a way as to minimize false positives. One of them is a "count parameter" that allows administrators to set policies for distinguishing emails with individual PII and bulk PII.

The other is a "confidence parameter" that lets administrators adjust their detection policies for commonly used content. Organizations have used DLP tools for a long time to prevent sensitive data from exiting their networks in unauthorized fashion.

The adoption of software-as-a-service and cloud delivery models in recent years has exposed some of the limitations of on-premise DLP tools and forced organizations to look at alternative ways of preventing data leaks in the cloud. The trend has resulted in the emergence of a slew of so-called cloud access security broker, or CASB, tools for inspecting traffic flowing between enterprise networks and cloud providers.

The need for better data leak prevention capabilities in the cloud has also pushed cloud service providers to deliver services like those announced by Google this week and to offer APIs that let third-party DLP tools work in the cloud.
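To make the two parameters concrete, here is an added example (not Google's code) of a minimal credit-card content detector with a count threshold that separates individual from bulk PII and a confidence level that decides whether a candidate must pass the Luhn checksum before it counts; the sample messages and thresholds are constructed for the illustration.

```python
import re

# Added example, not Google's DLP implementation. Policy knobs modelled on the
# "count parameter" and "confidence parameter" described in the text.

# Runs of 13-19 digits, optionally separated by spaces or dashes, that are not
# embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str, confidence: str = "high") -> list:
    """Return the card-number candidates found in text.

    confidence="high": only Luhn-valid candidates count (fewer false positives
    on order numbers, tracking numbers and similar digit runs).
    confidence="low":  every 13-19 digit run counts (more hits, more noise).
    """
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if confidence == "low" or luhn_ok(digits):
            hits.append(digits)
    return hits


def evaluate_policy(text: str, count_threshold: int = 5, confidence: str = "high") -> str:
    """Map the number of detected card numbers to an action.

    0 hits                      -> "allow"
    1 .. count_threshold-1 hits -> "quarantine"  (individual PII, e.g. one customer's card)
    count_threshold or more     -> "block"       (bulk PII, e.g. an exported card list)
    """
    n = len(find_card_numbers(text, confidence))
    if n == 0:
        return "allow"
    if n < count_threshold:
        return "quarantine"
    return "block"


# Constructed sample messages (well-known test card numbers, not real accounts).
MSG_SINGLE = "Hi, please charge my card 4111 1111 1111 1111 for the renewal."
MSG_BULK = "\n".join(
    f"{name},{card}" for name, card in [
        ("customer1", "4111111111111111"),
        ("customer2", "5555555555554444"),
        ("customer3", "378282246310005"),
        ("customer4", "4242424242424242"),
        ("customer5", "4111-1111-1111-1111"),
    ]
)
# A 16-digit order number that is not Luhn-valid: a typical false-positive source.
MSG_ORDER = "Your order 4111111111111112 has shipped."

if __name__ == "__main__":
    for label, msg in [("single", MSG_SINGLE), ("bulk", MSG_BULK), ("order", MSG_ORDER)]:
        print(label, evaluate_policy(msg), evaluate_policy(msg, confidence="low"))
```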
Google has expanded the digital loss protection features in Gmail for Work, to help ensure that employees don't share confidential information outside the company they work for. The service can now use optical character recognition on attachments, so a...
Google warrant fingers culprit

A rogue IT manager has been sentenced to 30 months in prison after he changed jobs and decided to take revenge on his former employer. From 2007 to March 2012, Nikhil Nilesh Shah, 33, worked at mobile apps developer Smart Online in North Carolina, US.

After moving on to another job, Shah accessed his old company's servers three months later and deleted large amounts of information, including some of the firm's intellectual property. The FBI began investigating the case and soon fingered Shah as a prime suspect.

After they got a warrant to search his Gmail inbox, the team found incriminating evidence – specifically that Shah had emailed to himself details of the company's servers, plus its Cisco ASA VPN and PIX firewall configurations. In addition, the FBI subpoenaed Facebook and AT&T for their records on Shah.

The Facebook warrant yielded nothing useful, but the AT&T data allowed the Feds to triangulate and pinpoint his location at the time Smart Online was hacked. Even more damning were chat logs from his Google account, which revealed Shah talking about how he could infiltrate Smart Online's servers and boasting that he had hacked his old employer. He was arrested in New Jersey on January 8, 2014. Shah immediately asked for his lawyer and eventually worked out a plea deal with the FBI. He pled guilty to causing the transmission of computer code, damaging computers, and causing loss of at least $5,000 in value. He was sentenced to 30 months in prison on Tuesday this week, and must pay the firm $324,462 in compensation.

The Evolution of Acecard

While working on the IT Threat Evolution report for Q3 2015, we discovered that Australia had become the leading country in terms of number of users attacked by mobile banker Trojans. We decided to find out what was behind this jump in activity and managed to identify the cause: Trojan-Banker.AndroidOS.Acecard.

This family accounted for almost all the banker Trojan attacks in Australia. After analyzing all the known malware modifications in this family, we established that they attack a large number of different applications.
In particular, the targets include nine official social media apps that the Trojan attacks in order to steal passwords.

Two other apps are targeted by the Trojan for their credit card details.

But most interestingly, the list includes nearly 50 financial apps (client software for leading global payment systems and banks) and services, and the various modifications of Acecard make use of all the tools at their disposal to attack them – from stealing bank text messages to overlaying official app windows with phishing messages. Here is another interesting fact that we established while investigating the Trojan: the modifications of Acecard were written by the same cybercriminals who earlier created Backdoor.AndroidOS.Torec.a, the first TOR Trojan for Android, as well as Trojan-Ransom.AndroidOS.Pletor.a, the first encryptor for mobile devices.

All three Trojans run on Android.

How it all started

Given Acecard’s growing popularity and the rich criminal past of its creators, we decided to delve deeper into the history of this malware family. It all started with Backdoor.AndroidOS.Torec.a.

The first version of this malicious program was detected in February 2014 and could perform the following commands from the C&C server:
- #intercept_sms_start – start intercepting incoming SMSs;
- #intercept_sms_stop – stop intercepting incoming SMSs;
- #ussd – create a USSD request;
- #listen_sms_start – start stealing incoming SMSs;
- #listen_sms_stop – stop stealing incoming SMSs;
- #check – send information about the phone (phone number, country of residence, IMEI, model, OS version) to C&C;
- #grab_apps – send a list of applications installed on the mobile device to the C&C;
- #send_sms – send an SMS to numbers specified in the command;
- #control_number – change the phone’s control number.

Then, in April 2014, a new version emerged with more capabilities.

The additional commands were:
- #check_gps – send the device’s coordinates to the C&C;
- #block_numbers – add numbers to the SMS interception list;
- #unblock_all_numbers – clear the SMS interception list;
- #unblock_numbers – remove specified numbers from the SMS interception list;
- #sentid – send an SMS with the Trojan’s ID to a specified number.

In late May 2014, we detected the first mobile encryptor, Trojan-Ransom.AndroidOS.Pletor.a.
It encrypted files on the device and demanded a ransom for them to be decrypted. Some modifications of Pletor used TOR to communicate with the C&C. A month later, we detected a new modification, Backdoor.AndroidOS.Torec. Unlike previous versions, it did not use TOR and targeted credit card details: the Trojan overlaid the official Google Play Store app with a phishing window that included data entry fields. We assigned the verdict Trojan-Banker.AndroidOS.Acecard.a to this modification, and classified it as a separate family of malware.

From that moment on, all new versions of the Trojan have been detected as belonging to the Acecard family. An analysis and comparison of the code used in Backdoor.AndroidOS.Torec.a, Trojan-Ransom.AndroidOS.Pletor.a and Trojan-Banker.AndroidOS.Acecard.a has shown they were all written by the same cybercriminals. Here are some clear examples:

[Figure: Code from the SmsProcessor class of the Trojan Backdoor.AndroidOS.Torec.a]
[Figure: Code from the SmsProcessor class of Trojan-Banker.AndroidOS.Acecard.a]
[Figure: Code from the SmsProcessor class of Trojan-Ransom.AndroidOS.Pletor.a]

Here is another example:

[Figure: Code from the SmsProcessor class of the Trojan Backdoor.AndroidOS.Torec.a]
[Figure: Code from the SmsProcessor class of Trojan-Banker.AndroidOS.Acecard.a]
[Figure: Code from the SmsProcessor class of Trojan-Ransom.AndroidOS.Pletor.a]

A lot of the class, method and variable names are the same for all three Trojans.

The code of the corresponding methods is either the same or very similar with only minor differences.

Acecard’s progress

The initial Trojan, Trojan-Banker.AndroidOS.Acecard.a, could only handle four commands sent from the C&C:
- #intercept_sms_start – start intercepting incoming SMSs;
- #intercept_sms_stop – stop intercepting incoming SMSs;
- #send_sms – send an SMS to the number specified in the command;
- #control_number – change the phone’s control number.

The next modification of Acecard was detected in late August 2014 and used the TOR network for C&C communication, just like the earlier Pletor.

Besides that, we identified two more differences.

Firstly, the list of supported commands had grown to 15; nearly all of these commands had been seen before in earlier versions of the Trojan Torec:
- #intercept_sms_start – start intercepting incoming SMSs;
- #intercept_sms_stop – stop intercepting incoming SMSs;
- #ussd – create a USSD request;
- #check_gps – send the device’s coordinates to the C&C;
- #block_numbers – add numbers to the list of senders from which SMSs will be intercepted;
- #unblock_all_numbers – clear the SMS interception list;
- #unblock_numbers – remove specified numbers from the SMS interception list;
- #listen_sms_start – start stealing incoming SMSs;
- #listen_sms_stop – stop stealing incoming SMSs;
- #check – send the Trojan’s ID to the C&C;
- #grab_apps – send the list of applications installed on the mobile device to the C&C;
- #send_sms – send an SMS to the number specified in the command;
- #control_number – change the phone’s control number;
- #sentid – send an SMS with the Trojan’s ID to a specified number;
- #show_dialog – show a dialog window to the user with specific objects (data entry fields, buttons etc.) depending on the C&C command parameters.

The second difference was the number of phishing windows.

Along with the official Google Play Store app, this Trojan now overlaid the display of the following apps with its own windows:
- IM services: WhatsApp, Viber, Instagram, Skype;
- The apps of the VKontakte, Odnoklassniki and Facebook social networks;
- The Gmail client;
- The official Twitter client.

In the second half of October 2014, we detected the next modification of Acecard.
It no longer used TOR (neither have any of the versions of the Trojan subsequently detected). However, there was another, more important difference: starting with this version of the Trojan, there have been dramatic changes in the geography of the targeted users.

The earlier versions mostly attacked users in Russia, but starting in October 2014 the bulk of Acecard attacks targeted users in Australia, Germany and France. Russia accounted for just 10% of the attacked users.

This trend continued for another four months, until February 2015, but even then Australia, Germany and France still remained among the most frequently attacked countries. At the same time, the geography of Pletor attacks remained largely unchanged: most attacks targeted, and continue to target, users in Russia and the US.

The TOP 5 most attacked countries also includes Ukraine, Belarus and Saudi Arabia. A new modification of Acecard emerged in mid-November 2014.

As well as stealing passwords from popular social network clients, it started to overlay the banking app of Australia’s most popular bank with a phishing window. Just two days later, we managed to detect another modification of this Trojan that was already attacking the apps of four Australian banks. This functionality has persisted up to the very latest Trojan-Banker.AndroidOS.Acecard modifications that we detect. This version of Acecard also checks the country code and the service provider code as it launches, and if it finds itself in Russia, it shuts down.

This check is carried out in almost all subsequent modifications.
Interestingly, similar changes to Trojan-Ransom.AndroidOS.Pletor only took place in late March 2015, and did not extend to all versions of the malware. For the next nine months, there was practically no change in the functionality of the new Acecard modifications that emerged, until early August 2015 when we detected a new version that was capable of overlaying the PayPal mobile app with its own phishing window. There was also a new command that this version could perform – #wipe. When this command is received, Acecard resets the mobile device to factory settings. It should be noted that there has been a dramatic increase in Acecard developer activity since June 2015.

Before, we typically identified 2-5 files a month related to this Trojan; since June we have detected around 20 files per month.

[Figure: Number of Acecard files detected each month]

The graph above shows the number of files associated with the banking Trojan Acecard that are detected each month; these include both the modifications of Acecard and related files, such as downloader Trojans.

The dramatic rise in file numbers detected in November and especially December is down to the malware writers making active use of a commercial code obfuscator and the emergence of obfuscated versions of the Trojan. Also at this time, there was an increase in the number of attacks using this malicious program.

[Figure: The number of unique users attacked by Acecard per month]

In the first half of September, we detected a new modification of Acecard.
Its new capabilities included overlaying the windows of more mobile banking apps, including those of one Australian bank, four New Zealand banks and three German banks. It means this modification of the Trojan is capable of overlaying 20 apps – including 13 banking apps – with a phishing window. The subsequent development of Acecard’s “banking business” then got even faster: The next modification emerged just several days later, and was capable of overlaying as many as 20 banking applications.

The list of targeted apps grew to include another app belonging to an Australian bank, four apps for Hong Kong banks and three for Austrian banks. In late September, a new modification came out with a new functionality: the malicious program included a list of bank phone numbers, so text messages arriving from those banks are redirected to the cybercriminal.

The Trojan has a list of phrases, so it can compare incoming text messages and identify those with verification codes for bank operations or registration, and send just the code to the cybercriminal, rather than the full SMS.

This version of Acecard intercepts SMSs from 17 Russian banks. Early October saw the emergence of a new modification that attacked the banking apps of the three largest US banks.
Interestingly, from the very start, the US has been among the TOP 10 countries most often attacked by this Trojan; however, December 2015 saw a dramatic rise in the number of attacks on US users.
In that month, the US came third in terms of the number of unique users attacked by this malware. In mid-October, a new modification appeared capable of overlaying as many as 24 financial applications, including apps belonging to five Australian banks, four Hong Kong banks, four Austrian banks, four New Zealand banks, three German banks, three Singapore banks, and the PayPal app. A new modification was detected in early November that has a phishing window that targets an app belonging to a Spanish bank. It should also be noted that virtually all versions of Acecard can handle a C&C command that orders the Trojan to overlay any specified app with its own window. Perhaps the cybercriminals thought this option was more promising, because many of the versions detected in November and December 2015 have a dedicated window that only overlays Google Play and Google Music apps to target credit card details. No other applications will be overlaid without first receiving the appropriate C&C command. The most recent versions of the Acecard family can attack the client applications of more than 30 banks and payment systems.

Considering that these Trojans are capable of overlaying any application upon command, the overall number of attacked financial applications may be much larger. Although the Trojans belonging to this family can attack users from a long list of countries, most attacks target users in Russia, Australia, Germany, Austria and France.

[Figure: Number of unique users attacked by country]

In Germany and Australia, the Trojan-Banker.AndroidOS.Acecard family is the most widespread type of mobile banker Trojan targeting users.

Propagation

In many countries, Trojans belonging to the Acecard family are typically distributed with the names Flash Player or PornoVideo, although other names are sometimes used in a bid to imitate useful and popular software.

This malware family also propagates with the help of downloader Trojans that are detected by Kaspersky Lab’s products as Trojan-Downloader.AndroidOS.Acecard. We should note that on 28 December we were able to spot a version of the Acecard downloader Trojan – Trojan-Downloader.AndroidOS.Acecard.b – in the official Google Play Store.

[Figure: A Trojan-Downloader.AndroidOS.Acecard.b page in Google Play Store]

The Trojan propagates under the guise of a game, but in reality it has no useful functionality.

The main goal of this malicious app is to download and install a fully functional modification of the banking Trojan Acecard.
Its creators didn’t even bother to make it look like a legitimate application: when the malware is installed from Google Play, the user will only see an Adobe Flash Player icon on the desktop screen. We have also been able to detect a new modification of the downloader Trojan, Trojan-Downloader.AndroidOS.Acecard.c.
It differs in that the Trojan, once launched, uses vulnerabilities in the system to gain super-user rights. With these privileges, Trojan-Downloader.AndroidOS.Acecard.c can install the banking Trojan Acecard into the system folder, which makes it impossible to delete using standard tools. However, in most cases this propagation method is used to spread another Trojan that we are already familiar with – Trojan-Ransom.AndroidOS.Pletor. The cybercriminals are using virtually every available method to propagate the banking Trojan Acecard, be it under the guise of another program, via official app stores, or via other Trojans.

This combination of propagation methods, which includes the exploitation of vulnerabilities in the operating system, along with Acecard’s capabilities make this mobile banker one of the most dangerous threats to users
The FBI sent Ars a statement late Saturday further clarifying its role in resetting the iCloud password on the seized iPhone 5C central to the San Bernardino terrorism investigation. Earlier in the day a spokesman for the San Bernardino County Health Department confirmed to Ars that his agency changed the iPhone’s associated iCloud password at the request of the FBI.

That action had the unintended effect of making any further iCloud backup attempts impossible, likely frustrating the terror probe.

The San Bernardino County Health Department, which owns the phone, was shooter Syed Rizwan Farook’s employer. However, the Saturday evening statement, written by FBI Los Angeles Field Office spokeswoman Laura Eimiller, also claimed that "we know that direct data extraction from an iOS device often provides more data than an iCloud backup contains." She did not respond to further questions by phone and e-mail. The latest FBI statement directly contravenes what an Apple executive, who was granted anonymity, told reporters on Friday afternoon: That if the iPhone had backed up to iCloud as Apple had suggested, then the data that the FBI may have been able to recover would be precisely the data that it is currently trying to get directly off of the phone that Farook used. Ars spoke with three iOS security experts at length.

They agreed that Apple’s statement is theoretically correct only if the bureau performed just a classic Cellebrite-style direct data extraction.

Doing that would produce the same data as an iCloud backup. However, there might be other information and data on the phone that the FBI could access if agents could break the passcode and decrypt the phone.

After all, bypassing that passcode limit is precisely what the FBI has asked Apple to do. Last week, Apple was given an unprecedented court order—under an obscure 18th century law known as the All Writs Act—to create custom firmware for the iPhone 5C that was used by Farook.

That new firmware would remove a possible automatic wipe feature on the phone if a passcode is incorrectly entered 10 times and would remove a delay between passcode attempts intended to make brute-force entry more difficult.
If Apple does comply, it would allow the government to enter PIN codes in rapid succession until it gained access to the phone.

Apple CEO Tim Cook has publicly said it will resist this attempt, calling it a significant "overreach." A court hearing has been scheduled for March 22 in Riverside, California.

Pwned two-factor authentication?

So, what information on the phone wouldn’t be available as part of an iCloud backup? There are a handful of applications that Farook may have had installed on the phone that don’t associate with iCloud.

The FBI has not said publicly what it expects to find on the phone. "Signal Messenger isn’t going to back up your messages to iCloud and since they’re end-to-end encrypted, the only place they’re going to be is on the phone," Dan Guido, the CEO of Trail of Bits, a security firm, told Ars. Another possible app that the FBI may want to see running on the phone could include Telegram, another messaging app that has been known to be associated with Islamic State radicals.

Telegram, however, has an optional app-specific passcode that protects access to the app even if the phone is unlocked. "That would be a thing that me as an FBI agent would be concerned about," Guido added. "Maybe [Farook] communicated on it, so we need to get access to the phone.

That’s a reasonable line of thinking for an FBI agent to make." With access to installed apps like Signal and Telegram, the FBI may want to know who else Farook was communicating with, and what was said, which could open up other avenues or confirm other details about who he was communicating with. According to John Adams, a former security official at Twitter, with access to the phone itself, the FBI may also be able to access Farook’s two-factor authentication apps, if they exist.

For example, having data from the Google Authenticator app could potentially give the FBI access to his Gmail account. "They gain a massive amount of functionality and visibility of the user that they didn’t have before," he said.

Slow down, turbo

Ars learned Friday that Apple had suggested that the FBI try to force the iPhone to perform an iCloud backup by taking it to a previously used Wi-Fi location, plugging it into an electrical wall socket, and leaving it overnight.

Because the iCloud password was reset four days after the attack by the San Bernardino County Health Department, at the behest of the FBI, the possibility of forcing the phone to perform an auto-backup to its associated iCloud account was eliminated. On Saturday, Apple declined to answer Ars’ question as to whether the company was consulted prior to the iCloud password reset. The FBI has been doggedly trying to extract a missing six weeks worth of data from the iPhone since its last iCloud backup on October 19, 2015. No one knows why there were no further backups subsequent to that date, but the same Apple executive described Farook’s iCloud backup history as "sporadic." Guido, the iOS security expert, also noted that it was foolish for the FBI to suggest that San Bernardino officials reset the iCloud password rather than simply wait for Apple to hand over iCloud data as part of a normal legal request. "Any investigator knows that you can make a simple request to Apple—you don’t need to reset the password," he added. "It was likely a panicked response and they thought they could get the data faster than Apple could give it to them.

That, unfortunately, was probably not the best idea." For his part, a third iOS expert, Jonathan Zdziarski, who wrote a book called iPhone Forensics, speculated to Ars that the FBI is "hiding the fact that there's going to be a second [court] order to complete the [data] acquisition." In a blog post published late Saturday night, Zdziarski theorized that federal prosecutors may try to expand their court order, and demand that Apple perform a physical extraction and decryption of all the data that currently sits on the phone. As he wrote:

In other words, if the FBI is planning to have Apple perform a physical extraction of this extra data, then they are forcing Apple to create this backdoor tool for a separate reason, as it is completely unnecessary if Apple will be forced to extract the contents of the device in the end.
It would also mean that they’re hiding all of this extra work from both the courts and from Apple, possibly because the combination of the two [All Writs Act] orders would have constituted "unreasonable" assistance in the court’s view.
It completely modifies the purpose of the first order as well; we’ve now gone from having a single tool with a very specific purpose to having two separate tools to create a modular platform for FBI to use (via the courts) as each piece becomes needed.
An Oregon man has admitted he tricked hundreds of people into divulging their Apple and Gmail passwords in a scheme that allowed him to steal nude images of more than a dozen victims, some of them celebrities. Andrew Helton, 29, of Portland, entered th...
Google's taking some of the user interface techniques it uses to flag insecure Web pages and applying them to email. The plan: to warn users of Gmail on the Web when they receive emails from people who aren't using encrypted connections, or if message authentication fails. The change is outlined on the Gmail blog. While a Gmail user is protected by TLS encryption, there's no way for them to know whether the email service they're sending to or receiving from is also protected. Google, however, can see that exchange, so if the far end isn't encrypted, it is going to start showing users a broken lock.

Name-and-shame: if the email service doesn't encrypt, Gmail on the Web will tell you

The second UI flag Gmail is adding covers authentication: while it's easy to trust an email address you've exchanged messages with for a long time (a partner, a boss, an old friend and so on), a lot of messages arrive claiming to be from banks, shops and payment houses. As Mountain View explains here, it's a little burdensome for end-users to double-check the details that would let them authenticate messages. So Google will simply substitute a question mark for the avatar or logo if a message can't be authenticated.

How an authentication failure will be flagged

A question mark accompanied by the claim that "this is a message from your bank" will, The Chocolate Factory hopes, go a long way to stopping people falling for phishing scams. ®
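The two signals the article describes, transport encryption on the last hop and message authentication, are both visible in a received message's headers. The following is an added example, not Google's code: it reads the receiving server's Received stamp for a TLS session and the Authentication-Results header for SPF/DKIM/DMARC verdicts, then derives a "broken lock" and a "question mark" flag. The sample message and the pass/fail policy (DMARC verdict wins, otherwise an SPF or DKIM pass suffices) are constructed assumptions, not Gmail's actual rules.

```python
import email
import re

# Constructed sample (not from the article): delivered over TLS, but SPF, DKIM
# and DMARC all fail, i.e. the "can't be authenticated" case Gmail flags.
SAMPLE_SPOOFED = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
        by mx.example.com with ESMTPS id abc123
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 1 Jan 2016 10:00:00 +0000
Authentication-Results: mx.example.com;
       spf=fail (sender IP is 192.0.2.10) smtp.mailfrom=bank.example;
       dkim=fail header.i=@bank.example;
       dmarc=fail (p=REJECT) header.from=bank.example
From: "Your Bank" <alerts@bank.example>
Subject: Please confirm your account
"""

def _unfold(value):
    # Join folded header continuation lines into one string.
    return re.sub(r"\r?\n[ \t]+", " ", value)

def auth_results(msg):
    """Collect {method: result} from Authentication-Results, e.g. {'spf': 'fail'}.
    Clause 0 is the authserv-id; the rest are method=result [properties]."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in _unfold(header).split(";")[1:]:
            m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause, re.IGNORECASE)
            if m:
                results[m.group(1).lower()] = m.group(2).lower()
    return results

def transport_encrypted(msg):
    """True if the receiving MX's own (topmost) Received stamp records a TLS session."""
    received = msg.get_all("Received", [])
    top = _unfold(received[0]) if received else ""
    return bool(re.search(r"\bwith E?SMTPSA?\b|version=TLS", top))

def is_authenticated(results):
    """Assumed policy: a DMARC verdict wins; otherwise an SPF or DKIM pass suffices."""
    if "dmarc" in results:
        return results["dmarc"] == "pass"
    return results.get("spf") == "pass" or results.get("dkim") == "pass"

def gmail_style_flags(raw_message):
    """Derive the two UI hints: broken lock (no TLS) and question mark (unauthenticated)."""
    msg = email.message_from_string(raw_message)
    results = auth_results(msg)
    return {"broken_lock": not transport_encrypted(msg),
            "question_mark": not is_authenticated(results),
            "results": results}
```

The same header checks apply to any received message; a legitimate message from a domain that publishes SPF/DKIM would come back with pass verdicts and no question mark.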
Customers of Virgin Media who are increasingly convinced their service provider has been the victim of a security breach have formed a Facebook group to share their experiences and push for answers. Virgin Media is firmly denying any breach of its systems but users are equally adamant that the cause of a widespread and ongoing email spoofing problem must be down to a problem with the ISP. The aggrieved customers say the issues at Virgin Media began in September last year, around the time the service provider migrated from the Google platform to its own. This was accompanied by some spamming, as we reported at the time, but this was only one aspect of a bigger and ongoing mail security problem – at least, according to disgruntled customers. According to this group, Virgin Media somehow managed to leak email addresses and address books held on its servers to hackers. Within days of the migration, ntlworld and blueyonder accounts were spoofed to distribute spam messages in junk mail runs limited to email addresses those users had previously been in contact with. “Around 70 of us have had our email web accounts compromised and [believe] that the spammer is sending out spoofed email to everyone in our sent/received items,” Simon, a victim of the apparent breach – who says he has worked in IT for 20 years – told El Reg. “Each email to five of these contacts contains a link to a compromised website with the aim of infecting a new PC. A spoofing event happens about every 3-4 weeks causing a large number of bounce-backs to the victim.” Virgin Media customers started to receive batches of undelivered email reports at the time the service provider changed its email platform last September and the problem remains unresolved, with spoofed emails still circulating.
Virgin Media: It ain't us, guv

In a statement, Virgin Media acknowledged its customers were experiencing a spoofed messages problem while firmly denying that a breach on its systems had precipitated the unwelcome behaviour.

Ensuring customer data is secure is of utmost importance to Virgin Media. There has been no breach of our systems and our email platform is not the cause of reported email spoofing. We have advised customers how best to protect their email accounts from spoofing.

The change of email platform meant that some emails (e.g. bouncebacks) that Gmail would have delivered to a customer’s junk box became visible in customers' inboxes, a Virgin Media PR representative added. The statement issued to El Reg dovetails with what the ISP has been telling its customers for months, a line that’s hard to disprove but has nonetheless failed to placate disgruntled users. Simon said the issue has caused him all sorts of inconvenience. He described Virgin’s statement and the position it reflects as “utterly implausible”. “Virgin have a good description of what spoofing is on their website and are making the claim that the increase post migration is due to the fact that their spam filters are not as good,” he said. “This is just not true as when a spoofing event happens I get several calls / email texts from irate friends, colleagues and customers telling me I’ve been hacked and it’s only happened since the migration.” “It caused me personally a great amount of embarrassment and there is nothing that can be done to solve the problem now the addressees are out there. In trying to fix the symptoms of the problem, Virgin are now blocking swathes of legitimate email. The whole thing is a disaster and I am about to move to a new email provider, which is a significant pain as this has been my email address for 20+ years,” he concluded.

'Targeted' recipients

Other Virgin Media users caught up in the spamming and spoofing storm remain equally frustrated.
“When we looked at the emails, it was clear we had not sent them – they were spoofs,” explained Kate B, a Virgin Media customer who has also been in touch with El Reg about the issue. “What was more concerning was that the recipients were targeted. “They were all people who had email contact with the VM account. This includes people who were cc'd in emails sent and received years ago. They were not in any address books,” she added. Aggrieved punters have been complaining about the issue to Virgin Media but it has consistently denied any wrongdoing. Instead the ISP is blaming message storm problems on individual customers. Call centre staff are telling aggrieved punters to run various security checks on their computers and to change passwords, actions that don’t really tackle the problem, according to activist customers. “This is not the issue,” another aggrieved user, AnnHelen P, told El Reg. “These email addresses [are] held in the address books or in emails on the Virgin Media web servers, not from customers’ computers. As a result, spoofed emails are being sent between the email addresses that were captured. “Also since many of the email addresses leaked have been for email addresses that no longer exist, many of these emails bounce back to the spoofed sender address,” she added.

Complaints to the Information Commissioner

Several customers have complained about Virgin Media to data privacy watchdogs at the Information Commissioner's Office (ICO). Asked to comment on the issue, an ICO spokeswoman told El Reg: “We are aware of this issue and are making enquiries.” She declined to answer follow-up questions from El Reg on whether or not Virgin Media was co-operating with its inquiries, explaining that the ICO has a policy of not commenting on ongoing inquiries. Virgin Media’s community forums are full of threads on the spoofing/malicious spam issue (examples: "Recieved about 20 of these, has my e-mail or system been hacked, virus, what's going on?"
here; "email hacked?" here; "How does spoofer access my contact list?" here; "Outward spam emails being sent from my .ntlworld address" here; and "Email Spam Spoofing" here. Nonetheless, Virgin Media is sticking to its official line (see under email spoofing here) and maintaining that its customers are to blame for any problems they may be experiencing. VM has steadfastly stated there was no data breach but has not provided any information on how it managed to clear itself of any involvement in the ongoing malfeasance, aggrieved customers tell El Reg. In response, frustrated customers recently started a Facebook group on the issue, dubbed Virgin Media Email Problems - Spoofing, Hacked, Data Breach?. The group is designed to allow people whose emails have been compromised to exchange and pool their experiences. “We are not getting anywhere with Virgin,” AnnHelen P said. “We do realise that the emails are now out there and nothing can be done about that. We do, however, wish to know exactly what information these hackers were able to access, how it happened in the first place and how widespread this breach is.” Kate B added: “We are worried there has been a data breach. If VM does not know how it happened, how can they prevent it happening again? We are also very concerned that information was harvested from inside of our old emails... What else was taken?” She concluded: “We have found it hard to raise the profile of this issue. Many of the people in the group are IT professionals and very savvy; we estimate there are very many others who have been targeted but remain unaware.” ®
"Google stole a small amount of time and attention from a large number of people."
The HTTPS Everywhere campaign received a small boost this week with a commitment by a UK schools technology provider to roll out secure logins for a service used by many educational establishments. Reg reader and former school governor Paul F tipped us off about security shortcomings of RM Easymail, which he claimed were so severe that he baulked at using the service, a supposedly more secure alternative to personal webmail accounts for school governors and the like. “I was a school governor for about 14 years, and towards the latter part of that time the governors were 'encouraged' (ie, forced) to use school-assigned email accounts, as governors' personal email accounts were deemed insecure,” Paul F explained. “We were all allocated email accounts for the 'RM EasyMail' service. The email containing our logins and passwords was sent to all of us, naturally, but after I looked at this web-based email service I refused to use it as it didn't appear to use encryption on the login screen.” A quick Google reveals that insecure logins for RM EasyMail remain commonplace in the schools sector (we sent a few examples along with our query). El Reg put our tipster's security concerns to RM Education, which responded promptly with a statement acknowledging the issue while providing reassurance that it was encouraging schools to move towards more secure systems.

RM Easymail can be used via SSL encryption but requires some action on behalf of each customer. Many customers are already using this mechanism to access RM Easymail. For those school domains that you’ve listed we will make proactive contact to help them through the process of enabling SSL. Following your enquiry we recognise that we may not have made this option clear enough to schools and so we will take action to remedy this, including a notification on the login page.
It’s also worth noting that we are currently trialling the migration of RM Easymail customers onto a cloud-based email platform: Outlook Office 365 from Microsoft or Gmail from Google Apps for Education. The trial is to ensure that our customers receive a smooth and hassle-free transition. We will then launch the service on completion of successful trial sites.

Paul F was somewhat unconvinced about this response. “It has been unencrypted for years, so they're not exactly proactive,” he told El Reg. “I would have thought a redirect to an https link would have been simple enough to implement.” That’s as may be, but RM’s reply explains that a sysadmin has to turn on SSL in the settings for each particular site to enable secure logins. It’s unclear why encryption wasn’t applied by default in the first place. In any case, Paul F’s experience suggests awareness of the importance of secure logins in safeguarding login credentials and other important information is somewhat lacking in the UK schools sector. “When I pointed out the lack of TLS for the mail login screen at the school, it fell on deaf ears,” Paul F explained, “perhaps as you'd expect for a load of non-techies. The irony was that RM Easy Mail was introduced as a security measure, as using individuals' personal email accounts was deemed insecure. “Anyway, I refused to use it, and they had to print everything out for me,” he added. RM Education earned its stripes in the education sector supplying PCs & software to schools as plain old RM before morphing into a major supplier of everything IT-related in the educational market. ®