Google's biggest threat is no longer Microsoft. It is itself.
As the company harvests copious quantities of personal data, it becomes dramatically better at serving customer needs...
...and at freaking them out over privacy concerns.
In other words, Google gets stronger with every Google Doc created, every Google Voice call dialed, and every Gmail e-mail sent. It becomes stronger because data is the heart of the Web's biggest businesses, as Redmonk analyst Stephen O'Grady implies.
But in so doing Google also becomes more threatening to the very consumers it is trying to serve.
Google Dashboard is meant to change this by putting consumer data back in the hands of consumers. It's a move that follows on Google's earlier pledge to "open data" and its Data Liberation Front.
As CNET reports, Dashboard lets people review the personal data Google has stored for them, delete it, and alter future collection policies. It's a great way for Google to mollify concerned users, putting control back in their hands.
Still, it's almost certainly never going to be used by the vast majority of Google users. Ever.
Why? Because for all our hand-wringing over privacy--and for good reason--the reality is that most of us, most of the time, really don't care. Or, rather, if accessing useful services or getting work done more efficiently requires some privacy concessions, we gladly concede.
It's not that we don't value our privacy. It's just that in many contexts, we value other things as much or more. We weigh the risks versus the benefits, and often the benefits trump the privacy risks.
It's the same thing with file formats. For years we've been agonizing over Microsoft's lock-in of customers through proprietary file formats (.pst, .doc, etc.). Now Microsoft is opening up the specifications for file formats like .pst (Outlook file format), and yet it will almost certainly change little to nothing in what products most people use most of the time.
People don't use Microsoft Office because they're forced to. They do so because it's convenient. (Yes, an argument can be made that it's convenient because Microsoft has forced network effects through lock-in.)
This, incidentally, is exactly the reason that Wednesday night I declared a ban on Microsoft Office in our family in favor of Google Docs--and didn't opt for OpenOffice (which we also use). I got sick of having to recover documents and perform other IT tasks related to a locally installed office suite, open source or proprietary. And I find it easier to let Google handle the back-end IT operations.
I wasn't trying to evade lock-in. I was trying to increase personal happiness.
Am I concerned about Google snooping on the documents we write and store in Google Docs? Let's just say I worry more about my time fixing Office than whether Google gleans any information from my 12-year-old's seventh-grade essay.
Dashboard leaves Google in the prime position of being able to honestly say that it doesn't control user data, while still delivering increasingly beneficial services based on that data. It will not change the way that the vast majority of consumers use Google, but it just might change the way they think about Google.
A very smart move by Google, one that all data-driven businesses should emulate.
Follow me on Twitter @mjasay.
A hacker in the Netherlands broke into some jailbroken iPhones and sent text messages to the owners asking them to pay to find out how to secure their phones, according to postings in a Dutch forum called Tweakers.net.
One of the victims posted a screenshot from his iPhone of the SMS received. It said: "Your iPhone's been hacked because it's really insecure! Please visit doiop.com/iHacked and secure your iPhone right now! Right now, I can access all your files."
The URL provided now displays a message indicating that it was reported for spam or phishing abuse and has been deactivated.
Ars Technica reports that before the page was removed, it asked that victims send 5 euros ($7.36) to a PayPal account and then await an e-mail with instructions on how to secure the phone. The fix probably would involve restoring the factory settings, according to the Ars Technica post.
"If you don't pay, it's fine by me," the hacker's page said. "But remember, the way I got access to your iPhone can be used by thousands of others--they can send text messages from your number (like I did), use it to call or record your calls, and actually whatever they want, even use it for their hacking activities! I can assure you, I have no intention of harming you or whatever, but, some hackers do! It's just my advice to secure your phone."
More midsize companies are being attacked by cybercriminals at the same time they're spending less on security, says a McAfee report released Wednesday.
Across the world, more than half of the 900 midsize businesses (51 to 1,000 employees) surveyed by McAfee for its report, The Security Paradox, said they've seen an increase in security breaches over the past year. Despite the threat, the recession has caused most of these companies to freeze their IT security budgets.
McAfee found that the costs of dealing with a security attack can be high. Over the last year, one of five midsize companies surveyed lost $41,000 in sales on average as a result of a breach. In China alone, 38 percent of the businesses questioned lost an average of $85,000 due to an attack. And more than 70 percent believe a serious data breach could put them out of business, noted the report.
But as the recession has grown, IT budgets have dropped. Almost 40 percent of the companies trimming their IT security budget plan to limit the purchase of new security products. And more than a third are switching to cheaper security software to cut expenses, even though they realize that may put them at greater risk.
"An organization's level of worry and awareness about increasing threats has not overcome the downward pressure on budgets and resources," said Darrell Rodenbaugh, senior vice president of global midmarket for McAfee, in a statement. "But this creates a vicious cycle of breach and repair that costs far more than prevention."
Midsize companies also may underestimate their risk, according to McAfee. Among companies with fewer than 500 employees, more than 90 percent believe they're protected from cybercriminals and feel they don't face the same threats that larger firms do.
But McAfee discovered that businesses with 101 to 500 people had on average 24 security breaches over the past three years, compared to 15 breaches for those with 501 to 1,000 employees.
In the long run, dealing with the aftermath of a security attack eats up a company's time and expenses. The study found that 65 percent of firms spend less than four hours a week on IT security, but around the same percentage have spent more than a day recovering from security breaches.
"Our research shows that organizations that put more effort on preventing attacks can end up spending less than a third as much as those that allow themselves to be at risk," said Rodenbaugh.
The study was conducted by research firm MSI International, which surveyed 100 midsize businesses in each of the following countries: U.S., U.K., Australia, Canada, China, France, Germany, India, and Spain. The results were compared with prior studies done in North America and Europe.
Nokia and SAP are forming a new company that will use their technologies to help manufacturers battle counterfeit products.
Announced Tuesday at SAP TechEd in Vienna, Original1 will offer services to better authenticate branded products and protect them from counterfeiting, the companies said in a statement.
Offering software as a service (SaaS), Original1 will draw on a combination of SAP's supply-chain technology and Nokia's mobile authentication software. Nokia and SAP will each own 40 percent of the business, while German firm Giesecke & Devrient (G&D) will own the remaining 20 percent and add the security and encryption component.
The service will target products that are especially vulnerable to counterfeiting, such as pharmaceuticals and luxury goods, G&D spokesman Stefan Waldenmaier said. Other items, such as auto parts and software, could also benefit from the service, he said.
At this point, the service can only work with physical products, not electronic items. So, for example, Original1 could protect boxed software but not downloadable media.
Here's how it works: branded products will be electronically tagged with smart, tamper-proof barcodes, allowing the manufacturer to track them using a Nokia smartphone as they move from factory to store shelf. A retailer can then check the product information against a database and determine whether the data is coming from a legitimate product.
Located in Frankfurt, Germany, Original1 will be run by Claudia Alsdorf, currently the vice president of SAP Research.
"Counterfeiting is a worldwide problem that is increasing and affecting many successful companies in all industries," Alsdorf said in a statement. "Today, more than ever, companies need to combat counterfeiting before it's too late, when their company livelihood is at stake."
SAP has already run pilot tests of the new service with some of its customers and said the testing has been successful.
Nokia and SAP have a history of working together on mobile projects. Nokia is an SAP global technology partner, while SAP is a Nokia Enterprise Zone member.
Subject to regulatory approval, Original1 is expected to open its doors before year's end.
TrendMicro last year introduced its cloud computing strategy to deliver security to desktop PCs. Now the security software vendor, according to CEO Eva Chen, is taking cloud security a step further by protecting the cloud itself.
An update to its Deep Security product, introduced Monday, offers protection for the "entire server," including the operating system, network, and applications layers, according to the company.
So why is there a need for yet another layer of server protection? Don't servers already have an enormous amount of protection?
She acknowledged that servers are typically protected by a firewall, an intrusion detection system (IDS), and an intrusion prevention system (IPS). "But now people are doing virtualization," Chen said. "And once you do virtualization, the server can move from one network center to another network center or move from your own data center to a public data center, and therefore the server is not just behind the firewall all the time. It needs to protect itself."
Another issue is the changing nature of servers. In the past, they mostly were used to serve up data. But with cloud computing, applications run on the server and that makes them vulnerable to hackers. "In last two years an enormous amount of Web servers were attacked by cybercriminals. They just insert SQL injections or a malicious link in your site or serve up malicious content from your site," Chen said.
Initially, TrendMicro's product is aimed at the enterprise, but long term the company plans to develop services to support small Web sites and blogs.
As a small site owner, I understand the need. SafeKids.com, which is a WordPress blog I maintain, was attacked a couple of years ago due to a security flaw in a template I was using. The attacker embedded hidden links to sites that offered male enhancement products. I discovered the problem when I was embarrassed by Google Viagra ads appearing on my site. I don't have anything against Viagra, but the ads weren't appropriate for a site that focuses on Internet safety for children. Google, which places ads that are related to the site's content, was fooled into thinking that my site covered male enhancement rather than children's safety. Chen said that TrendMicro is exploring technology that could protect sites like mine by alerting owners to potential problems as soon as they occur.
In a partnership with RSA, the company is also working to protect financial sites against phishing attacks. It has software that looks for phishing sites that mimic legitimate ones and warns the legitimate site owners, who can then take action against the impostors.
ORLANDO, Fla.--OK, IT managers, it's time to loosen up.
That's how analysts advised Gartner Symposium attendees here Monday, arguing that corporate computing departments shouldn't block social networking and that security shouldn't completely lock down communications with the outside world. And even if information technology authorities want to shut down such activity, they can't.
"Banning access to social media from the corporate network is futile," said Carol Rozwell, a Gartner vice president. "The world we live in is digitally enabled and socially connected."
The advice reflects the transformation of the information technology world as the Internet steadily pervades more and more corners of everybody's life. Although the Gartner event historically has concerned itself with matters such as justifying the expense of a new enterprise resource management computing system, the broadening show reflects the growing scope of work that IT managers face.
Overall, companies must acknowledge that not everything is under control of their own top-down administration, said Peter Sondergaard, senior vice president of research at Gartner.
"We're moving from control to greater autonomy," Sondergaard said. Managers also must find an appropriate place on the spectrums of in here vs. out there and owned vs. shared.
Mozilla on Friday disabled a Microsoft plug-in for Firefox called the .Net Framework Assistant because of a security problem--then scrambled to give people with patched systems an override option.
Mike Shaver, Mozilla's vice president of engineering, announced the first step late Friday night on his blog. "It's recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on," Shaver said. "Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plug-in for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately."
The .Net Framework Assistant add-on lets Firefox use Microsoft's ClickOnce technology for installing applications that run on its .Net programming foundation. The add-on already was something of a thorn in the sides of some Firefox users: it was automatically installed via Windows Update with the .Net Framework 3.5 Service Pack 1 without telling the user the add-on was being installed or giving an option. More hackles were raised because it wasn't compatible with Firefox 3.5, Shaver said, and because removing it initially required people to edit their Windows Registry--a technically onerous task for most people.
Firefox checks a Mozilla server periodically for a list of add-ons to avoid. Although Mozilla's blocking move was intended to protect users, it caused other problems. Shaver indicated that Firefox's changed behavior irked some system administrators.
That led Justin Angel, a former Silverlight program manager at Microsoft, to tweet, "When business users can't use their core business functionality--they uninstall stuff."
One issue was that Mozilla's add-on blocking technology couldn't tell if people had patched their software and so weren't vulnerable anymore. "We can't distinguish patched from unpatched, so we're blocking it while we sort that out," Shaver twittered. Over the weekend, Mozilla worked to remedy the situation.
"Pushing a change to our blocklist software that will let Firefox 3.5 users override the blocking of .NET FA/WPF plugin if they're patched," Shaver tweeted Sunday. But a few hours later, he added, "We're still working on the blocklist tweaks to help enterprises override the blocking of the WPF plugin, stay tuned!"
Update 6:47 p.m. PDT: Crisis partially averted, apparently. At about 6:10 p.m., Shaver tweeted, "MSFT confirmed that the .NET Framework Assistant is not exploitable, so we've removed it from the blocklist; one down!"
Update 8:34 p.m. PDT: There's still another blocked Microsoft add-on that's vulnerable, one that concerns the Windows Presentation Foundation (WPF), which also is installed with the .Net service pack. Shaver said it was more serious.
"We're hard at work on improving the experience for (especially enterprise) users who wish to override the blocking of the WPF plugin before we remove it from the blocklist," Shaver said in a Sunday night blog post that announced the other plug-in had been removed from the Firefox blocked add-on list.
CORRECTED October 15, 2009, 11:45 a.m.: The default search choice is not changed, as was mistakenly reported earlier. Also, it's not the user's home page that gets changed, but the new tab page. I've clarified the nonmandatory nature of the LinkScanner toolbar, and added information on the identity theft feature in the toolbar.
After giving its paying customers a few weeks to upgrade to version 9, AVG has announced its update for AVG Free 9.
For those unfamiliar with the popular freeware security tool, it provides only the bare necessities for protecting your PC, but that should be enough for savvy Windows users. AVG Free 9 introduces few new features, with improvements focused on performance, including claims of faster scan and boot times. AVG is claiming that scans are 50 percent faster compared with AVG 8.
AVG comes with a combined antivirus and antimalware engine, the proprietary LinkScanner for Web browsing safety, and e-mail scanning. Developed independently and bought by AVG in 2007, the LinkScanner tech performs two functions. It protects you from third-party code exploits before they load in your browser and it ranks search results.
Annoyingly, the optional AVG LinkScanner toolbar commandeers your new tab page, decidedly inappropriate behavior that a security vendor should really know better than to do. LinkScanner can be downloaded separately from AVG, too. The scheduler is robust, automating both scans and updates with multiple options.
One new feature in the new version is the Identity Theft Recovery Unit. Only for users in the United States, ITRU is a business partnership with Identity Guard which provides "consumer identity theft solutions." Accessible only from the browser toolbar, which only works in Firefox or Internet Explorer, the service provides "a dedicated identity theft recovery unit with fraud experts," to assist handling, getting and analysing a credit report, enrolling in credit file monitoring, and offering report-filing support.
The interface in AVG Free 9 remains nearly untouched from the last version, and generally it's easy to use. From the main window, though, you must double-click to get further information on any feature, whether virus scanning, LinkScanner settings, or updating. Streamlining this to one click would be helpful.
When starting a scan, a slider makes it easy to jump between Slow, Automatic, and Fast scans: the faster the scan, the less comprehensive it is, so it's a good idea to take the program's advice and optimize your scans when you install. This will make that first scan faster. A slow scan took nearly 2 hours, while the fast scan completed in under an hour. A progress meter for these regular scans would've been useful, though. Should a virus create serious problems, AVG creates a rescue disk to scan your computer in MS-DOS mode.
Besides the LinkScanner problem, there are some other concerns with AVG. It doesn't tax your system in an obvious way when scanning or when running in the background, although CNET Labs determined that it will significantly slow down your system's boot time and will slightly delay shutting down. AVG detected some image files as threats, when two other security programs decided they weren't--these were fairly obvious false positives. There is an advertisement to upgrade at the bottom of the program window, but it can be easily hidden using the Hide Notification button.
AVG might not be the fastest or the most effective free security option, but it still gets the job done and you're better off with it.
Tuesday was the biggest Patch Tuesday ever as Microsoft released 13 bulletins for 34 vulnerabilities. But just because Microsoft issues patches, does that mean that users should apply them? Yes, says Ben Greenbaum, senior research manager for Symantec Security.
Greenbaum said that these patches impacted many Microsoft products, including Windows 7, which isn't even out yet.