
security


Google’s new Street View image algorithm can crack most CAPTCHAs


Although most human eyes struggle to see them clearly, Google has developed software that can crack most CAPTCHAs. In a paper published earlier this week, Google researchers from its Street View and CAPTCHA teams discuss a new algorithm capable of solving the company’s jumbled text security puzzles with an accuracy rate of 99.8 percent.



Android will soon continually scan for malicious apps even after installation

Google just made some announcements about how it’s beefing up security on Android. In a post on the Official Android blog, Android Security Engineer Rich Cannings announced Google is introducing improvements to how the “Verify apps” process works. While Android already scans apps at the time of installation, even ones outside of Google Play, it will soon continually scan devices to keep an eye on apps after installation.

Google announces changes to YouTube view count validation

Google today announced that it will be changing the way it validates the view counts on YouTube videos. In the past, the company would scan views for spam immediately, but starting today, Google will periodically validate a video’s view count and remove fraudulent views as it finds them. Google says it is doing this to keep YouTube views authentic in order to maintain “the trust” of fans and creators.

While in the past we would scan views for spam immediately after they occurred, starting today we will periodically validate the video’s view count, removing fraudulent views as new evidence comes to light. We don’t expect this approach to affect more than a minuscule fraction of videos on YouTube, but we believe it’s crucial to improving the accuracy of view counts and maintaining the trust of our fans and creators.

Google also advises YouTube creators to be hesitant when working with third-party marketing firms, as some offer to sell fake views. You can read Google’s full blog post on its Online Security blog.



PSA: Snapchat users can now opt out of phone number/username linking following API abuse

Following recent API abuse that led to phone numbers and usernames being exposed, Snapchat, the social photo sharing app, has updated its Android app with the option to opt out of linking your phone number with your username. The feature was intended to increase social discoverability among mutual contacts, but was recently abused, leading to the following update and apology:

Find Friends Improvements

This morning we released a Snapchat update for Android and iOS that improves Find Friends functionality and allows Snapchatters to opt-out of linking their phone number with their username. This option is available in Settings > Mobile #.

This update also requires new Snapchatters to verify their phone number before using the Find Friends service.

Our team continues to make improvements to the Snapchat service to prevent future attempts to abuse our API. We are sorry for any problems this issue may have caused you and we really appreciate your patience and support.

Love,

Team Snapchat

The update is available now for Android users on the Google Play Store.

AT&T to preload ‘Lookout’ antivirus and security app on all compatible Android devices


Lookout, a popular antivirus and security app for Android devices, today announced that it has struck a deal with AT&T to include the app preloaded on all of the carrier’s Android devices starting with the Samsung Galaxy Note 3. Yep, that means you’ll have yet another preloaded app to put up with on your new Android device, and if AT&T’s Lookout app is anything like T-Mob, you won’t be able to easily delete it from your device:

Moving forward, the Lookout app will be installed on all compatible AT&T Android devices (currently installed on the Samsung Note 3). With Lookout, AT&T customers can have the confidence to use their phone to its fullest capability, and rest assured knowing they are protected no matter what they do. Whether it’s helping to find a lost/stolen phone, managing phone security or backing up precious data, we’re helping AT&T customers with a safer, more secure, mobile experience.

This marks the third of 4 major US carriers to adopt the Lookout antivirus and security app. Sprint already preloads it on some of its Android devices as part of its Sprint Default Configuration and some T-Mobile devices, like the new LG G2, also have the Lookout app preloaded. 

Clever Android lockscreen app will work out which apps you need where


Billed as ‘the lockscreen that learns,’ Cover is an Android app that notes which apps you use in which locations, and then puts the apps you’re most likely to need onto your lockscreen.

At home you might get weather, news, traffic and Twitter; at work, calendar, Google drive and LinkedIn; in the car, maps and music … 

Talking Schmidt: Google Chairman says Android is more secure than the iPhone


During a Q&A session at the Gartner Symposium, Eric Schmidt was asked for his response to people who say that Android’s security is lacking compared to competitors such as Apple’s iPhone. Schmidt’s answer was straightforward:

“Not secure? It’s more secure than the iPhone.”

This response understandably elicited laughter from the audience.

Sure, Google has created software to ensure that Android is more secure than it used to be, but that hasn’t stopped malware creators from exploiting holes in the operating system’s Play Store or creating fake apps for the purpose of phishing user information. Yes, Apple has had their share of security issues as well, but Schmidt’s assertion that Android is more secure than the iPhone seems just a bit on the ridiculous side.

Android Device Manager quietly adds ability to remotely lock devices, override previous password settings


Google has just added an incredibly useful feature to its Android Device Manager service. As first noted by Android Police, you can now remotely lock your Android device with a specific password or passcode, should you misplace it or have it stolen.

Most notably, you can override any other pattern or PIN set on the device. The Device Manager will simply ask you to choose a new password when submitting the lock request, and when you find the device, you simply enter that passcode to regain access. If the device is in Airplane mode, the service will automatically perform the lock request as soon as it’s reconnected to the internet.

With Google, Apple, and others under strong pressure from the government to improve device security, this feature is incredibly useful. Apple recently launched a new Activation Lock feature that requires an Apple ID and password to reactivate a device after it’s reset via Find My iPhone.

To try this functionality out for yourself, head to the Android Device Manager site and select the lock icon, and be sure the service is already enabled on your device as well.

Motorola Skip accessory now available for the X Phone, unlocks the device with a single tap


Update: It has now been officially announced – full blog entry below

Even though the device is not yet available to the public, Motorola has just put a new X Phone accessory up for sale on its website. The “Motorola Skip” is described as a wearable accessory that you can use to “unlock [your] phone with a single tap.” Details are still a bit scarce, but it looks as if the device is attached to a clip and simply gives you the ability to tap it to unlock your phone. According to the support document, the device will work via NFC. The Skip starts at $19.99, which seems a tad pricey for something that saves you all of a few seconds.



Google increases bug bounties up to fivefold after paying out $2M to date

Google is increasing the bounty it pays to security researchers who discover and report bugs in Chromium by up to 500 percent after announcing that it has paid out a combined total of $2M in bug bounties across Chromium and Google-owned websites in just three years.

Today, the Chromium program is raising reward levels significantly. In a nutshell, bugs previously rewarded at the $1,000 level will now be considered for reward at up to $5,000. In many cases, this will be a 5x increase in reward level! We’ll issue higher rewards for bugs we believe present a more significant threat to user safety, and when the researcher provides an accurate analysis of exploitability and severity. We will continue to pay previously announced bonuses on top, such as those for providing a patch or finding an issue in a critical piece of open source software.

This follows earlier similar increases for reporting website vulnerabilities back in June.

Although the sums of money offered for reporting vulnerabilities are substantially lower than could be made by selling the info on the black market to those who would use it for nefarious reasons, the thinking behind bug bounties is that they encourage those who would never dream of misusing the info to file prompt reports. Many large tech companies offer bug bounties, with Microsoft – a long-time hold-out – joining in a month ago.

Two-minute SIM card hack could leave 25 percent of phones vulnerable to spying


Update: CNN reported on 1st August that five major carriers have pushed out a patch to block the vulnerability.

A two-minute SIM card hack could enable a hacker to listen to your phone calls, send text messages from your phone number and make mobile payments from your account. The vulnerability, discovered by a German security researcher, is present in an estimated 750 million SIM cards – around one in four of all SIM cards.

Give me any phone number and there is some chance I will, a few minutes later, be able to remotely control this SIM card and even make a copy of it … 

Google patches Android to block application signature vulnerability

Google has issued a patch to handset manufacturers to block a security hole that could, in theory, allow almost any Android application to be turned into malware, reports ZDNet.

It doesn’t get much scarier than this. Bluebox Security claimed to have discovered a vulnerability in Android’s security model that could allow attackers to convert 99 percent of all applications into Trojan malware. Google has told ZDNet that the hole has been patched and that it has been released to original equipment manufacturers (OEMs).

Handset and tablet owners will have to rely on the manufacturer to push the patch to their device, but the vulnerability isn’t as scary as it sounds. While it would in principle allow an attacker to change almost any application to malware without Android detecting the change, Google reports that there is no evidence of the exploit having actually been used.

“We have not seen any evidence of exploitation in Google Play or other app stores via our security scanning tools. Google Play scans for this issue – and Verify Apps provides protection for Android users who download apps to their devices outside of Play,” said Gina Scigliano, Google’s Android Communications Manager.

Via Techmeme

Google wishes to clear its name after NSA crisis, claims First Amendment protects it


The NSA’s $2b data centre in Bluffdale, Utah (source: businessweek.com)

Last week, we reported on a letter Google had sent to the U.S. government in which it asked for the release of national security request data. A week later, the company is now asking for the secretive Foreign Intelligence Court to lift a gag order, claiming that it has the constitutional right to clear its name after openly discussing government data requests.

A Google spokesperson says the company is asking the court to let it “publish aggregate numbers of national security requests, including FISA disclosures, separately,” because “lumping national security requests together with criminal requests – as some companies have been permitted to do – would be a backward step for our users.” Google is essentially asking for more leeway to describe its relationship with the government following the NSA leak two weeks ago. It wants to publish the total numbers of requests the court makes and which users are affected. The company says that the First Amendment gives it the right to disclose the information it is forced to hand over to the government.

The full statement from Google follows:


Samsung set to launch anti-theft features for smartphones in July


Earlier this month, we told you about government officials calling on major tech companies to improve anti-theft features of their devices. At WWDC this year, Apple did just that and announced its new Activation Lock feature. Now, all eyes have shifted to the other large smartphone manufacturer, Samsung. According to a report out of Korean site MK, Samsung is set to launch its anti-theft features for smartphones as early as July.

The feature will essentially be a kill switch that will allow carriers, manufacturers, and even the government to remotely wipe, lock, and disable any smartphone that has been stolen. Once this is done, the device would be rendered useless, even when a new SIM card is installed.

A kill switch is exactly what government officials called for earlier this month, and what it and manufacturers likely discussed when they met last week at a “smartphone summit” to talk about mobile security. 

Boston drops Microsoft, switches 20,000 city employees to Google Apps


Google has been signing up a lot of Google Apps for Government customers over the last year, including Colorado and the US Naval Academy, and today The Boston Globe reports that Boston is soon making the switch from Microsoft to a Google Apps environment for city employees.

As noted in the report, Boston was previously relying on Microsoft’s Exchange for many of its tasks, and making the switch to Google will save the city around $280,000 a year:

It’s not just the gee whiz factor: It’s also a matter of money. It will cost Boston around $800,000 to move over to Gmail, Google Docs for word processing, and Google’s cloud service for storing documents. But by dropping some Microsoft products, the city government will save at least $280,000 a year.

Microsoft responded to the decision in a statement to the Boston Globe, claiming, “Google’s investments in these areas are inadequate, and they lack the proper protections most organizations require.”

Pentagon approves Samsung Knox and BlackBerry 10 for government use ahead of iOS 6


Earlier this week we told you that the Defense Department was nearing a decision on approving the three major mobile platforms through new security approvals that would allow widespread use of devices by government agencies and the DoD networks. While the department has yet to grant approval to Apple’s iOS 6 for nonclassified communications by military agencies, today the Wall Street Journal provides an update noting that both Samsung’s Knox security software and BlackBerry 10 have now received the approvals ahead of Apple:

RIM announced late Thursday that the Department of Defense approved smartphones and tablets running on BlackBerry 10, the company’s new operating system, for use throughout DOD networks…Samsung devices outfitted with Knox, the company’s new security software offering, also received Pentagon approval Thursday, according to a DOD spokesman. Apple’s approval is still expected in the “next few weeks,” according to the spokesman.

As of February, BlackBerry made up the majority of the 600,000 devices on the DoD’s networks. Currently the networks consist of around 470,000 BlackBerrys, 41,000 Apple products, and 8,700 Android devices, although that could quickly change thanks to the new security approvals allowing more government agencies to adopt Samsung and Apple devices.

DoD to grant approval for Galaxy devices as Samsung steps up corporate & government push in US


The iPhone and iPad have already been cleared for use by a number of US government agencies, and in February the US Defense Department confirmed plans to open its networks to 100,000 new devices from Apple and Google by February of next year. Today, The Wall Street Journal reports the DoD is about to grant two more important security approvals that could increase the number of agencies allowed to deploy iPhones, iPads, and Samsung Galaxy devices:

The Defense Information Systems Agency, or DISA, the agency that sanctions commercial technology for Pentagon use, is set to rule that Samsung’s Galaxy line of smartphones, preloaded with Samsung’s Knox security software, conforms with the Pentagon’s so-called Security Technology Implementation Guide, according to people familiar with the approval process. That would allow it to be used by some Pentagon agencies for things like sending and receiving internal emails, according to these people.

Separately, DISA is expected to rule that Apple’s latest operating system, iOS 6, conforms to a different security-requirement guide, these people said. That would allow iPhones and iPads to be used by military agencies for nonclassified communications, like email and Web browsing.

The report from WSJ explained Samsung has been steadily increasing its attempt to break into corporate and government markets by hiring a new team of security experts and former RIM employees to reach out to Western governments and corporations:

Google facing tens of millions in fines in FTC’s iOS Safari privacy investigation

We knew that Google would likely face fines in the Federal Trade Commission’s investigation into its method of bypassing Apple’s default iOS Safari browser settings. Last month, reports claimed the FTC would make a decision on the fines within 30 days. Today, Reuters reported sources close to the situation have confirmed Google is currently negotiating with the FTC over fines that “could amount to tens of millions of dollars”:

Google Inc. (GOOG) is negotiating with the U.S. Federal Trade Commission over how big a fine it will have to pay for its breach of Apple Inc. (AAPL)’s Safari Internet browser, a person familiar with the matter said. The FTC is preparing to allege that Mountain View, California-based Google deceived consumers and violated terms of a consent decree signed with the commission last year when it planted so-called cookies on Safari, bypassing Apple software’s privacy settings, the person said.

Cross-posted on 9to5Mac.com

Bizztrust virtual “work phones” bring BlackBerry-like security to Android


Bizztrust is essentially a customized version of Android created by the Center for Advanced Security Research Darmstadt (CASED) and Fraunhofer trade group specifically to bring BlackBerry-like business class security to Android users.

With Bizztrust for Android installed, applications are then installed into one of two partitions– “work” and “personal”. Users can quickly swipe between either partition using an onscreen toggle baked into the UI. Of course, a business’s IT team will control anything installed on the “work” partition, while the end user will have full control of their “personal” partition. Any content installed on the work partition is also automatically scanned before a user is granted access to the company network and any transferred data is automatically encrypted. If an issue is detected prior to the user joining the network, any apps related to the issue will be disabled.

Ahmad-Reza Sadeghi of CASED says Bizztrust “significantly improves the security of today’s mobile terminals at no cost to user-friendliness.” If successful, this could be a huge hit to RIM’s quickly decreasing market share which still greatly relies on business users, as the Blackberry’s security features are often its only selling point.


HTC’s software found in many of their devices has a HUGE security hole


The fine folks over at Android Police have discovered that many HTC devices have a huge security hole due to a recent Android update. The results are pretty shocking, and HTC has no one to blame but themselves. In a recent update, HTC included a set of logging tools that logs users’ email accounts, last known network and GPS connection, phone numbers that have been recently dialed, encoded SMS data (probably can be decoded), and system logs.

Okay so HTC logs all of this, what’s the big deal? The big deal is that any app that requests android.permission.INTERNET can get their hands on this information. Phones include the Thunderbolt, Evo 4G, Evo 3D, and more.

As of now, the only way to patch this hole is to root your device and remove /system/app/HtcLoggers.apk. If you’re not rooted, stay away from sketchy apps. As Android Police points out, even a high-quality app could still get their hands on this information. Android Police has all of the technical details.



Google engineer claims Adobe hid “embarrassingly high” number of Flash Player bugs


After sending out the usual laundry list of bug fixes for its Flash Player yesterday, Adobe is coming under pressure from Google security engineer Tavis Ormandy, who claims the update only listed 13 of the approximately “400 unique vulnerabilities”… a number he describes as “embarrassingly high”.

Ormandy claims he sent the bugs to be fixed “as part of an ongoing security audit” and, according to a report from Computerworld, was “upset that he was not credited for his bug reports”. After noticing he hadn’t received credit in the patch, he took to Twitter to address his concerns, prompting Adobe’s senior manager of corporate communications to tweet the following:

“Tavis, please do not confuse sample files with unique vulnerabilities. What is Google’s agenda here?”

Ormandy responded, also in a tweet, saying:

“I don’t know what Google’s agenda is, but my agenda is getting credit for my work and getting vulnerabilities documented.”

Hours before the patch officially rolled out, Google launched the latest version of Chrome 13 and 14, which included the Flash Player patch in question, and was accompanied by the following statement from Google:

“The Chrome Team would especially like to thank Tavis Ormandy, the Google Security Team, and Google for donating a large amount of time and compute power to identify a significant number of vulnerabilities resolved in this release of Flash Player.”

Adobe did credit 10 other researchers in the report accompanying the update, but had only this to say about Google and Ormandy’s work:



Google updates Chrome 12 with more security and GPU acceleration


Google has updated the stable Chrome channel with new security, privacy and graphics acceleration enhancements. Carrying a build number of 12.0.742.91, Google’s browser now warns you before downloading certain malicious files “without Chrome or Google ever having to know about the URLs you visit or the files you download”, software engineer Adrienne Walker explained in a post on the Chrome blog.

The team has also advanced Chrome’s GPU-assisted hardware acceleration to include 3D CSS elements on Mac OS X Snow Leopard and Windows Vista or later. Finally, Google has worked closely with Adobe to provide greater control over local storage for Flash Player’s Local Shared Objects directly from Chrome’s settings, without having to visit a special page on Adobe’s site to tweak your settings. Thanks to Chrome’s silent updating mechanism, your copy of Chrome will automatically update itself to the latest stable version available. If not, choose About Google Chrome from the wrench menu.

Cross-posted on 9to5Mac.com


Check out GPU-acceleration improvements in the “Shaun the Sheep” Chrome experiment which lets you rotate and scale the video, disable or enable cool reflections and more.

