Microsoft to malware: your AutoRunning days on Windows are numbered

Beware, malware. The Windows AutoRun updates for Vista and XP SP3 that Microsoft released in February have so far proven successful in thwarting your file-corrupting ways. Although Windows 7 was updated to disable AutoPlay within AutoRun for USB drives — freezing the ability for a virus to exploit it — the aforementioned versions had remained vulnerable up until right after January. Fast-forward to the period between February and May of this year, and the updates have reduced the number of incidents by 1.3 million compared to the three months prior for the supported Vista and XP builds. Amazingly, when stacked against May of last year, there was also a 68 percent decline in the number of incidents reported across all builds of Windows using Microsoft’s Malicious Software Removal Tool. There’s another fancy graph after the break to help illustrate, and you’ll find two more along with a full breakdown by hitting the source link down under.

Microsoft to malware: your AutoRunning days on Windows are numbered originally appeared on Engadget on Sat, 18 Jun 2011 21:17:00 EDT.

CNET | Source: Microsoft

Don’t bring your computer viruses to Japan, because they’re illegal now

Tired of getting swamped with spam and malware? Just pack your things and catch the next flight to Japan, where computer viruses are now considered illegal. Under the country’s new legislation, anyone convicted of creating or distributing viruses could face up to three years in prison, or a maximum fine of ¥500,000 (about $6,200). It’s all part of Japan’s efforts to comply with the Convention on Cybercrime — an international treaty that requires member governments to criminalize hacking, child pornography, and other terrible things. Privacy advocates, however, have already raised concerns over some stipulations that would allow investigators to seize data from PCs hooked up to allegedly criminal networks, and to retain any suspicious e-mail logs for up to 60 days. In an attempt to quell these fears, the Judicial Affairs Committee tacked a resolution on to the bill calling for police to exercise these powers only when they really, really need to.

Don’t bring your computer viruses to Japan, because they’re illegal now originally appeared on Engadget on Fri, 17 Jun 2011 13:33:00 EDT.

Slashdot | Source: The Mainichi Daily News

It’s Time to Abandon Passwords

For months, there’s been a steady trickle of sites getting hacked, followed by their usernames and passwords being passed around publicly on the Web. It’s a real and growing problem that’s just going to get worse.

Microsoft decides to pass on WebGL over security concerns (Update: iOS 5 supports WebGL, sort of)

Well, it looks like Microsoft is taking those warnings about WebGL pretty seriously. The company has decided not to support the web-based 3D standard because it wouldn’t be able to pass security muster. Highest on the list of concerns is that WebGL opens up a direct line from the internet to a system’s GPU. To make matters worse, holes and bugs may crop up that are platform or video card specific, turning attempts to plug holes in its defense into a game of whack-a-mole — with many players of varying reliability. Lastly, Microsoft, like security firm Context, has found current solutions for protecting against DoS attacks rather unsatisfying. Lack of support in Internet Explorer won’t necessarily kill WebGL and, as it matures, Microsoft may change its tune — but it’s still a pretty big blow for all of us hoping the next edition of Crysis would be browser-based.

Update: As is usually the case Apple and the Windows folks are on opposite sides of this one. In fact, the Cupertino crew plans to bring WebGL to iOS 5 with one very strange restriction — it will only be available to iAd developers. Now, chances are it will eventually be opened up in mobile Safari for everyone, but for the moment it seems browser-based 3D graphics will be limited to advertisements on the iPhone. Still, that’s another big name throwing its support behind the burgeoning standard.

[Thanks, Greg]

Microsoft decides to pass on WebGL over security concerns (Update: iOS 5 supports WebGL, sort of) originally appeared on Engadget on Fri, 17 Jun 2011 01:58:00 EDT.

WinRumors, The Register | Source: Microsoft, WebGL Mailing List

Woah: Lulz Security Just Took On the CIA

Lulzsec, that merry band of hackers responsible for raids on Bethesda Softworks, the US Senate, Sony, terrorists, and rival hackers, has bagged maybe its biggest fish yet: the CIA. [Updated]

Android Malware Found in Angry Birds Apps

Researchers spotted a number of malicious applications on the Android Market. Photo: Jim Merithew/Wired.com

Google recently removed at least 10 applications from the Android Market, all of which contained malicious code disguised as add-ons to one of the most popular apps of all time.

Each of the removed apps posed as a cheat or an add-on to Angry Birds, the much-lauded mobile application created by Finnish game development studio Rovio.

A number of the apps in question contained a spyware program called Plankton, which connects to a remote server and uploads phone information like the IMEI number, browser bookmarks and browsing history.

“Market descriptions for these apps included the statement ‘brought to you free sponsored by Choopcheec Platform,’” Lookout Security spokesperson Alicia diVittorio told Wired.com in an interview. “[They include] a link to an EULA that does seem to accurately describe the behavior observed to date. We do not see these as desirable behaviors and classify it as Spyware.”

Xuxian Jiang, an assistant professor of computer science at North Carolina State University, initially discovered the malicious applications last week, and reported them to Google on June 5. Google suspended the questionable applications the same day, “pending further investigation.”

Jiang found malicious programs other than Plankton in his research. YZHCSMS, for example, is a Trojan horse virus that jacks up your phone bill by sending large amounts of SMS messages to premium numbers. Jiang says apps containing the virus were available on the Android Market for at least three months before Google pulled them.

Jiang found a similar application, DroidKungFu, circulating Chinese application markets before YZHCSMS made its way to the Android Market. “DroidKungFu can collect various information about the infected phone, including the IMEI number, phone model and Android OS version,” according to a Lookout Security blog post.

For many app developers, the Android Market offers a freedom not found in other application retail outlets. Unlike Apple’s strict application review process, apps submitted to the Android Market are published almost instantaneously. Many appreciate the freedom given to push programs out to the public at such a speed.

However, the Android Market’s app submission process comes at a cost. Google’s lack of application vetting leaves the Market open to security problems like these. Google mostly relies on a self-policing community — including researchers like Jiang — to spot offending apps, which means malware can sit in the market for months before someone spots it.

With a relatively open submission process like Android’s, this obviously isn’t Google’s first run-in with malicious app removals. Google pulled close to two dozen malware-infected applications in early March, but not before nearly 200,000 downloads occurred.

Going outside of the official Android Market for apps can be even riskier. Because users are able to download applications from alternative app markets (a feature unavailable to iPhone users), many have popped up over the past two years. Without Google’s moderation capabilities in these outside markets, users are more susceptible to downloading malicious apps. A Trojan with “botnet-like capabilities” popped up in early April, for example, highlighting the risk in going to alternative markets for applications.



Codemasters website hacked, ‘tens of thousands’ of personal accounts compromised

This must be the season of the hacking witch as we’ve now seen yet another company’s online security walls breached. Independent UK games developer Codemasters, responsible for titles like Dirt 3 and Overlord, has reported that its website was hacked on the third of June, exposing the names, addresses (both physical and email), birthdays, phone numbers, Xbox gamer tags, biographies, and passwords of its registered users. Payment information wasn’t compromised, but when you consider that almost everything else was, that feels like hollow consolation. For its part, Codemasters says it took the website offline as soon as the breach was detected and a subsequent investigation has revealed the number of affected users to be in the tens of thousands. Those who might have been affected directly are being emailed with penitent apologies, while the rest of us are being pointed to the company’s Facebook page while its web portal is kept offline.

Codemasters website hacked, ‘tens of thousands’ of personal accounts compromised originally appeared on Engadget on Mon, 13 Jun 2011 04:03:00 EDT.

Source: BBC

Three suspected members of Anonymous arrested in Spain

The long arm of the law may have finally caught up with some of the hackers behind the recent (and seemingly endless) PSN outage. Authorities in Spain say they have arrested three members of the hacktivist collective Anonymous and seized at least one computer used in the attacks on Sony. Those arrested are believed to have been important in coordinating the group’s activities in the country and to have distributed the LOIC DDoS tool to others. Now, of course, the Spanish government will have to be on high alert — if we know one thing about Anonymous, it’s that it is not trigger shy when it comes to exacting revenge.

Three suspected members of Anonymous arrested in Spain originally appeared on Engadget on Fri, 10 Jun 2011 12:42:00 EDT.

Engadget Spanish | Source: El Mundo

Netflix, Foursquare, LinkedIn, and Square apps expose your data

Here’s a little tip for app developers: encrypt everything, especially passwords. Security firm viaForensics fed some popular iPhone and Android apps through its appWatchdog tool and found that Netflix, LinkedIn, and Foursquare all stored account passwords unencrypted. Since the results were first published on the 6th, Foursquare has updated its app to obscure users’ passwords, but other data (such as search history) is still vulnerable. While those three were the worst offenders, other apps also earned a big fat “fail,” such as the iOS edition of Square, which stores signatures, transaction amounts, and the last four digits of credit card numbers unencrypted. Most of this data would take some effort to steal, but it’s not impossible for a bunch of ne’er-do-wells to create a piece of malware that can harvest it. Let’s just hope Netflix and LinkedIn patch this hole quickly — last thing we need is someone discovering our secret obsession with Meg Ryan movies.

Netflix, Foursquare, LinkedIn, and Square apps expose your data originally appeared on Engadget on Thu, 09 Jun 2011 19:38:00 EDT.

Wall Street Journal | Source: viaForensics