Hasta La Gadget!

If you’re subscribed to any of TiVo‘s email-based communiqués, now would be a good time to make sure your spam filters are up to scratch. Epsilon, TiVo’s email service provider, has reported the discovery of a security breach that has compromised the privacy of some customers’ names and / or email addresses. A rigorous investigation has concluded that no other personal data was exposed, however it’s not just TiVo that’s affected — other big names, such as JPMorgan Chase, Citi, US Bank, Kroger, and Walgreens have also seen their users’ deets dished out to the unidentified intruder. As we say, no credit card numbers or any other truly sensitive data has escaped, so the only thing you really have to fear is fear itself… and an onslaught of spam.

Update: Best Buy and the US College Board have also joined the extremely broad list of affected organizations now, judging by the warning emails they’ve been sending off to our readers. Valued Best Buy customers should expect an email similar to the scawl posted after the break.

Update 2: You can also count Chase Bank customers among those also affected — not their bank accounts, mind, but their e-mail addresses.

[Thanks to everyone who sent this in]

Continue reading Epsilon breach exposes TiVo, Best Buy email addresses, spambots stir into action

Epsilon breach exposes TiVo, Best Buy email addresses, spambots stir into action originally appeared on Engadget on Sun, 03 Apr 2011 07:59:00 EDT. Please see our terms for use of feeds.

Permalink   |  Epsilon, TiVo, Best Buy  | Email this | Comments

Witness uses your Mac’s iSight camera to detect movement and sound the alarm

If you own both a Mac and an iPad, it’s a fair bet that you also have a home stuffed with other electronic gear, the kind of gear that burglars like to, well, burglarize. Luckily, there’s an app for that.

It’s called Witness, and it turns your Mac into a motion-activated security camera. When running, it monitors your room with using the iSight camera, and when it detects movement it sends an alert to your iPhone or iPad.

Included with the alert are photos and videos, so you can either rest easy knowing that Kitty has jumped up on the desk again, or watch in horror as your home is emptied miles from where you are standing.

Forgot to activate the alarm? You can do it remotely from the phone.

Witness seems like a great idea, but for a couple of things: you need to leave your Mac running 24/7 while you are away, which is something of a waste of electricity. It also requires an internet connection, so the smart thief could just cut the power on entry — it’s pretty unlikely that your Mac is out in the hallway where the breakers are often kept.

Aside from this, though, it’s nice not to be worrying about the house when you’re out. The Mac App costs $40, and the companion iOS app is free.

Witness product page [Orbicule]

See Also:

• Burglar Blaster Alarm Fires Pepper Spray
• Australian Kid Hacks Mousetrap into Burglar Alarm: Catches Lunch …
• Set Plasma to Stun: Lethal Burglar Alarm
• Water Leak Alarms Will Make Your Neighbors Hate You Even More …

Android phones, like this Motorola Defy, can install apps from sources other than Google's official Android Market. But doing so poses security risks. Photo: Jon Snyder/Wired.com

Amazon’s new app store offers some killer deals and can make it easier for customers to purchase Android software. However, installing it reduces overall security for Android devices, some security experts say.

The root of the issue is the requirement to allow installations from “unknown sources,” in order to put Amazon’s Appstore app on an Android phone. Amazon instructs customers that this option must be enabled to install apps sold through the Amazon Appstore.

Selecting that option immediately puts Android customers at risk to malware that could come from sources that go unchecked by Google and the general Android community, said Charlie Miller, a security researcher well known for finding exploits on mobile devices.

“As soon as you flip that switch and go away from the Android Market, which is the one place where most people go, then you are putting yourself at some risk,” Miller said.

Amazon and Google did not respond to requests for comment.

That’s not to say Google’s official Android Market has been impervious to viruses. The Android Market was infiltrated recently when a malicious hacker injected a virus into the code of 21 popular, free apps and then republished them in the Market. The hacked versions of the apps contained code that stole user data and had the ability to download more code after it was installed, potentially hijacking devices.

Google responded immediately to the exploit and used a “kill switch” to remotely remove the infected applications from customers’ Android phones. The company also issued a security tool for people to remove the exploits caused by the malicious applications.

Although Google’s Android Market fell victim to a security exploit, it is still more secure to allow your Android device to install apps only from the official Android Market, explained Andrew Brandt, lead threat research analyst at security company Webroot. If malware were to make its way into the Amazon Appstore, Amazon does not have a kill switch to remotely remove apps from Android devices like Google does, he explained.

Miller added that the benefit of Android’s official market is that it’s one central location to get apps, tenaciously moderated by the Android community, which is safer than going out into the wild to find software, like you would with Windows. By exposing yourself to third-party stores, you’re subjecting yourself to less legitimate sources.

Brandt noted that weakened security is not unique to Amazon’s Appstore, because any third-party app store living on Android must require customers to allow installations from unknown sources. There is no other method to add third-party app stores on an Android device.

However, this security issue magnifies if you consider that Amazon, a retail giant who has millions of customers with registered credit cards, is telling Android owners to disable that security provision. Also, many Amazon customers aren’t as tech-savvy as the typical Android nerd seeking to unlock special functionalities on their phones.

“Without giving people the full context of the security involved in that decision [to install from unknown sources], I think it’s a little irresponsible,” said Brandt, regarding Amazon’s method.

To be fair, Amazon claims it carefully curates apps that appear on the Appstore, so the chances of malware appearing in the store are slim. However, installing the Amazon Appstore on an Android device also requires tapping on a shortened URL sent from Amazon, which could easily be spoofed.

Additionally, when you download an app from the Amazon.com website, you receive a URL in the form of a text message; these URLs could also be spoofed to redirect to malware.

Bottom line, becoming an active Amazon Android Appstore shopper reduces the security of your Android device, especially if you don’t know what you’re doing.

At the end of the day, however, when using Android the level of security depends on the user’s skill level.

“The real question is do dumber users need Big Brother to keep them from installing dumb things?” said Jonathan Zdziarski, a security researcher who specializes in mobile hacking.  ”I’m sure a lot of people are buying these [Android] devices without knowing anything about them. They are more likely to fall victim.”

See Also:

• Amazon Launches Its Own Android App Store
• Amazon Android App Store Set to Launch Tuesday
• Independent App Stores Take On Google’s Android Market

See that chart up there? That’s a beautiful visualization of a dozen folk models surrounding the idea of home computer security, devised by Michigan State’s own Rick Wash. To construct it (as well pen the textual explanations to back it), he interviewed a number of computer users with varying levels of sophistication, with the goal being to find out how normal Earthlings interpreted potential threats to their PC. His findings? A vast amount of home PCs are frequently insecure because “they are administered by untrained, unskilled users.” He also found that PCs remain largely at risk despite a blossoming network of preventative software and advice, and almost certainly received an A for his efforts. Hit the source link for more, but only after you’ve spiffed up, thrown on a pair of spectacles and kicked one foot up on the coffee table that sits in front of you.

Visualized: preconceived notions about personal computer security originally appeared on Engadget on Thu, 24 Mar 2011 13:23:00 EDT. Please see our terms for use of feeds.

Permalink Boing Boing  |  Rick Wash (PDF)  | Email this | Comments

Armageddon averted. Exactly as promised, Adobe has rolled out a fix this week for the zero-day security vulnerability in Flash that had us sweating the world was about to come crashing to an end. It’s a somewhat circuitous route to getting your system patched up, however, as you’ll need to download an out-of-cycle update for Acrobat and Reader — the other software affected by this issue. Still, a small price to pay for protecting yourself from the evils of the internets.

[Thanks, Paul]

Adobe patches Flash flaw with Acrobat / Reader update originally appeared on Engadget on Tue, 22 Mar 2011 05:37:00 EDT. Please see our terms for use of feeds.

Permalink   |  Adobe  | Email this | Comments