security

Here's an interesting little gem: On February 1st, AT&T pushed out a new app to the Marketplace called "AT&T Secure Messaging". Part of their new service, the app looks to be an excellent addition for Windows Phone users on the all-powerful network. From the app's description:

"AT&T Secure Messaging enables the exchange of encrypted messages between businesses, enterprises and government agencies who are using AT&T's Global Smart Messaging Suite powered by Soprano. AT&T Secure Messaging ensures your sensitive personal data is protected -  for example, a one-time password from your bank/online payment broker or a healthcare appointment reminder. Your secure messages are encrypted, then sent to the AT&T Secure Messaging mobile application and decoded, ready for you to read."

Fascinating stuff, especially for Windows Phone users in those key industries. For perhaps obvious reasons, we have no experience with AT&T's Global Smart Messaging Suite, but a quick trip to their site gives a plethora of details on the service, which even regular consumers can opt into (for a hefty price):

"The AT&T Global Smart Messaging Suite is a powerful web-based application designed for large enterprise messaging and communication. The AT&T Global SMS service enables 2-way communication (via SMS or e-mail), and can reach employees and opted in consumer subscribers at most wireless carriers globally. AT&T can help organizations get started using domestic short codes for cross-carrier SMS messaging, and the AT&T platform can also be extended on a global scale for messaging to employees and consumers worldwide."

Think of it as an in-house messaging service akin to Exchange. This push by AT&T into secure message delivery seems to be relatively new. A quick glance on YouTube shows a recently uploaded video detailing how this service can benefit the healthcare industry like hospitals in protecting vital doctor-patient data. Of course in the demonstration Android and RIM are shown using the service but it's now clear that AT&T also intend for Windows Phone to be there too as the app and service are both ready to use. That's good news as this could be a big area for AT&T to be entering especially as institutions look to support the many different devices of their end users.

If you're on AT&T you can find the app here in the Marketplace. QR code and video demonstration of the service can be found after the break. Thanks, Ben H., for the find!


Tango, the cross-platform video calling application, appears to be following in the footsteps of iPhone's Path application when it comes to the poor management of private account data. (Not to be confused with the Windows Phone update, codenamed Tango.) Today, a reader wrote in detailing how the PC client (version 1.6.14117 at time of writing) allows one armed with simply a mobile number access to any Tango user's contact data -- and account -- by simply using the application in a specific manner. While we won't share exact details, we must admit it's not hard to figure out. And just a few months ago, Tango was discovered to be downloading contact details without permission.

Using the steps provided, we were able to download a colleague's Tango contact data, make Tango calls, and manage account details with ease. This possibly indicates that Tango's security code-based account validation is simply an arbitrary client-side check -- a big no-no.

Update: Tango let us know the issue has been fixed and an update has been pushed out to users. Kudos to the Tango team for the quick response.


Microsoft Store India has come under attack by hackers raiding under the banner of 'Evil Shadow Team', WPSauce has reported. The website was defaced yesterday with the above image replacing access, which was achieved by redirecting visitors to a file the team uploaded -- evil.html. The message is clear from the attack: "Unsafe system will be baptized."

For now the website is offline, presumably while Microsoft investigates what exactly went wrong, which suggests the software giant has regained control.

"The Microsoft Store India is currently unavailable. Microsoft is working to restore access as quickly as possible. We apologise for any inconvenience this may have caused."

Customers of the online store have been strongly urged to change their passwords once the site comes back online as Quasar Media, the online marketing agency that maintains the website, decided it would be a great idea to store user credentials and personal information in plain text - an obviously insecure practice.

While one could argue that it's in the interest of the customers to know that their details are not being stored securely, another could counter with stating that the attack, which has no known motive, was not required. 

Source: WPSauce, Hackteach, thanks for all the tips that were sent in!


Security Toolkit (our review) is an app that enables the user to turn their Windows Phone into a mobile security system. From motion sensor capabilities to an intrusion alarm, Security Toolkit certainly is a neat app to play with. The app has recently been updated to 1.6. A brief list of a handful of improvements implemented in the latest version:

  • WebCam Viewer - view a PC (live) connected webcam over local WIFI (auto discovered Cam Broadcaster is available as a separate app.)
  • Voice Recorder - voice recorder with silence detection and skip, start/stop/pause/resume recording using phone camera button, remote listen/record from PC console via local WIFI
  • Image quality improved for Cam Broadcaster

You can download Security Toolkit from the Marketplace for $3.99.


Just a few hours ago we posted on the 810x builds of Windows Phone and now Italian site Plaffo is noting that their LG Optimus 7 just received the very same update: OS build 8107. More exciting is the news that it came with a list of changes, most of which will make most folks very happy:

  • It solves a problem of the keyboard on the screen, preventing the keyboard to disappear while typing
  • Resolves an issue with syncing Gmail
  • It solves a problem of access to the location. After the upgrade, the function IO hub sends to Microsoft anonymous information contact the Wi-Fi access points and antennas for mobile phones in the vicinity, only if you have allowed access to and use of location information from part of the "I'm here."
  • Revocation of certificates issued by DigiCert Sdn Bhd to solve a problem of encryption
  • Fixes a problem with the e-mail related to Microsoft Exchange Server 2003. When you reply to or forward an email, the original message is now included in the response.
  • Fixes an issue of notification of voicemail

As you can see, this is a maintenance build, addressing many ongoing bugs and issues including the troublesome "disappearing keyboard" which plagues all Windows Phone Mango devices. That keyboard problem occurs when the on-screen keyboard will suddenly disappear when typing, due to certain background tasks "stealing" the focus, resulting in much user frustration. What is not clear, however, is what are the plans for Microsoft and the carriers for rolling this out. This looks to augment the 7740 OS package with even more fixes (if users don't have 7740, this new OS update will add those changes). Since US carriers skipped the 7740 build, they would seem obligated to roll this out to their customers.

In addition, since the Nokia Lumia 710 and 800 are running that update too, users of those devices should expect to see an update as well.

Once again, we expect more info about this OS build next week at CES but perhaps Microsoft will chime in on their blog before then with more details.

Update (6:08PM MST): Microsoft has sent us a statement:

Our engineering team has developed a service release which has been delivered to our carrier partners for their assessment. Details on specific improvements contained in these releases are available via the Windows Phone Update History page.

We're told the history page is lagging behind a bit but should reflect changes soon.

Update II: No shocker here, but the update doesn't fix the "SMS bug" according to Tom Warren who tested it. That's expected as it is not listed in the changelog.

Source: Plaffo


We previously covered the "Windows Phone SMS bug" that would disable the messaging hub on the victim's handset, which was discovered (and reported) by Khaled Salameh. Just two days after the bug was made public by WinRumors, we learnt that Microsoft was looking into the issue. Today we have further news surrounding the bug: Salameh has been contacted by the Microsoft Security Team and informed that they've located the root cause and a fix is currently being tested.

While it's highly unlikely to affect users, it's good to know Microsoft is on top of potential security issues. Now we just need the disappearing keyboard to be looked at. We're getting there.

Source: Twitter (@KSalameh)


Windows Phone Lock Screen version 2

We previously covered the Windows Phone Lock Screen wallpapers by AJ Troxell, which provided owners with an extra layer of protection should they misplace their phone. The wallpapers are customizable with editable files included in the pack so personal information can be added including name, email, number, etc.

As AJ is being non-secret Santa this year with 12 days of freebies, and because the lock screen wallpapers proved to be popular, he's released version 2 today. What's new? 4 styles, 43 backgrounds, 4 variations of complete icon sets, and comes in Photoshop and Illustrator formats. Head on over to AJ's site (link below) to download version 2 of this truly useful pack.

Source: AJ Troxell, thanks AJ!


Windows Phone App Review: Security Toolkit

While it has practical applications, Security Toolkit for your Windows Phone is just a neat app to play with. It turns your Windows Phone into a mobile security system with alarms and surveillance abilities.  To do so, Security Toolkit makes use of your Windows Phone camera, microphone and Wifi.

Security Toolkit does go beyond the coolness factor by offering you a discreet, mobile security system.  While I can see Security Toolkit being featured on Hawaii Five-O to help McGarrett solve the next big case it can easily be used in every day adventures.  The motion camera can be used to see who's been sneaking into the break room refrigerator or while traveling to help keep an eye on your hotel room. The remote camera can be used to monitor your children playing in another room or for use as a baby monitor.  The motion alarm can be used to keep your Windows Phone safe from curious hands.  


Should you lose your Windows Phone, there is a possibility that should a person come across it they'll return it. But what if there's a lock on the handset? They can't rummage around your Twitter, Live, email and Facebook accounts in an attempt to contact you. This is where WP7 Lock Screen comes into play.

Waking up the screen will present whoever has picked up your phone with a wallpaper that's customised with your contact details so they can easily get in touch, whether it be via Twitter, Facebook or a landline number. An optional add on is a "cash reward" message at the bottom of the wallpaper, providing a small incentive to return the lost valuable.

Think of it also as a portable, digital business card that you don't have to keep in your wallet. It's a neat little idea. The pack, by AJ Troxell, is freely available at the source below and includes a .PSD file for customisation.

Source: AJ Troxell  Thanks AJ!


An interesting thing happened yesterday which we chose to not cover in detail. In short, someone published an app to the Windows Phone Marketplace that was pirated. Specifically it was a popular GPS navigation app which cost a good amount of money.  The person responsible presumably ripped the original XAP from the Marketplace and simply re-submitted it, pawning it off as their own.

Did they try to make money from it? Nope, they did something possibly worse--they offered it for free.


Computer and mobile device security is a tough business. There's hype and then there are real threats and so far most in mobile have been hype (but see AVG-gate). Still, Android is either an OS with a lot of security vulnerabilities or everyone just likes to pick on it. Either way, between Carrier IQ earlier this week and now this paper from North Carolina State University, the little robot is having a tough time.

Computer scientists at NCSU created an app called 'Woodpecker' that would search for app vulnerabilities in Android's permission-based security model. In short, when you install an app in Android, it tells you what that app can access e.g. user info, data, geolocation, recording sound, etc. Basically if you don't think a wallpaper app should have access to say, recording sounds, you prevent the app from installing. The problem is this: apps can unknowingly grant permissions to other apps, allowing a seemingly innocuous program to gain access to functions not agreed to by the user.


If you haven't been following the Carrier IQ saga, let us try to re-cap it for you. Going back to October, it was reported that software on HTC Android phones was recording data and as Android Central lightly put it, "storing it sloppily". Information that was collected included phone numbers, geolocation and account names. It doesn't identify you per se with your name, but rather your device ID. Still, people rightly raised a storm. Turns out that software had a name: Carrier IQ.

Fast forward to last week when Trevor Eckhart -- aka TrevE -- wrote in detail what Carrier IQ was actually doing on the phone. The company Carrier IQ did not like this, made some legal threats against him, prompting the Electronic Frontier Foundation to step in. Carrier IQ (or just CIQ) quickly backed down and things looked to be at a stand off. CIQ then put out a press release stating that their software:

  • Does not record your keystrokes.
  • Does not provide tracking tools.
  • Does not inspect or report on the content of your communications, such as the content of emails and SMSs.
  • Does not provide real-time data reporting to any customer.
  • Finally, we do not sell Carrier IQ data to third parties.

Now, Eckhart has just published a second video (after the break) in response to CIQ's press release which seemingly contradicts just about all of the above. In the 17 minute long video (it gets good at about 8 minutes), Eckhart goes through and in real-time shows how keystrokes are recorded, including phone numbers dialed, HTTPS data is sent unencrypted, text message data is accessed and of course that you really don't know that this app is running. All of this is performed on a stock Sprint EVO 3D and EVO 4G. What makes all of this troubling is the fact that (a) you aren't told about it and (b) you can't uninstall the software. You need to root the phone and load on a new, custom OS to get rid of it...


To fight off the inevitable, RIM is looking to expand into security services to other mobile platforms which they hope will add some much needed cash to their dwindling reserves. The service, called Mobile Fusion, is expected to launch in Q1 on iOS and Android. Citing security concerns and their robust history of delivering device management via their NOC servers, RIM is looking for a new angle in the mobile industry. The new service will allow "...corporate IT staff to set and monitor rules for passwords, apps and software on a range of devices" and will also add remote find, lock and erase features.

"We will take full advantage of whatever security capabilities are provided by the core operating system. We're not going to hold that back in any way, shape or form."

Windows Phone is currently not on their plans for support, but they do note that if there is enough demand, they will certainly consider adding Windows Phone. That's fine for RIM and we're glad they're moving beyond smartphones, which is clearly not their forte anymore. But do we really need their services? We suppose from an IT perspective, if they can control iPhones, Androids and Windows Phone with all the same "switch" that may be a good sell, but obviously Windows Phone has a lot of this already built in via the Find My Phone feature, private Marketplace for app distribution and Exchange support.

So RIM, thanks but no thanks for reinventing the wheel. Still, Windows Phone does need beefier security (device encryption, etc.) which RIM can't fix as it's too deep in the OS. So Microsoft, we're looking at you.

Source: Reuters


One of our readers, David (aka SilverSharkDev), has informed us about a Mango app he’s been working on called Content Shield. The purpose of the app is to store various kinds of data and protect it should someone else get hold of your phone.

Content Shield stores the following kinds of information:

  • Passwords – Store various kinds of passwords so you don’t forget them. Categories include Facebook, Twitter, etc. Passwords can be copied and then pasted directly into the phone’s web browser.
  • Jokes – Add text jokes of your own or download them from the developer’s Twitter feed.
  • Agenda – Add items to your to-do list, categorize them, and then move them to the Completed page when done. To help remind users of uncompleted tasks, the most recent task appears at the top of the Content Shield Main Menu. Tapping on it jumps straight into the Agenda. The number of incomplete tasks also appears on the app’s Live Tile.
  • Shopping – Create shopping lists in various categories, including groceries and birthdays. Any item in your list can be instantly searched for in the web browser. Don't forget to buy Christmas presents for the WPCentral staff!

The protection aspect of Content Shield comes down to password protecting individual sections of the app. Create a password and a reminder, and then assign it to anything or everything so that other people can’t view or change things. Me, I simply rely on my phone’s lock screen password to protect my stuff, but this could be useful for people who share their phones for whatever reason.

The developer promises to add more features over time. Content Shield will appear on the Marketplace soon, and it will be free.

Head past the break for a second video preview that demonstrates Content Shield’s Agenda and Shopping functions.


Microsoft has recently made changes to its geographic location service, which we reported on not so long ago as having a lack of safeguards and a privacy flaw. Elie Bursztein, a researcher at Stanford University, created a web page that allowed visitors to search the database at Live.com for locations using device MAC addresses.

Reid Kuhn, a Partner Group Program Manager on the Windows Phone engineering team, made the announcement today over at Technet and stated that while it was not possible to track a roaming mobile phone or laptop using its MAC address, they are aware of the fine line Microsoft was treading on with regards to privacy issues surrounding geolocation.

"Microsoft's privacy and security team has been in contact with Elie and we will continue the ongoing dialog with experts in the privacy field to improve our service offerings. We thank Elie and his team for working with us on this issue."

Kudos to Microsoft in taking measures to address the issue head on.

Source: Microsoft, via: WinRumors


CNET previously reported on Microsoft's lack of privacy safeguards for their database at Live.com, which both Google and Skyhook Wireless now sport. A researcher at Stanford University, Elie Bursztein, has created a web page that allows one to look up MAC addresses for pin-point location results provided by Windows Phone 7 handsets and Microsoft's army of Wi-Fi recording vehicles as to where they last connected to this device address.

Is it really that much of a problem for the average web user? We have social networking with location-based services that display where the user is currently situated and people are connecting with the www more each year. I would, however, like to see a global opt-out option for Google, Microsoft and all other data collection services should I not wish for my location to be given out.

We're not quite sure if this works with device specific addresses or simply those that are acting as a wireless access point (routers, tethered phones, MiFi, etc.). Bursztein plans to discuss his findings with two other researchers at the Black Hat security conference, being held at Las Vegas next week. Have you attempted to search for your MAC addresses and are you concerned about this information being publicly viewable?

Source: Elie Bursztein, via: CNET


Kik Messenger communicating without SSL

While nothing to be fearful about, I wouldn't recommend sending your bank account number and sort code via Kik Messenger for Windows Phone anytime soon, not that you would anyway. While the user's password is sent either hashed or encrypted, it's reported that Kik is sending user email addresses and messages in clear-text, viewable by any middle man, over an open connection (i.e. unsecured WiFi).

Mike Cardwell, a well established IT specialist, reported a year ago how Kik was insecure with Blackberry, Android and iOS. Kik has since resolved these issues this year and have commented on an article over at Within Windows covering the WP7 client:

"Hi Rafael, Corry from Kik here. Thanks for your analysis. We are aware of this issue and plan to add WP7 message encryption in a future release. We want to reiterate that the password is not being sent in clear-text, and that our Android and iPhone clients feature full SSL encryption (login info + messages), as Mike Cardwell mentioned in his comment."

At least our passwords are safe, although we do recommend using multiple passwords for your online accounts, especially between social networks and e-commerce sites. Hopefully security will be added for emails and messages in Kik at some point in the near future. Use over 3G should be fine since the signal is encrypted.

Source: Within Windows and Mike Cardwell, thanks insi for the tip!


The other day we mentioned an openly available tool, Dropbox Reader, that is designed to circumvent security measures on your DropBox account. We are now hearing that over the weekend, no tool was needed to access DropBox accounts.

For a brief period of time, users could log into accounts using any password. Just type in an email address and wing it with a password and you were in. DropBox has confirmed this breach and states it left everything vulnerable from 1:54pm PDT to 5:46pm PDT this past Sunday (06/19/2011). The fix only took five minutes to put into place once DropBox became aware of things.

In a statement on DropBox's blog, the cloud storage service reports,

"We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner. If you’re concerned about any activity that has occurred in your account, you can contact us at security@dropbox.com.

This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again."

If you're a DropBox client, you may want to check your account to see if any files were accessed during the time frame or have gone missing. Changing your password might not be a bad idea either.

Glitches in security happen but it sure does seem like DropBox has been snake bitten here lately. 

source: TechCrunch via: Gizmodo


Security is always a cause for concern, whether it be with online banking or simply ordering a Domino's pizza. Passwords used online for applications or services are no different, especially with the amount of cyber crime occurring since the boom of the world wide web. Google have published an article on their blog outlining recent attacks being made on Gmail accounts and how users can protect themselves further.

One way to further protect your email account is to use OTP (One Time Password) via the web interface when logging on across multiple machines, networks and/or locations. For your Windows Phone (and other devices) you can use application specific passwords, which are passwords that are randomly generated and are used per device. You don't need to remember it and it doesn't affect your main login credentials. Think of it as an access key your device requires to be able to gain access to your account.

Check out the video after the break for the step-by-step walkthrough on using two-step verification and creating an application specific password for your Gmail account on your device. 


Looks like the planned May update is being rolled out, version 7.0.7392.0. This update addresses the fraudulent third-party digital certificates that could lead to potential phishing attacks or intercept web browser connections (man-in-the-middle). The update simply moves these certificates into the "Untrusted Publishers" certificate storage on your device.

More information on the update is available over on the update history page. Have you received the update notification yet?

Updated: According to Microsoft, this update is at the discretion of carriers, again, meaning some of us may not see this until it is tied with another, future update: "How you get 7392 depends on your mobile operator and what updates you’ve installed...If you’ve already installed the March update, you’ll receive 7392 as a standalone download or bundled with a future update."

Source: Microsoft Windows Phone; via WPSauce
