The US Federal Trade Commission (FTC) has launched a pair of competitions to stimulate research into technological approaches to the problem of robocalls.


The contests will focus on two branches of the problem - identifying robocalls, and analysing data from honeypots previously set up to harvest such calls.


Robocalls are the telephonic equivalent of spam - automated voice calls generally pushing telemarketing messages but in some cases used for legitimate purposes such as emergency warning systems.


Semi-automated dialling systems were developed as far back as the 1940s, and have become an ever bigger problem over the years as technology has broadened their reach.


While early systems required a human operator to fire off each stage of the process, and used basic pre-recorded messages to help telemarketers get calls started, modern versions can fire off huge numbers of calls at once with worldwide reach, thanks to low-cost internet telephony.


They may also use sophisticated speech generation rather than simple pre-recorded human voices, to produce custom messages more likely to deceive their victims.


For most of their history they have been a blight on households and businesses, but mobile phones have brought the menace of unwanted messages into our pockets as well, providing a booming market for people who don't mind irritating their prospective customers.


In parallel with their technological evolution, they have also diversified into a range of purposes, with a variety of scams and "vishing" (voice phishing) added to the standard arsenal of sales and marketing messages.


Robocalls are particularly associated with politics and elections, occasionally for legitimate reasons but more often than not for highly suspect ones.


The FTC has been battling the problem for some time, launching its first crowd-sourcing technical contest in 2012 and running it again in 2013.


Last year, a three-part contest looked at both the honeypot and data-analysis phases included in this year's effort, and also added a section for work reproducing what devious robocall designers may be doing, trying to circumvent existing robocall detection and monitoring systems.


The need for this third phase reflects an ongoing arms race, as the perpetrators of unwanted calls evolve their technology to defeat obstacles put in their way.


This year, the two stages will operate separately. Qualifying for the honeypot section, called "Robocalls: Humanity Strikes Back", went live yesterday with submissions open until 15 June.


Participants will need to design a system allowing phone users to spot robocalls and either block them or forward them to a honeypot. The five best ideas will go on to a final round, taking place during the DEF CON convention in August. They will share prize money of up to $50,000, with $25,000 going to the system which attracts the most spam calls.


The second part, focusing on data analytics, is dubbed "DetectaRobo" and will run on the "National Day of Civic Hacking" on 6 June.


Contestants will be given two sets of data - one in which probable robocalls have been marked and one in which they haven't. They will have 35 hours to develop methods of classifying the second set based on features and patterns observed in the first.


There's no cash prize for this one, with the winners instead being rewarded with the respect and gratitude of a world being plagued with unwanted pestering wherever it turns.


The tools and techniques produced by contestants will be given away as open source resources to help anyone involved in the fight against this great evil. (The products of the last contest are available on the FTC's Github page.)





Image of robot courtesy of Shutterstock.





Thanks to Rowland Yu of SophosLabs for the behind-the-scenes effort he put into this article.


Another Android SMS virus has been doing the rounds, masquerading as an Amazon Rewards app.


It's called Gazon, and it follows in the footsteps of earlier Android viruses like Selfmite and Heart App.


The Heart App story ended quickly and abruptly, with the alleged perpetrator busted by Chinese police in just 17 hours.


It seems he wasn't a hardened cybercriminal, but a youthful malware creator of the old school, who was bored during his college vacation and wanted to show off at other people's expense.


As far as we know, the crooks behind Selfmite weren't quite so obvious about their own identities, and have eluded detection so far.


Viruses and worms...


A virus, remember, differs from the usual sort of malware threat because it doesn't just infect your device, but can actively distribute itself onwards to infect others.


In the 1980s and 1990s, most malware was viral, because that was a good way of spreading in the days when many people weren't on the internet at all, and when most of those who went online did so only intermittently.


Of course, the very act of spreading automatically often made viruses more obvious than their non-self-spreading counterparts (known simply as Trojan Horses, or Trojans).


So, from about 2000 onwards, viruses began to die out because crooks could simply use giant spam runs, or poisoned websites, to trick people into downloading and installing malware, one victim at a time.


SMS viruses


On Android, some malware has combined these techniques in order to create mobile viruses.


Unlike viruses that email a complete copy of themselves as email attachments, this family of malware takes a hybrid approach, sending your contacts an SMS with a link to the virus.


Gazon, for example, arrives like this:



That means the infection can spread even though SMSes are limited to less than 200 bytes. (The virus itself is 2.5MB.)


It also means that the poisoned link arrives from someone whose contact list you are part of.


That, in turn, means you're probably more likely to click the link, even if you're only thinking of taking a quick look-see.


Protected by Play


Many of you, especially if you stick to our guidelines, are protected from this sort of infection by Google's default behaviour of allowing Google Play apps only.


Google Play isn't immune to malware, but your risk is very much lower if you stick to its vaguely-walled garden.



Google not only performs various security checks before allowing apps into its Play store, but also stands ready to block malicious apps retrospectively.


So even if Google misses a dodgy app at the start, it can change its mind later, stopping any future spread of the malware and withdrawing it from circulation on any devices that have already installed it.


However, reliance only on Google Play doesn't cut it for everyone, not least in regions like China, where Play doesn't exist.


The Gazon risk


If you do live your Android life "off-Google," then you are at risk of malware like Gazon.


If you install it, the icon might give you the impression that it really is all about Amazon Rewards:



But Gazon's primary goal seems to be to make cents-at-a-time revenue by taking you to online ads for things like reward cards, movie vouchers, free games, and so on.


Sample popups seen by SophosLabs include the following:



The main problem with Gazon, at least for business users, is probably a social one: it aggressively advertises your insecurity to your contacts.


Unlike earlier SMS viruses, it doesn't limit itself to your top five, or 20, or even 99 contacts: it tells as many people as it can.


That almost certainly includes people who do business with you, as well as just your friends and family.


Do you really want to announce to your customers that your phone is "crook-friendly"?








Bad things happen when we publicly post things that upset our bosses.


Sometimes, posts result in getting fired.


Sometimes, posts lead to losing a job before it starts.


But for a Florida man who posted about the company he worked for in the United Arab Emirates, the outcome was far more severe: it resulted in getting tossed into a Middle Eastern jail.


The Associated Press reports that Ryan Pate, a helicopter mechanic from Belleair Bluffs, Florida, had a mixup over sick leave with the company he was working for, Global Aerospace Logistics.


Pate, 30, told the AP that he had traveled home to Florida in December to spend the holidays with his family and to propose to his girlfriend, Jillian Cardoza.


He was also hoping, while in Florida, to get treatment for a back injury.


But seeing a doctor would have meant extending his leave, and that's where the disagreement boiled up.


After one particularly thorny phone call, Pate took to Facebook to complain about Global Aerospace Logistics.


Pate can't remember exactly what he wrote. He does remember throwing the word "backstabbers" into the post, which warned other contractors not to work for his employer.


Then, without giving it much further thought, he returned to Abu Dhabi to file paperwork required to end his employment, to empty out his apartment, and to sell his car.


Soon after he arrived, he got a call from the police, telling him to come to the station. That's when police showed him screenshots of his comments.


Officers arrested Pate for breaking an Emirates law against slandering his employer.


Cardoza said Pate sent her this text from the station:



I'm being arrested. I'm so sorry. I love you.



Pate spent about 10 days in jail. As of Thursday, he was free on bail, awaiting his trial on 17 March.


If convicted, he's facing up to five years in prison and a steep fine.


Pate's congressman, Rep. David Jolly, is working on his constituent's behalf, lobbying the State Department and Emirates officials for help.


Jolly has written to the Emirati attorney general, pointing out (respectfully) that, since the posts occurred while Pate was on US soil, the Emirati laws shouldn't apply.


A State Department spokeswoman, Marie Harf, told the AP that a consular officer had visited Pate in prison and that the embassy in Abu Dhabi would continue providing assistance.


In a phone interview with the AP, Pate said he's so accustomed to First Amendment protection of free speech that he never imagined his post could lead to such a serious outcome:



I just couldn't register it in my head because as an American growing up in the United States, the First Amendment right is just ingrained in my brain.

I never even entertained the fact that I would wind up in prison out here for something I put on Facebook in the United States.



He also said that he's remorseful for letting his emotions get the better of him.


Pate certainly isn't the first to suffer the consequences of unwise postings.


A high-profile case of people who've had their careers shoved into the mud came up earlier this week when Curt Schilling named and shamed Twitter trolls, leading to nine trolls who've been fired or kicked off athletic teams.


But while Pate isn't the first to regret a post, his is one of the most egregious outcomes.


To paraphrase Schilling, in the real world, you get held accountable for the things you say.


If you're not careful, accountability can be severe, whether it's getting fired, getting suspended from college, or even imprisonment.


Please learn from Pate's example, and don't forget: the First Amendment, or whatever law protects free speech in your own country, stops at the borders.





Image of jail bars courtesy of Shutterstock.
















The recently discovered "FREAK" vulnerability, which apparently went undetected for more than a decade, reportedly affects all supported versions of Microsoft Windows, making the flaw creepier than we thought.

The FREAK vulnerability is a disastrous SSL/TLS flaw, disclosed Monday, that allows an attacker to force SSL clients, including OpenSSL, to downgrade to weaker ciphers that can be easily broken, and then supposedly conduct man-in-the-middle attacks on encrypted HTTPS-protected traffic passing between vulnerable end-users and millions of websites.



FREAK IN MICROSOFT RESIDES IN SECURE CHANNEL

Microsoft issued an advisory on Thursday warning Windows users that the Secure Channel (Schannel) stack, the Windows implementation of SSL/TLS, is vulnerable to the FREAK encryption-downgrade attack, though it said it has not received any reports of public attacks.

When the security glitch was first discovered on Monday, it was believed that Windows systems were immune to FREAK attacks. But now, if you use Windows, attackers on your network could force software that uses the Schannel component, such as Internet Explorer, to use weak encryption over the web.

"Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows," the company said in a security advisory. "The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems."

FREAK ENCRYPTION-DOWNGRADE ATTACK

FREAK, short for Factoring attack on RSA-EXPORT Keys, makes it significantly easier for hackers and cyber criminals to decode intercepted HTTPS connections, revealing sensitive information such as login passwords, login cookies, and even banking information.

However, this is only possible if the website or service at the other end still supports 1990s-era "export-grade" cryptography or 512-bit RSA, which were approved by the U.S. government for overseas export. It was assumed that most servers no longer supported weak 512-bit RSA keys, but unfortunately, millions of websites and services still available on the Internet use them.



AFFECTED WINDOWS VERSIONS

The FREAK vulnerability (CVE-2015-1637) in the Windows Secure Channel component dramatically increases the number of users known to be vulnerable. Affected versions of Windows include:



  • Windows Server 2003

  • Windows Vista

  • Windows Server 2008

  • Windows 7

  • Windows 8 and 8.1

  • Windows Server 2012

  • Windows RT


MICROSOFT WORKING ON PATCH

Microsoft said it is "actively working" with its Microsoft Active Protections Program partners to protect its users from FREAK, and once the investigation is over, it would "take the appropriate action to help protect customers."

So, Windows users can expect either an out-of-band patch or a security bulletin released on a regular Patch Tuesday.



MORE THAN 36% WEBSITES VULNERABLE

In recent weeks, security researchers scanned more than 14 million websites that support the SSL/TLS protocols and found that more than 36 percent of them support RSA export cipher suites and were vulnerable to the decryption attacks.
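The server-side check behind a figure like this can be sketched as follows, as an added example that is not from the article or the researchers' scanner: offer only RSA export suites in a ClientHello and classify the first record the server sends back. The function names and the sample replies are assumptions constructed for illustration; the suite IDs are the RSA_EXPORT suites from RFC 2246.

```python
import os
import struct

# RSA export-grade suites defined in RFC 2246 (TLS 1.0).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def build_export_only_client_hello(random_bytes=None):
    """Build a TLS 1.0 ClientHello record that offers nothing but RSA_EXPORT suites."""
    random_bytes = random_bytes or os.urandom(32)
    if len(random_bytes) != 32:
        raise ValueError("ClientHello random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in sorted(RSA_EXPORT_SUITES))
    body = (
        b"\x03\x01" + random_bytes + b"\x00"        # version, random, empty session id
        + struct.pack("!H", len(suites)) + suites   # cipher suite list
        + b"\x01\x00"                               # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_reply(data):
    """Return (verdict, detail) for the first TLS record of a server's reply."""
    if len(data) < 5:
        return ("inconclusive", "short record header")
    rec_type, _version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if len(payload) < length:
        return ("inconclusive", "truncated record")
    if rec_type == 0x15 and length >= 2:            # alert: level, description
        return ("export_refused", f"alert {payload[1]}")
    if rec_type != 0x16 or length < 4 or payload[0] != 0x02:
        return ("inconclusive", "not a ServerHello")
    body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    if len(body) < 35:                              # version(2) + random(32) + sid_len(1)
        return ("inconclusive", "short ServerHello")
    offset = 35 + body[34]                          # skip the session id
    if len(body) < offset + 2:
        return ("inconclusive", "short ServerHello")
    suite = struct.unpack("!H", body[offset:offset + 2])[0]
    if suite in RSA_EXPORT_SUITES:
        return ("export_accepted", RSA_EXPORT_SUITES[suite])
    return ("other_suite", f"0x{suite:04x}")


def sample_server_hello(suite):
    """Constructed ServerHello record (all-zero random) selecting `suite`."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed fatal handshake_failure alert (level 2, description 40).
SAMPLE_ALERT = bytes.fromhex("15030100020228")

if __name__ == "__main__":
    print(classify_reply(sample_server_hello(0x0008)))
    print(classify_reply(SAMPLE_ALERT))
```

A server you administer that returns `export_accepted` still has export suites enabled and should have them removed from its cipher configuration.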



Yesterday, Google developers released an updated version of Chrome for Mac that can't be forced by attackers to use the older, weaker 512-bit RSA cipher, effectively patching the FREAK vulnerability. Additionally, Safari on Mac OS and iOS aren't vulnerable to the creepy bug.



At the time of writing, the list of affected web browsers included Internet Explorer, Chrome on Android, the stock Android browser, BlackBerry browser, Opera on Mac OS X and Opera on Linux. Users can visit freakattack.com to determine their browser exposure.









It takes imagination and creativity to stand out with a weather app, but developer Wolfgang Augustin has done just that with Week Weather. The app costs 99 cents, £0.79, or AU$1.29 -- though that is classified as an introductory offer.


Week Weather presents a seven-day forecast in a manner resembling a bar graph. Each day gets its own vertical bar, which is divided into various blocks according to changes in temperature and various weather conditions. Six tabs along the bottom -- General, Temperature, Clouds, Precipitation, Wind and Humidity -- let you view different weather conditions.


The time of day is given along the left edge in 3-hour blocks. The middle of the screen expands the time blocks so you can get a better view of a particular time of day, and by scrolling up and down you can drag different times of day into the expanded middle area. There is also a highlighted section of the forecast that shows you a rough visual of daylight hours. That is, the shaded areas at the top and bottom of the screen are the hours before sunrise and after sunset, respectively.


You can scroll all the way down to reveal current conditions. You can also tap anywhere on the forecast for a detailed forecast for that time and day.





Data for Week Weather is provided by the Norwegian Meteorological Institute. Tap on the settings button in the upper-left corner to choose your unit of measure, which is set to Celsius by default. In settings, you can also choose either the Light or Colorful lighting scheme, though the differences are subtle. You can add additional locations by tapping the button in the upper-right corner.


For a more traditional weather app, I would direct you to Weather Underground's Storm app. Alternatively, you can get a laugh along with your forecast with Funny Or Die Weather.


Via AppAdvice.







Perhaps the current and ongoing winter we are experiencing in the Northeast inspired the title of Weather Underground's new iOS app, Storm. The app is free and universal, though it'll cost you $1.99 | £1.49 | AU$2.49 a year to get rid of the banner ads that run along the top.


Storm puts radar front and center and a ton of weather information at your fingertips. When you launch the app, you get a picture of the current radar with a belt of additional information at the bottom. Tap on the radar image to access past and future radar animations and a layers button that lets you select different layers such as radar, satellite, wind speed and temperature and map overlays such as storm tracks, weather stations and wind stream.


If you allow the app to know your location, it'll center the radar map around your location. You can save additional locations (and then access them) by tapping on the button to the left of the name of the location currently displayed above the map.




The belt below the radar features current conditions, the hourly forecast, and a daily forecast. You can tap on each for more information. The daily forecast, for example, expands from four days to ten days, and you can tap on each day for more detailed information. Swipe sideways on the belt and you will see a button to upgrade to the ad-free version and settings. In settings, you can choose your preferred units of measurement along with which types of alerts you'd like to receive.



I don't know if Storm will unseat Yahoo Weather as my go-to iPhone weather app, but I may keep it on hand for the rest of the winter to keep a better eye on approaching storms. I really like the responsive, high-resolution radar it provides and the expansive map layer options.


If you'd like a laugh with your weather forecast, check out the Funny or Die Weather app, which is also powered by Weather Underground (and comedians).







Open up the Windows 10 Technical Preview (Build 9926), and you'll probably notice something about the new hybrid Start menu/screen: under Places, there are three links: File Explorer, Documents, and Settings.


Wait a minute -- Settings? Click on Settings, and the new Windows 10 Settings menu pops up. It's clean, with big, touch-friendly icons and simple descriptions, and it looks similar to the PC settings menu in Windows 8. But the PC settings menu in Windows 8 was hidden in the Charms bar (Charms > Settings > Change PC settings), and this new Settings menu is right there on the Start screen.


The new Settings menu looks like a mash-up of Windows 8's PC settings menu (most of the actual PC settings can be found under the System tab) and the more old-school Control Panel. So, it appears that Microsoft is trying to make a user-friendly menu that can help people find and change settings without having to dive into the Control Panel.


But it also appears that perhaps Microsoft is trying to get rid of the Control Panel altogether: While many of the settings in the new Settings menu can also be changed in the Control Panel (if you know where to look), not all of them can. For example, Windows Update is completely gone from the Control Panel -- it now exists only in the Update & recovery section of the new Settings menu. And several of the privacy settings (such as app permissions for webcams and microphones) never existed in the Control Panel to begin with.


Here's a deeper look at each of the sections in the new Settings menu:



The System tab


The Devices tab


The Network & Internet tab


The Personalization tab


The Accounts tab


The Time & language tab


The Ease of Access tab


The Privacy tab


The Update & recovery tab


As you can see, the new Settings menu is still a work in progress, and the Control Panel is still a major feature in Windows 10. But that may not be the case when the final version of the new operating system drops. Keep checking back -- we'll be updating each of these pieces as Microsoft releases new preview builds.







The new Windows 10 Settings menu is a bit of a mash-up between Windows 8's PC settings and the Control Panel. The Privacy tab, however, has a bunch of privacy settings you won't find in the traditional Control Panel, because a lot of these settings are more for tablets and phones than they are for laptops and desktops. Windows 8.1 users will recognize the Privacy tab from PC settings, but Windows 10's version has a couple of extra features, including a new section where you can configure privacy settings for Cortana.




The General section is where you'll be able to quickly change basic privacy settings - for example, you can choose whether to let apps access your name, photo, and other account info; you can let Windows track your typing and give you word suggestions based on what you write; and you can allow websites to access your language list and use that information to give you "locally relevant content." All of these general privacy settings are turned on by default, so you'll want to go in here and turn them off if you're not a fan of, well, hyper-relevant advertising. Some of the settings are useful, however, such as "Turn on SmartScreen Filter to check Web contents (URLs) that Windows Store apps use," especially if you're in the habit of clicking before you think.


At the bottom of the screen, there's a link to Microsoft's personalized ads page, where you can tweak your ad settings and read the Microsoft privacy statement.





Location is more of a concern for laptop and tablet users -- this is where you'll be able to turn your location settings on and off, and choose to let apps access that data. You can also clear your location history (apparently, Windows stores up to 24 hours' worth of location data on your device, which can be accessed by any apps you've given location permissions to). A link at the bottom of this page takes you to Microsoft's Location awareness page for Windows Phone users.




In the Webcam section, you can turn your webcam on and off, and choose which apps have permission to access your webcam. While most apps that want to use your webcam will prompt you for permission, they usually won't discard those permissions once you're done using the app (sort of like when a photo app on your phone asks to access your camera). This is where you can revoke unnecessary webcam permissions -- for example, why does Search, aka Cortana, need to access my webcam in the first place?




Microphone is just like the webcam section, but for your mic. Here, you can turn your mic on and off, and revoke (or grant) individual app permissions.




Other is like the webcam and microphone sections, but for other peripherals that allow you to control app access. I don't have any plugged in, but this might include input devices, other types of cameras, fingerprint scanners and so forth.




In Feedback, you can choose how frequently you want Microsoft to ask for feedback: "Automatically" (default), "Always," "Once a day," "Once a week," and "Never."




Speech, inking, & typing is a completely new section (most of the other sections can be found in the Windows 8 PC settings menu, albeit with a slightly different setup) that relates to Windows' digital assistant Cortana. Here, you can get rid of Cortana by clicking Stop getting to know me. Do this, and Windows will stop collecting "info like contacts, speech and handwriting patterns, and typing history." You'll also turn off Cortana's speech feature, so you'll no longer be able to say "Hey Cortana" if you want to search for something (though you'll still be able to input search terms by typing or handwriting).


Simply clicking Stop getting to know me doesn't get rid of all the data Cortana has already logged. If you want to do that, click Clear under Clear info from this device to completely wipe the personal info Cortana has collected on you from the device.



