
Protests as Condi Rice joins Dropbox

Written by Unknown on Monday, 14 April 2014 | 09.10

11 April 2014 Last updated at 15:06

The appointment of ex-US Secretary of State Condoleezza Rice to the board of technology firm Dropbox is being criticised by some service users.

Protests on social media say she is a controversial figure after revelations of widespread wiretapping on US citizens during her time in office.

A petition has been launched inviting supporters to boycott the firm.

However some analysts claim the bigger concerns for the file-sharing company are competing services.

Following the launch of Mailbox for Android and the wider implementation of Dropbox for Business, the company also announced the addition of Condoleezza Rice as a new board member.


Ms Rice, who served as Secretary of State under former President George W Bush from 2005 to 2009 and as National Security Adviser from 2001 to 2005, was appointed by the company to expand its global footprint, according to its official blog.

However, this has been condemned by some Dropbox users who have launched a campaign.

Voicing concerns on social media, some have said it is inappropriate for the file-sharing company to hire Ms Rice, accusing her of being involved in widespread wiretapping during her time in office.

Those pressing Dropbox to revoke Ms Rice's appointment are using the hashtag #DropDropbox in an attempt to boycott the company. A petition has also been created which amassed approximately 3,000 signatures in its first few hours.

Another site said: "This is deeply disturbing, and anyone - or any business - who values ethics should be concerned," before listing a number of Dropbox alternatives for those who wish to boycott the company.

It also says Ms Rice should not hold power at Dropbox because of her role in the Iraq war.

'Short-term'

However, Chris Green, Principal Technology Analyst of Davies Murphy Group, told the BBC that most users probably wouldn't be concerned over Ms Rice's appointment.

"The vast majority of the company's 275 million users are unlikely to be swayed or concerned by the short-term negative PR that Condoleezza Rice's appointment is generating for Dropbox," he said.

"The backlash is fuelled far more by pent-up anger at the administration she served in than a genuine concern for the security of Dropbox users' data.

The bigger concern for Dropbox, says Mr Green, is the growing competition it faces, which includes big names such as Microsoft, Google and Amazon.

All of them "are offering competing services with either more free storage or more compelling commercial packages than Dropbox offers."

The company has yet to release an official statement addressing the backlash, but a recent Dropbox blog post said: "We're honoured to be adding someone as brilliant and accomplished as Ms Rice to our team."



BBC 'complacent' over IT failure

10 April 2014 Last updated at 00:46

The BBC was "far too complacent" in its handling of a failed IT project that cost licence fee payers £98.4m.

The Digital Media Initiative (DMI) was intended to move the BBC away from using and storing video tape.

But it was scrapped, with almost no results, after five years of development.

After investigating the demise of the project, the Public Accounts Committee (PAC) has branded the programme "a complete failure".

Chairman Margaret Hodge said the BBC needed to "overhaul" its approach to such projects, to "safeguard licence fee payers' money".

The BBC originally approved DMI in 2006. It was supposed to produce new editing tools, an online archive of the BBC's programmes and a new database.

Technology company Siemens was hired to develop the project in February 2008, and it was expected to be completed the following year.

Breakdown of DMI costs:
  • Contractors - £46.7m
  • IT - £37.2m
  • Siemens costs - £24.9m
  • Consultancy - £8.4m
  • BBC staff - £6.4m
  • Other - £2.3m

However, after a series of delays, the project was brought in-house. There it floundered until last May, when the BBC's incoming director general, Tony Hall, admitted it had "wasted a huge amount of licence fee payers' money".

The gross estimate of the amount spent on DMI was £125.9m, although the BBC claims to have recouped £27.5m of that.

The BBC's technology chief, John Linwood, was sacked in July 2013 over the project's demise.

A previous report, by the National Audit Office (NAO), blamed "confusion and a lack of planning" for the failure.

It said that senior executives failed to take control of the project when it ran into trouble and "did not appear to appreciate the extent of the problems until a late stage".

Apology

The PAC published its own findings on Thursday. It reiterated several of the points raised in earlier reports and criticised the BBC for its failure to alert MPs of the problems.

"When my committee examined the DMI's progress in February 2011, the BBC told us that the DMI was... absolutely essential... and that a lot of the BBC's future was tied up in the successful delivery of the DMI," said Ms Hodge.

"The BBC also told us that it was using the DMI to make many programmes and was on track to complete the system in 2011 with no further delays.

"This turned out not to be the case. In reality the BBC only ever used the DMI to make one programme, called Bang Goes the Theory.

"The BBC was far too complacent about the high risks involved in taking it in-house. No single individual had overall responsibility or accountability for delivering the DMI and achieving the benefits, or took ownership of problems when they arose."

A BBC spokesman said: "Tony Hall was right to scrap the DMI project when he took over as director general last year. As we said at the time, the BBC didn't get DMI right and we apologised to licence fee payers.

"Since then we have completely overhauled how these projects are delivered so that there is crystal clear accountability and transparency."

A spokeswoman for the BBC Trust, the corporation's governing body, said: "As we have said before, this represented an unacceptable loss to licence fee payers.

"Acting on the conclusions of previous reports into DMI, we have strengthened reporting to the Trust so that problems are spotted early and dealt with quickly.

"We are also carrying out follow up reviews once projects are completed to make sure the lessons from DMI are being implemented."



'RoboClam' could anchor submarines

10 April 2014 Last updated at 01:33 | By James Morgan, Science reporter, BBC News

A new burrowing robot for anchoring miniature submarines has been developed - inspired by the humble razor clam.

"RoboClam" could be used to lay undersea cables, and potentially even destroy mines, its inventors say.

The device mimics the digging action used by razor clams to turn solid soil into liquid "quicksand", helping them slide through.

A prototype is described in the journal Bioinspiration and Biomimetics by engineers from MIT in Boston, US.


They set out to design a new low-power, light-weight anchor for autonomous underwater vehicles.

"Luckily, nature had already done the work for us," said Dr Kerstin Nordstrom, of the University of Maryland, who collaborated on the research.

The answer was poking out of mudflats off the coast at nearby Gloucester, MA.

The Atlantic razor clam, Ensis directus, has been dubbed "the Ferrari of underwater diggers".

An animal of its modest frame (10-20cm) should only be strong enough to penetrate 2cm into packed sand. But it can burrow up to 70cm in just over a minute.

Compared to existing anchor technology "the razor clam is about 10 times more efficient," Dr Nordstrom told the BBC's Science in Action.

To dig for half a kilometre, it would only use the energy in an AA battery.

"But when you try plunging the shell into the sand, it doesn't actually penetrate very far," said Dr Nordstrom.

"What this shows is the clam must be actively doing something to the ground when it digs."

To find out the razor clam's secret, they studied its digging action and modelled it mechanically.

The repeated open-shut of the clam's valves turned the hard-packed soil around it into quicksand.

"The clam's trick is to move its shells in such a way as to liquefy the soil around its body, reducing the drag acting upon it," said Amos Winter, of MIT's Department of Mechanical Engineering.

"Pushing through sand costs a lot of energy. But if the sand is excited, it's actually very easy. That's the trick," added Dr Nordstrom.

By mimicking the action of the razor clam, they built their own robotic prototype - which has achieved the same digging speed - about 1cm per second.

The first "RoboClam" can only reach 20cm, and requires a significant rig of machinery to propel it.

But having demonstrated the principle, the team now aims to develop a larger, self-contained unit, that can burrow more than 10 metres.

This could be used to anchor larger vessels, and may have military applications - such as detonating mines, the researchers suggest.

"The cool thing is this technology is already 10 times more efficient than any anchor. If we can keep scaling things up, some day it will affect big boats," said Dr Nordstrom.

"Also - undersea cable installation is happening more and more frequently. If we can do it more efficiently we can save costs and cause less disturbance to the environment," she said.

Amos Winter agrees: "Having a system that could just latch onto the cable, work its way along, and automatically dig it into the soil would be great," he said.



US card thief faces lengthy jail term

10 April 2014 Last updated at 17:24

A key member of a gang that traded stolen and fake credit cards could face years in jail after pleading guilty to racketeering charges.

Cameron Harrison of Georgia, US, was part of a large card fraud ring centred around the Carder.su website.

About $50m (£30m) in losses have been attributed to the group that used the Carder.su site.

The group was broken up by US law enforcement in 2012 and so far, 55 of its members have been charged.

The ring leaders of the group, which was run via Russia, are still believed to be at large.

The case is believed to be among the first to use racketeering laws against cybercriminals. Before now the laws were used against members of more traditional organised crime groups.

Harrison, aka Kilobit, joined the group in 2008 and was instrumental in helping it steal credit cards, IDs and engage in financial fraud.

Documents filed by the US Department of Justice against Harrison show that he has been indicted under two counts of racketeering and one of making and selling fake ID documents.

US guidelines suggest he will face decades in prison when he is sentenced later this year because those rules inflate prison terms if a crime affects more than 250 victims or involves losses higher than $50m.

The US government is also seeking to make Harrison and other former Carder.su members pay $50m in restitution to the four credit card firms they stole from - Visa, Discover, American Express and MasterCard.



Google Glass on sale for one day

11 April 2014 Last updated at 14:53

Google Glass will go on sale to the US public on 15 April for a single day, the company has announced.

Users must be 18 years old and are required to fill in an online form in order to be eligible to buy the device.

The eyewear will cost $1,500 (£894) and the BBC understands UK developers may have access as early as May.

The high price will be likely to deter many enthusiasts, who may be forced to wait for price reductions.

The tech giant sold the device to 8,000 individuals in 2013 as part of its Explorer programme. Google will now give more people the opportunity to test the computer, a sign that the company is getting closer to an official release.

The BBC understands that UK developers may have access to the device as early as May or June, making Britain the first country outside the US to gain additional prototypes.


The Glass team said they were "excited to meet our new Explorers, and we can't wait to hear your thoughts about Glass."

'Limited functionality'

While the £894 asking price seems high, Steven Graves, deputy editor of Stuff.tv, told the BBC this was likely to change: "The thing you have to bear in mind is it is still in development and that people are buying into that development.

"I think it's quite a high price but that doesn't necessarily reflect what the price will be when it is eventually released to consumers. At this stage they just want to get it in a few more hands."

Google Glass will be sold on a first-come, first-served basis after an initial online sign-up process.

Evan Kypreos, editor of TrustedReviews, said: "$1,500 is far too expensive for something that has very limited functionality at the moment.

"Google is targeting just a few early adopters to understand how to further develop Glass and doesn't actually want average Joes using it until it's a much more mature product.

"It's similar to how mobile phones came about," explains Mr Kypreos. "In the 80s, only a handful of people used them. They were bulky, expensive and could only be used to make calls. Thirty years later and most of the population has a smartphone that can do pretty much anything a PC can."

Early adopters of the wearable headset include BBC's Rory Cellan-Jones, who has been blogging about his experience.



NSA denies it knew of Heartbleed bug

12 April 2014 Last updated at 18:51

The US National Security Agency has denied it knew about or exploited the Heartbleed online security flaw.

The denial came after a Bloomberg News report alleging the NSA used the flaw in OpenSSL to harvest data.

OpenSSL is online-data scrambling software used to protect data such as passwords sent online.

Last year, NSA leaker Edward Snowden claimed the organisation deliberately introduced vulnerabilities to security software.


'A mistake'

A German computer programmer has accepted responsibility for the emergence of the Heartbleed bug, according to a report in the Sydney Morning Herald.

Robin Seggelmann, a 31-year-old from Oelde - 120 miles (193km) north of Frankfurt - is reported to have made the mistake while trying to improve the OpenSSL cryptographic library on 31 December 2011.

"It's tempting to assume that, after the disclosure of the spying activities of the NSA and other agencies, but in this case it was a simple programming error in a new feature, which unfortunately occurred in a security-relevant area," he told Fairfax Media.

"It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project."

The bug, which allows hackers to snatch chunks of data from systems protected by OpenSSL, was revealed by researchers working for Google and a small Finnish security firm, Codenomicon, earlier this month.

OpenSSL is used by roughly two-thirds of all websites and the glitch existed for more than two years, making it one of the most serious internet security flaws to be uncovered in years.

"[The] NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cyber security report," NSA spokeswoman Vanee Vines said in an email, adding that "reports that say otherwise are wrong."

A White House official also denied the US government was aware of the bug.

"Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong," White House national security spokeswoman Caitlin Hayden said in a statement.

"This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable internet," she insisted, adding: "If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL."

Bloomberg, citing two people it said were familiar with the matter, said the NSA secretly made Heartbleed part of its "arsenal", to obtain passwords and other data.

It claimed the agency has more than 1,000 experts devoted to finding such flaws - who found the Heartbleed glitch shortly after its introduction.

The claim has unsettled many.

"If the NSA really knew about Heartbleed, they have some *serious* explaining to do," cryptographer Matthew Green said on Twitter.

The agency was already in the spotlight after months of revelations about its huge data-gathering capabilities.

Documents leaked by former NSA contractor Edward Snowden indicated the organisation was routinely collecting vast amounts of phone and internet data, together with partner intelligence agencies abroad.

President Barack Obama has ordered reforms that would halt government bulk collection of US telephone records, but critics argue this does not go far enough.

Separate to its denials regarding the NSA, the US government also said it believes hackers are trying to make use of the flaw.


Dangerous or not?

Internet security firm Cloudflare has cast doubt on the scale of the danger posed by Heartbleed, saying it has been unable to exploit it to obtain the secret SSL keys that would put people's data at risk.

The US company was one of those given early warning of the bug before Monday's announcement, and had 12 days to carry out tests.

"Note that is not the same as saying it is impossible to use Heartbleed to get private keys," blogged software engineering leader Nick Sullivan.

"However, if it is possible, it is at a minimum very hard."

The news prompted news site The Verge to lead with the headline: "Heartbleed security flaw may not be as dangerous as thought"

But the security firm that sounded the first alert stands by its warning.

"We know what we found," Codenomicon chief executive David Chartier told the BBC.

"Access to memory is a very serious vulnerability and it's great that people are taking quick action to upgrade and remediate the problem.

"If you search on the internet you will find many people have replicated the problem."

The Department of Homeland Security advised the public to change passwords for sites affected by the flaw, once they had confirmed they were secure, although it added that so far no successful attacks had been reported.

Several makers of internet hardware and software also revealed some of their products were affected, including network routers and switches, video conferencing equipment, phone call software, firewalls and applications that let workers remotely access company data.

The US government also said that it was working with other organisations "to determine the potential vulnerabilities to computer systems that control essential systems - like critical infrastructure, user-facing and financial systems".

The bug makes it possible for a knowledgeable hacker to impersonate services and users, and potentially eavesdrop on the data communications between them.

It only exposes 64K of data at a time, but a malicious party could theoretically make repeated grabs until they had the information they wanted. Crucially, an attack would not leave a trace, making it impossible to be sure whether hackers had taken advantage of it.



Smartphones 'black market' exposed

14 April 2014 Last updated at 06:15 | By Guy Lynn and Ed Davey, BBC News, London

More than 30,000 phones have been stolen in London in the last year

A black market of shops and traders willing to deal in stolen smartphones has been exposed by a BBC London undercover investigation.

Intelligence was received that some shops across a swathe of east London were happy to buy phones from thieves.

Two traders were filmed buying Samsung S3 and iPhone 4 devices from a researcher posing as a thief - despite him making it clear they were stolen.

The shops involved have declined to comment.


THE LAW

Alex McBride, a criminal barrister and author, said: "Handling stolen goods is an offence under the Theft Act, and depending on the value of the goods, it can certainly be a serious offence. If you were handling £250,000 worth of stolen phones a year it would amount to pretty serious criminality. It's irrelevant that you didn't actually do the taking - you are encouraging people to go thieving and robbing by monetising their ill-gotten gains on the black market. In my view, handling stolen goods is just as serious as theft. It carries a 14-year maximum prison sentence."

On receiving tip-offs about numerous rogue businesses, eight used smartphones were acquired by lawful means.

Each smartphone was personalised with images and backgrounds with contacts added, calls made and messages sent.

They were then all blocked or reported stolen to the networks.

The undercover researcher then offered the phones for sale - typically with messages on the screens reading: "This mobile has been stolen. This phone has now been locked. You have been reported to the authorities."

The researcher offered a phone to London Mobiles Ltd in Ilford, saying: "I not buy, I steal, yeah?"

When shown the screen message, the employee laughed and said: "It's stolen. It's very dangerous."

That did not stop him offering cash for the phone.

Nearby Ask Mobiles and Computers, in Seven Kings, bought four "stolen" mobile phones from the BBC, making the researcher leave the shop before concluding the deals for up to £40.

This was despite the researcher saying on his second visit: "Yeah bruv, I stole two more."

One worker even gave the researcher tips on evading arrest.

He said: "You're mental man, just turn it off, they can track you.


The researcher asked: "Turn it off?"

'Absolutely astounding'

And he was told: "Yeah 'cos they got Sim card inside, throw away the Sim."

The BBC showed its footage to John O'Connor, a former commander of the Met's Flying Squad.

He said: "You have got people so confident and so casual in dealing with what they believe to be stolen property - and encouraging robberies.

"I find it absolutely astounding.

"By providing a conduit for the thieves to be able to convert those stolen phones into money, they're encouraging the commission of offences."

All the phones used had 'find-my-phone' style blocks activated, and in theory their IMEI numbers mean they are not useable once reported stolen.

But Grant Roughley, of Essential Forensics, demonstrated to the BBC how simple it was to get around such features - using only a laptop.

He was able to give a device a new IMEI number - effectively changing the phone's fingerprint - meaning it could be used as normal.

And restoring the phone's default software removes "find-my-phone" protection.

Mr Roughley said: "Just a few mouse clicks and the phone is turned from a paperweight back to a useable device again.


STOLEN PHONES IN LONDON

Over the past 12 months:

  • 30,430 phones taken in thefts - down 12% on previous year
  • 13,724 phones taken in robberies
  • Equivalent to 80 phones a day being taken
  • More than half of all the thefts on the Tube are of mobile phones

Source: Metropolitan Police and British Transport Police

"A phone stolen this morning could be back on the streets by this afternoon, packaged up as a second hand legitimate phone."

A fundamental redesign of smartphones to place the IMEI number on a 'read-only' part of the device would prevent this. But Mr Roughley said manufacturers have been reluctant to do this.

Samsung and Apple have made no comment.

Carving knife

In total, the BBC received intelligence on some eight shops willing to trade in stolen smartphones.

And it is the victims of street robberies who know the true cost of the crimes rogue phone merchants encourage.

Alex Causton-Ronaldson, 25, a marketing manager, was left so traumatised after being held up with a carving knife in Clapham that he relocated from London to Norfolk.

He recalled: "All of a sudden he came out with this huge knife.

"He said, 'Give me your phone now or I am going to stab you'.

"And all of sudden five other guys just appeared out of nowhere."

Mr Causton-Ronaldson added: "I broke down in tears.

"That's why I can't walk down the street at night on my own any more, it's ridiculous."



Dutch unveil glow in the dark road

14 April 2014 Last updated at 13:20

Glow-in-the-dark road markings have been unveiled on a 500m stretch of highway in the Netherlands.

The paint contains a "photo-luminising" powder that charges up in the daytime and slowly releases a green glow at night, doing away with the need for streetlights.

Interactive artist Daan Roosegaarde teamed up with Dutch civil engineering firm Heijmans to work on the idea.

The technology is being tested with an official launch due later this month.

It is the first time "glowing lines" technology has been piloted on the road and can be seen on the N329 in Oss, approximately 100km south east of Amsterdam.

Once the paint has absorbed daylight it can glow for up to eight hours in the dark.

Encourage innovation

Speaking to the BBC last year about his plans Mr Roosegaarde said: "The government is shutting down streetlights at night to save money, energy is becoming much more important than we could have imagined 50 years ago. This road is about safety and envisaging a more self-sustainable and more interactive world."

Mr Roosegaarde's projects aim to help people and technology to interact. His past projects have included a dance floor with built-in disco lights powered by dancers' foot movements, and a dress that becomes see-through when the wearer is aroused.

"I was completely amazed that we somehow spend billions on the design and R&D of cars but somehow the roads - which actually determine the way our landscape looks - are completely immune to that process," Mr Roosegaarde said.

Heijmans was already working on projects involving energy-neutral streetlights when Mr Roosegaarde teamed up with the company.

"I thought that was updating an old idea, and I forced them to look at movies of jellyfish. How does a jellyfish give light? It has no solar panel, it has no energy bill.

"And then we went back to the drawing board and came up with these paints which charge up in the daytime and give light at night," he said.

Heijmans says that the glow in the dark technology is also "a sustainable alternative to places where no conventional lighting is present".

Pilot project

Innovation on roads needs to be encouraged, said Professor Pete Thomas, from Loughborough University's Transport Safety Research Centre, but new technologies need to prove themselves.

"We have some high visibility markings already on roads in the UK, plus cat's-eye technology etc. So the question is how much better than these is this alternative?

"If we put this technology on all unlit roads that would be a lot of kilometres and it would be a big investment so if safety improvement is the target then we need hard evidence about how this compares to what we already have and to back up any safety claims," he said.

Initially the team also had plans to develop weather symbols that appeared on the road once the temperature reached a certain level. A temperature-sensitive paint mixture would be used to create giant snowflake-shaped symbols on the tarmac to warn users that the road may be icy.

The current stretch of glow in the dark road in Oss does not include this temperature sensitive technology.

It is a pilot project at this stage and is expected to expand internationally later this year. Dutch media report that Heijmans is keen to use the paint on other roads but has not yet negotiated any contracts.



Pentagon eyes drone wi-fi hotspots

14 April 2014 Last updated at 15:22

The Pentagon is planning to turn old drones into wi-fi hotspots.

The equipment needed for long-range high-bandwidth wi-fi is often unavailable to troops in the field.

Engineers hope this will be remedied with airborne wi-fi hotspots that can remain close to isolated troops.

The move is similar to Facebook's initiative to bring the world online with blanket wi-fi, but some critics fear the drones will compromise security.

Getting access to a secure, stable and fast internet connection might become easier for remote US troops if the Defense Advanced Research Projects Agency's (Darpa) latest wi-fi hotspot programme successfully launches.


Engineers at Darpa recently completed the first of three test phases, which saw the development of key technologies to be integrated into a complete system.

"We're pleased with the technical achievements we've seen so far in steerable millimetre-wave antennas and millimetre-wave amplifier technology," said Dick Ridgway, Darpa programme manager.

"These successes - and the novel networking approaches needed to maintain these high-capacity links - are key to providing forward deployed units with the same high-capacity connectivity we all enjoy over our 4G cell-phone networks."

The accomplishments of the initial phases include: smaller, steerable antennas; signal boosters; increased power efficiency; and a light pod to carry the device on the unmanned aerial vehicle (UAV) itself. The network is said to be potentially capable of a 1 gigabit per second (Gb/s) capacity, which is as fast as Google Fiber's.

'More war, less security'

Darpa's move is reminiscent of Mark Zuckerberg's recent announcement that he wishes to connect the two-thirds of the world that has no net access, using drones, satellites and lasers - albeit for different reasons.

However, Chris Cole, editor of Drone Wars UK, has criticised Darpa, warning that the drones will ultimately provide less security.

"Again we see drones being used to enable the projection of lethal military force in remote locations.

"Regardless of whether drones are delivering weapons or wi-fi it seems that the growing use of unmanned systems simply means more war and less overall security in the future."



Android devices await Heartbleed fix

14 April 2014 Last updated at 16:24 | By Leo Kelion, Technology desk editor

Millions of Android devices remain vulnerable to the Heartbleed bug a week after the flaw was made public.

Google announced last week that handsets and tablets running version 4.1.1 of its mobile operating system were at risk.

The search giant has since created a fix, but it has yet to be pushed out to many of the devices that cannot run higher versions of the OS.

It potentially places owners at risk of having sensitive data stolen.

In addition security firms warn that hundreds of apps available across multiple platforms still need to be fixed.

These include BlackBerry's popular BBM instant messaging software for iOS and Android.


Last week internet security firm CloudFlare questioned whether Heartbleed was as dangerous as claimed.

The company - which had been one of the select few to be informed of the bug before it was made public - said it had been unable to exploit the flaw to reveal the server certificate private keys that would make sites vulnerable to impersonation.

On Friday it announced a test for others to try, but warned that it believed the task was "likely impossible".

It did not take long for the firm to be proved wrong.

The same day Russian security researcher Fedor Indutny managed to "steal" an SSL private key from CloudFlare's challenge server. He said that it took him less than three hours to do so.

Since then a further three people - including a computer security researcher at the University of Cambridge - have completed the challenge.

"This result reminds us not to underestimate the power of the crowd and emphasises the danger posed by this vulnerability," blogged CloudFlare's software engineering leader Nick Sullivan.

BlackBerry, the Canadian firm behind BBM, has said that it will not issue a fix until Friday, but said there was only an "extremely small" risk of hackers exploiting the bug to steal its customers' data.

In the meantime the BBM app remains available for download from Apple's App Store and Google Play.

Data theft

News of the vulnerability in recent versions of the OpenSSL cryptographic software library was made public last Monday after researchers from Google and Codenomicon, a Finnish security firm, independently discovered the problem.

OpenSSL is used to encrypt data as it passes between a user's device and an online service, in order to prevent others eavesdropping on the information.

It is used by many, but not all, sites that show a little padlock and use a web address beginning "https".

The researchers found that, because of a missing length check in the library's "heartbeat" feature, an attacker could read up to 64 kilobytes of unencrypted data from the working memory of a system running a vulnerable version of OpenSSL, using a single crafted request.

Although that is a relatively small amount, an attacker can repeat the request as often as they like to increase their haul, and each request returns whatever happens to be sitting in memory next to the received message.

Furthermore, 64KB is enough to capture passwords, session cookies and server certificate private keys - information that can be used to let malicious services masquerade as genuine ones.
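To make the mechanism concrete, here is an added C model of a TLS heartbeat responder. It is not OpenSSL's code or anything from the article; it keeps the real message layout (a type byte, a two-byte big-endian payload length, the payload and at least 16 bytes of padding) but replaces the process heap with a single constructed array, so that the over-read stays defined behaviour in the demo. The "secret" placed after the record, the zero padding and the helper names are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL's code: a model of a TLS heartbeat responder.
 * Message layout: type (1) | payload_length (2, big-endian) | payload | padding (>=16).
 * The flaw was that the responder copied payload_length bytes back to the peer
 * without checking that the record it received was really that long, so the
 * 16-bit length field lets a peer pull up to 65535 bytes ("64K") of adjacent memory. */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Simulated process memory: the received record sits at the start of `mem`,
 * and whatever the allocator placed next to it (here a constructed secret) follows. */
struct arena {
    unsigned char mem[256];
    size_t record_len;                  /* bytes actually received */
};

/* Build a request claiming `claimed_len` payload bytes while really carrying
 * `real_payload`, then place `secret` just past the record. Both must be short. */
static struct arena make_arena(uint16_t claimed_len, const char *real_payload,
                               const char *secret)
{
    struct arena a;
    size_t real_len = strlen(real_payload);
    memset(a.mem, 0, sizeof a.mem);
    a.mem[0] = HB_REQUEST;
    a.mem[1] = (unsigned char)(claimed_len >> 8);
    a.mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(a.mem + 3, real_payload, real_len);
    a.record_len = 3 + real_len + HB_PADDING;              /* padding stays zero */
    memcpy(a.mem + a.record_len, secret, strlen(secret));  /* NOT part of the record */
    return a;
}

/* Vulnerable responder: trusts the peer-supplied length. Returns response length or -1.
 * The copy is clipped at the arena end only so the demo stays inside the array;
 * real OpenSSL read straight off the heap. */
static int hb_respond_vulnerable(const struct arena *a, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = a->mem;
    size_t avail = sizeof a->mem - 3;
    if (a->record_len < 3 || p[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);   /* attacker-controlled */
    size_t n = payload < avail ? payload : avail;         /* BUG: never compared to record_len */
    if (out_cap < 3 + n + HB_PADDING) return -1;
    out[0] = HB_RESPONSE; out[1] = p[1]; out[2] = p[2];
    memcpy(out + 3, p + 3, n);                            /* reads past the record */
    memset(out + 3 + n, 0, HB_PADDING);
    return (int)(3 + n + HB_PADDING);
}

/* Fixed responder: the same handler with the bounds check the patch added. */
static int hb_respond_fixed(const struct arena *a, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = a->mem;
    if (a->record_len < 1 + 2 + HB_PADDING || p[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > a->record_len) return -1;  /* the fix */
    if (out_cap < 3 + (size_t)payload + HB_PADDING) return -1;
    out[0] = HB_RESPONSE; out[1] = p[1]; out[2] = p[2];
    memcpy(out + 3, p + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* 1 if `needle` occurs in the first n response bytes, else 0. */
static int response_contains(const unsigned char *out, int n, const char *needle)
{
    size_t m = strlen(needle);
    if (n < 0 || (size_t)n < m) return 0;
    for (size_t i = 0; i + m <= (size_t)n; i++)
        if (memcmp(out + i, needle, m) == 0) return 1;
    return 0;
}

/* Drive one scenario: 1 = secret leaked, 0 = answered without leaking, -1 = rejected. */
static int run_scenario(int use_fixed, uint16_t claimed_len)
{
    unsigned char out[512];
    const char *secret = "SECRET-KEY-MATERIAL";        /* constructed stand-in for heap data */
    struct arena a = make_arena(claimed_len, "hello", secret);
    int n = use_fixed ? hb_respond_fixed(&a, out, sizeof out)
                      : hb_respond_vulnerable(&a, out, sizeof out);
    return n < 0 ? -1 : response_contains(out, n, secret);
}

int main(void)
{
    printf("vulnerable, honest request (len 5):      %d\n", run_scenario(0, 5));
    printf("vulnerable, malicious request (len 200): %d\n", run_scenario(0, 200));
    printf("fixed, honest request (len 5):           %d\n", run_scenario(1, 5));
    printf("fixed, malicious request (len 200):      %d\n", run_scenario(1, 200));
    return 0;
}
```

The honest request is answered identically by both versions; the malicious one, which claims 200 bytes while sending five, makes the vulnerable handler echo the constructed secret back, while the fixed handler drops the request because the claimed length plus header and padding exceeds what was actually received. Repeating the malicious request with different heap layouts is how the 64KB-per-request leak becomes a full private key.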

Press reports initially focused on the risk of users visiting vulnerable websites, but attention is now switching to mobile.

At-risk handsets

Google's own statistics suggest that fewer than 10% of Android devices currently run version 4.1.1.

However, since close to one billion people currently use the OS that is still a significant number.

Some of those device owners can protect themselves by upgrading Android to a more recent version.

But several devices cannot be upgraded beyond 4.1.1.

Manufacturers' customer support websites indicate these include Sony's Xperia E and Xperia J handsets, HTC's One S, Huawei's Ascend Y300 and Asus's PadFone 2.

"Privacy and security are important to HTC and we are committed to helping safeguard our customers' devices and data," said the Taiwanese firm.

"We're currently working to implement the security patch issued by Google this week to the small number of older devices that are on Android 4.1.1."

Asus said its device was "expecting an update imminently". Sony and Huawei were unable to comment.

Tab grab

Google has now created a fix to address the problem. However, manufacturers still need to adapt it for their devices, and the resulting software will need to be tested by the various mobile operators before they release it.

Users can check which edition of Android they are running by going to the "about phone" or "about tablet" option in their Settings app.

Alternatively, several free apps have been released that can scan phones and tablets to say whether they are vulnerable.

Lookout - a security firm behind one of the products - explained how hackers might take advantage of a vulnerable handset.

"Someone could build a malicious website or advert designed to steal data from your memory," Thomas Labarthe, the firm's European managing director, told the BBC.

"If you happen to be browsing it and have other tabs open in your browser, it could take data from a banking site - for example.

"No-one could steal a whole document - they can only take 64K of data - but that's still enough to steal your credentials."

'Forgotten about'

Another security firm, Trend Micro, has focused on the issue of vulnerable apps.

These can affect any mobile operating system, because the problem lies not in the handset but in the servers that send data to the apps, which have not been updated to a patched version of OpenSSL.

Trend Micro said it was currently aware of 6,000 such risky apps, including shopping and bank-related services. That is 1,000 fewer than its figure for Friday - suggesting some server operators are addressing the problem.

But it acknowledged that it was hard for members of the public to know which of the hundreds of thousands of apps on offer were safe to use.

"Some of these are services that were set up and then forgotten about," said senior malware researcher David Sancho.

"There's no way from using an app you can know if it's good or bad.

"So, for the moment, the best thing to do is use the ones from the major vendors that we know have been patched... but for the minor ones that have said nothing, be wary."

