Hackers use Android 'master key'

 Chinese app Symantec said the exploit has been added to two Chinese health apps A security firm says it has identified the first known malicious use of Android's "master key" vulnerability.

The bug - which was first publicised earlier this month - allows attackers to install code on to phones running Google's mobile operating system and then take control of them.

Symantec said its researchers had found two apps distributed in China that had been infected using the exploit.

Google has already taken moves to tackle the problem.

A fortnight ago it released a patch to manufacturers, but it will not have been sent to all handset owners yet.

Google also scans its own Play marketplace for the exploit, but this will not protect consumers who download software from other stores.

Premium texts
The vulnerability was first reported by security research firm BlueBox on 3 July.

All Android apps contain an encrypted signature that the operating system uses to check the program is legitimate and has not been tampered with.

But BlueBox said it had found a way to make changes to an app's code without affecting the signature.

It warned the technique could be used to install a Trojan to read any data on a device, harvest passwords, record phone calls, take photos and carry out other functions.

According to Symantec, hackers have now exploited the flaw to install malware called Android.Skullkey, which steals data from compromised phones, monitors texts received and written on the handset, and also sends its own SMS messages to premium numbers.

It said the Trojan had been added to two legitimate apps used in China to find and make appointments with a doctor.

Android phones The fragmented nature of the Android market means updates take time before they become available
"We expect attackers to continue to leverage this vulnerability to infect unsuspecting user devices," its report warned.

"Symantec recommends users only download applications from reputable Android application marketplaces."

The firm added that affected users could manually remove the software by going into their settings menu.

One telecoms consultant said the news highlighted the difficulty Google had in distributing changes to Android.

"When Google releases its updates, manufacturers want to check them and then network operators also want to certify the code as well," said Ben Wood, director of research at CCS Insight.

"It's a consequence of having so many different firms making Android devices, with most running their own user interfaces on top.

"By contrast, Apple just pushes its updates directly to consumers."

Master the command line: how to use man pages

If you’ve read Macworld for any length of time—particularly our OS X Hints blog or any other story that asks you to use Terminal—you may have wondered to yourself: How do you learn about all those mysterious commands, such as ls or cd? Is it some kind of arcane knowledge, handed down only to initiates after grueling initiations? Well, no. Actually, anyone can learn about Terminal commands, if they know where to look. Today, I’ll tell you where.

The key to Terminal wisdom is the man command. It summons manual (or man) pages for almost any command; they’re the equivalent of a help system for the command line. In fact, man itself is a command, whose role is to format and display this documentation.

If you type man pwd, for example, Terminal will display the man page for the pwd command.

The beginning of the man page for the pwd command.
All man pages have a common format. They begin with name (the name of the command) and a brief description of what it does. The pwd command I looked at above shows the following:

pwd—return working directory name

Next comes synopsis, which shows the command any any options, or flags, that you can use with it. For pwd, there are two options: -L and -P. These options are explained in the description section:

DESCRIPTIONThe pwd utility writes the absolute pathname of the current working directory to the standard output.Some shells may provide a builtin pwd command which is similar or identical to this utility. Consult the builtin(1) manual page.The options are as follows:-L Display the logical current working directory.-P Display the physical current working directory (all symbolic links resolved).If no options are specified, the -L option is assumed.
As you can see here, each of the two options is explained, and a final sentence tells you that the command assumes that the -L option is desired if no other option (and there’s only one) is specified.

As you work from the command line, you’ll find that reading up on the options available for different commands is really important. You’ll learn the myriad ways you can use these tools, and some man pages also contain examples to help you understand them.

When you look at a man page, you do so in Terminal through another command, called a pager; by default, this is the less command. What a pager does is allow you to view content in Terminal page by page, or line by line. When you’re viewing a man page, you will most often not see the entire page at once. You’ll need to page down to see more.

There are two ways to do this with less. If you press Return, the page will move down one line. And if you press the spacebar, the page will scroll one page (the number of lines visible in your Terminal window). You can tell that there’s more to come by the : (colon) visible at the bottom of the window.

Try it on your Mac: Open Terminal, type man ls, then press Return. The ls command’s man page is quite long, and you’ll need to press the spacebar several times to get to the bottom.

Sometimes, when you’re viewing a man page, you need to go back up and look at something that’s no longer visible. Depending on your Terminal settings, you may be able to scroll the Terminal window. If not, press Control-B to go back a page, and the spacebar, or Control-F, to go forward a page.

When you get to the end of a man page, you’ll see this: (END). You’ll notice that you can’t do anything at that point; you need to quit the less command; do this by pressing the q key.

If you don’t want to read man pages in Terminal, there are other ways to view this content. Carl Lindberg’s free ManOpen is a simple app that lets you view man pages in a more attractive way than in Terminal. Press Command-O, enter the name of a command, and click Open. ManOpen is especially useful because you can choose specific sections to view from a popup menu, and you can navigate more easily than in Terminal with the less command.

ManOpen lets you view man pages in a friendlier interface than Terminal.
But you can also find man pages on the Web. Just type man and the name of a command into your favorite search engine, and you’ll get plenty of hits. Apple has a documentation repository with man pages here. You can click Alphabetic Index to get a list of all commands, then search for the one you want. Apple’s man pages are useful because a popup menu near the top of the page lets you choose an OS X version, so if you need to see the man page for an older version of OS X, you can do so.

No matter which route you choose, man pages open the door to a goldmine of information about the command line. Use them and you’ll learn all the ins and outs of the commands you use.

Anyone can master these top online security tips

Concerns about online privacy have reached new heights since reports revealed that the U.S. National Security Agency has been monitoring millions of phone logs and social media accounts as part of several top-secret programs. In light of the revelations, many people are wondering how they can protect themselves from snooping.
I had the opportunity to talk with Steve Santorelli, a security expert at research firm Team Cymru and a former Scotland Yard detective. I asked him to share his own measures for staying as safe as possible while using the Internet.
Several days later, he sent me his tips. First off, nothing will protect you from government surveillance if a service provider agrees to cooperate in the investigation, he said. Those providers could include your ISP or Google.
However, that doesn’t mean you should dismiss safety measures — cybercriminals are a real threat. He recommended a few simple measures to protect your privacy online.
Here are Santorelli’s top nine tips:
1. Software patches
Patch your OS and all your applications, especially your browser and plug-ins such as Java and Flash. “This one step will likely give you 90 percent protection, as infections, which lead to privacy compromise, often rely on exploiting known vulnerabilities in your operating system,” said Santorelli. Set up automatic updates whenever possible.
2. Two-factor authentication
Use two-factor authentication for as many accounts as you can. This means you must provide both a password and a second form of identification, such as a code that’s sent to your phone, to log in to an account. Most of the major free service providers, such as Twitter and Gmail, have enabled this capability.
3. Antivirus
Use antivirus software, and update it regularly. “While it’s only about 30 to 50 percent effective, it’s still well worth doing,” said Santorelli. Many ISPs will give you a license for free. And there are several free apps.
4. Web browsers
Santorelli said that you can stay safe using any of the modern browsers — Internet
Explorer, Safari, Chrome and Firefox — as long as you update them “rigorously.” You should remove plug-ins that can execute code, such as Adobe Flash and Java. This may not be practical in all cases, however. “Most people don’t do this because they find the Internet very boring without these plug-ins,” said Santorelli. You won’t miss much with Java turned off — the only widely used online applications that really need Java these days are Web-conferencing things like GoToMeeting. But many websites still use Flash for displaying video.
5. Scripts
Use a script-blocker plug-in for your browsers, such as the free No Script for Firefox or NotScripts for Chrome. These plug-ins will block many ads and many types of active content, such as pop-ups that occur when you hover over highlighted text and other elements based on JavaScript. This is a popular way for attacks to enter your computer.
6. Firewall
Use a software firewall on your system. Most modern operating systems, such as Windows and Mac OSX, include a built-in firewall, but you may have to enable it.
7. Password control
Do not use the same password for everything. Santorelli recommends using a password-management tool, such as RoboForm Everywhere, to generate different passwords for each of your accounts. At the very least, he said, have separate sets of passwords for different types of accounts: one for banking accounts, one for free email accounts, etc.
8. Mobile-app permissions
“Beware of mobile apps that ask for massive control over your device, far in excess of what could be justified for what the app apparently does,” said Santorelli. For example: Why would a game need access to your photos and contacts? “Remember, if the app is free, that sometimes means that (your information is) the product being sold,” he said.
9. Linked accounts
Beware of online accounts that link to other accounts. Many Twitter apps do this. Once you stop using these apps, they represent a forgotten route into your Twitter account, said Santorelli. “Do a quick check, and you might be surprised how many forgotten apps have access to some of your accounts,” he said. “Delete them.” To see the apps that access your Twitter account, visit twitter.com/settings/applications — the length of the list may astound you.
According to Santorelli, if you protect yourself from the traditional acquisitive criminals, who are using the same tools as folks with less traditional motives, you are going to be as safe as you can be online.
Ogden-based TopTenREVIEWS.com guides consumers by comparing products in the world of technology, including electronics, software and Web services. Have a question for TopTenREVIEWS? Email Leslie Meredith lesliemeredith@technewsdaily.com.