
Wednesday, 14 August 2013

More Android malware distributed through mobile ad networks

Mobile ad networks can provide a loophole to serve malware to Android devices, according to researchers from security firm Palo Alto Networks who have found new Android threats being distributed in this manner.

Most mobile developers embed advertising frameworks into their applications in order to generate revenue. Unlike ads displayed inside Web browsers, ads displayed within mobile apps are served by code that's actually part of those applications.

The embedding of code for the advertising network into a mobile application itself ensures that ads get tracked and the developers get paid, but at the same time this third-party code represents a backdoor into the device, said Wade Williamson, senior security analyst at Palo Alto Networks, in a Monday blog post.

"If the mobile ad network turns malicious, then a completely benign application could begin bringing down malicious content to the device," Williamson said. "What you have at that point is a ready-made botnet."

There are precedents for this type of attack. In April, mobile security firm Lookout identified 32 apps hosted on Google Play that were using a rogue ad network later dubbed BadNews. The apps were benign, but the malicious ad network was designed to push toll fraud malware targeting Russian-speaking users through those apps. The malware masqueraded as updates for other popular applications.

According to Williamson, researchers from Palo Alto Networks recently came across a similar attack in Asia that involved using a rogue ad network to push malicious code through other apps without being detected by mobile antivirus vendors.

The malicious payload pushed by the ad network runs quietly in the device memory and waits for users to initiate the installation of any other application, Williamson said. At that point, it prompts users to also install and grant permissions to the malware, appearing as if it's part of the new application's installation process, he said.

"This is a very elegant approach that doesn't really require the end-user to do anything 'wrong'," the researcher said.

Once installed, the malware has the ability to intercept and hide received text messages, as well as to send text messages in order to sign up users for premium-rate mobile services, Palo Alto Networks said in a description of the attack sent via email.

Such attacks are probably specific to certain geographic regions, said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, Tuesday via email.

Botezatu expects the distribution of malware through mobile ad networks to become more common, especially in countries where mobile devices can't access the official Google Play store or where users have difficulties in purchasing applications in a legitimate manner, causing most Android devices to be configured to accept APKs (Android application packages) from unknown sources.

That doesn't mean that apps that deliver malware through ad networks can't make it into Google Play, as the BadNews incident has shown.

Google Play checks APKs for malware before approving them, so getting an infected APK uploaded there can be very hard, Botezatu said. However, a malicious ad server could lay dormant until after the application is approved and then start delivering malware, he said.

Botezatu believes that users are more likely to fall victim to "malvertising" -- malicious advertising -- attacks launched through mobile apps than Web browsers. That's because there have been many incidents of ad-based malware infections on computers and users are probably more careful about what they click on inside their browsers, he said.

Android users should make sure that their devices are not configured to allow the installation of apps from unknown sources and should run a mobile antivirus product, which might be able to detect malicious apps delivered through ad networks, he said.

Monday, 22 July 2013

Following attacks, Network Solutions reports MySQL hiccups

Network Solutions warned on Monday of latency problems for customers using MySQL databases just a week after the hosting company fended off distributed denial-of-service (DDoS) attacks.

"Some hosting customers using MySQL are reporting issues with the speed with which their websites are resolving," the company wrote on Facebook. "Some sites are loading slowly; others are not resolving. We're aware of the issue, and our technology team is working on it now."

Network Solutions, which is owned by Web.com, registers domain names, offers hosting services, sells SSL certificates and provides other website-related administration services.

On July 17, Network Solutions said it came under a DDoS attack that caused many of the websites it hosts to not resolve. The company said later in the day that most of the problems had been fixed, and it apologized two days later.

"Because online security is our top priority, we continue to invest millions of dollars in frontline and mitigation solutions to help us identify and eliminate potential threats," it said.

Some customers, however, reported problems before Network Solutions acknowledged the cyberattacks. One customer, who wrote to IDG News Service before Network Solutions issued the MySQL warning, said he had problems publishing a website on July 16, before the DDoS attacks are believed to have started.

Several other customers who commented on the company's Facebook page reported problems going back to a scheduled maintenance period announced on July 5. The company warned customers they might experience service interruptions between 10 p.m. EST on July 5 and 7 a.m. the next morning.

Donna Marian, an artist who creates macabre dolls, wrote on the company's Facebook page on Monday that her site was down for five days.

"I have been with you 13 years and have not got one word about this issue that has and is still costing my business thousands of dollars," Marian wrote. "Will you be reimbursing me for my losses?"

Company officials could not be immediately reached for comment.

Thursday, 18 July 2013

Most enterprise networks riddled with vulnerable Java installations, report says

Despite the significant Java security improvements made by Oracle during the past six months, Java vulnerabilities continue to represent a major security risk for organizations because most of them have outdated versions of the software installed on their systems, according to a report by security firm Bit9.

Bit9's report was released Thursday and is based on data about Java usage collected from approximately 1 million enterprise endpoint systems owned by almost 400 organizations that use the company's software reputation service.

The data shows that Java 6 is the most prevalent major version of Java in enterprise environments, present on more than 80 percent of enterprise computers that have Java installed.

Java 6 reached the end of public support in April, and only Oracle customers with a long-term support contract will continue to receive security updates for it. Java 7, the version that is the focus of Oracle's recent security strengthening efforts, was only found on around 15 percent of endpoint systems sampled by Bit9.

Furthermore, most companies that run Java 6 on their systems don't have the latest security updates for it, the security firm found.

The most widely deployed Java version, according to Bit9's data, was Java 6 Update 20, which was installed on a little over 9 percent of endpoints. This version of Java is vulnerable to a total of 215 security issues, 96 of which have the maximum impact score on the Common Vulnerability Scoring System (CVSS) scale, Bit9 said.

The last publicly available security update for Java 6 is Java 6 Update 45, which was released in April at the same time as Java 7 Update 21, the latest version of Java available when Bit9 collected data for its report.

Only 3 percent of enterprise endpoint systems were running Java 7 Update 21, the company said. However, those endpoints belonged to only 0.25 percent of the sampled organizations, which seems to indicate that organizations with a larger number of endpoints are more likely to have the latest version of Java installed on their systems.

Another issue is that many enterprise systems have multiple versions of Java running on them. Around 65 percent of systems had more than two versions of Java installed at the same time, and approximately 20 percent had more than three versions.

According to Bit9's report, on average, organizations have more than 50 distinct versions of Java installed in their environments. About 5 percent of organizations have more than 100 versions.

This problem mainly stems from how the Java installation and updating process deals with older versions.

The Java 7 updater will attempt to remove existing installations of Java 6, but a clean installation of Java 7 won't remove older versions, said Harry Sverdlove, Bit9's chief technology officer. Java 5 versions are not removed during Java 7's installation or update processes, he said.

The Bit9 data showed that 93 percent of organizations have a version of Java on some of their systems that's at least five years old. Fifty-one percent have a version that's between five and 10 years old.

The problem with having multiple versions of Java installed at the same time on a system is that attackers can target the older and vulnerable versions to hack into that computer. Once that happens, the security of the newer Java versions doesn't help.

Code that enumerates all Java versions installed on a system for reconnaissance purposes has already been seen in real attacks, Bit9 said in the report.

Having different Java versions on a system increases usability because customers can run legacy applications, but from a security perspective it's a nightmare, Sverdlove said. Every version that is installed introduces yet another set of known vulnerabilities that attackers can target, he said.

Sverdlove compared the situation of companies running five-to-10-year-old versions of Java to running Windows 95. This practice might be convenient for compatibility reasons, but it's a horrible security risk, he said.

In most cases, this kind of Java version fragmentation inside enterprise environments is probably not even intentional, as many companies don't understand or keep track of how many versions they have installed, Sverdlove said.

First and foremost, organizations should get an assessment of what Java versions they have in their environments and where, Sverdlove said. The next step should be for them, as a matter of security policy, to stop and seriously consider whether they need Java, and if they do, for what purposes, he said.

The results of this assessment will vary among organizations, Sverdlove said. Some companies might find that a particular version of Java is needed to run legacy applications, but only on certain computers. Others might discover that certain websites that require Java work with the latest version of the software, and some might find that Java is only needed on their servers and not on desktops, he said.

Regardless of their individual Java needs, organizations should create a Java deployment policy and enforce it, Sverdlove said. If their policy is to not have Java, then they should use tools to block it from running; if they determine that they only need Java on certain machines, then they should remove it from all other machines, he said.
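One way to carry out the first step Sverdlove describes, an assessment of which Java versions are installed where, over an inventory already collected from endpoints. This is an added example, not Bit9's tooling or anything from the report; the hostnames and version lists are constructed, and the "latest public update" numbers (Java 6 Update 45, Java 7 Update 21) are the ones the article gives.

```python
import re
from collections import Counter

# Latest public update per major release at the time of the report (from the article).
LATEST_PUBLIC_UPDATE = {6: 45, 7: 21}
# Java 5 receives no updates and is not removed by Java 7 installs or updates (per the article).
UNSUPPORTED_MAJORS = {5}

# Constructed sample inventory (hypothetical hostnames): endpoint -> installed version strings
# in the "1.<major>.0_<update>" form used by Java 5/6/7.
SAMPLE_INVENTORY = {
    "ws-001": ["1.6.0_20"],
    "ws-002": ["1.6.0_45", "1.7.0_21"],
    "ws-003": ["1.5.0_22", "1.6.0_20", "1.7.0_17"],
    "srv-001": ["1.7.0_21"],
}

_VERSION_RE = re.compile(r"^1\.(\d+)\.0_(\d+)$")


def parse_version(s):
    """Turn '1.6.0_20' into (6, 20); reject anything that does not fit the pattern."""
    m = _VERSION_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised Java version string: {s!r}")
    return int(m.group(1)), int(m.group(2))


def classify(version):
    """current / outdated against the latest public update; unsupported for Java 5; unknown otherwise."""
    major, update = parse_version(version)
    if major in UNSUPPORTED_MAJORS:
        return "unsupported"
    if major not in LATEST_PUBLIC_UPDATE:
        return "unknown"
    return "current" if update >= LATEST_PUBLIC_UPDATE[major] else "outdated"


def assess(inventory):
    """Summarise a fleet the way the report does: prevalence of Java 6, multi-version hosts, distinct versions."""
    findings = {host: {v: classify(v) for v in versions} for host, versions in inventory.items()}
    distinct = {v for versions in inventory.values() for v in versions}
    major_hosts = Counter()
    for versions in inventory.values():
        for major in {parse_version(v)[0] for v in versions}:
            major_hosts[major] += 1
    multi = sum(1 for versions in inventory.values() if len(versions) > 1)
    total = len(inventory)
    return {
        "findings": findings,
        "distinct_versions": len(distinct),
        "pct_with_java6": round(100 * major_hosts[6] / total, 1),
        "pct_multiple_versions": round(100 * multi / total, 1),
        # Hosts with anything other than a current build need a removal or upgrade decision.
        "hosts_needing_action": sorted(h for h, f in findings.items()
                                       if any(c != "current" for c in f.values())),
    }
```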

The most common way for hackers to attack Java installations is through the software's Web browser plug-ins by using exploits hosted on websites.

The Bit9 report did not contain specific information about how many of the Java installations identified on enterprise endpoints were accessible through the Web browsers on those computers. However, the majority of the sampled endpoint systems were desktops and laptops, so the likelihood of those Java installations being exposed to Web attacks is high, Sverdlove said.

Review: Nextly brings together the best of RSS, social networks, and Web browsing

Google Reader is dead. It changed forever the way we read our news, and it's gone for good, leaving the arena open for other players to attempt the same feats. Nextly, an innovative reading app based on streams, takes regular RSS feeds, strips them of everything that's annoying about the format, and provides a new reading experience that combines RSS with regular website browsing and social-network surfing.
Nextly turns any webpage or feed into a stream you can easily browse through.
To personalize the experience further, sign into Nextly using Facebook or Twitter. This will give you access to the My Collection and Favorites features, but will also enable Nextly's social Web browsing. Let's say you connected Nextly with your Twitter account; you can now use Nextly's stream to browse your Twitter feed and lists, automatically accessing all tweeted links as full articles. In other words, your Twitter (or Facebook) feed will be miraculously transformed into an easy-to-browse stream, complete with reply, retweet, and other sharing options.

This is all great, you might be thinking, but browsing single feeds doesn't sound too exciting in a post-Google-Reader, Feedly-inspired world. This is where Favorites come in. Once signed in, you can add any stream (or website) to your favorites, which then acts as a regular RSS reader for all intents and purposes.
Bookmark any webpage to your collection, or share it using a unique link.
All your favorite websites are listed under the Favorites tab, and while you can't sort these into folders like you can in other readers, Nextly makes up for it with full articles—no "read more" links—and a built-in social browser. Although Nextly displays full webpages in its streams, these are all pre-loaded, so you never have to wait for them to load while you browse.

Nextly also includes a built-in bookmarking feature called My Collection, to which you can add articles, tag them, and put them aside for later reading. You can also use the My Collection feature to save important articles for quick reference, and browse it at any time just like any other Nextly stream.
With Nextly, your Twitter feed turns into an RSS feed, with full webpages for each link.
Nextly is still in beta, but you won't notice this most of the time. The only bug I encountered, and this too was rare, was Web elements that failed to load correctly, mostly special ones like an iOS 7 live demo I was trying to check out. There's also no way that I could find to add streams manually if you can't find them in the Explore tab or by using the nextly.com/websitename method. While I was able to browse the vast majority of websites I tried using one of these two methods, I could not browse the ones I failed to find. With that said, if you're tired of truncated RSS feeds and traditional RSS readers, Nextly is sure to brighten your day.

Monday, 15 July 2013

Ad networks agree to take steps against online piracy

A group of U.S. companies operating Internet advertising networks has pledged to bar websites trafficking in pirated goods from using their services and to take other steps to fight online copyright infringement.

Eight companies operating online ad networks, including Google, Microsoft, Yahoo and AOL, have agreed to best practices for fighting Internet piracy, they announced Monday.

The ad networks will prohibit websites “principally dedicated to selling counterfeit goods or engaging in copyright piracy” from advertising with them, according to the best practices. The networks will also allow copyright owners to file complaints about piracy websites running ads, in a process reminiscent of copyright takedown notices under the Digital Millennium Copyright Act.

However, the ad networks may consider “any credible evidence” provided by the accused website in deciding whether to stop running its advertising.

Victoria Espinel

President Barack Obama’s administration “strongly supports voluntary efforts by the private sector to reduce infringement and we welcome the initiative brought forward by the companies to establish industry-wide standards to combat online piracy and counterfeiting by reducing financial incentives associated with infringement,” Victoria Espinel, the U.S. intellectual property enforcement coordinator, wrote in a blog post. “We believe that this is a positive step and that such efforts can have a significant impact on reducing online piracy and counterfeiting.”

Ad networks and copyright owners must also protect privacy, free speech and fair process in their antipiracy efforts, Espinel wrote. “We encourage the companies participating to continue to work with all interested stakeholders, including creators, rightholders, and public interest groups, to ensure that their practices are transparent and fully consistent with the democratic values that have helped the Internet to flourish,” she wrote.

The agreement will help prevent copyright infringement, participants said. “Ultimately, we want to create and maintain a healthy online space, promote innovation, and protect intellectual property,” Laura Covington, Yahoo’s vice president for intellectual property policy, wrote in a blog post. “The best practices we have committed to will help all of us get there.”

The Recording Industry Association of America and the Motion Picture Association of America both praised the agreement.

“The presence of advertisements by well-known brands on rogue websites that illegally distribute movies and television shows creates the false impression that such sites are legitimate, fostering consumer confusion and harm,” Chris Dodd, the MPAA’s chairman and CEO, said in a statement. “The announcement today is recognition by online advertising networks of the important role they play to help ensure a safe and secure Internet for all.”