New generation phones to have 'Kill switches'.

So-called kill switches are software to disable the phone if it is lost or stolen.

NEW YORK (CNNMoney) - Google and Microsoft will include a so-called kill switch in the next version of their smartphone operating systems, authorities announced Thursday.

The technology allows for a stolen Google (GOOG) Android and Microsoft (MSFT,Tech30) Windows Phone-powered Nokia (NOK) device to be disabled, making it useless to the thief.

With Google and Microsoft on board, kill switches will be available for 97% of the smartphone market, said New York Attorney General Eric Schneiderman, who made the announcement.

Newer versions of Apple's iOS currently include a kill switch called Activation Lock and tracking software that requires a password before the iPhone or iPad is reset. In May, Samsung launched a similar system it calls Reactivation Lock.

Schneiderman issued a report citing data that showed the number of smartphone thefts were on the rise, but that thefts of devices with kill switches were decreasing.

Although the technology is spreading, some older phones can't or likely won't be updated.

"With the majority of phones still without a kill switch, smartphone-related thefts and violence remain a tragic reality," Schneiderman's office said. "Criminals now target devices not likely to be equipped with a kill switch, increasing the importance of immediately implementing the life-saving technology across all manufacturers."

Schneiderman's initiative pushing for kill switches, Save Our Smartphones, also included officials from California and London. 

The article, "Kill Switch' coming to Google, Microsoft phones" with a different title here, was originally published on the CNN website by By Gregory Wallace  @gregorywallace for CNNMoney.

Google's Android security about to get even smarter.

Computerworld - Android security is always a hot-button issue. "Dangerous malware" and "new threats" make for great headlines, after all -- and companies that make money selling anti-malware software are always happy to feed fear-inducing fodder to stats-loving reporters (go figure!).

The truth, though, is that Android security is one of the most sensationalized and misunderstood subjects you'll read about in the tech media today. Plain and simple, a theoretical breach and a meaningful threat that's actually putting users at risk are two very different things.

Google's made a lot of progress in separating one from the other over the years -- and the company's about to take another step in making nearly every Android device even more secure.

Android security: The next phase

Over the next couple of weeks, Google will be rolling out a universal update that'll enable constant on-device monitoring for potentially problematic apps. It's an upgrade to the platform's Verify Apps function that first launched with Android 4.2 in 2012, as I reported exclusively at the time, and then spread to all devices with Android 2.3 and up last July.

As it stands now, Verify Apps watches your device for any new applications -- particularly those that you download and install directly ("sideload") instead of installing from the Google Play Store. Anytime a new app appears, the system instantly checks it for potentially harmful code and warns you of any dangers it discovers.

What's changing is that Verify Apps will soon continue to monitor your applications even after they're installed, thereby extending its level of protection.

"We're constantly updating what [threats] we're aware of, so being able to detect those things where we've improved our coverage is valuable," Android Lead Security Engineer Adrian Ludwig tells me.

Ludwig says the newly expanded system will also help identify issues with apps installed before Verify Apps became available -- or those installed without a person's knowledge while, say, someone else was borrowing a device.

"We want to make sure that if that were to happen, a user would be made aware of it after the fact," Ludwig explains.

Just like it does now, the updated Verify Apps system will run silently in the background; Google suspects the majority of users will never even know it's there. And if you'd rather not have the protection in place, you can always disable Verify Apps altogether in your device's system settings.

Beyond a single system

Remember, too, that Verify Apps works in conjunction with a server-side system that scans all apps uploaded to the Google Play Store. And both systems take advantage of something Google calls the Android Safety Net, which detects everything down to SMS abuse and blacklists sources that have exhibited shifty behavior in the past.

"At this point, there really is a collection of services that we're starting to think about as the Google security services for Android," Ludwig says. "We want to make sure there is no single point of failure within our platform so users can be protected."

That "no single point of failure" concept is important: With last year's "Master Key" vulnerability, for instance -- publicized, coincidentally enough, by a company that sells anti-malware software for Android -- Google implemented protection for its Play Store scanning system within a day of learning about the exploit and for its on-device Verify Apps system a few weeks later.

Even though OS-level patches didn't start hitting devices for another few months, those initial layers of protection were available to everyone almost instantly -- and according to Google's internal data, not a single real-world exploit attempt occurred before they were in place. In other words, the real-world risk related to the vulnerability was already next to none, as I pointed out at the time -- and once the Play Store and Verify Apps protection kicked in, it dropped even lower.

And there's the dull truth of this domain: When it comes to security, real-world assessments make for far less sexy headlines than sensational shouting based on theoretical threats.

The next steps

The expanded Verify Apps system will be rolling out as part of an upcoming update to Google Play Services, which means it'll automatically hit all devices with Android 2.3 or higher. That covers almost every phone and tablet out there -- nearly 99 percent of actively running products, according to Google's latest platform measurements -- and thanks to Google's ongoing deconstruction of Android, the update will happen behind-the-scenes and without the need for any manufacturer or carrier interference.

So what's the broad takeaway from this? It's the same thing I've been saying for years: Now more than ever, malware on Android is far less significant of a real-world issue than some reports would lead you to believe. In the real world, the killer viruses that are so good for headlines actually affect next to no one. And now, even if you don't exercise basic common sense -- even if you carelessly download shady-looking stuff from unofficial sources out in the wild -- your phone will automatically protect you even more than it already did.

Anti-malware software vendors will undoubtedly keep preying on ignorant reporters and consumers, but all it takes is a little bit of knowledge to keep the big bad virus monsters in perspective -- and out of your nightmares.

The article, "How Google's Android security is about to get even smarter" with a different title here, was originally published on the Computerworld website by JR Rapheal.

Windows malware tries to infect Android devices connected to PCs

Researchers from Symantec found a Windows Trojan program that uses ADB to install online banking malware on Android devices..

IDG News Service - A new computer Trojan program attempts to install mobile banking malware on Android devices when they're connected to infected PCs, according to researchers from Symantec.

This method of targeting Android devices is unusual, since mobile attackers prefer social engineering and fake apps hosted on third-party app stores to distribute Android malware.

"We've seen Android malware that attempts to infect Windows systems before," Symantec researcher Flora Liu, said Thursday in a blog post. "Android.Claco, for instance, downloads a malicious PE [portable executable] file along with an autorun.inf file and places them in the root directory of the SD card. When the compromised mobile device is connected to a computer in USB mode, and if the AutoRun feature is enabled on the computer, Windows will automatically execute the malicious PE file."

"Interestingly, we recently came across something that works the other way round: a Windows threat that attempts to infect Android devices," Liu said.

The new malware, dubbed Trojan.Droidpak by Symantec, drops a DLL file on the Windows computer and registers a new system service to ensure its persistence across reboots. It then downloads a configuration file from a remote server that contains the location of a malicious APK (Android application package) file called AV-cdk.apk.

The Trojan program downloads the malicious APK, as well as the Android Debug Bridge (ADB) command line tool that allows users to execute commands on Android devices connected to a PC. ADB is part of the official Android software development kit (SDK).

The malware executes the "adb.exe install AV-cdk.apk" command repeatedly to ensure that if an Android device is connected to the host computer at any time, the malicious APK is silently installed on it. However, this approach has a limitation -- it will work only if an option called "USB debugging" is enabled on the Android device.

USB debugging is a setting normally used by Android developers, but it's also required for some operations that are not directly related to development, like rooting the OS, taking screen captures on devices running old Android versions or installing custom Android firmware. Even if this feature is rarely used, users who turn it on once to perform a particular task may forget to disable it when they don't need it anymore.

The malicious APK distributed by this Windows malware is detected by Symantec as Android.Fakebank.B and masquerades as the official Google Play application. Once installed on a device, it uses the name "Google App Store" and the same icon as the legitimate Google Play app.

The malware appears to target online banking users from South Korea.

"The malicious APK actually looks for certain Korean online banking applications on the compromised device and, if found, prompts users to delete them and install malicious versions," Liu said. It also intercepts SMS messages received by the user and sends them a remote server.

The targeting of online banking apps and the theft of SMS messages that can contain transaction authorization sent by banks suggest the motivation of this malware's authors is bank fraud.

Even if this particular threat targets users from a single country, malware coders commonly borrow ideas from each other and replicate successful attack methods.

Liu advised users to turn off the USB debugging feature on their Android devices when it's not needed and to be wary of connecting their mobile devices to computers they don't trust.

The article above was originally published on the Computerworld website by Lucian Constantin

"Windows XP disaster inevitable" - says Microsoft.

Makes obvious prediction -- since it's calling the shots -- that ending support for XP will mean 'more systems will get compromised'.

Computerworld - Microsoft today used the hoary practice of predicting next year to drive another nail into Windows XP's coffin.

In an eight-item prognostication from several security professionals on its anti-malware and Trustworthy Computing teams, Microsoft forecast an increase in cybercrime that exploits unsupported software.

Microsoft's No. 6 prediction put the spotlight, and the onus, on Windows XP.

"This venerable platform, built last century, will not be able to keep pace with attackers, and more Windows XP-based systems will get compromised," prophesied Tim Rains, director of Trustworthy Computing, in a long post to Microsoft's security blog on Thursday.

Windows XP isn't quite "last century," at least to users; it may be old, very old in OS terms, but it wasn't released until September 2001.

Still, it is creaky, as any 12-year-old operating system would be. (By comparison, the same-aged Mac operating system would be OS X 10.1, aka Puma, a long-dead OS that required just 128MB of system memory; ran on the long-deserted PowerPC processors co-designed by Apple, IBM and Motorola; and was handed out as a free upgrade from OS X 10.0, or Cheetah.)

Microsoft has set Windows XP's end-of-support party for April 8, 2014, less than four months from now, and has given absolutely no hint that it will backtrack from that schedule.

Even if the end of support kills -- or allows infections for -- millions of still-used PCs.

According to analytics vendor Net Applications, Windows XP powered 34% of all Windows PCs last month. And with a two-month stall in decline, it now appears inevitable that the antique OS will be running more than one in every four PCs come April.

"The most effective way to protect systems in the current environment, where drive-by download attacks are so popular with attackers, is to keep all software installed on them up-to-date with security updates," said Rains.

True. But easier said than done.

Nor was Microsoft's 2014 prediction a trip to the ledge's edge: Rains has rained on Windows XP's parade before. In October, he extrapolated data on PC infection rates to conclude that XP users will face a dramatic uptick, perhaps a hike by two-thirds, in attacks after April 8 because patches won't be provided to the public.

And like some predictions, Rains' was self-fulfilling. Microsoft is, after all, the one pulling the plug on users. Users aren't abandoning XP, at least not in numbers large enough to suit Microsoft.

But most outsiders don't see Microsoft letting this prediction fall flat: Even analysts who once believed the company might be forced by events to continue patching have retracted those statements as Microsoft has failed to breathe a word of any last-minute lifeline.

If a bookie will take Rains' bet, put down some money. It's as certain as the sun coming up tomorrow.

This article, Microsoft bets on Windows XP disaster with a different title here, was originally published at Computerworld.com.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at  @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is gkeizer@computerworld.com.

Google's dreaded 'blacklist'

If Google detects persistent malware on a site, it will block the website, potentially freezing traffic until the problem is fixed.

NEW YORK (CNNMoney)  Small businesses are reeling from an increase in cybercrime, but a hacked website can have even greater consequences if Google lists you as "infected."

The search giant is constantly scanning the web's 60 trillion URLs for malware and phishing scams. If it deems a site suspicious, businesses can say goodbye to their customers until the problem is resolved.

"If Google blacklists an infected website, you're basically off the Internet until the website is fixed," said Peter Jensen, CEO of StopTheHacker.com.

Google (GOOG, Fortune 500) estimates that it flags and quarantines 10,000 websites daily (it doesn't use the term "blacklist"). It not only scans Google's search results and ads, but also flags suspicious URLs typed into browsers. The search engine Bing, run by Microsoft(MSFT, Fortune 500), treats infected sites in a similar fashion.

Related: Small businesses are easiest prey for cybercriminals

Being blacklisted can quickly decimate a small firm's reputation and sales.

"Businesses say they're not at fault and shouldn't be penalized. Google [says] it wants to keep the Internet safe for its users," said Jensen, whose firm is contacted 20 or 30 times a day by businesses that have been blacklisted.

Google spokesman Jason Freidenfelds emphasized that point. "About 1 billion people receive protection against phishing and malware every day because of the warnings we show users about unsafe websites," he said.

Margo Schlossberg owns an online handbag business in Washington D.C. that was hacked in September. A Google search for her website still says, "This site may be hacked."

The impact: Traffic to her site dropped 50% in the past month and her sales have been minimal.

"It's the worst time to go through this," said Schlossberg. "The holiday season is very important for my sales, but now I've been blacklisted by Google."

Schlossberg hired an expert to fix her site, which cost $1,000 (although it can cost as much as $10,000 depending on the extent of the damage).

Related: Cyber attacks devastated my business

Hackers had attacked several pages, and it's taken a few weeks to clean up her website. She's finally ready to resubmit her site to Google.

StopTheHacker says the process to clean up infected sites typically involves several steps: Identify the malware and how to remove it, determine where the attack originated, change passwords and relaunch the website once it's clean.

Google says it takes about a day to restore websites once it confirms they're clean. But sometimes a company can think its site is clean, but Google's review will find otherwise. This can draw out the process.

Eric Erickson's company sells eco-friendly pest control products online. When his site was attacked in 2009, it effectively paralyzed his business. He said it took 60 days to get back on track and cost several thousand dollars in lost sales.

His site was attacked again in March, but this time he was prepared. "We caught it early because we had enhanced our security," he said. The website stayed off the blacklist.

Web hosting provider DreamHost regularly checks the sites of its 350,000 customers -- 40% of whom are small businesses -- for malware and other security threats. In September, DreamHost identified almost 100,000 infected websites in its network of 1.3 million sites. If customers aren't able to fix the problems themselves, co-founder Dallas Kashuba recommends StopTheHacker to help clean up the site.

Related: New startups are prime targets for cyberattacks

Lynda Zugec's HR consultancy site was flagged and quarantined by Google earlier this year. Hackers had obtained her hosting password and inserted malware into her website.

It took her nearly two weeks to get back online. Even more than an economic impact, Zugec worries the experience could have hurt her reputation with clients.

But even with the financial and logistical hardships, most say Google's hardline is necessary.

"Google has its neck on the line, too," Erickson said. "When people click on your website, Google doesn't want to worry that something malicious will happen to its users."

His advice: "Don't go cheap with your security. You have to invest in it."

The above article was originally published on the CNN website by By Parija Kavilanz for CNNMoney

These are dark times for online privacy.

Online privacy is dead.

NEW YORK (CNNMoney) -- The U.S. government is spying on its own citizens' online activities. The FBI was able to suss out and shut down the anonymous black market Silk Road. Even the Internet-within-the-Internet called the Tor network -- the most secretive way to browse the Web -- is being monitored by the National Security Agency.

Silk Road serves as a prime example. It operated as a hidden service on Tor, an anonymizing tool that helps users and sites keep their identities secret. Everyone buying and selling drugs, weapons and other illicit items on the site thought they couldn't be tracked.Strong passwords and encrypted email services were never truly enough to protect users' online privacy. But recent revelations about government surveillance even throw into doubt the effectiveness of far-out measures of data encryption used by the most careful people surfing the Web.

But federal agents managed to track down a computer server Silk Road used, and the FBI monitored more than 1.2 million private communications on the site.

Related story: Facebook kills search privacy setting

If online privacy can't stand up to good, old-fashioned police work, it doesn't stand a chance against some of the more potent tools the government uses:

• The NSA figured out how to track down who's who on Tor by exploiting weaknesses in Web browsers, according to documents former NSA contractor Edward Snowden leaked to The Guardian -- a bug that was only recently fixed.
• PRISM, the government's hush-hush mass data collection program, lets even low-level NSA analysts access email, chats and Internet phone calls.
• The U.S. government issues frequent, secret demands for customer data from telecommunications companies.

It's no wonder, then, that many have declared the death of online privacy.

"Unfortunately, online anonymity is already dead," said Ladar Levison, founder of e-mail service LavaBit that closed its doors in the wake of the NSA's PRISM controversy. "It takes a lot more effort and skill than most have in order to keep your anonymity today."

Remaining unrecognizable and keeping conversations private online is immensely important. It's not just an issue for civil libertarians -- online privacy is crucial for crime victims, whistleblowers, dissidents and corporations trying to keep secret the latest high-tech research.

The result has been tantamount to a cryptographic arms race. On one side are independent programmers usually writing free software. On the other are a dozen U.S. intelligence agencies supported by a $52.6 billion black budget.

And while some claim unbreakable encryption is coming, large-scale availability is still years away.

"It's an open question how much protection Tor or any other existing anonymous communications tool provides against the NSA's large-scale Internet surveillance," said Roger Dingledine, Tor's lead developer.

Still, Aleecia McDonald, a privacy expert at Stanford University's Center for Internet & Society, said there's still a benefit to guarding yourself with a network like Tor. At least you make it harder to get spied on.

"The NSA has to attack Tor users one by one, not en masse as they do with non-Tor users," she said. 

The article above was originally published on the CNN website by Jose Pagliery  @Jose_Pagliery of CNN Money.

Uncertain future for BlackBerry's dwindling users.

CNN -- Since the dawn of the iPhone age in 2007, loyal BlackBerry users have watched their favorite device maker stumble into an ever-steepening decline.

Some of the collapse is due to the consumer changeover to Apple and Google Android products, but the company -- once known as Research In Motion -- hasn't helped itself with poor planning and delayed product introductions.

On Monday, the company that once blazed the trail in the smartphone market announced it's being taken private by its largest shareholder, Fairfax Financial, a Canadian insurance company.

The move comes on the heels of an announced $1 billion quarterly loss and layoffs of 4,500 employees. Its future as a maker of smartphones may be in doubt.

Now the dwindling numbers of loyal BlackBerry users must decide: Is this the last straw?

"You can tear my Blackberry's real keyboard out of my cold dead fingers," user Charles Wright of Toronto wrote on Twitter.It's no idle question. For all the attention paid to BlackBerry's fall and the rise of iPhone and Android, there's still a sizable BlackBerry market out there. Forbes magazine estimates that there are in excess of 50 million BlackBerry users, and they remain fiercely devoted to their phones, with their secure e-mail software and physical keyboards.

BlackBerry: Why breaking up is hard to do

Ronen Halevy, an IT security professional who runs the site BerryReview.com, still prefers his BlackBerry because it "focuses on communications first" -- even though he's familiar with both Android and iPhone platforms.

"They're very good devices to consume information, but the main point of the phone is that it's more like a computer," he says of the Apple and Google phones. BlackBerrys, he says, are better at "flow" from e-mail to calendar to other applications.

He hopes that the company returns to its roots.

"I think that Fairfax should double down on BlackBerry 10 and the combination of corporate and consumer market that appreciated the rock solid communication platform it offered," he wrote on BerryReview.com. "This means an end to the 'me too' additions of features to BlackBerry 10 and instead appealing to the market that made BlackBerry take off."

One commenter observed, however, that the company will be hard pressed to win new converts.

"Not good news for consumers, people hate the BB name and what it stands for. Self-inflicted suicide," kingbernie wrote. He suspected that becoming a corporate-focused software business might be the company's best way out of the wilderness -- even if it means leaving the consumer market behind.

From CrackBerry to 'depressing': The BlackBerry's 5-year fall

Chris Umiastowski, a tech analyst and regular contributor to the BlackBerry boards on CrackBerry.com, says BlackBerry fans should remain wary.

"Going private doesn't necessarily change the outcome for the company. All it is guaranteed to change is the ownership structure," he said via e-mail. "It's not a nail in the coffin, nor is it some massive opportunity to fix themselves. No matter who owns the shares they still have to compete with solid competitors. Going private just lets them operate outside of so much public scrutiny."

For those who want to put their BlackBerrys in a drawer next to their PalmPilots but want to keep a physical keyboard on their devices, your options are limited. The Motorola Photon Q and the Motorola Droid 4 are Android-compatible and have relatively large slide-out keyboards, but reviewers have taken issue with their camera capabilities.

In addition, BerryReview.com's Halevy observes, those keyboards -- which are landscape-oriented instead of the portrait-style versions on BlackBerrys -- seem like "afterthoughts."

"Even if you're in an e-mail and you want to hit the 'delete' button to delete an e-mail -- you think that's logical -- it doesn't work," he says.

The NEC Terrain, another Android phone with a physical keyboard, is marketed for its "rugged innovation" but, says Halevy, he doesn't think it's really aimed at the general consumer.

That leads to the host of smartphones with virtual keyboards, including the new iPhone 5S and 5C, the Android-compatibleSamsung Galaxy S4 and the Android HTC One, among many others. All have their pros and cons, whether it's your comfort with their operating systems or your desire for certain accessories.

But for those, like Umiastowski, who want to stick with BlackBerry, it will hard to get them to change.

His household includes a number of Apple items -- including his wife's iPhone -- but he prefers the BlackBerry. He's frustrated by the lack of apps for the device but still prefers the overall experience.

"BlackBerry has always been (and still is) the best experience for communicating. At first it was push email and physical keyboards. Now I'm on a Z10 and I find the multitasking + software keyboard + email experience is second to none," he wrote. "An iPhone would feel like a step backwards on those things which matter to me."

Besides, says Halevy, he likes how the BlackBerry creates community.

"The one thing you notice immediately when people change from BlackBerry to other devices is you never hear from them anymore," he says.

 The article above was originally published on the CNN website by Todd Leopold.