
Samsung TVs fail to encrypt voices

Written By Unknown on Thursday, 19 February 2015 | 23.34

18 February 2015 Last updated at 18:51 By Leo Kelion Technology desk editor

Samsung has acknowledged that some of its smart TV models are uploading their owners' voices to the internet in an unencrypted form.

The apparent oversight makes it easier for hackers to spy on customers' activities.

The matter was brought to the public's attention by UK-based cybersecurity experts.

Samsung told the BBC it planned to release new code that would encrypt the voice commands to protect its users.

"Samsung takes consumer privacy very seriously and our products are designed with privacy in mind," the company said in a statement.

Reassure consumers

"Our latest Smart TV models are equipped with data encryption and a software update will soon be available for download on other models."

The revelation is the latest in a series of PR problems for the South Korean company's smart TV division.

On 10 February it felt compelled to update its privacy policy after the original language raised concerns that its TVs were recording and transmitting everything said in front of them.

The blog post that clarified under what limited circumstances voice commands were shared specifically made mention of Samsung's use of "industry-standard security safeguards and practices, including data encryption" as part of its efforts to reassure consumers.

Last week it also said it was investigating why some of its sets were adding adverts to programmes and films where they did not belong.

'Easy to solve'

Concerns that Samsung was not always using encryption, as indicated, were raised by Ken Munro and David Lodge, from the London-based Pen Test Partners on Monday.

During their tests of one of Samsung's older internet-connected TVs, they discovered that it was uploading audio files of their commands to the voice recognition specialist Nuance in an unencrypted form alongside information about the TV, including its MAC address, which could act as an identifier.

Furthermore, when a transcribed copy of what had been said was sent back to the TVs - allowing the screen to act on the commands - this was also in an unencrypted form.

This meant that a hacker could read the words off a screen if they managed to hijack the data connection, rather than having to listen to each recording.

Samsung believes that such hacks would not be easy to achieve, and wants to reassure owners of older sets that they should not be too concerned.

But Mr Munro said he believed the flaw was serious.

"Intercepting those communications could be done over wi-fi by neighbours and/or hackers outside your house, if you use the wireless feature of the TV to hook up to the internet," he said.

"It could also be carried out by your ISP [internet service provider], and by anyone else that has access to internet backbones. I'm thinking governments, law enforcement.

"This is an easy problem to solve. The communications should be encrypted using SSL [Secure Sockets Layer cryptographic protocols] just like other sensitive internet communications are."



Lenovo in row over hidden spyware

19 February 2015 Last updated at 12:30 By Jane Wakefield Technology reporter

Computer maker Lenovo has been forced to remove hidden adware that it was shipping on its laptops and PCs after users expressed anger.

The adware - dubbed Superfish - was potentially compromising their security, said experts.

The hidden software was also injecting adverts on to browsers using techniques more akin to malware, they added.

Lenovo faces questions about why and for how long it was pre-installed on machines - and what data was collected.

The company told the BBC in a statement: "Lenovo removed Superfish from the preloads of new consumer systems in January 2015. At the same time Superfish disabled existing Lenovo machines in the market from activating Superfish.

Complaining

"Superfish was preloaded on to a select number of consumer models only. Lenovo is thoroughly investigating all and any new concerns raised regarding Superfish."

Users began complaining about Superfish in Lenovo's forums in the autumn, and the firm told the BBC that it was shipped "in a short window from October to December to help customers potentially discover interesting products while shopping".

User feedback, it acknowledged, "was not positive".

Last month, forum administrator Mark Hopkins told users that "due to some issues (browser pop up behaviour, for example)", the company had "temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues".

He added it had requested that Superfish issue an auto-update for "units already in market".

Superfish was designed to help users find products by visually analysing images on the web to find the cheapest ones.

Such adware is widely regarded in the industry as a form of malware because of the way it interacts with a person's laptop or PC.

Security expert from Surrey University Prof Alan Woodward said: "It is annoying. It is not acceptable. It pops up adverts that you never asked for. It is like Google on steroids.

"This bit of software is particularly naughty. People have shown that it can basically intercept everything and it could be really misused."

According to security experts, it appears that Lenovo had given Superfish permission to issue its own certificates, allowing it to collect data over secure web connections, known in malware parlance as a man-in-the-middle attack.

"If someone went to, say, the Bank of America then Superfish would issue its own certificate pretending to be the Bank of America and intercept whatever you are sending back and forth," said Prof Woodward.

Ken Westin, senior analyst at security company Tripwire, agreed: "If the findings are true and Lenovo is installing their own self-signed certificates, they have not only betrayed their customers' trust, but also put them at increased risk."

Clean install

Although Lenovo has said that it has removed Superfish from new machines and disabled it from others, it was unclear what the situation would be for machines where it had already been activated.

Prof Woodward said: "Lenovo is being very coy about this but it needs to explain how long it has been doing this, what the scale is and where all the data it has collected is being stored.

"There will be remnants of it left on machines and Lenovo does not ship the disks that allow people to do a clean install."

It raises wider questions about the deals that computer manufacturers do with third parties and the amount of software that comes pre-installed on machines.

Mr Westin said: "With increasingly security and privacy-conscious buyers, laptop and mobile phone manufacturers may well be doing themselves a disservice by seeking outdated advertising based monetisation strategies."

Users were particularly angry that they had not been told about the adware.

One Lenovo forum user said: "It's not like they stuck it on the flier saying... we install adware on our computers so we can profit from our customers by using hidden software.

"However, I now know this. I now will not buy any Lenovo laptop again."

The problem also caused a storm on Twitter, where both Lenovo and Superfish were among the most popular discussion topics.



Malware on menu on Jamie Oliver site

18 February 2015 Last updated at 14:06 By Kevin Rawlinson BBC News

Jamie Oliver's website was affected by a "malware problem", a spokesman for the celebrity chef has acknowledged.

Malicious code sought to exploit vulnerabilities in users' systems and install malware, researchers found.

If installed, that malware could give hackers control of users' computers, said one security consultant.

A spokesman for the Jamie Oliver Group played down the seriousness of the problem and told the BBC that it had been fixed.

According to Malwarebytes, unknown hackers either broke into Mr Oliver's site and placed malicious code there, or exploited existing code.

The script would direct unsuspecting users to a Wordpress site that hosted yet more malicious code. That would then run an exploit kit that would seek to find vulnerabilities in any user's system and install malware called Dorkbot.

'Tricked'

Online security consultant Graham Cluley said the hackers could then gain control of a user's system and direct fake searches.

"In other words, you may think you're googling but, in fact, you are being redirected against your will to search results that earn the attackers affiliate cash," he told the BBC.

"In addition, you may find that you are tricked into installing bogus security updates on your computer or told to ring what is claimed to be technical support - although you would actually be speaking to scammers after your credit card details."

According to a spokesman for Jamie Oliver, only 10 users had written to the site about the issue in the past couple of days.

He said that a "low-level malware problem" was identified and dealt with and that the site was now "safe to use".

The spokesman added: "The Jamie Oliver website is regularly checked for vulnerabilities by both our in-house team and an independent third party, and they quickly deal with anything that is found.

"The team is confident that no data has been compromised in this incident, but if anyone is worried do please use the contact form on the site.

"We apologise to anyone who was at all worried after going on the site."

The spokesman confirmed that existing code on the site was modified by a hacker, but said the website team was still trying to work out when that had happened.

'Serious'

The celebrity chef's site has 10 million visitors per month and is ranked 515th in Britain, according to an analyst.

Mr Cluley said that its sheer popularity made the problem "serious".

He said: "Users would hope that there was tight security in place on the website to prevent this kind of attack from happening - but it appears that things went badly wrong on this occasion."

Jerome Segura, of Malwarebytes, uncovered the issue. He said that, during tests, the malware sought to exploit Adobe Flash, Microsoft Silverlight and Oracle Java.

Mr Cluley advised users to run up-to-date antivirus software and the latest patches to secure applications.

He added that users should avoid running their computers with admin privileges, "as this is more attractive for attackers".



Bank apps to use fingerprint tech

18 February 2015 Last updated at 01:13 By Kevin Rawlinson BBC News

Two banks are allowing their customers to access accounts on their smartphones using fingerprint recognition technology, in a UK industry first.

RBS and NatWest customers must activate the feature with their security information, but would only need to use Apple's Touch ID thereafter.

The banks said that, after three failed login attempts, customers would have to re-enter their passcodes.

But a security expert expressed concern that Touch ID is not secure enough.

The banks, both part of the Royal Bank of Scotland Group, said that the feature would be available on the iPhone 5s, 6 and 6 Plus. Customers would have to enable the feature using their existing login details.

Some of the in-app features used to pay money that required additional verification would continue to do so and limits were set on new payments, the banks said.

They said that around 880,000 of their customers currently use the apps on those handsets.

The feature, which uses fingerprint recognition to grant access to iPhones, was criticised soon after it was introduced with the launch of the iPhone 5 in 2013.

A group of hackers managed to get around it only a day after the launch by making a fake finger from a photograph of a fingerprint left on a glass surface.

'Easy to spoof'

While Apple insisted that TouchID was secure, it said it was not a total replacement for traditional security measures and was meant to make unlocking the phone more convenient. In a similar vein, the banks have now said they wanted to make it "even easier and more convenient for customers".

Ben Schlabs, of SRLabs, a German hacking think tank, told the BBC: "The security implications are the same, it is just as dangerous... I think it has been shown that it is pretty easy to spoof it and the risks aren't fully understood."

He said that using TouchID alone to gain access to a banking app introduced dangers that were not present when using passwords or Pins.

"Just the fact that you are carrying the key around with you and leave copies of it exposed everywhere you go makes it a very different risk to something that is inside your brain. The risks are poorly understood."

However, he said that most people would have little need to worry, adding: "There have not been any reports that I know of with the iPhone sensor of actual crimes being enabled by it".

'Revolution'

According to a British Banking Association report, banking apps have been downloaded more than 12.4 million times in Britain.

The Way We Bank Now study, which was released last June, showed that people were making "around 5.7 million transactions each day using smartphones and other internet-enabled technology".

According to the banks, nearly 50% of their combined customer base of 15 million people used online banking and that around three million accessed their accounts via an app each week.

Stuart Haire, managing director, RBS and NatWest Direct Bank, said: "There has been a revolution in banking, as more and more of our customers are using digital technology to bank with us.

"Adding TouchID to our mobile banking app makes it even easier and more convenient for customers to manage their finances on the move and directly responds to their requests."



Google faces Android probe in Russia

18 February 2015 Last updated at 12:46 By Leo Kelion Technology desk editor

Google faces the prospect of a fresh competition investigation after Russia's biggest search engine filed a complaint with the authorities.

Yandex alleges that its rival has an unfair advantage because it insists device-makers set Google as the default search setting if they want to pre-install its Play store.

Google Play is promoted as the safest and best-stocked marketplace for apps and other media for Android devices.

Google has yet to respond.

The BBC understands the US company has yet to see the complaint filed with the Russian Federal Antimonopoly Service (FAS).

However, Google may try to defend itself by noting that manufacturers are free to install rival services if they choose not to pre-load its other software.

It is also likely to argue that customers can carry out searches via other software - including Yandex's search app - after buying an Android handset or tablet.

In the past, Microsoft and others have made similar complaints about Android to the European Commission, claiming that the operating system acts as a Trojan horse for Google's services.

Last year, the commission said it would "probably" launch a formal investigation into the claims if it did not get an "adequate" response from Google.

EU anti-trust watchdogs are already carrying out a separate investigation into Google's search and advertising business.

Market share drop

Yandex said that it had decided to act after three electronics companies - Prestigio, Fly and Explay - contacted it between last November and last month to say they were "no longer able" to pre-install Yandex's services on their Android devices because of Google's restrictions.

It said these included a take-it-or-leave-it rule, under which the manufacturers were forced to choose between installing the complete set of Google Mobile Services apps - including Google Play, Gmail, YouTube, Google Translate and Google Drive - and setting Google as the automatic search service, or opting out altogether.

The Moscow-based company added that Google was "increasingly" prohibiting device-makers from pre-installing competitors' services.

A spokesman for Yandex acknowledged that it was possible for customers to subsequently download its own app. But he noted that, unlike in Apple's iOS operating system, users could not later reset the default search service from being Google in their settings menu.

The spokesman also told the BBC that Yandex's share of searches carried out via Android devices in Russia had fallen - down from 52% in February last year to 44% now - despite rising on iOS over the same period.

"We believe that device manufacturers should have a choice as to which search provider to set as the default or which services to have preinstalled on the device," added Yandex's PR director, Ochir Mandzhikov.

"This is why we are talking about the need to unbundle Google's Android operating system from Google Search and its other end-user services."

Regulators at the FAS said they intended to respond to Yandex's complaint within a month.

"After the review, a decision will be made on launching a case or rejection," they said in a statement.



Plusnet investigates billing faults

18 February 2015 Last updated at 14:23

BT's Plusnet home broadband service has apologised after some of its customers incorrectly received emails telling them they were being billed extra for going over their traffic allowance.

The problem began on Tuesday, when subscribers' accounts started adding gigabytes of unused data.

Plusnet said that its engineers were "investigating the root cause".

It added that the issue had only affected "a small number" of its users, but did not say how many.

One customer contacted the BBC to report the problem.

"At 22 minutes past midnight this morning I received an email, and it said you are approaching your usage allowance, and once you've used your 40GB we'll charge you an extra £5 for every 5GB," Steve Rogers said.

"And then at 8.42am I got an email saying you've exceeded your usage, we've added some more.

"And then it happened again at 9.51am.

"I thought I haven't been doing anything out of the ordinary... I wonder if my wife has been downloading loads of stuff."

A check of Mr Rogers' account, using Plusnet's View My Usage tool, revealed that 28.2GB of data had been added to his tally yesterday and a further 14GB on Wednesday morning - far in excess of his actual usage.

Plusnet has put an answerphone message on its hotline and a note on its support page acknowledging the problem.

A spokeswoman also issued a statement to the BBC.

"Yesterday, a small number of Plusnet customers on 'limited' broadband packages received email notifications regarding their broadband usage," it said.

"The emails incorrectly stated that customers had gone over their usage limits. The issue has now been resolved.

"We are confident that no customers have been overcharged. However, if any customers have any concerns, please visit the Member Centre on our website or feel free to get in touch with us."

Plusnet's service page notes that maintenance work was carried out on its back-end systems on Sunday evening, but the firm said that this was not linked to the fault.



Motorola boss at odds with Jony Ive

18 February 2015 Last updated at 16:05 By Leo Kelion Technology desk editor

Motorola's president has defended its "build-your-phone" programme after harsh words from Apple's lead designer.

Jony Ive appeared to attack the Moto Maker scheme in an interview in which he criticised the idea of giving consumers huge choice over how their handsets were made to appear.

Rick Osterloh, president of Motorola, told the BBC his company had a "different philosophy".

And he criticised Apple in turn, calling its prices "outrageous".

Sir Jonathan specifically asked the New Yorker magazine not to name the company he had been "scathing about", but a campaign launched by Motorola in late 2013 matches the description he gave.

"Their value proposition was, 'Make it whatever you want. You can choose whatever colour you want,'" Sir Jonathan is quoted as saying.

"And I believe that's abdicating your responsibility as a designer."

Motorola promotes Moto Maker as offering shoppers "thousands of ways" to customise its Android-powered Moto X handsets. Choices include the colour of the model's back, the type of metal trim used and the option to include a variety of leathers in its design.

Mr Osterloh said of the scheme: "Our belief is that the end user should be directly involved in the process of designing products.

"We're making the entire product line accessible.

"And frankly, we're taking a directly opposite approach to them [Apple]."

He added that he believed this difference in strategy went wider than design.

"We do see a real dichotomy in this marketplace, where you've got people like Apple making so much money and charging such outrageous prices. We think that's not the future," he said.

"We believe the future is in offering similar experiences and great consumer choice at accessible prices.

"The mobile phone industry's greatest failure is also its greatest opportunity: to make really good, affordable devices for people who don't want to spend a lot of money.

"A great smartphone, and a great mobile internet experience, shouldn't be an expensive luxury. It should be a simple choice for everyone."

Motorola launched Moto Maker while owned by Google, but it has since become a division of China's Lenovo.

'Insipid' cars

Sir Jonathan - who was knighted in 2012 for his services to design - was also critical of another brand, in the New Yorker article, suggesting Toyota's Echo model was "shocking".

"It is baffling, isn't it? It's just nothing, isn't it? It's just insipid," he said of the vehicle, which is also sold as the Yaris.

A spokeswoman for Toyota declined to comment.

Sir Jonathan did, however, praise Bentley's vehicles, saying he "loved" their designs.

According to reports by the Financial Times and the Wall Street Journal, Apple is working on a car as a possible follow-up to its forthcoming smartwatch.



New HTTP/2 protocol to speed up web

18 February 2015 Last updated at 19:09

A new web protocol that promises to speed up internet browsing has been approved.

The changeover to HTTP/2, when it happens, will be the first major update to the standard in 15 years.

The Internet Engineering Steering Group (IESG) has accepted the protocol, one of its senior members wrote in a blogpost on Wednesday.

The standard will now go on to be edited before being applied, Mark Nottingham added.

Its developers believe the new standard will represent a big step forward because it will make pages load quicker and improve encryption.

Compatible

In another blogpost, written in January last year, Mr Nottingham - who chairs the Internet Engineering Task Force's (IETF) HTTP working group - wrote about the proposed benefits of HTTP/2.

Instead of trying to reinvent the protocol, he said that the group was seeking to make the new one compatible with the old.

"Making HTTP/2 succeed means that it has to work with the existing web. So this effort is about getting the HTTP we know on the wire in a better way," he wrote then.

Hypertext transfer protocol - HTTP - is the means by which browsers communicate with servers to render pages.

The new version, Mr Nottingham wrote, would make it easier to use the web's encryption technologies, encouraging more websites to do so.

'Not pixie dust'

But he added that HTTP/2 was not "magic Web performance pixie dust".

Instead of improving webpage loading times by half, it was "more accurate to view the new protocol as removing some key impediments to performance", he wrote.

"Once browsers and servers learn how and when to take advantage of that, performance should start incrementally improving."

The protocol is based on a Google technology called SPDY, which has been used in recent years. Google will switch to HTTP/2 in its Chrome browser.



'Revenge porn' mogul pleads guilty

19 February 2015 Last updated at 11:56

The man behind a "revenge porn" website has pleaded guilty to hacking and identity theft, in Los Angeles.

Hunter Moore, 28, faces between two and seven years in prison, according to the US Attorney's Office.

He ran IsAnyoneUp.com, on which pictures were posted of naked women without their consent, and was once called "the most hated man on the internet".

Another man allegedly involved has pleaded not guilty and faces trial.

As well as running the site - where people often posted pictures of their ex-lovers, coining the term "revenge porn" - prosecutors said Moore had also enlisted a hacker to steal nude photos from email accounts.

Photos posted between 2010 and 2012 included pictures of an American Idol finalist, the daughter of a major US Republican party donor and a woman in a wheelchair, according to a 2012 article in Rolling Stone magazine.

Moore alleged in the agreement that he had paid Charles Evens to hack email accounts and steal photos.

Mr Evens, 26, of Los Angeles, pleaded not guilty and is scheduled for trial in March. He refused to comment.

Moore is due in court on Wednesday 25 February, although the Attorney's Office spokesman said sentencing could be postponed until March. Moore will also be required to inform his parole officer every time he uses a new device capable of accessing the internet.

Moore was arrested in January 2014 after an FBI investigation. He had previously been ordered to pay $250,000 (£170,000) in damages for defamation after a civil lawsuit.

He was found to have made false claims on Twitter that James McGibney, the chief executive of an anti-bullying website, was a paedophile who possessed child pornography.



Oscars films see online piracy surge

19 February 2015 Last updated at 15:09 By Leo Kelion Technology desk editor

American Sniper would win best picture and Birdman's Alejandro Inarritu best director if the Oscars were determined by online piracy rates, a study says.

It suggests being nominated in one of the four major categories has a particularly profound effect on illegal downloads of indie and art house films.

The authors suggest that producers of such movies become more flexible about how and when their titles are released.

But one industry expert said that was easier said than done.

The report was carried out by Irdeto, a US company that sells piracy controls to the pay-TV sector.

It used "crawler" software to monitor downloads via Bittorrent peer-to-peer file-sharing services around the world and says its figures represent the minimum number of illegal downloads.

As part of the study, the company compared the amount of piracy in the week before nominations with the week after.

Selma, Wild, American Sniper, Still Alice and Birdman saw some of the biggest swings in popularity, and each accounted for more than 100,000 downloads.

By contrast, two other films that had been tipped for the awards but failed to secure nominations in the major categories did not experience similar demand: Mr Turner has been downloaded 9,086 times since 15 January, and Inherent Vice has been downloaded 53,008 times, according to the study.

| Title | Illegal downloads since nomination | Piracy rate increase | Major nominations |
|---|---|---|---|
| American Sniper | 1,389,819 | 230% | Picture, actor |
| Gone Girl | 1,252,074 | 83% | Actress |
| Birdman | 796,697 | 192% | Picture, director, actor |
| The Theory of Everything | 776,239 | 161% | Picture, actress, actor |
| The Grand Budapest Hotel | 636,292 | 41% | Picture, director |
| The Imitation Game | 467,700 | 175% | Picture, director, actor |
| Whiplash | 325,782 | 171% | Picture |
| Boyhood | 244,270 | 23% | Picture, director |
| Wild | 163,652 | (pre-nomination piracy not detected) | Actress |
| Selma | 144,075 | 1033% | Picture |
| Foxcatcher | 118,323 | 78% | Director, actor |
| Still Alice | 108,660 | 194% | Actress |
| Two Days, One Night | 85,166 | 73% | Actress |

Source: Irdeto, covering the period running up to 14 February

For comparison's sake, the study also provided download figures for three big-budget mainstream films over the same post-nomination period:

  • Interstellar - 1.4 million downloads
  • The Hobbit: The Battle of the Five Armies - 1.3 million downloads
  • John Wick - 1.3 million downloads

Collapsed windows

Irdeto suggests the Oscar nominations and resulting media coverage drove many users to search for the films on illegal sites, and it noted the DVDs used to let Academy Awards voters watch and judge the movies sometimes became the source of the pirated files.

The company acknowledged that not every download represented a lost sale, but it suggested the activity was particularly damaging to films that would not be classed as conventional "blockbusters".

"The Oscars are traditionally a time for independent and less mainstream movies to generate significant revenues," said Rory O'Connor, the company's vice-president of sales.

"In the past, such high quality movies could be funded through the Oscars mechanism by reaching a broader public - [distributors] might not have had such a big budget to publicise the films first time round, but they could then piggyback the Oscars media campaign.

"But that mechanism is breaking down because of piracy."

He added that a solution would be for "windows" - used to stagger a film's initial cinema release and its later screenings in other countries and sale on other formats - to be "collapsed".

So, if a film was nominated, it could be offered for rent or sale around the world shortly after, to provide an alternative to piracy.

"People are willing to pay premium pricing for good quality and early availability [on their home TV], so I think there is an opportunity to compensate for the revenue that may be lost from a cinematic release," Mr O'Connor said.

'Caught in a bind'

However, an adviser to the Independent Film and Television Alliance said its members had less latitude to act than the major studios, which control their own films' releases.

Bertrand Moullier said smaller movies often relied on funding from local distributors who bought the release rights before filming started.

These distributors might be unwilling to suddenly change their plans, he said, because of concerns the films would then clash with others coming out locally at the same time.

"We are caught in a bit of a bind because [the idea of] beating piracy by releasing a movie everywhere in a saturation-release pattern to beat the peer-to-peer sharers is logically right," said Mr Moullier.

"Unfortunately, it also goes against the grain of how independent films must be assembled and put together.

"But [relying on local distributors] is also a very effective way of making sure a film gets the right adapted marketing strategy in each of the cultures where it's shown."

