Friday 26 August 2016

Apple tackles iPhone one-tap spyware flaws


Flaws in Apple's iOS operating system have been discovered that made it possible to install spyware on a target's device merely by getting them to click on a link.
The discovery was made after a human rights lawyer alerted security researchers to unsolicited text messages he had received.
They discovered three previously unknown flaws within Apple's code.
Apple has since released a software update that addresses the problem.
The two security firms involved, Citizen Lab and Lookout, said they had held back details of the discovery until the fix had been issued.

Rare attack


The lawyer, Ahmed Mansoor, received the text messages on 10 and 11 August.
The texts promised to reveal "secrets" about people allegedly being tortured in the United Arab Emirates (UAE)'s jails if he tapped the links.
Had he done so, Citizen Lab says, his iPhone 6 would have been "jailbroken", meaning unauthorised software could have been installed.
"Once infected, Mansoor's phone would have become a digital spy in his pocket, capable of employing his iPhone's camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements," said Citizen Lab.
"We are not aware of any previous instance of an iPhone remote jailbreak used in the wild as part of a targeted attack campaign, making this a rare find."
The researchers say they believe the spyware involved was created by NSO Group, an Israeli "cyber-war" company.
"[It is] the most sophisticated spyware package we've seen," said Lookout.
"It takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile - always connected (wi-fi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists."

Analysis: Dave Lee, BBC North America technology reporter

This is in many ways a textbook case of the cybersecurity community acting precisely as it should. Researchers were alerted to a vulnerability, investigated it, and made Apple, the company responsible for fixing it, aware so it could issue a fix. Apple, to its credit, understood the severity and acted quickly - it took them just 10 days.
These types of vulnerabilities are rare and extremely lucrative. A genuine "zero day" - the name given to previously unknown security flaws - can be sold for upwards of $1m when it affects a major piece of software like Apple's iOS. In this case, it looks like several zero days were combined to make a hugely sophisticated attack package.
Now attention is shifting to the secretive organisation said to be behind the attack, the NSO Group, described by researchers as a cyber arms dealer, and described by itself as a firm capable of being a "ghost" on victims' devices - working undetected but gathering enormous amounts of private data.
According to Privacy International, NSO Group has sold its products to clients in Mexico and in Panama - but little is known about other deals involving the company which is said to be worth more than $1bn.
Pressure is also being put on Francisco Partners Ltd, the San Francisco-based venture capital firm that has a controlling stake in NSO Group. It is yet to comment on the controversial attack.

NSO has issued a statement acknowledging that it makes technology used to "combat terror and crime" but said it had no knowledge of any particular incidents and made no reference to the specific spyware involved.
"These are rather rare zero-day flaws," commented security expert Prof Alan Woodward, referring to the technical name for previously unknown vulnerabilities.
"To have several found at once is even rarer. As can be seen from how these have been exploited to date, it represents a serious threat to the security and privacy of iOS users.
"Apple has been remarkably responsive in providing fixes for these issues, so I would encourage any iOS users to update to the latest version of the operating system."
For its part, Apple has limited itself to saying: "We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5. We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits."

Is Windows 10’s ‘Hidden Administrator Account’ a security risk?

We have two types of user accounts: local and Microsoft accounts. Over the years from Windows XP through Vista, Windows 7 and up to 8.1, I have always used local accounts, where you could easily control the security of your operating system by using a password-protected standard user account. However, to get the real benefits of Windows 10 requires creating a Microsoft account. (Of course, one way to ensure privacy is to create a new outlook.com account and just use it for log in purposes.)
From what I understand, Windows 10 automatically generates another super or elevated Administrator account during installation, and this account is hidden by default for security reasons. Unlike the normal Administrator account, this runs all programs with admin rights by default, without that annoying UAC box appearing when you attempt to run a program. What is to stop any malware installing itself on your PC?
Also, is it best to enable the hidden Administrator account should it become necessary to access it for any reason? Marcus
The appearance of every new version of Microsoft Windows usually creates panic in people who think they’ve found something new, when it’s actually something old. Windows 10’s privacy settings, for example, are more or less identical to the ones in Windows 8. The email-based Microsoft Account logon system was also introduced four years ago, in 2012.
The “Hidden Administrator Account” has been around even longer. It first appeared in its current form in Windows Vista a decade ago, and has been in every version of Windows since. It was even in Windows XP, but you had to boot Windows in Safe Mode – or edit the registry – to see it.
Windows XP was – and still is – famously insecure. One reason for its insecurity was that most people logged on using what Unix users would call a “root account” with the power to do anything. Unix, Linux and Unix-based Apple Mac OS X users generally used less powerful accounts, which meant any malware couldn’t cause as much damage.
Right from the beginning, Windows XP had exactly the same design, with an Admin (root) account and less powerful user accounts. Unfortunately, few people used them, partly because of badly-written third-party software that could only be installed from root accounts. Many programs had been converted from DOS-based Windows where that was the norm: in Windows 95, Windows 98/98SE and Windows ME, every user could modify everything.

Enter the UAC

Microsoft stopped this by introducing UAC (User Account Control) in Windows Vista. This made users run a safe user account by default. If something needed Admin privileges, UAC would grey the screen and pop up a box, asking you to escalate to Admin level. As a result, badly written third-party software popped up loads of UAC interruptions, which eventually pressurised suppliers to rewrite their software to avoid them.
Of course, Microsoft also provided a get-out so that impatient and arrogant users could turn down the level of UACs or turn them off, making their PCs less secure. But the UAC and other security improvements still led to a dramatic reduction in the number of Windows virus infections in Vista and Windows 7.
The “Hidden Administrator Account” has survived because it has a purpose. It allows you to upgrade Windows 7 to Windows 10 or whatever without running into a snowstorm of UAC pop-ups. Once the operating system is installed, the hidden account is disabled. You don’t need to know it’s there, and under normal circumstances, you should never need to use it.
However, you should never run a copy of Windows 7 to 10 with only one Admin account – which will usually be the first account you set up. If you use that Admin account all the time and it gets corrupted, you’re in trouble. You might be able to regain access by using the hidden admin account, but that’s turned off by default, and the process is obscure and prone to failure.
So, my advice is to forget all about the Hidden Administrator Account. Instead, create a second Admin account that you can use if your original account is corrupted, or you forget the password, or something bad happens.
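A read-only PowerShell check of the setup recommended above, added here as an example and not part of the original column: it reports whether the built-in Administrator account (identified by its well-known RID 500) is disabled, how many other enabled local administrator accounts exist, and whether UAC is switched on. It assumes Windows PowerShell 5.1 or later, which provides the LocalAccounts cmdlets.

```powershell
# Added example: read-only audit of local administrator accounts and UAC.
# Nothing here changes the system; it only reports the current state.

# The built-in Administrator always has a SID ending in -500,
# so this finds it even if the account has been renamed.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }

# Members of the local Administrators group (well-known SID S-1-5-32-544).
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544'

# Enabled local accounts that hold admin rights, excluding the built-in one.
# Accounts signed in with a Microsoft Account are still local users here.
$enabledLocal = Get-LocalUser | Where-Object Enabled
$usableAdmins = @($admins | Where-Object {
    $_.ObjectClass -eq 'User' -and
    $_.SID.Value -notmatch '-500$' -and
    ($enabledLocal.SID.Value -contains $_.SID.Value)
})

# UAC policy values: EnableLUA = 1 means UAC is on;
# ConsentPromptBehaviorAdmin = 0 means admins are elevated without a prompt.
$key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

[pscustomobject]@{
    BuiltinAdminName      = $builtin.Name
    BuiltinAdminEnabled   = $builtin.Enabled          # expected: False
    EnabledAdminAccounts  = $usableAdmins.Name -join ', '
    HasSpareAdmin         = $usableAdmins.Count -ge 2  # a second admin exists
    UacEnabled            = $policy.EnableLUA -eq 1
    AdminPromptSuppressed = $policy.ConsentPromptBehaviorAdmin -eq 0
}
```

A result with `BuiltinAdminEnabled` False, `HasSpareAdmin` True and `UacEnabled` True matches the configuration the column recommends.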

User accounts

You already know the dangers of working with a full Admin or root account. For this reason, Microsoft has provided several alternatives with different levels of security and control.
All the adults that use a Windows 10 PC should have their own standard user account. As the sole administrator of one or more PCs, you can set these up by going to Start, running the Settings app and clicking Accounts. Select “Family & other users” from the left hand menu, and choose whether to “Add a family member” or “Add someone else to this PC”. If you choose “Add a family member”, you then get two options: Adult and Child.
When you add a non-family member, they should use their own MSA. That way they will have access to their own apps, but they won’t have access to family information. If you set up a child account, you can have it monitored: they can only access websites and apps that you have approved, and you can set time limits and curfews. You can also provide accounts with access to school or work networks, including device management networks (MDM).
Further, you can provide “assigned access” so that a user can use only one Windows Store app, such as Skype. You could use this to enable a child to play a single game, or for gathering information, etc. For example, a club could use it for a survey.
When you limit what people can do on a PC, you limit the amount of damage that they can do, and the amount of damage that malware can do.

Using a Microsoft Account

You are correct in saying that you need to log on to Windows 10 with a Microsoft Account (MSA) to make full use of its features. This applies whether the account is an Admin account, a standard account, or a child account, etc, and I don’t think it makes a significant difference to your security.
Windows 10 is a mobile operating system delivered and maintained from the cloud. Using an MSA enables Windows 10 to get your email automagically, and lets you save files to your OneDrive cloud. It means apps are securely installed and updated from the online Windows Store – exactly like Google Android and Apple iPhone and iPad apps.
It means you can “roam”, signing on with your MSA on different PCs, sync data, or get a whole new PC set up like an old one, with the same apps and settings. Indeed, a Microsoft Account also works across Xbox One games consoles, Windows smartphones, and dozens of apps on Apple iOS and Android devices.
You are correct in saying that you can open a new email account at outlook.com for your log-on to Windows 10, and this does not require any personal information. You don’t have to use it for email and, unlike Google, Microsoft does not data-mine your emails for advertising purposes.
Alternatively, you can use a non-Microsoft email address to set up your MSA, but this gives Microsoft more information than it would get from a token outlook.com address. If you use, say, a Gmail address, Windows 10 will still work with OneDrive, Microsoft’s free online Office suite and related programs. However, as soon as you click the email tab, Microsoft will create an outlook.com email service that can send emails “from” your Gmail address.
You can also use a purely local account, without an email link. However, you will eventually end up using one with the Microsoft Store. As with the Apple and Google stores, you have to log on, even if you never intend to buy anything.
At least the Microsoft ecosystem supports both local and cloud-based computing across all the leading platforms, stretching from USB compute sticks to giant server farms. Neither Apple nor Google does that.

Wednesday 24 August 2016

Tech Startups Struggle to Close Deals With IT Buyers

When Haier America’s Deanna Johnston needs to update or fill gaps in the company’s information-technology systems, she looks at products and services offered by startups.
But even after a trial run, she rarely buys them, Ms. Johnston said.
Instead the appliance maker’s chief information officer said she often uses cheaper prices offered by startups as a bargaining chip in price negotiations for similar tools sold by large enterprise IT vendors.
As Haier and other large corporations become increasingly digital, they are spending more time checking out technology offered by small, independent tech firms. Yet startup products and services for enterprises, while more accepted than a few years ago, still face significant resistance on the path toward revenue, CIOs and industry analysts say.
“I won’t take a risk on something that isn’t from a proven enterprise technology company,” especially for key functions, such as sales, human resources, cybersecurity or even office email, said Ms. Johnston. “Some startups are just so cheap or free, you’re nervous to go with it. What if they go out of business?”
Only 23% of 112 large corporations in a recent survey said working with startups was very important, according to MassChallenge, a startup accelerator, and software consulting firm Imaginatik PLC. Respondents included insurers, manufacturers and software firms, among other companies across a range of industries, roughly half of which had at least 10,000 employees and more than $5 billion in annual revenue.
Jonathan Lehr, managing director of Work-Bench Ventures, an accelerator and venture-capital firm for enterprise tech startups, said the problem can be simply “getting in the door and then demonstrating value,” rather than offering lots of free trials that don’t convert into paid licenses.
He said many tech startups, especially those in the software-as-a-service market, can have trouble selling to Fortune 1000 firms if their product doesn’t scale, they don’t have proper security controls in place, or they don’t have a robust sales and support team.
A handful of enterprise IT startups are fetching billion-dollar valuations. In North America, 51 of 94 startups with valuations over $1 billion—known as “unicorns”—sell business technology, according to CB Insights.
Cloud software maker Okta Inc., for instance, raised its valuation over the $1 billion mark in September, following a $75 million funding round with such high-profile investors as Andreessen Horowitz, Greylock Partners and Sequoia Capital. In June, Twilio Inc., which enables developers to build applications that can interact with customers, raised $150 million in an initial public offering that valued the company at $1.2 billion.
Twilio this month reported total revenue of $64.5 million for the second quarter, up 70% from a year ago, and 30,780 active customer accounts, up from 21,226. Okta, which doesn’t disclose revenue, said new paying customers this year include Pitney Bowes Inc. and Flextronics International Ltd., among other large firms, according to a spokeswoman.
But early enthusiasm for an IT startup is no guarantee of widespread adoption or revenue growth down the road, according to Ted Schadler, a principal analyst at Forrester who focuses on application development and delivery.
Adding to the risks for corporate IT buyers: valuations for tech startups are falling as investors get pickier, he said. There were at least 53 startups that by August last year had raised capital at a valuation of $1 billion or more for the first time, according to VentureSource. So far this year there are only nine, in part reflecting the challenges of turning investor cash into revenue.
“Investors have bet on revenue and profit growth that may well prove unrealistic if not fantastical,” Mr. Schadler said in a recent research note.
Revenue-generating IT startups can become attractive targets for acquisitions, leaving CIOs to speculate about the fate of fledgling products and services once they are swallowed up by larger vendors, said Jim Ferrato, CIO of call center operator IBEX Global Solutions PLC.
“Some of the more interesting startups get acquired and integrated in ways that take their product road maps in a different direction,” he said.
Though Mr. Ferrato isn’t currently using any startup technology, he said startups can offer an opportunity to address a strategic niche, rather than key enterprise functions, such as handling customer payments, logistics or marketing. He said he has had good experiences in the past deploying startup technology in areas such as speech analytics and customer experience management apps.
Haier’s Ms. Johnston said she agrees that startups are best deployed for functions that aren’t essential to core business operations. For instance, the company is currently using a free employee iPad check-in tool developed by a startup, she said.
“If they go out of business, we’ll just switch over to a paid version with little disruption,” she adds.

How to Take Windows 10 Screenshots with the Snipping Tool


There are several ways to take Windows 10 screenshots. Some, like the physical button combo for Windows tablets, are relatively new. Others, such as the famous Print Screen key, have been around for years. But many Windows users don’t know that the operating system includes a handy utility called the Snipping Tool, which allows for the creation and annotation of screenshots in a much more granular way. Here’s how it works.

To launch the Snipping Tool in Windows 10, simply search for it via the Start Menu. The Snipping Tool is also available in earlier versions of Windows, and can be launched via Start Menu (Windows 7) or Start Screen (Windows 8) searches.


When launched, the Snipping Tool displays a small window with just four buttons. But don’t let its diminutive appearance fool you. There’s quite a bit of power hidden in those buttons.

To use the Snipping Tool, first decide exactly what you’d like to screenshot. Aforementioned methods for Windows 10 screenshots such as Print Screen only capture the entire screen. The Snipping Tool, on the other hand, lets you capture a specific window or a user-defined section of the screen as well.
As an example, let’s say that we want to capture a screenshot of the Windows 10 calculator app. We’ll first launch Calculator and resize or configure the app’s window as desired. Next, click the downward arrow next to New and select Window Snip.



Hover the mouse cursor over the desired window. The screen will dim everything except for the application window underneath the mouse cursor, which will be outlined in red. When you’re ready, simply click once to grab a perfect screenshot of the chosen window. The resulting screenshot will appear inside the Snipping Tool window, beneath the buttons. If you need to capture more than just a window, you can select Free-Form or Rectangular Snip from the New Menu to capture a specific area of the screen, or Full-Screen Snip to grab the entire thing.
Once you have your screenshot captured, you can either save it to your PC as a GIF, JPEG, or PNG file (the floppy disk icon), copy the image to your clipboard (the two documents icon), or attach it to an email using your default mail application (the envelope and letter icon). Before taking any of these actions, however, you can also annotate the screenshot with a digital pen or highlighter by clicking on the corresponding icons. If you’re not happy with the screenshot and want to try again, just click New to discard your existing image and grab a new shot.

Capture the Perfect Moment

Sometimes you need to capture a screenshot of an app performing a certain action or responding to user input. In cases like these, you can use the Snipping Tool’s Delay feature to give yourself up to five seconds to prep the app or perform an action.
Just choose a delay time in seconds from the Delay drop-down menu and then choose one of the capture options under the New menu. The tool will silently count down the designated number of seconds and then freeze everything to take the type of screenshot you selected. There’s no audible or visible countdown during the delay, however, so you’ll need to act fast and keep count in your head.

Third Party Tools for Windows 10 Screenshots

The Snipping Tool certainly provides more flexibility than something like the Print Screen key, but third party screenshot utilities may be the answer if you need even more advanced capabilities. There are dozens of paid and free screenshot utilities on the market, but here are a few we’ve used and like:
WinSnap ($30): In addition to the standard screenshot options, WinSnap can capture multiple windows at once from different applications and includes more advanced editing tools, such as the ability to add drop shadows, reflections, and watermarks to captured images.
PicPick (Free): Offers an assortment of image editing tools to modify your screenshots, as well as some unique capture modes, such as capturing the entire output of a scrolling window.
Greenshot (Free): It includes all of the basic capture methods of the previous utilities, but Greenshot excels at sharing captured images, with built-in integration for most of the popular file sharing services and social networks.
As mentioned, there are many more tools of varying quality available, but those above are options with which we have personal experience. Most users will find the capabilities of the Snipping Tool to be more than adequate for their Windows 10 screenshot needs, but if you find yourself wanting more, the above utilities are a great place to start.











How to get more storage in Android: Not enough storage? Here's a fix

If your Android smartphone or tablet is running low on storage for your apps, photos, video, music and other files - perhaps you have received an error message suggesting you have insufficient storage available - there are several ways to get around it. Here's how to get more storage on an Android phone or tablet.

How to get more storage in Android: microSD card

The easiest way to add storage to your Android phone or tablet is with a microSD card - even if it doesn't support one.
Assuming it does, when buying a microSD card for your phone or tablet you should first check the manufacturer's specification or reviews of that device to see what type of cards it will accept. Many budget phones, for example, will accept only 32GB, while higher-end devices typically handle 128GB. You certainly don't want to pay out for a 128GB card only to find it won't work in your phone.
You'll find manufacturers offer various types of microSD card, with some claiming to be faster or more secure than others. For simple storage of your files any microSD card will do, but note that fakes can be found online, so be wary of anything too cheap or brands you haven't come across before.
If your phone or tablet doesn't natively support MicroSD, it's easy to attach one to make use of on an ad-hoc basis using a microSD card reader, which connects to your phone's Micro-USB port.
Another option is to use a wireless microSD card reader, such as the Verbatim MediaShare Wireless Mini, which is available for £31 from Amazon UK. It looks like a USB flash drive - and, indeed, can be inserted into your PC's USB port where it will act as such, allowing you to drag and drop files on to it - but inside is a microSD card, which supports the transfer of files but also content streaming.
By downloading the Verbatim MediaShare Wireless Mini app (free from Google Play or the App Store), you can connect it to your Android phone or tablet over Wi-Fi to access the contents of the microSD card.
The great thing about using the wireless connection on the Verbatim is that up to five people can share that connection, and you can password-protect access to the drive. An internal battery lasts for up to three hours and is recharged over the USB connection. 


How to get more storage in Android: USB OTG storage

You might not realise it, but many Android phones and tablets support USB OTG (On The Go), which allows you to plug in peripherals such as storage drives, just as you would with a PC.
Whether or not a device supports OTG won't always be listed in its spec. A quick and easy way to check whether your device supports OTG is to download to it the USB OTG Checker app, free from Google Play.
Once you've established that your device supports OTG you simply need an OTG adaptor such as the Inateck HB3001G. It costs just £12.99 from Amazon, and has an assortment of USB slots and card readers for letting you attach peripherals to your phone or tablet. If you're going to use it simply to insert a microSD card to a phone that doesn't support removable memory then the phone should be able to power the device by itself. However, if you want to add an external hard drive you'll probably need to also power the OTG adaptor (a USB power cable is provided).

How to get more storage in Android: Delete unwanted apps and clear your app cache

Sometimes you don't really need more storage, you just need to make better use of what you've got. Your phone or tablet probably came with several apps you have no interest in using, and you've probably since installed even more that you never use.
If you don't use them, uninstall them. If you later decide you need them then just download them again - any apps you've paid for at Google Play will be available to any Android device on which you're logged into your Google account.
Even the apps you want to keep can be taking up more space than they require. Over time every app on your phone fills space with cached files, and clearing these out can free up some room without you resorting to one of the other methods listed here. Clearing your app cache can also help to solve problems with misbehaving apps - perhaps you're getting messages that 'Samsung Galaxy has stopped', for example.
Clearing your app cache won't delete any important files on your phone, but keeping things backed up is never a bad idea.
In clearing your app cache you have two choices. You can go to Settings, Apps and go through each app, clearing the cache as required, or you can wipe the whole lot at once.
We're not referring to a factory reset (although that will solve your storage problems by returning your device to its out-of-box state), but to wiping the app cache. In order to do this you need to enter Android's Recovery mode and choose to wipe the app cache.
It's not exactly the same process for all phones, so it's worth Googling your exact model to see how you enter recovery mode. On my HTC Desire Eye, for example, you need to switch it off, then press and hold volume down, then press and hold the power button to enter recovery mode. You then press and hold volume up and power to access recovery options. An option here offers to wipe the cache partition (make sure you don't choose wipe data/factory reset). 

How to get more storage on Android: cloud storage

Another really good option for freeing up space on your Android is to embrace cloud storage on your smartphone or tablet.
Cloud storage apps such as Dropbox can automatically back up all your photos to the storage site, or you can upload only those you want to store online. Once in the cloud you can free up space by deleting them from your phone or tablet.
The only down side to using cloud storage is that you will be able to access those files only when you have an active internet connection.
Take a look at our article on 2015's best cloud storage services to see which is best for you.
Google offers several apps that are usually built into your phone or tablet for storing online your music, photos and more. For example, Play Music lets you store all your tunes in the cloud for accessing on any device, and if you need to hear them offline you can also download them to your phone or tablet. Similarly, Google Drive lets you store online all your word documents and spreadsheets.
Using a service such as Spotify is an alternative to storing tracks on your own device. This music-streaming service offers a free service (with ads) that will let you listen to almost any tune you like.

How to get more storage in Android: Wireless hard drive

One final option you have for getting access to more storage on your Android device is by using a wireless hard drive. A wireless hard drive is exactly the same as a normal portable hard drive, but you connect to it via Wi-Fi. Loads of options are available, and they're becoming more affordable, too. 

Check out the world's 1st web page, from 25 years ago, on Internaut Day

What did web pages look like 25 years ago? Well, 25 years ago today, there was only one that the public could see — the very first.
And it wasn't much more than a few pages of text with some hyperlinks — describing what the World Wide Web was envisioned to be.
The first web page was created by Tim Berners-Lee, a British scientist at CERN, the European Organization for Nuclear Research, located on the French-Swiss border near Geneva. The page went live at CERN on Dec. 20, 1990, and was opened up to the high-energy physics community on Jan. 10, 1991. But it wasn't until August of that year that Berners-Lee made the project public by posting a summary of it on several online forums, lastly on Aug. 22.
Some time later, Aug. 23, 1991, was named "Internaut Day," which is now celebrated annually to recognize the launch of the World Wide Web ... although Berners-Lee is not sure why that date was chosen.

Can't wait for Android Nougat? Here is a trick to get it right now


Google has unveiled the final version of Android 7 aka Android Nougat and it will be reaching the Nexus 5X, Nexus 6P and Nexus 6 users in the coming days. But as it happens with any software coming from Google, not everyone gets it immediately. Instead the release is rolled out to people in batches.
The Android Nougat update too will be reaching consumers in the coming weeks. It will be available as an over the air update. But what if you don't want to wait? There is a way.
To get the Nougat update immediately on a Nexus 5X or a Nexus 6P, you have to make use of the Android Beta Program. This was launched by Google earlier in March, when it unveiled the alpha version of Nougat, as a way to try out the unfinished software on the phones used by actual users.
"The Android Beta Program gives you an opportunity to try out pre-release versions of Android and provide feedback. Devices that you opt into the program will receive an over-the-air (OTA) update to the latest beta version of Android N," Google explained at that time.
But now there is no pre-release version of Android Nougat - only the final version. In fact, last night when Google released Nougat, the first users to get it were those who were enrolled in the beta program.
Now, you too can get it through the beta channel. To get Android Nougat immediately on your Nexus 5X or the Nexus 6P, here is what you need to do:
-- Open https://www.google.com/android/beta
-- Log into your Google account
-- Check the list of eligible devices
-- Enrol your device into the beta program
As soon as your device is part of the beta program, you will get an over the air update for the Nougat. Earlier this update was the pre-release version of the Nougat. But now, users are getting the final version.