Posts Tagged ‘android’
McAfee Q4 Threats Report Shows Malware Surpassed 75 Million Samples in 2011
Today we released our Fourth Quarter 2011 Threat Report, revealing that malware surpassed our estimate of 75 million unique malware samples last year. Although the release of new malware slowed a bit in Q4, mobile malware continued to increase and recorded its busiest year to date.
Malware
The overall growth of PC-based malware actually declined throughout Q4 2011, and is significantly lower than Q4 2010. The cumulative number of unique malware samples in the collection still exceeds the 75 million mark. In total, both 2011 and the fourth quarter were by far the busiest periods for mobile malware that McAfee has seen yet, with Android firmly fixed as the largest target for writers of mobile malware.
Contributing to the rise in malware were rootkits, or stealth malware. Though rootkits are some of the most sophisticated classifications of malware, designed to evade detection and “live” on a system for a prolonged period, they showed a slight decline in Q4. Fake AV dropped considerably from Q3, while AutoRun and password-stealing Trojan malware showed modest declines. In sharp contrast to Q2 2011, Mac OS malware has remained at very low levels the last two quarters.
Web Threats
In the third quarter McAfee Labs recorded an average of 6,500 new bad sites per day; this figure shot up to 9,300 sites in Q4. Approximately one in every 400 URLs was malicious on average, and at the highest levels, approximately one in every 200 URLs was malicious. This brings the total of active malicious URLs to more than 700,000.
The vast majority of new malicious sites are located in the United States, followed by the Netherlands, Canada, South Korea and Germany. Overall, North America housed the largest number of servers hosting malicious content, at more than 73 percent, followed by Europe-Middle East at more than 17 percent and Asia Pacific at 7 percent.
Spam
At the end of 2011, global spam reached its lowest point in years, especially in areas such as the United Kingdom, Brazil, Argentina and South Korea. Despite the drop in global levels, McAfee Labs found that present-day spearphishing and spam are highly sophisticated.
Overall botnet growth rebounded in November and December after falling since August, with Brazil, Colombia, India, Spain and the United States all seeing significant increases. Germany, Indonesia and Russia declined. Of the botnets, Cutwail continues to reign supreme, while Lethic has been on a steady decline since last quarter. Grum made a significant comeback after a long decline, surpassing Bobax and Lethic by the end of Q4.
Data Breaches
The number of reports of data breaches via hacking, malware, fraud and insiders more than doubled since 2009, according to privacyrights.org, with more than 40 breaches publicly reported this quarter alone. The leading network threat this quarter came via vulnerabilities in Microsoft Windows remote procedure calls. This was followed closely by SQL injection and cross-site scripting attacks. These remote attacks can be launched at selected targets around the globe.
Download McAfee’s Threats Report: Fourth Quarter 2011.
Android DIY DoS App Boosts Hacktivism in South America
Hacktivism has become very popular in recent years; one of its leading agents is the online community Anonymous. Hacktivist groups use digital tools to perform denial of service (DoS) attacks to pursue political ends or to protest against controversial laws in countries around the world. One of the most common tools they use is Low Orbit Ion Cannon (LOIC), an open-source computer program written in C# that can run different types of DoS attacks. LOIC can send a large number of TCP/UDP packets to a specific URL/IP address in a short amount of time. The same tool has been ported to JavaScript to perform a DoS directly from a browser. The existence of Web LOIC, along with anonymous web hosting services such as pastehtml, has made it possible for any user on the Internet to participate in those attacks with just one click.
Recently the same attack has been easily ported to one of the most popular mobile platforms: Android. Anonymous social network accounts promote the new attack in Latin America as “LOIC para Android by Alfred”:
By “easily” ported I mean that it is not necessary to have any programming skills to create the Android application because it was generated with a free online service that creates Android apps with just a URL, HTML code, or a document (DOC or PDF). In this case, the attack was created with only the URL of a specific pastehtml website that has a JavaScript version of LOIC to perform a DoS attack against the Argentinian government. The attack is part of the operation #opargentina, run by an Anonymous cell in South America. Once the tool is downloaded and installed, the following icon appears in the applications menu:
When it is executed, a WebView component shows the contents of the URL, which is basically an HTML web page with a JavaScript that sends 1,000 HTTP requests with the message “We are LEGION!” as one of the parameters. (The web page does not fit in the Android screen, probably because the tool that creates the application does not adjust the size of the web page inside WebView.)
Creating Android applications that perform DoS attacks is now easy: It requires only the URL of an active web LOIC–and zero programming skills–thanks to automated online tools. Because the application’s purpose is simply to display any website on an Android system, we classify this hack tool as a potentially unwanted program (PUP). If you have enabled PUP detection (our default setting), then McAfee Mobile Security for Android will detect this tool as Android/DIYDoS.
Adware on Mobile Devices an Evolving Privacy Threat
Potentially Unwanted Programs (PUPs) are often legitimate software that pose a risk to users’ privacy or systems. A reasonably secure–or privacy-minded–user may want to be informed of the presence of certain PUPs and in some cases remove them. One very common type of PUP is adware, which exists to make revenue through advertising. Some adware is merely annoying but others could ignore or violate a user’s privacy by collecting and transmitting sensitive information to others without the user’s consent. Adware is well-known in the PC world and is becoming more prevalent now on mobile platforms (due to the fact that more developers are able to distribute their own applications from a central source like the Android Market).
The recent PUP Toplank (a.k.a. Counterclank) is an example of how aggressive mobile advertising in the Android world can be. The basic installation behaviors may be bad enough for some users. For example, Toplank adds bookmarks and home-screen shortcuts and makes home-page modifications without adequately informing the user or gaining consent to do so. More disturbing is what it does after it is installed. Recently, during the analysis of suspicious live wallpaper available in the Android Market, I found an advertisement module similar to Toplank’s in the sense that, once the PUP executes, it adds a shortcut in the home screen without the user’s consent:
However, at the same time in the background the following sensitive information is sent to the remote server ad.leadboltapps.net:
In addition to the “normal” sensitive data (OS version, IMEI, geographical location, and phone number) collected by several mobile-advertisement SDKs, this PUP also collects and sends the IP address of the device (which could be internal if the device is connected via network address translation or external if it is using the mobile network). This information, along with the exact identification of the device with the IMEI, could represent a privacy violation to some users. In addition, the developer does not clearly state in the Android Market that the wallpaper is ad supported:
The developer offers an option in Settings to disable notification ads. However, even if the option is disabled, the data has already been leaked and the user can do nothing to stop it.
Adware for mobile devices is constantly evolving and becoming very aggressive, invasive, and even dangerous to our privacy. If you have enabled PUP detection (which is enabled by default), then McAfee Mobile Security for Android detects this adware as Android/LdBolt.A.
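The kind of leak described above can be spotted in captured traffic by checking what an ad request's parameters actually contain. The following is an added example, not part of the original post or of any McAfee tool; the host name, parameter names and values in the sample request are constructed, since the page does not show the real request.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of an ad-SDK request (hypothetical host and parameter names).
SAMPLE_REQUEST = (
    "http://ads.example.net/track?os=2.3.6&imei=490154203237518"
    "&msisdn=%2B15555550123&ip=192.168.1.23&loc=-34.6037,-58.3816&app=wallpaper"
)


def luhn_ok(digits: str) -> bool:
    """IMEIs carry a Luhn check digit; validating it cuts false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(value: str):
    """Return the kind of device identifier a parameter value looks like, or None."""
    if re.fullmatch(r"\d{15}", value) and luhn_ok(value):
        return "imei"
    if re.fullmatch(r"\+?\d{10,14}", value):
        return "phone_number"   # heuristic: long digit strings may also be timestamps
    try:
        ip = ipaddress.ip_address(value)
        # Private means the device sits behind NAT; public means the mobile network.
        return "ip_private" if ip.is_private else "ip_public"
    except ValueError:
        pass
    if re.fullmatch(r"-?\d{1,3}\.\d{3,},-?\d{1,3}\.\d{3,}", value):
        return "geo"
    return None


def audit_request(url: str):
    """Return (destination host, [(parameter, identifier kind), ...])."""
    parts = urlsplit(url)
    findings = []
    for name, value in parse_qsl(parts.query):
        kind = classify(value)
        if kind:
            findings.append((name, kind))
    return parts.hostname, findings


if __name__ == "__main__":
    host, findings = audit_request(SAMPLE_REQUEST)
    for name, kind in findings:
        print(f"{host}: parameter {name!r} carries {kind}")
```

Matching on the value rather than the parameter name matters because SDKs are free to rename or abbreviate their fields.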
Avast! Free Mobile Security Contest results.
Since you asked for avast! Free Mobile Security (for Android) and we gave it to you, we wanted to celebrate its launch with our Community. Thus, from December 22, 2011 to January 22, 2012 we offered a contest where you could win 10 Samsung Galaxy Nexus phones and 300 free avast! Internet Security licenses.
Our contest question was…
We asked you to predict how many users of avast! Free Mobile Security there will be by February 10, 2012, 12:00 CET.
Responses showed us…
Roughly 50,000 contest participants showed us that we should actually do it more often. So even if you weren’t lucky this time, make sure you won’t miss our next one!
Results are finally in…
As February 10 is here, we can finally tell you that, as of today, we have 2 168 960 users of avast! Free Mobile Security.
Winners to be announced…
In the next 10 days, we will announce the 10 winners of Samsung Galaxy Nexus phones. Our winner will find his or her name in this format on our Facebook banner: Martin F.. And we will contact the winner via email, to arrange prize delivery.
The next-closest 300 responses will receive (via email) free licenses of avast! Internet Security.
Keep watching…
If you participated in our contest and your prediction was close to our final number above, be sure to follow our Facebook page and check your email regularly!
Cracking Open Your (Google) Wallet
We suggested earlier that instead of going after the Secure Element chip and the information it keeps safe, attackers would go after the weaker point of the Google Wallet app. Security researcher Joshua Rubin has now created a proof-of-concept app, Google Wallet Cracker, that can recover the Google Wallet PIN on a rooted phone.
Once attackers get your PIN, they have full access to any credit card information stored in the app and they can use your phone to make purchases. As a user of Google Wallet, the main security you see is the PIN. What makes Wallet easy for you to use now makes it easy for attackers to use; they can now spend your money and credit just as if your phone were an ATM card.
How It Works
The vulnerability involves storing an encrypted hash of the Google Wallet PIN in a database that belongs to the app. Because it’s not stored in the Secure Element chip, the only protection is Android’s user ID-based “sandboxing.” Normally malicious apps can’t access files belonging to another app, but once the phone is rooted that protection and any others are gone.
In this case an attacker with root access can reverse-engineer the Google Wallet app’s database format and extract the hashed PIN.
Because the PIN is a four-digit code, an attacker can generate all possible PINs (0000-9999), hash them, and compare against the extracted PIN. On a real phone this takes about four seconds.
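Why the hash offers no protection here, shown as an added example (not from the original post and not Rubin's tool): it contrasts a PIN record the caller can read with a verifier that keeps the record and a failure counter out of reach, the role the post assigns to the Secure Element. The storage scheme (salted PBKDF2), the salt, the PINs and the limit of five failures are constructed assumptions; the page does not give Wallet's actual format.

```python
import hashlib
import hmac
import os

KEYSPACE = 10_000  # every four-digit PIN, 0000-9999


def pin_digest(pin: str, salt: bytes, iterations: int) -> bytes:
    # Assumed scheme for illustration only: salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)


def offline_search(stored: bytes, salt: bytes, iterations: int):
    """Anyone who can read the stored record can test the whole keyspace.

    Returns (pin, guesses_used). A slower hash only multiplies the cost of
    at most 10,000 guesses; it cannot add entropy the PIN does not have.
    """
    for n in range(KEYSPACE):
        candidate = f"{n:04d}"
        if hmac.compare_digest(pin_digest(candidate, salt, iterations), stored):
            return candidate, n + 1
    return None, KEYSPACE


class AttemptLimitedVerifier:
    """Verification inside a component that never exposes the record
    and locks after a fixed number of consecutive failures."""

    def __init__(self, pin: str, max_failures: int = 5, iterations: int = 1000):
        self._salt = os.urandom(16)
        self._iterations = iterations
        self._stored = pin_digest(pin, self._salt, iterations)
        self._max_failures = max_failures
        self._failures_left = max_failures

    def verify(self, candidate: str) -> bool:
        if self._failures_left == 0:
            raise PermissionError("verifier locked")
        digest = pin_digest(candidate, self._salt, self._iterations)
        ok = hmac.compare_digest(digest, self._stored)
        # A success resets the counter; a failure consumes one attempt.
        self._failures_left = self._max_failures if ok else self._failures_left - 1
        return ok


def online_search(verifier: AttemptLimitedVerifier):
    """The same guessing loop, but only through verify().

    Returns (pin, guesses_accepted); pin is None once the verifier locks.
    """
    accepted = 0
    for n in range(KEYSPACE):
        try:
            hit = verifier.verify(f"{n:04d}")
        except PermissionError:
            return None, accepted
        accepted += 1
        if hit:
            return f"{n:04d}", accepted
    return None, accepted


if __name__ == "__main__":
    salt = b"constructed-salt"                 # constructed sample values
    stored = pin_digest("7391", salt, 50)
    print("readable record:", offline_search(stored, salt, 50))
    print("attempt-limited:", online_search(AttemptLimitedVerifier("7391")))
```

The design lesson is that a four-digit secret needs an enforced attempt limit around it; a stronger hash over a readable record does not supply one.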
How Do We Stay Safe?
Currently only Nexus S or Galaxy Nexus users can run Google Wallet. Rubin has responsibly disclosed the vulnerability to Google and the company is now working on patching Android to prevent such attacks. The Google Wallet Cracker is not publicly available.
Google Wallet users can take a number of steps to protect themselves:
- Use a lock code/password, swipe pattern, or face unlock
- Keep your phone close and in your possession. If attackers don’t have physical access to your phone, they can’t install malicious apps or spyware.
- Install antivirus software on the phone to protect against unwanted root exploits and spyware
ESET to Exhibit at CeBIT 2011: Presentation of ESET Mobile Security for Android, Beta version; …
Starting Tuesday, March 1st 2011, ESET, the leader in proactive protection will exhibit at world’s largest computer technology trade show and expo in Hannover, Germany (March 1st – March 5th). ESET will present a new product for the Android platform – ESET Mobile Security, and offer a preview of the 5th generation of ESET Smart Security for Windows.
ESET @ CeBIT 2011: Thousands of visitors, cloud-computing and sneak peek of ESET’s next …
Cloud-security, preview of ESET Smart Security 5, and presentation of ESET Mobile Security for the Android platform took center stage at the world’s largest IT expo CeBIT 2011 which came to a close Saturday. Tens of thousands visitors passed and stopped by at ESET’s main stand at the exhibition. Sneak peek of ESET’s latest security solutions drew the attention of visitors, press, and IT professionals.
ESET Releases BETA Version of ESET Mobile Security for Android Smartphones
ESET, the leader in proactive protection, is expanding its portfolio of security solutions to protect devices running on the popular Android platform. ESET now offers ESET Mobile Security for three operating systems including Symbian, Windows Mobile and Android. The BETA version is available to download from the company’s website, ESET.com.
Android Market Gets a Bouncer to Kick Out Malware
Today Google announced its Bouncer security service for the Android Market. This is a good initial step in protecting Android users.
Respect the Bouncer
To keep out known troublesome apps, the service performs a malware and spyware scan on all submitted material. It also uses behavioral analysis to determine if a given app is trying to do something suspicious. Google doesn’t stop there; it also does fraud and abuse detection to ban and remove malware writers posing as legitimate developers.
Other Protections
Aside from Bouncer, Google has older methods of protecting users from bad apps. The company cites its “remote app removal switch,” which allows Google to remotely uninstall apps that violate its policies and/or are malicious. Although this is good for handling most basic Android malware, additional measures are sometimes necessary.
Sandboxing apps is very useful but is also a double-edged sword. On one side it keeps the average malicious app from accessing user data in other apps; on the other, however, it prevents Google and other security vendors from easily cleaning a device of advanced malware. In the case of malware such as Android/DrdDream or Android/DrddreamLite, which use root exploits to gain total control of a device, it’s necessary to go a step further. These threats that use root exploits completely bypass app sandboxing, requiring stronger methods to remove them. Google now provides a tool that runs on infected devices and removes all malware that was impossible to clean up with the remote removal function.
Alternative App Markets and Malware
Bouncer was able to reduce by half the amount of malware available on the official Android App Market during the past year. That’s an impressive figure. It’s also not the entire picture for Android malware. Android’s openness is great for developers and for users. It’s easy to get started developing apps and distributing them. It’s also easy for users to get an app that does what they need. These were keys that helped to make MS-DOS the most popular operating system in its day: Although MS-DOS was afflicted with viruses and other malware, they were always orders of magnitude smaller than the available number of legitimate applications.
The official Android App Market is not the only source for apps on Android devices. In China, it’s not even the only app store. There are reports of as many as 70 app stores in Beijing alone. In a presentation I gave last year at the security convention DefCon, we found that on a nearly two-to-one basis China was affected by for-profit mobile malware. The majority of this malware was Android based and downloadable from some of these alternative app markets. China has a large number of mobile users and the tactic of local cybercriminals was described by a colleague as “steal a little from a lot.” Even a single dollar from a million users is a good haul for a criminal.
Is a ‘Bouncer’ Enough?
We haven’t yet seen many details about Bouncer internals, but what we’ve seen so far bodes well for Android security. By itself Bouncer is not enough to clean up all infected devices or to keep all malware out of the market. There will still be a need for further innovation in security software and for defense in depth. The Android security team has a lot of clever people on it and no doubt they will continue to improve security while maintaining Android’s open nature.
Pinterest.com security – step by step howto
I recently signed up for Pinterest.com, a hip, trendy pin board style website that allows beefed up sharing of your interests with friends via a large visual bulletin board style forum where fans of a particular subject can post what they find compelling, and want to share. Then other friends can weigh in on the subject “pinned”, thereby creating a crowd-ranked list of what folks in that sector are talking about, with the more popular, relevant, and timely pins rising toward the top. The service is heavily integrated with other social media venues, specifically Facebook and Twitter. In fact, you’ll need your account information from one of them to sign up. This means much of the personalized information you may already have on Facebook, for example, might be used to form a composite of what you might also be interested in on Pinterest.
Is it popular? The numbers have been going crazy lately. Who knew? Other than some half-starved startup team somewhere who hit it big, the idea is sickly engaging and addictive, likely because the site is all about you and what others following your same interests find, well, interesting. I also thought Twitter was a hard sell, but now, well, the numbers speak for themselves on that crazy 140 character status update app that's also addictive and successful.
Here in this article we dive into Pinterest.com, show you what's involved in signing up, securing your profile and feeling your way around the world of Pinterest, with an eye toward your own privacy, security, and best practices.
One thing to note: If you're in a hurry and just click through the default options without an eye for security, privacy, and the possible spread of personal information (either semi-automatically or inadvertently aided by unwitting friends), you may end up with more than you bargained for. Allowing your information to be shared with nearly everyone by default might cause heartache down the road, so locking things down a bit seems like a good stance to take.
Let’s Get Started
If you haven't signed up already, it's tougher than it looks. First, you have to sign up for a waiting list to be invited, or better yet, get someone on the service already to invite you. This hearkens back to the early days of Gmail, which was pretty successful as well, despite the curious process.
Once you’ve received your invite, continue the process like:
creating an account – facebook login prompt
I opted in this test to sign up using Facebook, so when you click the Facebook link, you are directed to the Facebook login on behalf of Pinterest.com, like:
facebook login for pinterest
Once you log in, you are faced with the option to go back to Pinterest, or fine-tune your Facebook interface settings. Notice the default selection is to share with friends.
default settings for friend sharing
Note the notification that says by default this app will share “other activity” on Facebook. That seems like a very broad term for information sharing. If you are more privacy/security conscious, it may be a good idea to restrict the visibility like:
update friend preferences
I changed it to look like this:
share to “only me”
When you are finished customizing your Facebook sharing settings, select the “Go to App” button and it will take you back to the Pinterest.com signup page to continue the process of creating an account there.
create pinterest account
Since there really isn’t a way to sign up without a Facebook or Twitter account as well, it would be difficult to totally isolate the information flow from those sources. Your best bet is to review your account settings in Facebook, and make sure you’re only sharing what you intend to share, as default permissions tend to be set more lenient than security/privacy fans might prefer.
Now you’ll have a chance to tell Pinterest.com what interests you might have:
define likes
This will continue to build a profile of what/who you might be interested in following.
You now have a chance to create your own Boards:
create your own boards
On the same screen it will highlight those who you may be already following. Next there is a screen where you can customize your tastes, again building the profile the service will target for specific interests:
create your first pinboard
Once you enter your interests, the next time you visit, you’ll see more subjects presented that relate to these preferences.
You now have an option to integrate Pinterest preferences with your browser, for another level of integration:
add to browser
Now let’s look at some of the settings you might choose to adjust. You can access the settings under the menu shown below:
user settings
On the settings page you will see options to control how Pinterest.com integrates with Facebook/Twitter:
link to facebook / twitter
Notice that they are set to integrate by default. For those who want more privacy/security, it may be wise to disable the buttons above, thereby segregating the services a bit more. Notice how tightly the sharing may be integrated, including a feature to tap into your Facebook Friends yet another way.
Summary:
While Pinterest grabs market share and your friends become familiar with the service, expect more fine-tuned controls to be available. Being aware of these settings may help you have a more secure profile and sharing stance while using the service. It also may prevent sharing more information than you planned on, both now and in the future.
What else to watch for:
As with many websites that soar to popularity, we are already seeing scams like fake apps bundled with borderline or outright malicious functionality that users could download for smartphones like Android. The folks at gottabemobile.com point out an app, purportedly for using Pinterest on Android, was not an app at all, but a platform for scams. Many users would simply click through the installation prompts, only to find out later they’ve gotten more than they bargained for.
As Pinterest.com continues to catch on, expect more scams that try to do things like tricking users into revealing credentials through fake notifications, spam texts to your mobile devices, efforts at phishing and other emerging scams. As Pinterest.com grows, we will revisit this in a security series about the platform, helping to keep users safe online.