Good news—the robocalling scourge may not be unstoppable after all


New data shows that the majority of robot-enabled scam phone calls came from fewer than 40 call centers, a finding that offers hope the growing menace of robocalls can be stopped.

The calls use computers and the Internet to dial thousands of phone numbers every minute and promote fraudulent schemes that promise to lower credit card interest rates, offer loans, and sell home security products, to name just a few of the scams. Over the past decade, robocall complaints have mushroomed, with the Federal Trade Commission often receiving hundreds of thousands of complaints each month. In 2013, the consumer watchdog agency awarded $50,000 to three groups who devised blocking systems that had the potential to help end the scourge. Three years later, however, the robocall problem seems as intractable as ever.

On Thursday at the Black Hat security conference in Las Vegas, a researcher said that slightly more than half of more than 1 million robocalls tracked were sent by just 38 telephony infrastructures. The relatively small number of actors offers hope that the phenomenon can be rooted out, by either automatically blocking the call centers or finding ways for law enforcement groups to identify and prosecute the operators.


Creating a Custom Domain Name with a Google App Engine Application

Google’s App Engine is a Platform as a Service (PaaS) for developers that provides features and frameworks to quickly and easily build scalable web applications. Developers create applications and deploy them to App Engine. When a web application is created on App Engine, it is assigned a unique project ID; developers can choose a custom project ID or accept a generated default. The URL used to reach the application has the form http://<project-id>.appspot.com, that is, a subdomain of appspot.com. For example, if the project ID is demo12, the URL will be http://demo12.appspot.com. Relying on this sort of domain name, however, creates several security issues:

  • A phishing attack could use a similar-looking web application and domain name. For example, an attacker could create the malicious application demo13.appspot.com, which is similar to the legitimate name demo12.appspot.com. Because the application is assigned to a subdomain of appspot.com, the name of the malicious application looks very convincing and hard to differentiate from the original name.
  • If the wildcard DNS record for *.appspot.com is corrupted, whether by an operator mistake or through DNS cache poisoning, every application served under that subdomain is affected at once, and the individual developer has no control over that record.
  • The domain is served under a wildcard certificate shared by every hosted application, which creates extra work for developers: the Domain and Path attributes of cookies must be constrained to the application’s own host and path, rather than the shared parent domain, so that the cookies are not exposed to other applications under appspot.com.
  • The certificate is controlled by Google. Any certificate-related problem, such as expiration, the signing algorithm in use, or which certificate authority issued it, can only be addressed by Google, so the application depends on Google for all of it. Because the certificate is a wildcard, an Extended Validation (EV) certificate cannot be used, even though EV is recommended for financial applications.

Apart from the security issues, most organizations want their customers to see a custom domain name instead of a subdomain of appspot.com. Thus a custom domain is necessary. You can get a domain name from a domain name registrar and then use it with App Engine, or buy one from within the Google portal.

Follow these steps to add a custom domain name for your application:

  • Log in to the Google Cloud Platform Console.
  • Navigate to “App Engine” and then “Settings,” or enter https://console.cloud.google.com/appengine/settings/domains in the address bar. Click on the “Custom Domains” tab and then on “Add a custom domain.” If you do not yet have a custom domain name, buy one from a domain name registrar or click on “Register a new domain” to buy one from Google.
  • Select “Verify a new domain” and enter your custom domain name. Click on “Verify” and follow the steps to prove that you own that domain.
  • The domain name is now verified and should be updated under the “Custom Domains” tab. If not, click on “Refresh domains.”
  • Select the application to which you want to associate this custom domain name and click “Submit mappings.”
  • Note the DNS records displayed. Go to your domain registrar website and update your DNS configuration with the noted DNS records. It can take some time for the changes to propagate, depending on your DNS provider.
  • Confirm access to the application using the custom domain name.
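The final step deserves more than a browser visit, because the two things that can silently go wrong are the DNS records and the certificate: a stale or partially propagated record set points some clients at the wrong place, and a mapping that is still being served under the shared *.appspot.com wildcard certificate (rather than one naming your domain) means the custom domain has not really taken over. The script below is an added example, not code from McAfee or from Google: it compares the live A/AAAA answers for the domain against the records the console told you to publish, fetches the server certificate and checks that its subjectAltName actually covers the domain, and reports whether the certificate is still a wildcard. The domain name www.example.com and the addresses in EXPECTED_RECORDS are constructed placeholders (documentation ranges); substitute the records shown by “Submit mappings.”

```python
"""Post-cutover checks for an App Engine custom domain.

Added example; not McAfee's or Google's code. EXPECTED_RECORDS must be
filled in from what the console displayed at "Submit mappings"; the
values below are constructed placeholders from the RFC 5737 / RFC 3849
documentation ranges, not real Google addresses.
"""
import socket
import ssl

DOMAIN = "www.example.com"                    # placeholder custom domain
EXPECTED_RECORDS = {                          # constructed, not Google's values
    "A": {"192.0.2.10", "192.0.2.11"},
    "AAAA": {"2001:db8::10"},
}
_FAMILY = {"A": socket.AF_INET, "AAAA": socket.AF_INET6}


def resolve(domain, rrtype):
    """Return the set of A or AAAA answers the system stub resolver gives."""
    try:
        infos = socket.getaddrinfo(domain, None, _FAMILY[rrtype], socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def check_dns(domain, expected, resolver=resolve):
    """Diff live answers against the published records, per record type.

    Returns {rrtype: {"missing": set, "unexpected": set}}. A non-empty
    "unexpected" set usually means an old record is still being served
    (propagation not finished, or a leftover record at the registrar).
    """
    report = {}
    for rrtype, want in expected.items():
        got = set(resolver(domain, rrtype))
        report[rrtype] = {"missing": set(want) - got, "unexpected": got - set(want)}
    return report


def dns_ok(report):
    return all(not r["missing"] and not r["unexpected"] for r in report.values())


def hostname_matches(host, pattern):
    """RFC 6125-style comparison: a leading '*' covers exactly one label,
    so '*.appspot.com' matches 'demo12.appspot.com' but neither
    'appspot.com' nor 'www.demo12.appspot.com'."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def san_names(cert):
    """DNS names from the dict shape ssl.SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def cert_covers(cert, host):
    return any(hostname_matches(host, name) for name in san_names(cert))


def is_wildcard_cert(cert):
    """True if the served certificate is still a shared wildcard (e.g. *.appspot.com)."""
    return any(name.startswith("*.") for name in san_names(cert))


def fetch_cert(host, port=443, timeout=5):
    """TLS handshake with SNI for `host`; default context verifies the chain."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    report = check_dns(DOMAIN, EXPECTED_RECORDS)
    for rrtype, r in report.items():
        print(f"{rrtype}: missing={sorted(r['missing'])} unexpected={sorted(r['unexpected'])}")
    print("DNS matches published records:", dns_ok(report))
    cert = fetch_cert(DOMAIN)
    print("certificate covers", DOMAIN + ":", cert_covers(cert, DOMAIN))
    print("still a wildcard certificate:", is_wildcard_cert(cert))
```

Run it from a machine outside your own network once the registrar change has propagated; a failing `cert_covers` with a verified chain means the name is reachable but the certificate presented for it is not yours yet, which is exactly the wildcard dependency described above.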


Reference

https://cloud.google.com/appengine/docs/java/console/using-custom-domains-and-ssl#adding_a_custom_domain_for_your_application


Starting this fall, Apple will pay up to $200,000 for iOS and iCloud bugs

Apple will soon begin offering bounties for bugs found in some of its hardware and software. (credit: Andrew Cunningham)

As part of a security presentation given at this year's Black Hat conference, Apple today announced that it would be starting up a bug bounty program in the fall. The program will reward security researchers who uncover vulnerabilities in Apple's products and bring them to the company's attention. Google, Microsoft, Facebook, and many other companies have offered bug bounty programs for some time now, but this is Apple's first.

For now, Apple is intentionally keeping the scope of the program small. It will initially be accepting bug reports from a small group of a few dozen security researchers it has worked with in the past. For now, bounties are only being offered for a small range of iDevice and iCloud bugs. The full list is as follows:

  • Secure boot firmware components: Up to $200,000.
  • Extraction of confidential material protected by the Secure Enclave: Up to $100,000.
  • Execution of arbitrary code with kernel privileges: Up to $50,000.
  • Access from a sandboxed process to user data outside of that sandbox: Up to $25,000.
  • Unauthorized access to iCloud account data on Apple servers: Up to $50,000.

As the program continues and Apple works the, um, bugs out of its processes, the company will expand the list of eligible security researchers as well as the list of hardware and software bugs for which bounties are offered.


Report claims more than half of UK firms have been hit by ransomware


Large UK companies are amongst the hardest hit by ransomware in western countries according to a new report that found that more than half had been affected by it—and that nine percent had been left "entirely unable to operate."

Ransomware is clearly a growth industry in Britain: 58 percent of IT directors in this country have paid ransoms in the past, and the UK experiences more attacks than Canada, Germany, and the US, where bosses are 21 times less likely to give in to hackers' demands.

Ransomware is malicious software which locks users out of key files or their entire system using tough encryption until the owner pays up. It's a relatively simple scam, and according to Malwarebytes, who commissioned the report, gaining rapidly in popularity. The vast majority of attacks are coming through an endpoint, with 46 percent originating from an e-mail.
