
Saturday 1 February 2014

Apple Sued for Infringing on Touch-Screen Patent


Apple this week was hit with a patent lawsuit over the use of touch-screen panels in products like the iPad Air.
Hilltop Technology on Wednesday filed suit in Texas district court, alleging that Apple is infringing on a patent it owns for a "capacitive type touch panel."
The patent was first filed in April 2008 and issued in Jan. 2011, according to Hilltop. The company alleges that "all Apple products having a capacitive type touch panel, including its iPad Air," infringe on this patent.
According to Hilltop, it "has suffered monetary damages in an amount not yet determined, and will continue to suffer damages in the future unless Apple's infringing activities are enjoined by this Court."
The firm is demanding an injunction and damages, among other things.
Hilltop filed similar lawsuits against TPK Holding and Wintek Corporation in November and against AU Optronics in September. Thus far, AU Optronics has filed its response, denying that its technology infringes on Hilltop patents.
While Hilltop goes after Apple in this particular case, most new technology includes touch-screen displays at this point - from the iPad Air to Android-based devices and new Windows devices. Hilltop likely sees a lot of dollar signs with Apple, though. In a recent earnings report, Cupertino revealed that it sold 51 million iPhones and 26 million iPads during the quarter ending Dec. 28.

Social engineering attack on GoDaddy and PayPal to blame in Twitter hijacking

Naoki Hiroshima lost access to his unique Twitter handle after being pressured by the criminal responsible for compromising his PayPal and GoDaddy accounts.
Update: GoDaddy confirms the social engineering aspects of this Twitter extortion scheme.
Update 2: Added commentary from Chris Hadnagy and Michele Fincher, from Social-Engineer Inc.
Leverage. That's what the criminal had when he contacted Naoki Hiroshima. Until recently, he had one of the highly prized single letter Twitter profiles; his was @N, but now it's @N_is_stolen.
The details of his story are posted to his Medium account.
In order to steal the coveted Twitter account, the criminal behind this scheme started with PayPal. Initially, they tried to reset the account password, but Hiroshima uses two-factor authentication, so that attempt failed. The attacker tried again, this time allegedly calling PayPal and posing as an employee, where they claim they managed to get the customer service representative to give out the last four digits of Hiroshima's credit card.
In a statement, PayPal said that Hiroshima's personal details and credit card details were not shared, noting that Hiroshima's PayPal account was not compromised.
"We have carefully reviewed our records and can confirm that there was a failed attempt made to gain this customer’s information by contacting PayPal... Our customer service agents are well trained to prevent social hacking attempts like the ones detailed in this blog post. We are personally reaching out to the customer to see if we can assist him in any way."
It's entirely possible the criminal lied to Hiroshima; that's what criminals do. So their claim that they posed as a PayPal employee could be completely false. But whoever is behind the attack did have the last four digits of the credit card in question, because this person used them to gain access to Hiroshima's GoDaddy account.
According to the criminal, explaining the process to Hiroshima, they called GoDaddy and gained access to his account by pretending to have lost the card on file, but told the customer service representative that they recalled the last four digits – which can be used for verification of account ownership.
Compounding the problem, the criminal noted that they were allowed to guess the first two digits of the card GoDaddy had on file to prove they were the owner of the account. They guessed correctly on the first try. Now, Hiroshima's GoDaddy account was in the hands of the criminal behind this scheme, and they altered all of the account details.
With the details changed, GoDaddy told Hiroshima that he wasn't the owner of the account, and as such, there was nothing that could be done to help him. Stuck with few options, Hiroshima was left to deal with an attacker who wanted to make a trade.
GoDaddy didn't respond to emails seeking comment for this story [see statement below], but they have told Hiroshima they are willing to assist him, now that the story is out in the open.
As Hiroshima put it:
"It’s hard to decide what’s more shocking, the fact that PayPal gave the attacker the last four digits of my credit card number over the phone, or that GoDaddy accepted it as verification."
Once the attacker had control over Hiroshima's GoDaddy account, they threatened to delete data unless Hiroshima gave up his Twitter profile. Feeling the pressure, Hiroshima relented and released the @N account.
Keeping to their word, the criminal returned control of the GoDaddy account back to its rightful owner, which allowed Hiroshima to start the recovery process and attempt to protect his remaining accounts.
Twitter is investigating, but wouldn't comment further when asked for details on the status of @N.
Social engineering is an attack on the mind, and one that plays into basic human traits. In this case, if the attacker is to be believed, a PayPal representative shared information because they were under the impression they were helping a co-worker.
However, even if the criminal lied, the point stands, because such security blunders happen all the time. If a piece of information is presumed to be of little value, then little effort is made to protect it.
In this case, the last four digits of a credit card are seen as harmless, because on their own they don't amount to much. The problem is that they're often used as a means of identification, which is a bad idea no matter how you look at it: the same four digits appear on receipts and are held by every other merchant and support desk the customer deals with.
Add to that the fact that GoDaddy allowed the criminal to guess the first two digits of the card on the account, which are largely predictable to begin with, and you have a breach just waiting to happen.
These little gaps in security are what social engineers will focus on, and given that people generally want to help others, all one needs is time. Eventually they'll get what they want simply by asking.
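As an added illustration of the two verification weaknesses just described (this is example code, not code from the article or from any of the companies named), the following Python model scores how likely a caller who holds only the last four card digits is to pass a policy that also accepts a guess at the leading digits, compared with a policy that demands a secret the customer registered in advance. The Policy and Caller types, the uniform-prefix assumption and the per-network prefix table are all constructed for the example; the prefixes are the publicly documented issuer ranges, not values from the article.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import List, Optional

# Leading two digits per card network: the publicly documented issuer ranges
# (Visa 4x, MasterCard 51-55, Amex 34/37, Discover 60/64/65). These are what
# make the leading digits "predictable" rather than secret.
LEADING_PAIRS = {
    "visa": [f"4{d}" for d in range(10)],
    "mastercard": [f"5{d}" for d in range(1, 6)],
    "amex": ["34", "37"],
    "discover": ["60", "64", "65"],
}
ALL_PAIRS = sorted({p for pairs in LEADING_PAIRS.values() for p in pairs})


@dataclass(frozen=True)
class Policy:
    """What a support agent may accept as proof of account ownership (constructed)."""
    name: str
    requires_last4: bool            # last four card digits count as proof
    leading_digit_tries: int        # guesses at the first two digits tolerated (0 = not asked)
    requires_account_secret: bool   # PIN or passphrase the customer registered in advance


@dataclass(frozen=True)
class Caller:
    """What the person on the phone actually knows (constructed)."""
    has_last4: bool
    knows_network: Optional[str]    # card brand if known; None means guessing across all brands
    has_account_secret: bool


def pass_probability(policy: Policy, caller: Caller) -> Fraction:
    """Probability the caller satisfies the policy. The true leading pair is
    modelled as uniform over the candidates the caller cannot rule out, and
    each wrong guess removes one candidate."""
    if policy.requires_account_secret and not caller.has_account_secret:
        return Fraction(0)
    if policy.requires_last4 and not caller.has_last4:
        return Fraction(0)
    if policy.leading_digit_tries == 0:
        return Fraction(1)          # nothing left to guess
    candidates = LEADING_PAIRS.get(caller.knows_network, ALL_PAIRS)
    return Fraction(min(policy.leading_digit_tries, len(candidates)), len(candidates))


def audit(policy: Policy) -> List[str]:
    """Findings a reviewer would raise against a verification policy."""
    findings = []
    if policy.requires_last4 and not policy.requires_account_secret:
        findings.append("last four digits treated as a secret although receipts, "
                        "other merchants and other support desks all hold them")
    if policy.leading_digit_tries > 0:
        findings.append(f"agent may accept up to {policy.leading_digit_tries} guess(es) "
                        "at leading digits that the card network largely fixes")
    return findings


WEAK = Policy("last4 plus one guess at the leading digits", True, 1, False)
HARDENED = Policy("last4 plus a pre-registered account secret", True, 0, True)

if __name__ == "__main__":
    stranger = Caller(has_last4=True, knows_network=None, has_account_secret=False)
    for policy in (WEAK, HARDENED):
        print(f"{policy.name}: pass chance {pass_probability(policy, stranger)}; "
              f"findings: {audit(policy)}")
```

Knowing the card brand shrinks the guess space sharply (two candidates for Amex), while the hardened policy leaves a caller without the registered secret at zero regardless of what card details they hold.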
Update:
GoDaddy's CISO, Todd Redfoot, sent the following statement:
Our review of the situation reveals that the hacker was already in possession of a large portion of the customer information needed to access the account at the time he contacted GoDaddy.  The hacker then socially engineered an employee to provide the remaining information needed to access the customer account.
The customer has since regained full access to his GoDaddy account, and we are working with industry partners to help restore services from other providers.  We are making necessary changes to employee training to ensure we continue to provide industry-leading security to our customers and stay ahead of evolving hacker techniques.

Update 2:
Chris Hadnagy and Michele Fincher, two well-known social engineering experts, told the Hash that this was "a pure social engineering attack from start to finish."
This would be a good opportunity to remind people to review their various accounts, passwords, and whether they allow any entities to store credit card or personal information. The attacker did his homework and came at the guy through multiple channels. The guy in the article suggested using a Gmail password as opposed to the domain password in case of compromise and extending your TTL - but it is a safer bet to do some things like:
Call your hosting / payment / card companies and have notes put on your account about information needed to give out your details;
Do not reuse passwords and make them stronger than you think you need;
Finally, review the companies you use to host and control things. It is a lot of work to switch companies, especially if you host a lot of domains, so do your due diligence and choose one that will serve your needs.
Companies that hold our information are obviously not going to any extent to protect our information, so it’s up to the individual user.  I am amazed at how easy it was for the attacker to trick PayPal.  It is something that we just can't imagine as many of us with PayPal accounts have had problems trying to do legit business with them.  So this just blows me away personally.  But it also points to the increasing number of MULTI-STAGED [Social Engineering] attacks.  This is not new, but in the last few years we are seeing much more of these popping up.

Wikipedia and many other wiki sites contained critical vulnerability

A vulnerability affecting 'wiki' websites put nearly a hundred million Wikipedia users at risk.
Wikipedia is one of the most highly visited sites on the Web with over 94 million unique visitors per month. A recently discovered vulnerability could have put those users at risk of malware exploits had it not been discovered.
Check Point researchers found a critical vulnerability in MediaWiki (versions 1.8 and up)—an open source Web platform used to create and maintain ‘wiki’ websites such as Wikipedia.org. If exploited, the flaw would allow an attacker to remotely execute malicious code. A successful attack could enable the attacker to gain complete control of the vulnerable Web server, and possibly compromise visitors by hosting malware on the site.
Thankfully, this issue has already been resolved. Check Point followed responsible disclosure guidelines and immediately contacted the Wikimedia Foundation—the group responsible for the MediaWiki platform. The Foundation verified the finding and developed an update to patch the vulnerability. Check Point also updated its own security tools to guard against potential attacks pending the update.
“It only takes a single vulnerability on a widely adopted platform for a hacker to infiltrate and wreak widespread damage,” said Dorit Dor, vice president of products at Check Point Software Technologies. “We’re pleased that the MediaWiki platform is now protected against attacks on this vulnerability, which would have posed great security risk for millions of daily ‘wiki’ site users.”
Thanks in part to the efforts of Check Point researchers, this crisis has been averted. If attackers had gained control of Wikipedia.org and injected malware code to infect site visitors the results could have been catastrophic and widespread.
This issue also illustrates why it’s important to be aware of discovered vulnerabilities that affect the systems and software you rely on, and why it’s crucial to implement patches and updates in a timely manner when they’re available.
For more details about this specific threat, check out this Threat Cloud Central blog post.
If you have a site that uses MediaWiki 1.8 or later, and you have not applied the latest update, you should do so as soon as possible to ensure your Web server is not vulnerable. Now that news of the flaw is public, and the patch exists for attackers to reverse-engineer, the threat is actually greater and the clock is ticking.

Happy privacy news even paranoids could love

Perk up, buttercup -- the Blackphone and MIT researchers offer glimmers of hope amid our NSA- and hack-filled landscape

When you're a journalist, tips pour into your inbox nonstop. Some concern current events, like BloomNation.com's breakthrough as the first online florist to accept bitcoins in time for Valentine's Day, but the rest hammer home the message that our lives are about as private as Justin Bieber's arrest record. Waste enough hours every day reading news from all around this big, blue, environmentally leprous marble, and like this aging snarko, you too will be overwhelmed by word of backroom NSA encryption dealings and the Canuck intelligence service spying on travelers going through its airports, especially once you've fully drained your quart of Johnny Walker life juice.
But my last NSA rant even left me a little down in the dumps, like a dog stuffed into a sidecar that came loose from a speeding motorcycle. I decided to cheer myself up by finding some positive news regarding personal privacy. It can't be all bad, right?
Credit: Nik Merkulov (devices) and Svitlana Pidburtna (heart)
I started by checking out the happy news sites I heard about a while back and dismissed as psychological crutches for Scientology rejects or Lindsay Lohan's legal team. Unfortunately, when I entered "personal privacy" into the site's search engine, all I got were links to a privacy policy page and a reference to the consumer privacy act from 2001.
Banking hopes on the Blackphone
Nuts -- I'd have to find happy privacy on my own. After downing a slug of cough syrup from Pammy's medicine cabinet, I got to work. To stay positive, I stuck a knitting needle into my thigh. The obvious place to start was the Blackphone that I pooh-poohed yesterday, but to which I'm now clinging with the desperation of Charlie White trying to make ice dancing look straight for the Sochi Olympics. If you dropped your iPhone in the toilet and are looking longingly at the gun safe, take some Blackphone heart.
For those who've been laid out on the bathroom floor since discovering their spouse went shopping at Target, here's the scoop: The Blackphone is an independent mobile device developed by Geeksphone and Silent Circle. It uses a custom, hardened operating system (PrivatOS) with Silent Circle's encryption software to provide native security for text messaging, phone calls, and even video communication.
In the course of my research, I also discovered a German company that's been producing CryptoPhone, a secure phone line, for a while now, which was both good and unexpected news from a country that helped perfect fascism for one dark decade. In addition, there were rumors of blueprints for a secure Android phone released by the NSA and tellingly dubbed "Fishbowl" -- a splash of comic relief.
Then I remembered the Swiss. I've been dinging the concept of a completely secure data vault that would work like the banks pioneered by the same mountain people with complete privacy, total security, and impenetrable legal immunity. My objection: It likely wouldn't just be a data haven for us law abiders, but also for pedophiles, terrorists, and sophisticated criminal geniuses like Lucas Duplan.
But given how the NSA, Facebook, and Google have been worming their digital tendrils into the very recesses of my dreams, I'm willing to overlook that little side effect and instead concentrate on the fact that the sweet Swiss made it happen in the same secret underground bunker where Hitler probably stored his collection of hobo genitals. (Yes, I know the nation was neutral, but if RSA is willing to whore itself out, I can't believe some Swiss politicians weren't morally vulnerable.) At least there's one place I could house my vacation photos without fear that a government nerd tech will analyze them for signs of potentially subversive independent thought.
A light at the end of the tunnel
Then, at last, I found a truly heartening story. This one detailed a new encryption algorithm being developed at MIT that not only protects your data, but also delivers fake data to hackers to lead them to a dead end. I love this. According to the article, the glorious crypto-geeks at MIT aren't alone. Another scheme is being built by an ex-RSA employee and a professor from the University of Wisconsin to detect hack attempts and respond by dumping enough gobbledygook on the offending digi-hunchback to make them burst into tears and crawl back to Internet porn.
It's not a lot, but it still made me feel better. The ex-white-hats-turned-gut-wrenchingly-pitch-dark-black-hats may currently be overwhelming us, but at least we're onto them and some good folks in rebel basement labs are working on ways to screw them up. Whew! Now I can go back to ignoring all these problems and figure out how to get my news and unwittingly give more information on my personal interests to Facebook.

Office 365 turns one, but success is tough to tally

Beware of misleading numbers, says one analyst; look at Office Web Apps' progress, argues another

A year after the launch of Microsoft's ambitious Office 365, it's almost impossible for outsiders to get a grip on how the software-by-subscription program has done, analysts admitted today.
Microsoft kicked off Office 365 -- a revamped program for businesses and a new attempt to convince consumers to subscribe indefinitely rather than buy the software every few years -- on Jan. 29, 2013. Since then, Microsoft has disclosed very few details about Office 365's revenue or subscriber performance, other than to occasionally tout the number of consumers who have signed up for the $100-per-year Home Premium.
"In its [SEC and earnings] disclosures, Microsoft talks about revenue at times, but the fact is a huge chunk [of Office 365] is really about revenue from desktop licenses that are just licensed by subscription," said Melissa Webster, an analyst with IDC. "In other words, they're moving revenue off one line and on another. That's not growth."
The last time Microsoft mentioned Office 365 revenue was in mid-2013, when it said the rent-not-buy program was at an annual "run rate" of $1.5 billion, meaning that at its then-current pace, it would generate that amount over the next 12 months.
The company has also pegged Home Premium subscriptions at various times in the last year, most recently last week when it said it had 3.5 million on that edition's rolls, an increase of 1.5 million from the last update in October that's worth $350 million in annual revenue.
Webster's point was that any numbers from Microsoft for enterprise Office 365 subscription revenue were misleading, since much of that revenue was not new but simply reflected a change of licensing from the traditional "perpetual" model, where companies bought licenses with rights to use the software as long as they wanted, to subscription.
"At least half is not new revenue, and not a new revenue stream," Webster said, no matter how the media interprets Microsoft's rare disclosures with its headlines. "At least half is just desktop software licensed a different way." She estimated that 60% of the Office 365 revenue was derived directly from the desktop licenses included with most plans.
In a research note last year, Webster called the run rate increases that Microsoft boasted of as an "indifferent" boost to actual revenue, arguing that the real net-new income was approximately one-fourth of Redmond's number once migrations from earlier programs and the switch in licensing were taken into account.
However, she did acknowledge that Microsoft has been drawing some new customers to Office 365, many of them small- or medium-sized businesses, for the hosted services like Exchange and SharePoint that are offered alongside the desktop software they used already.
Wes Miller, of Directions on Microsoft, a smaller research firm that only tracks Microsoft's moves, took a different tack in evaluating Office 365's progress.
Rather than focus on numerical metrics, Miller said it was important to remember why Microsoft switched to a subscription model in the first place, and look beyond the obvious point that the change was meant to smooth out the revenue peaks and valleys, and provide a steadier stream of money to the company.
"The point of subscriptions is one, so that the software is there when you need it and it's constantly updated," said Miller. "Two, software by subscription is much more agile because it can use the iterative methodology of Google and the Web development we've become used to over the last 10 years. We've definitely seen that in the Office Web Apps."
Miller focused on Office Web Apps, the browser-based versions of Word, Excel and PowerPoint that recent reports claim will shortly be renamed "Office Online" -- because they demonstrated the benefit to customers.
From his perspective, the Office Web Apps, which were updated and improved numerous times last year and through the first month of 2014, were indicative of Office 365's success. That's because, if nothing else, that pace of change would have been impossible without a shift away from the deliberate three-year development cycle and toward a more frequent, if not constant, tempo.
"The company isn't monolithic in its product groups," said Miller, who like most at Directions, once worked at Microsoft. "The Office Web Apps group made a conscious decision to iterate in a velocity impossible before. I think it's really important to understand what the Office Web Apps, in particular, have done. They've released apps for iOS and Android around Office 365, [which before Office 365] would have taken three or four years."
In mid-2013, Microsoft did, as Miller noted, ship Office apps for Android and iPhone, making them available only to subscribers of Office 365. The company, however, has not released Office apps suitable for Apple's iPad, an omission that many analysts have criticized.
Miller also argued that while the revamped Office 365 is now a year old, it may still have its best days ahead of it, as larger organizations have yet to discard their on-premises back-end servers for Exchange, SharePoint, Lync and other services tied to Office.
"We're seeing the same thing as with Azure," Miller said, referring to Microsoft's cloud-computing platform. "For a bigger organization to take advantage of Office 365 is very complicated. They've invested in Exchange, SharePoint and Lync, and there's a lot of heavy lifting to change. Many are still taking a wait-and-see position. And the revelations about the NSA [haven't] helped anyone."
Microsoft did not recognize the one-year anniversary of Office 365 Wednesday, perhaps not surprising since it's been relatively low key about the subscription program's progress all along.
And the rent-not-buy model now faces its toughest test, said Miller. "The big metric will be the churn rate," he said, referring to how many new customers come in, how many existing ones leave or re-subscribe.
Whether Microsoft reveals the churn rate, or even hints at it in future disclosures of subscriber counts for Office 365, is another matter.
Webster, of IDC, believed that the lack of hard information on Office 365 for enterprises was due to the muddled origin of those subscriptions, with some coming from migrations from earlier programs -- she mentioned "BPOS," or Business Productivity Online Suite, several times -- some from companies simply switching from perpetual to subscription licensing, and the like.
Miller agreed up to a point, but added that the opaqueness of Office 365's performance was also likely due to Microsoft not having a compelling story to tell.

Twitter buys 900 IBM patents, dodging a potential infringement suit

Twitter has acquired over 900 patents from IBM, a move likely intended to settle IBM's claims that Twitter was infringing on at least three of its patents.
IBM said Friday that Twitter acquired the patents in December, and that the companies had entered into a patent cross-license agreement covering other technologies that might be shared between the firms.
The deal will likely allow Twitter to continue to operate without facing a copyright infringement suit from IBM, which is one of the largest U.S. patent holders with an active portfolio of roughly 41,000 patents.
"This acquisition of patents from IBM and licensing agreement provides us with greater intellectual property protection and gives us freedom of action to innovate on behalf of all those who use our service," said Ben Lee, legal director for Twitter, in the announcement.
Financial terms of the deal were not disclosed.
Just as it was preparing to go public, Twitter revealed in November in a regulatory filing that IBM had alleged that it was infringing on at least three of its U.S. patents. Although it didn't file a lawsuit, IBM sent Twitter a letter inviting the social media company "to negotiate a business resolution of the allegations," Twitter said at the time.
IBM identified three patents specifically in the letter: for the efficient retrieval of uniform resource locators, for presenting advertising in an interactive service, and for programmatic discovery of common contacts, Twitter said.
It is not clear whether those three patents were included in the 900 that Twitter has since acquired, although they probably are. The totality of the purchased patents likely covers any number of software technologies and tools Twitter may choose to incorporate into its service. Twitter could not be immediately reached for comment.
Because IBM holds such a large portfolio of patents, Twitter's relationship with the company is not unique. Facebook, in the lead-up to its IPO, also purchased patents from IBM, as has Google.