Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    August 2014
    S M T W T F S
    « Jul    
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - David Sancho (Senior Threat Researcher)

    Concerns about privacy on the Internet have always been out there, but news events of late seem to be bringing this problem more and more into the public eye.

    Earlier this month, Google began implementing its “new” privacy policy – despite opposition from many parties, including French and European Union regulators. The new privacy policy allows Google to consolidate what it knows about users across all of its services, something it had never done before. According to Google, this makes for a “simpler, more intuitive Google experience.”

    It’s not just search engines themselves falling under watch for privacy problems. Early in February, the popular Path and Hipster apps were discovered to be uploading user address books to their servers. Later on, it was discovered that both iOS and Android suffered from problems that allowed apps access to user photos even if they had not granted that particular permission.

    So far, there really hasn’t been a good set of guidelines that companies holding our data could be held accountable to and asked to follow. Essentially, companies with access to our private data were left to their own devices when it came to treating that data – with predictable consequences to our privacy.

    In February, it was announced that many advertising networks and leading Internet companies such as AOL, Google, Microsoft, and Yahoo have all agreed to implement the Do Not Track feature: essentially, it stops websites (and advertising networks) from tracking users. This blocks certain practices used by advertisers, such as personalized advertising.  (We discussed personalized advertising earlier on our ebook Be Privy to Online Privacy.)

    This was in line with a White House blueprint for what it called a “Consumer Privacy Bill of Rights”. The set of principles that the white paper includes are all sound and, frankly, common sense: they give user’s online data the same set of protections that they should have offline. Fundamentally, the US approach calls for Internet companies and industries to voluntarily adopt regulations which are then enforced by regulatory agencies.

    Does this mean that users no longer have to worry about their privacy, that advertisers and website owners will no longer abuse what they know about users? Sadly, that is far from being the case

    The Do Not Track announcement was not about anything that could be immediately implemented. How Do Not Track will actually be implemented – and thus, whether it actually works – is not yet entirely clear. In short, it will take some time for Do Not Track to actually be something that users can turn on.

    What these steps do mean is that regulators are finally paying attention to privacy as an issue, and companies are realizing that they have to start paying some attention, instead of just issuing blanket statements that said nothing. European privacy regulators have already launched a probe into Google’s new privacy policy. As a result of a settlement with California authorities, app store operators like Apple and Google have agreed in principle to make app developers include privacy policies if their apps gather user information.

    User concern about tracking and personal privacy is very real. A Pew Research poll found that almost two-thirds of American search engine users disapproved of personalized search results. A similar number had negative views on targeted advertising. A separate study by the University of Queensland found similar attitudes among Australian users. Clearly, users have serious concerns about what kind of information is gathered about them, and how this information is being used.

    The debate over privacy in the digital age will, no doubt, continue. Different people will have different standards for what they consider the acceptable trade-off between convenience and privacy is. Users should be free, however, to make that decision for themselves – and to have the information and tools to decide where their data will end up going.

    Posted in Mobile | Comments Off

    Last month, Google announced that they were making search more secure for their users. They announced that users already signed in to Google would have a more secure experience. This meant two things: first, search queries and results would now be sent via HTTPS. This protects the searches of users with unsecured Internet connections, such as most WiFi hotspots.

    The second part was far more interesting. According to our tests, Google does not include the search terms used to reach websites anymore in the HTTP referrer header. Here’s part of the URL that Google is now sending as the referring URL:

    Note that after the &q= portion, no search term is specified. By contrast, a standard search has a referring URL more like this:

    The repercussions are twofold. First, legitimate web sites won’t be able to point out what terms they use are popular. Thus, their own optimization efforts might be impeded. I know that as a web site owner, it’s really useful to have those stats and be able to tune your content so that it’s more easily searchable. To get this information, you now have to sign up for Google’s own analytics services–which may or may not be feasible for all websites.

    Read the rest of this entry »


    I’ve read lately about the launch of Google Wallet and how it may revolutionize how we make payments. Instant payments by putting the phone near a terminal and by keying in my PIN? Sounds good. As exciting as it may be to try out new technologies, if it has to do with my wallet though, I think things through twice or more.

    Things to Consider

    First off, you need to have an Android phone. Android, while a beautiful piece of software, is the most attacked mobile software in the planet. It’s the most used one now that it has surpassed its main competitor (Apple) and there are no signs of it slowing down. I don’t mean to say that anything running on Android is bad or risky but just keep the “most attacked” angle in mind for now.

    Second, it uses NFC, a technology not very unlike RFID. That’s the information-emitting little chip you put on your dog so the vet can easily identify him. It’s also the little chip on your passport broadcasting your data and the one that your credit card uses (if you have a U.S. credit card, that is). It’s a technology that, while extremely useful, provides a very juicy target for the bad guys. A bad guy with a big antenna pointed at my dog can read her ID number from afar. Okay, that’s not the worst scenario I can picture.

    Read the rest of this entry »


    When news broke earlier this week that some Citibank Japan customers’ information leaked, many of the bank’s customers probably thought, “Again!?!” But this is not a rare occurrence these days. This time around, it wasn’t even Citibank’s fault; one of the companies it outsources some services to was at fault.

    This is the second data breach involving Citigroup, both of which led to the exposure of a great deal of user information. The key difference between the two incidents, however, is the attacker. Someone who wasn’t associated in any way to Citigroup was responsible for the first incident while someone from within an organization Citigroup outsources certain operations to was responsible for the second one.

    After a past history of breaches, the 92,400 credit card holders whose data was stolen have a right to be mad. But mad at whom? Past history or not, it’s difficult to be mad at Citibank. It wasn’t the one who lost the data this time after all. At the hackers who stole the data? Maybe. But there are too many of them with a variety of motivation, not all of which are financial. At the outsourcing company? Well, that’s something certainly worth considering.

    Too Many Sheep in Different Farms

    A big problem for corporations with regard to data leakage has to do with the number of data repositories they need to look at and the different departments within their organizations that are in charge of the said data. In a global company, different security and IT departments, along with several outsourcing companies, have access to data. Therefore, the amount of coordination required to secure the whole thing is huge. Monitoring also becomes as critical as it is difficult. This is where security gaps begin to show. You just can’t keep an eye out on your sheep when you have too many spread out over different farms.

    Read the rest of this entry »


    In the last 24 hours, there has been much coverage of a data breach that affected an estimated 35 million users of SK Comms in South Korea. SK Comms is the largest service provider in the region that offers three types of service—social networking, mobile phone, and instant-messaging (IM) services. The breach affected user accounts of Nate portal and Cyworld, both under SK Comms.

    SK Comms Breach

    Given the breadth of services that SK Comms offers, the service provider is committed to provide user security and, as such, requires higher levels of personal information to secure and link user accounts compared with many other service providers. Unfortunately, these very measures are also the same ones that greatly affected its users. The stolen information include user names, email addresses, contact numbers, and some encrypted information that include the users’ blood types.

    The online landscape in South Korea is interesting and gives us an idea of the impact of the breach. The country’s Internet penetration is high and its Internet speed is fast enough to sustain mobile banking (i.e., conducting online banking transactions using mobile devices and smartphones). As such, mobile banking is pretty commonplace in South Korea. If users submit the same information and use the same password for all of their online accounts, it would not take too much creativity for hackers to conduct subsequent attacks.

    SK Comms issued an advisory to users of the affected sites. In the said post, it extended apologies with regard to the incident and gave users instructions in case they receive voice phishing calls and spammed messages. More information can be found in

    Read the rest of this entry »



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice