Application Signing: How to make it pay off

Nick D’Aloisio hit the headlines recently by selling his Summly app to Yahoo for an estimated £18 million, which is not bad at all when you consider he is still a teenager.

So now you are hoping to emulate him. Fine. But first, although this may be stating the blindingly obvious, you need an idea. Let me rephrase that: you need a very good idea. But that doesn’t mean it’s just a very good idea to you. Other people need to think so, too, and not just your best mates, your parents, or devoted partner. I mean people you don’t know who would be willing to fork out their money for your app only after you’d convinced them it was worth every penny and a bit more. That, after all, is the ultimate test of anyone’s sincerity when it comes to doing business.

They do like it and would buy it? Great. But have you found out if someone else has already got there before you? Are there hundreds, even thousands, of people already happily using an app that’s all but identical to yours? No? Then it’s time to move up the apps ladder to the next level.

Now, while your app should be exceptional to truly succeed, it should also be fairly easy to create. Anything intricate and complicated is likely to backfire: too expensive, with much reduced prospects of even breaking even, never mind setting you up for life. Speak to someone who has been through the experience. Find out what went wrong and why. That will set you in good stead.

What about the start-up capital? In the current climate it’s unlikely any bank will start throwing cash at you, but friends and family are a natural starting point.

Okay, time to roll up your sleeves, which could be literal or metaphorical. In other words, are you the one with the actual IT skills to create the app yourself, or are you going to have to invest in the services of a computer engineer? When you find out what they charge per day – anything up to £1,000 a day is not that uncommon – you may well decide to invest in yourself and develop the required skills. But you don’t have to be all alone in this task. Several online and real-world code academies can help you. Some simple desk research and Google will typically show names such as Steer and Code Academy.

Then there is the matter of confidence: your potential customers’ confidence in you. How can they be absolutely sure that your app is coming from a risk-free source? Packaged software, of course, uses branding and trusted sales outlets to assure users of its integrity. But these are not available when code is transmitted on the Internet. Also, there is no guarantee that the code hasn’t been altered while being downloaded. So you need to be able to assure everyone from the outset that you – and your apps – are to be trusted.

On which note, it’s worth taking a look at Microsoft’s solution to these issues – Microsoft Authenticode. This allows developers to include information about themselves and their code with their programs through the use of digital signatures. And while Authenticode itself cannot guarantee that signed code is safe to run, it tells users quite clearly that the software publisher is participating in an infrastructure of trusted entities. That way, it serves the needs of both software publishers and users who rely upon the Internet for the downloading of software. Digital signatures ensure accountability, just as a manufacturer’s brand name does on packaged software.
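As an added illustration of the two sides of Authenticode described above (this is example code written for this post, not Microsoft’s own tooling or the author’s code), the developer signs the binary with a code-signing certificate, and the user checks the signature before running the download. The file paths and the timestamp URL are placeholders; a `HashMismatch` status is exactly the “altered while being downloaded” case mentioned above, and `Valid` only tells you who published the file, not that the code is safe.

```powershell
# Added example for this post, not Microsoft's or the author's code.
# Developer side: sign a binary with a code-signing certificate from the
# current user's store. Paths and the timestamp URL are placeholders.
function Publish-SignedBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $TimestampServer = 'http://timestamp.example.invalid'  # placeholder: use your CA's timestamp service
    )
    # -CodeSigningCert filters the certificate store to certificates usable for signing.
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
    if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }
    # Timestamping lets the signature remain valid after the certificate itself expires.
    Set-AuthenticodeSignature -FilePath $Path -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer $TimestampServer
}

# User side: inspect a downloaded file before running it.
function Test-DownloadedBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $ExpectedPublishers = @()   # optional allow-list of certificate subjects
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    $verdict = switch ($sig.Status) {
        'Valid'        { 'Signature valid and chains to a trusted root' }
        'NotSigned'    { 'Unsigned: publisher cannot be identified' }
        'HashMismatch' { 'File changed after signing (corrupt or tampered download)' }
        'NotTrusted'   { 'Signed, but the certificate does not chain to a trusted root' }
        default        { "Cannot verify: $($sig.StatusMessage)" }
    }

    # A valid signature identifies the publisher; it does not mean the code is safe.
    # Compare the subject against publishers you already expect, if an allow-list was given.
    $known = [bool](($ExpectedPublishers.Count -eq 0) -or ($ExpectedPublishers | Where-Object { $publisher -like "*$_*" }))

    [pscustomobject]@{
        Path      = $Path
        Status    = $sig.Status
        Publisher = $publisher
        Timestamp = if ($sig.TimeStamperCertificate) { 'timestamped' } else { 'no timestamp' }
        Verdict   = $verdict
        RunOk     = ($sig.Status -eq 'Valid') -and $known
    }
}

# Usage (placeholder path and publisher name):
# Publish-SignedBinary -Path 'C:\build\app-setup.exe'
# Test-DownloadedBinary -Path 'C:\Downloads\app-setup.exe' -ExpectedPublishers 'CN=Example Publisher' | Format-List
```

`RunOk` is true only when the signature is intact, chains to a trusted root, and the signer matches a publisher you expected; that is the check a cautious user makes before trusting an Internet download, and it is the accountability the paragraph above describes.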

So, now you have an app to tell people about, and they know it’s trustworthy across multiple platforms from Windows OS to Android to Windows Phone, how do you market it and make some real money out of it? Sadly, there’s no magic formula. Your app may be exceptional, but so, too, will be many of the countless other apps out there, clamouring for attention. So you want to make sure that your claim to fame, all things being equal, is un-equalled!

To which end, I came across some useful pointers recently on how to get this right – from the development and marketing team at Telerik Radcontrols for Windows Phone. Their ‘How to promote your Windows phone app on a tight budget’ guide contains a number of tips to help make you a savvy app entrepreneur. Just as helpful, if you go to: http://www.telerik.com/products/windows-phone/getting-started/resources.aspx, you can download a Windows app for free that allows you to browse through more than 100 examples to help inspire you.

Oh, and good luck!

Join @McAfeeSECURE for #eCommChat on 8/1 to Discuss Optimization Testing Best Practices (Part 2): Focus on Security

With the eCommerce industry reaching new heights, creating the best web experience possible for your site visitors is going to be even more crucial to success. Users expect much more than basic product photos and descriptions when it comes to online shopping, and with these increased expectations comes new responsibilities for merchants. Optimization testing can Read more…

The New Japanese “Not Just One-Click” Fraud on Google Play

Since the beginning of the year, Japanese one-click fraud scammers have continued to pump new apps onto Google Play and the market has struggled to keep itself clean. Though many are removed on the day they are published, some remain for a few days. Al…

Watching Your Every Move: Your Phone Could be Snooping on You Right Now

Let’s just say it. The world is going mobile. Practically any task you can perform on your computer, you can also do with a mobile phone, and there are even a few that your computer can’t do. In just moments, you can simultaneously shop for shoes, deposit a check and then quickly buy a plan Read more…

When Car Hacking Turns Your Vehicle into a Video Game

Modern cars contain a lot of nifty electronic gadgets, as well as more than one kilometer of cable wired to all kinds of sensors, processing units, and electronic control units. The cars themselves have become large computers, and as history shows, wherever there is a computer, there is someone trying to attack it. Over the past few years various studies have been conducted on how feasible it would be to attack a car through its onboard network. Most researchers focused on attacks with full physical access to the car, but some also explored external attack vectors.

If attackers have physical access to a car they can, for example, access the Controller Area Network (CAN) or the On-Board Diagnostic (OBD) system, but they can also perform other dangerous actions, such as physically tampering with the brakes or stealing the car. Digitally tampering with a car, on the other hand, might be much more difficult to prove after an accident. Such attacks could potentially be combined with other attacks that allow remote code execution, and the research discussed here should be read as a demonstration of what the payload could do once an attacker is on the network.

There are a few ways to get into a car’s system without having physical access to it, for example through tire pressure monitoring systems, traffic message channel (TMC) messages, or GSM and Bluetooth connections. Some manufacturers have started developing smartphone apps that can control some of the car’s functionalities, which opens another possible attack vector. There have also been some cases where specially crafted music files on USB drives were able to hijack some of the car’s systems.

Charlie Miller and Chris Valasek, two researchers working on a project for DARPA, explored how far they could go by hacking the Controller Area Network once inside the car. The pre-released video of their presentation for the upcoming DEFCON conference shows that nearly all of the car’s functions can be controlled or triggered, including switching off all lights, shutting down the engine, disabling the brakes, some limited steering, sounding the horn, and manipulating the system display. It doesn’t take much imagination to understand that this has the potential to cause serious accidents. Some of these changes could be made permanent and invisible with malicious firmware updates or system changes. Of course, a laptop with a modem in the glove box would work as well, but would not be as stealthy. If an attacker used the same method as the researchers, hopefully you would notice the attacker’s laptop on your back seat and wonder what was going on.

Car manufacturers are aware of these challenges and have been working on improving the security of car networks for years. Remote attack vectors, especially, need to be analyzed and protected against. At Symantec we are also monitoring this research field to help improve it in the future. Miller and Valasek’s research shows that cars can be an interesting target for attackers, but there are currently far bigger automobile-related risks than hackers taking over your car while driving. Personally, I’m more scared of people texting messages while driving and I assume they pose a far bigger risk than hackers when it comes to accidents, for now at least. Safe driving.

Short-URL Services May Hide Threats

In a recent post, AppAppeal ranked the most popular URL shorteners. The top five includes TinyURL, Goo.gl, Bit.ly, Ow.ly and is.gd. Unfortunately, these helpful services are also used to hide a large number of malicious URLs. This result has made me want to learn more about malicious links that may be hidden behind these shortcuts. Read more…

Internet Security Threat Report Readership Survey

Symantec’s Internet Security Threat Report (ISTR) is an annual report which provides an overview and in-depth analysis of the online security landscape over the previous year. The report is based on data from Symantec’s Global Intelligence …

The Dangers of a Royal Baby: Scams Abound

Big news stories are always an opportunity for scammers and spammers, who attempt to redirect users to malicious exploit kits or other unwanted services. Britain’s royal baby is the latest news to offer cover for malware. We have already found a lot of spam messages regarding the birth and baby that lead users to the Read more…

AVAST is most downloaded Software in Europe

Softonic, one of the world’s largest download site for Windows, Mac and mobile, has just announced that avast! Free Antivirus is the most popular download in Europe.  Thank you to our users who have downloaded AVAST from Softonic! Here’s what some reviews said about AVAST: Good protection at no cost Very good protection for a […]

Staying Clear Of The Dark Side


There are deep and disturbing sides to the Internet where businesses should fear to tread, if they want to keep themselves safe. So called ‘dark’ search engines, for example, certainly need to be approached with extreme caution.

Take Shodan, a search engine that navigates the Internet’s back channels. It’s akin to a ‘dark’ Google, helping hackers to find out the servers, webcams, printers, routers, systems, networks etc… that are vulnerable to tampering.

Shodan has been designed to help users track down certain types of software and hardware, determine which applications are most popular, identify anonymous FTP servers, or investigate new vulnerabilities and what hosts they could infect. All good stuff and useful to know. But Shodan also serves as a window into millions of unsecured online connections; and you definitely wouldn’t want those connections to be yours. It’s similar to a bank opening up for business in the morning and leaving the safe ajar by the front door – an open invitation to enter the inner workings of your organisation and see what riches are there to be had.

Shodan, it seems, runs non-stop, collecting data from hundreds of millions of connected devices and services each month. Through a simple search, a user can identify a number of systems that either have no security measures in place or generic passwords that can be hacked easily, leaving unwary organisations open to hazardous attacks.

There are accounts of one independent security penetration tester confirming that, amongst a number of unsecured systems he located using Shodan, were: a carwash that could be turned on and off remotely; an ice hockey rink in Denmark that could be defrosted with a click of a mouse; and a traffic control system for an unnamed city that could be put in ‘test mode’ with one command entry. But that is by no means the worst. Cybersecurity researchers are also said to have located command and control systems for nuclear power plants and a particle-accelerating cyclotron, using Shodan. Even allowing for apocryphal stories and a degree of hyperbole, that has to be worrying.

The biggest security flaw, argues Shodan’s creator John Matherly, is that many of these susceptible systems should not even be connected to the web. “Of course, there’s no security on these things. They don’t belong on the Internet in the first place,” he says. Many systems can now be controlled by computer, so IT departments hook them up to a server, instantly making systems and devices available to anyone with an Internet connection. It’s all part of that great unknown sometimes referred to as ‘The Invisible Web’ – the area of the WWW that isn’t indexed by the search engines. And it’s a high-risk place to be, if you don’t have the right protections in force.

Indeed, tightly targeted cyber-espionage attacks, designed to steal intellectual property, are hitting the manufacturing sector and small businesses with ever greater venom, warns Symantec’s latest ‘Website Security Threat Report’, with the latter, highly vulnerable, organisations the target of 31% of such attacks – a threefold increase on 2011. Targeted attacks overall have seen a massive 42% surge during 2012, compared to the previous year.

It’s also worth noting that in many cases protecting yourself, your company and your intellectual property online is not difficult, as long as you start with solid foundations such as securing your websites, intranets, extranets etc… with the latest encryption technologies from Symantec.

Using Symantec SSL is a cost-effective security measure for websites; when SSL is deployed site-wide in a persistent manner it helps to protect the entire user experience from start to finish, making it safer to search, share and shop online. This encrypts all information shared between the website and a user (including any cookies exchanged), protecting the data from unauthorised viewing, tampering or use. The Online Trust Alliance is one leading organisation calling for websites to adopt persistent SSL (also known as ‘Always-On SSL’), and some of the world’s best-known names, including Google, Twitter and Facebook, have already implemented it.
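What “persistent” or Always-On SSL looks like in practice is visible in a site’s response headers: plain-HTTP requests are redirected to https://, the Strict-Transport-Security header keeps browsers on HTTPS afterwards, and every cookie carries the Secure flag so it is never sent in the clear. The checker below is an added example written for this post (not Symantec’s or the Online Trust Alliance’s code) that scores a captured header block against those three points; the sample headers are constructed, and the 180-day HSTS threshold is an assumption chosen for the example.

```powershell
# Added example for this post (not Symantec's or the Online Trust Alliance's code).
# Given the response headers a site returns over HTTPS (and optionally over plain
# HTTP), report whether it behaves like an "always-on" SSL deployment.
function Test-AlwaysOnSsl {
    param(
        [Parameter(Mandatory)] [string] $HttpsResponse,   # raw header block from an https:// request
        [string] $HttpResponse = ''                        # raw header block from the same URL over http://
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $lines = $HttpsResponse -split "`r?`n" | Where-Object { $_ -match ':' }

    # Strict-Transport-Security tells browsers to stay on HTTPS for max-age seconds.
    $hsts = $null
    foreach ($line in $lines) {
        if ($line -match '^Strict-Transport-Security:\s*(.+)$') { $hsts = $Matches[1] }
    }
    if (-not $hsts) {
        $findings.Add('No Strict-Transport-Security header: browsers may still try plain HTTP')
    } elseif ($hsts -match 'max-age=(\d+)' -and [int]$Matches[1] -lt 15552000) {
        # 15552000 s = 180 days; the threshold is this example's own choice.
        $findings.Add("HSTS max-age $($Matches[1]) is short; six months or more is the usual advice")
    }

    # A cookie without the Secure flag can be sent over http:// and read on the wire,
    # which defeats the point of encrypting the rest of the session.
    foreach ($line in $lines) {
        if ($line -match '^Set-Cookie:\s*([^=]+)=') {
            $name = $Matches[1]
            if ($line -notmatch ';\s*Secure\b')   { $findings.Add("Cookie '$name' lacks the Secure flag") }
            if ($line -notmatch ';\s*HttpOnly\b') { $findings.Add("Cookie '$name' lacks HttpOnly") }
        }
    }

    # The plain-HTTP version of the page should redirect to https://, not serve content.
    if ($HttpResponse) {
        $httpLines  = $HttpResponse -split "`r?`n"
        $statusLine = $httpLines[0]
        $location   = $null
        foreach ($line in $httpLines) {
            if ($line -match '^Location:\s*(https://\S+)') { $location = $Matches[1] }
        }
        if ($statusLine -notmatch '^HTTP/\S+ 30[1278]' -or -not $location) {
            $findings.Add('Plain-HTTP request is not redirected to https://')
        }
    }

    [pscustomobject]@{
        AlwaysOnSsl = ($findings.Count -eq 0)
        Findings    = $findings.ToArray()
    }
}

# Constructed sample: a site that uses SSL on its pages but leaves the gaps above open.
$https = @"
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Set-Cookie: session=abc123; Path=/; HttpOnly
Set-Cookie: pref=dark; Path=/; Secure; HttpOnly
"@
$http = @"
HTTP/1.1 200 OK
Content-Type: text/html
"@
Test-AlwaysOnSsl -HttpsResponse $https -HttpResponse $http | Format-List
```

Run against the constructed sample, the function reports three findings (a short HSTS max-age, the `session` cookie without Secure, and no HTTP-to-HTTPS redirect) and `AlwaysOnSsl` is false; a site that has genuinely gone always-on returns an empty findings list. In real use you would paste in the headers captured by your browser’s developer tools or by `curl -I`.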

You might also want to look at Symantec Validation and ID Protection Service when shoring up your defences. This is a powerful cloud-based authentication service that enables enterprises to secure access to networks and applications, while keeping out malicious, unauthorised intruders. A unified solution providing both two-factor and risk-based tokenless authentication, VIP is based on open standards and can integrate readily into your enterprise applications.

With solutions such as these firmly in place, you should have the foundations to make light of even the Internet’s darkest places, but don’t stop there. As a colleague of mine writes here: “As we near the 2-year anniversary of Stuxnet, it is high time to check where your own organisation stands. While doing so could be relatively quick (particularly using such databases), dealing with the damage would take much longer so we strongly recommend the former course of action.”

There is no time like the present to review what you do and take the appropriate steps to ensure your organisation is protected both now and in the future.