Symantec has discovered over a dozen apps with malicious code that could cede control of your smartphone to perpetrators.

In a recent blog post, the security company said the apps, which are hosted on the Android Market, can be used to propagate a “bot-like threat that can receive commands to carry out certain actions, as well as steal information from the device”.

These threats are also known as botnets, where a collection of compromised computers can be controlled by a central server to launch denial-of-service attacks. Private information such as bank account numbers on compromised devices could also be stolen by cybercriminals.

According to Symantec, the malicious code is grafted onto the apps in a package called “apperhand”. Once launched, a service with the same name may be seen running on a compromised device. A search icon will also appear on the home screen

The malicious apps appear to be from three publishers: iApps7 Inc, Ogre Games and redmicapps. About half of the apps in question have been removed from the Android Market as of today.

Malware targeting mobile devices are expected to increase this year. The hardest hit are likely to be Android-based devices, given the operating system’s large market share and open innovation platform, said ICSA Labs, a division of Verizon Business that tests and certifies security products.

If IBM researchers get their way, remembering passwords will soon be a thing of the past. Big Blue has recently published a video of what it thinks will become reality by 2016, such as mind reading and generating electricity from human activities, among other predictions:

Generate your own electricity
Anything that moves generates kinetic energy, which can be converted to electricity. We can tap this energy from running water, or the rotating wheels of a bicycle to power our homes and offices. IBM scientists in Ireland are already looking at ways to understand and minimise the environmental impact of converting ocean wave energy into electricity.

Biometrics
Your biological make-up could be used more extensively to authenticate access to secured systems and safeguard your identity. According to IBM, biometric data such as retina scans and voice can be combined through software to build your unique DNA-based password. The same biodata could also be used to authenticate ATM transactions, eliminating the use of magnetic strip cards, which are prone to card skimming as we’ve found out this week.

Mind reading
Mind reading has been wishful thinking among science fiction fans for decades. But their wish may soon come true. Within five years, we’ll begin to see the applications of mind reading technology. Doctors could use it to test brain patterns, assist with rehabilitation of patients and understand brain disorders such as autism. IBM researchers are now figuring out ways to link our brains to devices so you can just call someone on a smartphone by thinking about it. In the further future, you could also type on a computer by thinking about the words to say!

No more digital divide
The digital divide will cease to exist in a global society where the wealth of economies is determined by the level of access to information. In five years, the gap between information haves and have-nots will be eliminated, thanks to the adoption of mobile technology. Eighty percent of the global population of seven billion will have a mobile device, IBM predicts. It’ll be cheaper to own a cellphone than open a bank account or buy a laptop. And because of this, rural communities are able to achieve much more than before, such as checking weather reports on their cellphones to determine the best time to fertilise their crops.

Death to junk mail
Too often, we’re flooded with irrelevant information including junk mail. In five years, spam e-mail will become personal notes. Through analytics technology, computers will be able to filter data that’s important and relevant, and bring you information that you would have asked for. Imagine your phone knowing that your favourite band is coming to town and putting tickets on hold for you to purchase.

Do IBM’s predictions sound too far fetched to you? Let us know in the comments.

According to tests conducted by AV-Test, which bills itself as an independent IT security and anti-virus research specialist, the most popular free anti-malware apps on the Android Market do not offer reliable protection against malware. The company also partners with PC World magazine to review security products.

Zoner AntiVirus Free was the only free app with a respectable result in the test. The security app, which boasts of 50,000 to 100,000 installations, detected eight out of 10 malicious apps.

BluePoint AntiVirus Free, Kinetoo Malware Scan and Privateer Lite warned against one malicious app, while Antivirus Free by Creative Apps, GuardX Antivirus and LabMSF Antivirus beta failed to detect any malware completely. In comparison, commercial apps by F-Secure and Kaspersky detected all threats without a problem.

Security researchers at Romanian security software company BitDefender recently warned that the number of Android malware could swell from 200 today to 12,000 by March 2012, according to a September report by The Register.

In June this year, researchers at North Carolina State University identified a new Android malware called DroidKungFu that avoids detection by masquerading as a VPN client.

“DroidKungFu clearly represents the next evolution in mobile malware,” said Derek Manky, senior security strategist at Fortinet, a provider of network security appliances.

“Where earlier attempts at Android malware, such as Zeus in the Mobile (Zitmo), are able to intercept the type of two-factor authentication that banks use to validate the identity of the account holder when logging in, DroidKungFu does much more,” he noted.

“By disguising itself as a legitimate VPN client application, the malware quickly gains root access to the device using social engineering. Once executed, DroidKungFu has the ability to download further malware, open URLs in a browser, start programs and delete files on the system,” Manky said in a media statement.

Singaporeans are still leery of doing financial transactions on the Internet, according to a recent survey by Paypal.

The research study, which was commissioned by PayPal and executed by Nielsen, collected over one thousand responses from Sinagporeans in a two-week survey period from end July to early August 2011.

The key criteria to be included in the study was having transacted online or through a mobile device in the past three months.

Key findings include:
– 33 percent of respondents had experienced fraud, phishing or had their personal information stolen online or from their computer.

– 91 percent of respondents were concerned about the amount of personal and financial information shared online. 50 percent did not know how many websites hold their personal details.

– 50 percent of respondents re-use the same passwords across multiple accounts. This could be solved using password management tools.

– 55 percent of respondents were not comfortable sharing their credit card, debit card or bank account online. With all Singaporean banks having some form of two-factor authentication, this is surprising to me.

The study was endorsed by the National Crime Prevention Council (NCPC), which suggested some of the issues for PayPal to look at.

NCPC has also spearheaded interesting programs like Cyberonia, a virtual online game to teach local primary school kids about internet safety and security.

NCPC is part of the Cyber Security Awareness Alliance, a collaborative body driven by the Infocomm Development Authority (IDA) , which is dedicated to raising awareness in cyber security issues in Singapore.

By 2021, three-quarters of Singapore companies say they will outsource the majority of their IT infrastructure, of which half will move their infrastructure to the cloud. The top three cost savings, they say, will come from reducing IT infrastructure costs, implementing a cloud and virtualisation strategy as well as standardising their IT infrastructure.

Conducted by Vanson Bourne, a research firm, the survey polled 480 IT decision makers in Singapore, Germany, France, United States and United Kingdom. The study was commissioned by Savvis, a cloud infrastructure and hosted IT provider.

Singapore companies are already leading their global counterparts in IT outsourcing. Only 43 percent of respondents host their IT infrastructure in-house, compared with 59 percent worldwide. And among Singapore firms, 44 percent say dedicating resources to develop and manage business critical applications will be their top priority.

“The adoption of outsourced IT infrastructure, in particular managed hosting and cloud computing, is a trend that Savvis has witnessed amongst our client base,” said Bill Fathers, president of Savvis, in a media statement last week.

“Singapore IT leaders are at the forefront of outsourcing adoption and we expect to see the propensity to outsource increase further over the next five years as more enterprises experience the benefits it brings,” he added.

The survey also revealed that over half of Singapore companies are paying for excess capacity to meet peak demands, with seven out of 10 saying they have IT equipment that they regret purchasing, compared with 43 percent globally.

Also, half of Singapore businesses reportedly utilised 55 percent or less of their total capacity. This is notable because it means companies here are doing a better job at maximising their use of IT resources, given that utilisation rates in most organisations hover around 15 to 20 percent.

So what’s stopping companies from outsourcing? The study found that contractual obligations and company culture are the top culprits, though these reasons should surprise no one, especially when jobs are expected to be threatened in any outsourcing deal.

Interestingly, security and risk management issues in IT outsourcing and cloud computing were not mentioned. Despite assurances from IT vendors, there is still significant trepidation over security, governance and risk management.

In fact, almost all companies that have moved to the cloud in the Asia-Pacific region have experienced some form of downtime from their cloud computing services, according to a separate study by CA. Failures in IT systems affected nearly three-quarters of surveyed organisations in the region.

CA said the “high level of data loss” indicates a lack of readiness for these failures among businesses. Just a quarter say they have comprehensive disaster recovery plans and 38 percent say they have not achieved their disaster recovery objectives despite testing their disaster recovery plans at least once a year.

So while IT outsourcing and cloud computing will allow companies to focus on innovation and business critical applications without investing on resources just to “keep the lights on”, jumping on the bandwagon without addressing security, governance and risk is foolhardy.

Image credit: D’Press, by Kishore Budha, used under a Creative Commons Attribution-ShareAlike license: http://creativecommons.org/licenses/by-sa/3.0

If you’ve been paying your credit card bills online, you should be familiar with the token PIN that’s required to access most Internet banking services in Singapore.

This security mechanism is commonly known as two-factor authentication (2FA), which requires users to enter a token-generated PIN, plus the usual username and password to access online banking sites and corporate networks.

Besides financial institutions, the Singapore government and some large corporations have also issued employees with tokens for an added layer of security.

My Gmail account was hacked last week and it was only then when I realised that Gmail has a little-known 2FA feature known as 2-step verification – at least I didn’t know about it until now.

Once you turn it on, anyone who tries to access your Google account on an unauthenticated device will need to enter a PIN generated by Google Authenticator, a smartphone app for iPhones and Android devices. In other words, your phone becomes your token.

Setting up 2-step verification is easy and Google has a detailed guide here. For those who want a quick run-down on how to do this, follow these steps:

1. Download the Google Authenticator app from the Android Market, iTunes App Store or http://m.google.com/authenticator for BlackBerry devices.
2. Sign in to the 2-step verification settings page on a computer.
3. Select your device (iPhone, Android or BlackBerry), and tap Next to generate a QR code that will be used to link your device with Gmail.
4. Launch the Google Authenticator app and tap on the plus icon to authenticate your Gmail account. Accounts can be added manually by entering your Gmail access credentials, or using a bar code scanner app to scan the QR code generated in Step 3. If you don’t have a scanner app, download one.
5. Click on next on the computer, then enter the verification code on your phone in the Code field and click Verify.
6. If the code is correct, a confirmation message will be displayed. Then, click on Next.
7. Now, you will see a list of backup codes that can be used to access your Google account if your phone gets stolen. Save this list or print it out, then click Next.
8. You will also be asked to add a backup phone number for a backup code to be sent to you if you lose your phone. Complete the set-up by sending a test code to the backup phone.
9. Once you are done, sign in as usual to your Gmail account. Check “Remember verification for this computer for 30 days” if you do not want to keep entering a verification code each time you sign in for the next one month.

Note: If you’re using your Google credentials to log on to third-party websites and apps, you may be prompted to enter an authentication code to access those websites.

Amazon Web Services (AWS) has rolled out its Amazon Virtual Private Cloud (VPC) service to its data centers around the world, including in Singapore, Tokyo and Europe.

Launched in 2009, Amazon VPC lets enterprises privately access a section of AWS, where they can tap computing resources in a virtual network under their control. This includes the selection of IP address range, creation of subnets, and configuration of route tables and network gateways, like they would in their own data centres.

While Amazon VPC gives enterprises a simple and seamless way to leverage AWS using the same security and management controls already familiar to their business, the service is NOT tatamount to a private cloud, as pointed out by some industry observers.

“Amazon VPC is not a private cloud offering,” said Lydia Leong, research vice president at Gartner’s technology and service providers group in a blog post.

“It is a connectivity option for a public cloud. If you have concerns about sharing infrastructure, they’re not going to be solved here. If you have concerns about Amazon’s back-end security, this is one more item you’re going to have to trust them on – all their technology for preventing VM-to-VM and VM-to-public-Internet communication is proprietary,” she added.

Amazon VPC works in a way that’s similar to the way office workers access their corporate e-mail on the move through VPN connections that provide private, secure tunnels over the Internet. At corporate backends, computers that “tunnel in” are assigned corporate IP addresses and would seem as if they are on the same network.

To be clear, what Amazon VPC does is to allow enterprises to access their AWS resources over a VPN connection, rather than isolate resources from Amazon’s shared computing pool for specific customers in the case of a private cloud.

In addition to VPN capabilities, Amazon is allowing enterprises to connect to AWS resources directly through a new service dubbed Direct Connect.

With a private connection, Amazon says, “enterprises can increase bandwidth throughput, reduce networking latency and costs, and provide a more consistent network experience when moving data between AWS and their data centres”.

The pay-as-you-go service, which provides dedicated Gigabit Ethernet or 10 Gigabit Ethernet links from corporate data centres to AWS, will only charge enterprises for network ports used and data transferred out of AWS. Data transfer into AWS is free.

Right now, AWS Direct Connect is available only at Amazon’s Virginia data centre, where companies can connect to services in the AWS US-East (Virginia) Region. Additional AWS Direct Connect locations are planned for San Francisco Bay Area (San Jose), Los Angeles, London, Tokyo and Singapore in the next several months.

Amazon is also making it easier for companies to access AWS resources using their existing identity management systems. This “identity federation” feature, provided through Amazon’s free Identification and Access Management service, will negate the need to create separate AWS credentials for users to access Amazon’s cloud computing resources.

The trio of AWS enhancements may be seen as a bid by Amazon to bring more companies concerned about security and network latency onboard its cloud computing platform.

According to IDC, the adoption of cloud computing is continuing to mature in the Asia-Pacific region, excluding Japan.

Countries in the region have emerged from economic uncertainties over the past two years with increased enthusiasm for cloud computing as a way to deliver existing and new business services, IDC said. Companies will also look beyond Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) to source business services that help them take advantage of recovering markets more quickly.

Almost all companies that have made the move to the cloud in the Asia-Pacific region have experienced some form of downtime from their cloud computing services, a new survey has found.

Conducted by CA Technologies, the IT management software company, the survey revealed that 95 percent of 1,086 respondents in eight countries admitted they have incurred application downtime and data losses over the past year.

Failure in IT systems in areas such as network, storage, hardware and software were the main culprits, affecting nearly three-quarters of surveyed organisation from Australia, China, India, Malaysia, Singapore, South Korea, Thailand and Taiwan.

These outages could cost companies around US$350,000, according to a previous CA Technologies study.

CA said the “high level of data loss” indicates a lack of readiness for these failures among businesses. Just a quarter say they have comprehensive disaster recovery plans and 38 percent say they have not achieved their disaster recovery objectives despite testing their disaster recovery plans at least once a year.

When asked about the barriers to improving data protection and disaster recovery operations, 45 percent of companies pointed to a lack of budget and 42 percent said there was inadequate buy-in from senior management.

Despite the bugbears, 42 percent of companies surveyed said the cloud continues to play an important role in their disaster recovery and data protection plans.

More than half of companies said they will invest in managing a hybrid cloud environment, where private clouds are supplemented with IT resources on public clouds. A third of respondents plan to use public clouds in their backup plans and 31 percent intend to better their private cloud investments.

The Internet Corporation for Assigned Names and Numbers (ICANN) has approved a program to expand the Internet address system’s top level domains (TLD) beyond the familiar suffixes such as .com and .net.

Under a new TLD program, companies, entrepreneurs and communities can apply and run their own TLDs that incorporate their company names, trademarks and location names.

As an example, Sony could switch from Sony.com to .Sony, while cities such as Bangkok could have a domain name such .bangkok. The new domain names will also support languages such as Chinese, Japanese and Arabic.

The approval follows years of discussion between the Internet community, business groups, governments and ICANN, the global governing body for domain names.

At a media briefing today, ICANN president and CEO Rod Beckstrom said the new program will throw up new domain names that weren’t available previously.

“If you live in Japan, it means there could be equivalents of generic top level domains such as .com and .org in kanji, katakana and hiragana, as well as new terms that might be in Latin scripts,” Beckstrom said.

“It opens the right of the dot (in domain names) to anything. So instead of .com and .net, think .anything,” he added.

So far, over 120 organisations have indicated interest in applying up for a domain name under the new program, though ICANN has not started receiving applications from interested organisations, Beckstrom said.

Applications for the new TLDs begins next January and will close three months later, in April 2012. The first TLDs expected to be approved by the end of 2012.

Beckstrom said ICANN is only receiving applications next year to allow sufficient time to educate organisations on the application process and availability of the new domain names.

“We decided to invest more time in our communications program because we thought that would the best thing to do to serve the public interest,” he added.

ICANN has also produced a guide book with information on how to apply for the new domains. The guide has gone through seven significant revisions to incorporate over 1,000 comments from the public.

Running your own domain name is not cheap and certainly not for the faint-hearted. The application fee could cost at least US$185,000, determined by ICANN on a cost recovery basis. The amount covers six evaluations for each application, along with other development and contingency costs.

The ICANN board has approved up to US$2 million to help developing countries get on the new domain names. This could translate to lower application fees or technical assistance, though the exact form of support will only be determined after ICANN has received inputs from an internal working group.

Adrian Kinderis, CEO of domain name registry AusRegistry International, said the new TLDs will allow for regulated online name spaces that are authentic, verified and trustworthy.

In a media statement, he said HSBC, for example, could assure customers concerned about the security of its online banking services with a simple message: “If it’s not .hsbc, it’s not us”.

As Mac OS X grows in popularity, with Apple selling a record number of Macs during its most recent quarter, malware writers are expected to be on the prowl for Mac users who haven’t seen a real need for antivirus software.

Last month, Mac OS X security was put to the test when a piece of malware masquerading as security software made its rounds on the Internet using SEO (search engine optimisation) techniques that placed it at the top of search results.

Once installed, the professional-looking program dubbed MacDefender displays porn sites and bogus virus warnings. This is followed by an option for users to fix the problems by buying a license for the fake software using a credit card.

Sure, Apple has baked in security features in Mac OS X to guard against malware:

Mac OS X v10.5 Leopard and Mac OS X v10.6 Snow Leopard improve download validation by providing file quarantine in some applications, such as Safari, iChat, and Mail. This means that files you download via Safari, iChat, or Mail are checked for safety when you open them.

File quarantine-aware applications that download files from the Internet, or receive files from external sources (such as email attachments), will attach file quarantine attributes. When you open a potentially unsafe file in Finder, Spotlight, or from the Dock, the file quarantine feature will warn you about unsafe file types.

When you open a quarantined file, you will receive a dialog box asking, “Are you sure you want to open it?” You should cancel opening the file if you have any doubts about its safety.”

In addition, Snow Leopard builds upon this “unsafe file type check” by scanning for known instances of malware. When you open a quarantined file, the file quarantine feature will check to see if it includes known malware.

Apple maintains a list of malware signatures, though this list isn’t updated as often as it should. The OSX.OpinionSpy spyware signature, for example, was only added 10 months after the spyware first surfaced.

Apple has since released security updates to block the installation of Mac Defender and five known variants of the malware, including MacProtector, MacSecurity, MacGuard and the latest MacShield, during a month-long cat-and-mouse chase with malware creators.

If you think your Mac might have been infected this time, use the Icrontic Mac Defender and Mac Protector Removal tool and update your machine if you haven’t done so.

While Apple has acted on this latest threat, no operating system can be 100 percent immune to every threat, a fact which Apple acknowledged at the end of its Mac OS X security page. The commonsense thing to do is to install security software from the likes of Intego and Norton, which Apple reportedly uses on its own company machines.

It’s about time Mac fans squash their beliefs that the Mac is somehow impervious to malware.