iCloud Not Hacked, but Some Passwords in Criminals’ Possession Reportedly Genuine

Apple has denied that its security has been compromised, following ransom demands from a criminal group that claims it has the usernames and passwords of hundreds of millions of iCloud and Apple email accounts. However, independent verification of samples of this set provided to media outlets indicates that at least some of them are in fact genuine, and that users should be worried.

The relatively unknown organisation calling itself Turkish Crime Family says it will remotely wipe users’ devices and the contents of their accounts on April 7 if Apple does not pay each of its seven members $100,000.

The group has released evidence that it is in contact with Apple’s security team, and has also proactively reached out to various international media organisations to bolster its claims. A public Pastebin post and several tweets describe frustration with reporting of the situation, and clarify that the group never claimed to have hacked Apple directly, but the accounts are genuine and were gathered from multiple insecure third-party sources.

The Turkish Crime Family further claims to be able to reset 150 accounts per minute using 17 scripts running simultaneously on each of its 250 servers, for a total of 637,500 accounts per minute. Those servers have purportedly already verified 250 million of the Apple IDs in the group’s possession, with more being added after checking for simple password modifications such as the capitalisation of the first letter.

ZDNet and TNW have both investigated the situation, and report that while some of the accounts are several years old and not functional, many others are. ZDNet reached out to the Turkish Crime Family and was given a small sample of 54 user IDs and says that Apple’s password reset page accepts them all as valid accounts. ZDNet then tried contacting the users in question, and managed to confirm that ten of the passwords it was given were correct and still in use.

All ten individuals said that they had not changed their passwords since creating their accounts several years ago. One other respondent said that the password in ZDNet’s possession was correct in the past but had been changed by him two years ago, which means at least some of the breach occurred longer ago than that.

Among those contacted, there was no common pattern of ownership of specific Apple devices or using specific iCloud or Apple ID features. While many respondents admitted to using the same password for other major services, three said that their passwords were used only for iCloud, opening up the possibility that this data was harvested from sources other than third-party breaches.

TNW was also provided a sample, and says that it cross-referenced them with accounts known to have been harvested from the massive LinkedIn breach. However, only a few accounts matched, indicating that those users were simply using common email addresses and passwords across services.

No matter whether Apple itself was compromised or not, and whether these credentials have been collated from one breach or multiple sources over multiple years, anyone with an Apple ID should change their passwords immediately and enable two-factor authentication to prevent unauthorised access. This covers Me.com and iCloud.com email accounts, iTunes store accounts, and iCloud itself.

Koho, a mobile-only suite of financial services for millennials, launches in Canada

The world of consumer financial services has been turned upside down by the rise of newer technology like apps and the growing expectation from people that they should have a lot more flexibility and access when it comes to controlling how they spend and save their money. The latest development on this comes out of Canada, where a new startup called Koho is launching a service aimed at millennials (first in Canada, and then in Southeast Asia and Latin America) to provide them with a new way to manage their money, free of charge after creating accounts in under three minutes.

The service will come in the form of an app, first for iPhone and Apple Watch, and eventually on Android, too.

Koho, it should be made clear, is not a bank (it doesn’t have a license), but it has partnered with Canadian bank the Peoples Trust Company in a white-label deal, along with Visa, to provide a range of services to its customers including a “smart spending account”, a mobile app, and a Koho Visa Card.

Koho is the brainchild of an entrepreneur in Vancouver called Daniel Eberhard, who has been working on the product in stealth for the past two years with 2.6 million Canadian dollars (around US$2 million) in backing from investors that include David Tedman from Hootsuite and Shopify co-founder Scott Lake, along with the Power Corporation of Canada and VCs Gil Penchina and Stanley Park Ventures.

The Power Corp. is a strategic investor: the company is a $13 billion financial services company and has been eyeing up ways of breaking into more services targeting younger people.

The gap in the market that Koho is targeting in Canada (and later in Latin America and Southeast Asia) is specific.

As explained to me by VP of marketing Spencer Chen — who took up his role recently, after he left a VP role at Alibaba when he relocated from Silicon Valley to Vancouver — Canada is admittedly a tiny market, only 35 million people, “About the size of California!” he exclaimed over Facetime. But it’s also home to some of the highest banking fees per capita in the world: last year, totalling some $130 billion. “There is no innovation coming from the bottom,” Chen said.

At the same time, while there have been a number of innovative financial startups established south of the border in the U.S. and further afield in Europe, Canada’s disruption has been relatively thin on the ground. Chen tells me that services that it’s looking to emulate and offer all in a one-stop shop include Mint, Venmo, PayPal, Acorns and Digit — several of which do not exist in that country.

That’s where Koho is hoping to make a mark. It brings in several smart financial services like an account that lets you deposit money and track what you are spending from it in real time, by transaction as well as by categories; and it also lets you create and track savings budgets for buying big-ticket items. While you cannot write paper checks (yet) you can deposit money into your account to transfer money to friends or businesses electronically.

And, perhaps most enticingly for consumers, the service is planning to start out, and remain, free for life. The hope is that by targeting younger users who go out a lot and like to spend money, those consumers will opt for a service where they have no fees to pay, and will use their Koho payment cards to buy lots of things. It’s from those cards that Koho will make a commission each time an item is purchased.

(And in turn, both the Peoples Trust and Visa also hope that by targeting younger users, they will also see greater returns by way of overall spending, which is why they are happy to cut Koho in on their transaction commissions.)

Up to now the company has only been in a closed beta, where it has picked up some interesting stats that bear out some of its theories on how people under the age of 30 spend their money.

In that period, more than $1.3 million was processed from just 1,051 beta users, and users typically were opting to put about one-third to half of their paychecks into their Koho accounts every two weeks. Those users were also logging in and using their accounts on average eight times per month (compared to around once per month for most banking apps in Canada).

It’s not clear how much business Koho will have to generate in order to break even on this model. But with Canada’s top five banks controlling 90 percent of the market and making $128 billion in combined revenue and close to $40 billion in profit, you can see both the financial opportunity, as well as the competitive one to try to shake things up.

A new, affordable naming startup for startups

A few years ago, I launched a daily email newsletter, and I was ecstatic to be striking out on my own for the first time. Alas, just a few weeks after filing to secure a trademark, an officious-sounding note appeared in my inbox, and soon after, I found myself shelling out $10,000 in lawyer’s fees over a short-lived trademark dispute. It wasn’t nearly as painful as it might have been, but it was a rude realization that figuring out the right brand can both be time-consuming and have implications that founders might not foresee.

Of course, my experience is hardly rare. Most founders are typically left to either conduct trademark searches on their own via the USPTO site, or else pay top dollar for law firms or branding agencies to do it for them. Often they do both.

Thankfully, thoroughly and affordably eliminating risky name choices is exactly the opportunity that a two-year-old, Bay Area company, Naming Matters, is chasing, and the company’s founder is very familiar with the market. S.B. Master previously cofounded Master-McNeil, a 29-year-old corporate naming and branding firm in Berkeley, Ca., whose past clients include Apple, General Motors, Disney, and PayPal.

Now Master sees an opportunity to cater not just to deep-pocketed corporate customers but also startups on shoestring budgets. Indeed, 18 months ago, she decided to take everything she has learned over the years about linguistic analysis, trademark searching, and domain name acquisition and pour it into a self-service software product that also incorporates search and data visualization. I talked with her earlier today to learn more.

TC: You’ve already run a naming company for decades. Why start this new thing?

SM: Naming is hard, and we tend to work with companies that can afford us to do deep preliminary availability screening. I grew frustrated with how slow and antiquated that searching step is [for companies that can’t afford such a service]. I mean, if you have 100 names, how do you figure out which are most likely to get you into trouble, and which are your stronger candidates that you should focus on? There are legacy providers, but their model is to charge users for every name they look up. If you’re looking for a name in every country and every class, it adds up. You have to be very skilled to [keep your costs down].

TC: So the idea is to pay less to your friendly trademark attorney.

SM: The idea is that instead of this being some super expensive cottage industry, that anyone, anywhere — whether founders or innovators in companies or paralegals in law firms or companies under pressure to do more faster and with less — can use this tool in an unlimited way.

TC: How big a problem — or opportunity — is this?

SM: About 5 million trademarks are registered worldwide each year, and to get to a name that you’re willing to spend the money [on] to file a trademark application, you’ve probably looked at 50 to 100 names. That means people are looking up something like 500 million names a year. That’s a lot of time and effort, and it still often doesn’t answer the question of whether it’s worth it.

We’ve been told by big law firms that to look at one name, a paralegal is going to spend three hours, and they cost $300 an hour. So, there’s $1,000 right there.

TC: Why is this the killer solution?

SM: There are so many engineers and creative people who have no knowledge of trademarks or how they should work, and by merely looking at the visualization (that we produce for users), where the bigger the dot is to the name you’ve chosen, or the more crowded, the more [risky] the brand — it just offers incredible cost and time savings by being able to visualize this data.

TC: Are you scanning trademarks globally or just in the U.S.? And how much are you charging?

SM: We’re still working on pricing, but we offer a day pass for less than $50 which provides users with unlimited use to search U.S. filings. We also have a standard product that offers unlimited use on a monthly basis; one seat is $100 per month . . . and the service can be stopped at any time.

And we’re working on a pro product that’s much more feature rich and that will be a bit more expensive and will include multiple data sets, not just U.S [data].

TC: Don’t companies need to worry about competition globally from the outset?

SM: Absolutely. Any business that puts itself online is intrinsically international. So even though you may not plan to do business in Germany or the U.K. or Japan, knowing what’s out there and who could come after you – without hiring an attorney in Tokyo – [is key]. You’ll be able to see if there’s something there that you should be aware of.

TC: Is there no global database that exists as of today?

SM: You can find a newish database online that’s sponsored by the EU. But unless you’re a very skilled operator, it’s [hard to navigate]. It’s almost like doing a Google search, where you’re getting inundated with large amounts of irrelevant hits, or you have to have a lot of knowledge to know if you should care. Nothing is sorted; you can’t see how much of a threat other trademarks are. What we can do with our algorithm is rate and rank and visualize everything, so you can see those that look like the most serious threats.

You can also see who else is out there in your space with similar names and get new ideas yourself for names that are different and probably smarter in the context of knowing who else is out there. Using this as a creativity tool wasn’t something we anticipated, but once people see what’s out there, it prompts more creativity on their part to think up more unique names.

TC: Can you talk about who some of your clients are?

SM: We have some law firm users. We have a prominent product innovation company. Fifteen companies from the last YC class signed up, too. [President] Sam [Altman] loves what we’re doing.

TC: Can I ask how you came up with the brand Naming Matters? I’ve talked with branding agencies in the past that say most early firms in a space use something that literally describes their business, like Facebook. Brands start getting crazier sounding the more crowded a space grows.

SM: It’s a pun. Naming does matter, but also, if you’re a lawyer, you call a legal topic a matter. What do you think? [Laughs.] We’re supposed to be good at this!

Google is the latest company to brush off most of the Wikileaks vulnerabilities

Wikileaks dumped thousands of alleged CIA documents online yesterday that contained lists of vulnerabilities in popular tech products, sending companies scrambling to make sure their security patches were up-to-date. But as companies reviewed the documents, it became clear that most of the vulnerabilities they contained were outdated.

Apple first dismissed the majority of the listed iPhone vulnerabilities in a statement last night, and now Google and other firms are following suit.

“As we’ve reviewed the documents, we’re confident that security updates and protections in both Chrome and Android already shield users from many of these alleged vulnerabilities. Our analysis is ongoing and we will implement any further necessary protections. We’ve always made security a top priority and we continue to invest in our defenses,” Google’s director of information security and privacy Heather Adkins said in a statement.

Finding flaws in iPhones and Android devices was important to the CIA’s mission of surveilling targets because the security problems could allow the agency to eavesdrop on users’ communications.

It’s important to note that, although Google and Apple both say that most of the vulnerabilities are fixed, that doesn’t mean all of them are. Users concerned about the security of their devices need to make sure they’re updating to the latest software to get all of the security patches.

The Wikileaks disclosure has reignited a debate over whether U.S. intelligence agencies should disclose software vulnerabilities to companies so they can be fixed, or hoard them so they can be used for spying.

Mozilla’s chief legal and business officer Denelle Dixon highlighted the importance of disclosure in conversation with the New York Times. “The C.I.A. seems to be stockpiling vulnerabilities, and WikiLeaks seems to be using that trove for shock value rather than coordinating disclosure to the affected companies to give them a chance to fix it and protect users,” Dixon said. “Although today’s disclosures are jarring, we hope this raises awareness of the severity of these issues and the urgency of collaborating on reforms.”

Many tech industry advocates believe that the government has a responsibility to protect American businesses and consumers by notifying companies of security flaws, rather than keeping them secret and exploiting them. The Obama administration pushed a vulnerabilities equity process to help government agencies determine when to disclose vulnerabilities to companies, but the Wikileaks documents raise questions about whether the VEP is effective.

“The White House vulnerabilities equities process spells out what the government should be doing when it comes into possession of 0-days,” Alex Rice, chief technology officer of HackerOne, told TechCrunch. “It’s unclear if it’s been honored properly in this case. Were these vulnerabilities handled in the way outlined by the previous administration? And if not, what do we do about that? Was the process illegitimate to begin with? It’s restarting a conversation we thought we had a clear answer to.”

Rice, who worked on Facebook’s security team before helping launch the bug bounty platform HackerOne, said the vulnerabilities Wikileaks reported in Samsung smart TVs had a personal impact on him: Wikileaks claimed the CIA spied on targets through their TVs, and Rice has a Samsung TV facing his bed. “I’m not worried about the CIA eavesdropping on my television. If the CIA is going to conduct espionage on me, they have more than enough means to do so. What I am concerned about, if the U.S. government knows I have vulnerable tech in my bedroom, that has direct implications to my privacy. That’s something I should know about as a taxpayer,” Rice explained.

After all, if the CIA discovers a security vulnerability in a popular product, it’s only a matter of time before hackers or other nations’ spy agencies find it too. The CIA knew it had been breached late last year, according to a Reuters report, which calls into question why Apple, Google, Samsung and others weren’t alerted sooner.

“Eventually these vulnerabilities are not going to be secret any longer,” Rice said. “How are we going to minimize the damage when that happens? This leak is proof of that. We are all at a disadvantage if Wikileaks has access to a 0-day in iPhone, Android, or Samsung TV.”

How hackers turned a Cape Cod fishing guide’s site into a host for e-commerce fraud

Cape Cod fishing guide Eric Stapelfeld trusted me to look after his website the same way that I trust him to find fish. Until a few weeks ago, I believed I had the easier part of the bargain. After all, what’s hard about maintaining a simple WordPress site with a phone number and lots of striped bass pictures? As it turns out, everything is hard, really hard, when hackers go to work on a vulnerable site — even a simple one. And no fish ever put up a fight like the malware that took over Eric’s site.

The story began last fall, when Eric called me in San Francisco to report that “some guy” had called to complain about fraud on his site.

“Yeah, like the guy said somebody is running a business inside the website and ripped him off. Said he knows it’s not my fault but I should know about it.”

Eric doesn’t sell anything on his site. It consists of posts about fishing and a phone number to book trips. No hacker would bother with a site like that, right?

“Hey forget about it,” I told Eric. “There’s no way your site could rip anyone off. I have no idea what the guy is talking about.”

That was more true than I realized. Three months later, I got another call from Eric. “Hey, Google is fucking with my site,” he said. “My friends are calling me and saying something is wrong.”

As soon as I typed in www.hairballcharters.com, Google dropped a screaming red screen warning that read: “The site ahead contains malware. Attackers currently on www.hairballcharters.com might attempt to install dangerous programs on your Mac that steal or delete information (for example, photos, passwords, messages, and credit cards).”

“Oh crap,” I thought. Maybe there was something more to that guy who called Eric.

My first move was to call customer service at Deluxe Hosting, where the site is hosted, and get them to open a ticket. After a few email exchanges, I realized that they were unlikely to sort out the problem. They found malware and said they deleted some of it, but Google was still showing a warning. After a few exchanges, Deluxe stopped responding.

Next I got in touch with Jennifer Zelazny, the WordPress developer who set up the site and had worked on it from time to time. She agreed to dive in.

What she found was nasty. Hackers had accessed the site either directly through WordPress or through a plug-in on the site. She found at least 20 suspicious WordPress core files. There were also non-core files on the site with file names like “list.php” and “apis.php,” which to an average user might not have raised any red flags. Their names looked typical, but the time stamps were all recent — since July 2016 — and upon further inspection revealed redirects to other sites. She deleted the files, reset passwords, updated the secret keys in the wp-config, cleaned up other valid files with malicious code and then ran scans with Exploit Scanner and Sucuri SiteCheck scanner to ensure she found every bit of malware.
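The check described above (PHP files with ordinary names, recent time stamps and redirects inside) can be scripted as a first triage pass. This is an added example, not code from the article or from the scanners it names; the cutoff date, the indicator patterns and the sample tree are assumptions constructed for illustration.

```python
"""Triage a WordPress tree: PHP files changed after a cutoff, or containing
redirect code. Added illustration; patterns and sample tree are assumptions."""
import os
import re
import tempfile
from datetime import datetime, timezone

# Redirect indicators (an assumed starting set, not exhaustive).
INDICATORS = {
    "http-redirect": re.compile(rb"header\s*\(\s*['\"]\s*Location\s*:", re.I),
    "meta-refresh": re.compile(rb"http-equiv\s*=\s*['\"]?refresh", re.I),
    "js-redirect": re.compile(rb"(?:window|document)\.location(?:\.href)?\s*=", re.I),
}


def triage(root, cutoff):
    """Return sorted (priority, relative_path, recent, indicator_names) tuples.

    priority 0: modified after the cutoff AND contains a redirect (read first)
    priority 1: modified after the cutoff only (may be a legitimate update)
    priority 2: redirect only (core itself sends Location headers)
    """
    cutoff_ts = cutoff.timestamp()
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            recent = os.path.getmtime(path) >= cutoff_ts
            with open(path, "rb") as fh:
                data = fh.read()
            hits = [label for label, rx in INDICATORS.items() if rx.search(data)]
            if not (recent or hits):
                continue
            priority = 0 if (recent and hits) else 1 if recent else 2
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append((priority, rel, recent, hits))
    return sorted(findings)


# Constructed sample tree: relative path -> (mtime, file content).
_OLD = datetime(2015, 3, 1, tzinfo=timezone.utc).timestamp()
_NEW = datetime(2016, 8, 15, tzinfo=timezone.utc).timestamp()
CONSTRUCTED_TREE = {
    "wp-includes/version.php": (_OLD, b"<?php $wp_version = 'constructed';"),
    "wp-includes/pluggable.php": (
        _OLD, b'<?php header("Location: $location", true, $status);'),
    "wp-content/themes/constructed/functions.php": (
        _NEW, b"<?php add_theme_support('title-tag');"),
    "list.php": (
        _NEW, b'<?php header("Location: http://redirect.invalid/"); exit;'),
    "apis.php": (
        _NEW, b'<meta http-equiv="refresh" content="0;url=http://redirect.invalid/">'),
}


def run_on_constructed_sample():
    """Write the sample tree to a temp dir and triage it with a July 2016 cutoff."""
    with tempfile.TemporaryDirectory() as root:
        for rel, (mtime, body) in CONSTRUCTED_TREE.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
            os.utime(path, (mtime, mtime))  # set access and modification time
        return triage(root, datetime(2016, 7, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for priority, rel, recent, hits in run_on_constructed_sample():
        print(priority, rel, "recent" if recent else "old", ",".join(hits) or "-")
```

File time stamps can be rewritten by whoever controls the files, so the recent flag is a lead and not proof; WP-CLI's wp core verify-checksums compares core files against the official release instead.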

Jennifer asked me if I had a Google Webmaster account so we could request that Google scan the site and give it a clean bill of health. I had not claimed the site before, so I went through the steps. Google provided a code snippet to drop into the site’s markup as a means to authenticate that I was in fact the owner of the site. Jennifer followed up; not long afterwards, Google admitted me to the account.

To my horror, there were already two other email addresses listed as owners of the site. They were really sketchy email addresses, like ones you’d make up if you were up to no good.

I looked around in the Google webmaster account and saw that the hackers had filed 47 sitemaps and submitted 565,192 web pages, of which 229,837 had been indexed by Google.


In case you’re wondering, Eric’s site has 130 web pages, most of which feature a picture of an impressive striped bass caught off Falmouth on Cape Cod.

It appears that the hackers were using the malware to insert links in Eric’s site and using the site map to create some kind of dynamic set of redirects. But that’s just a guess, and there may be a better explanation.

Neither of us was crazy about following the links. The hacker had created more than 47 separate sitemaps using links/redirects from the site — all averaging 70,000 lines of code each (that’s a lot of URLs!) The URLs all looked similar in their format:

And this example of the result on a Google search results page — needless to say, Hairball Charters does not have any business extensions in Japan:

By looking at this cached page, it’s pretty easy to imagine what was happening. In this case, the hackers had set up an e-commerce site targeted at Japanese consumers.

Google’s tools made it easy to kick the invaders out of the account. Google shows the tag associated with each registered account for the site, so I passed those to Jennifer, who deleted them from the mark-up. In an instant, the hackers’ access was gone. Then I gave Jennifer access to the account and she deleted all the fake sitemaps. Jennifer told me that she had worked on a lot of compromised sites, but this was the first time she had seen hackers take over the Google webmaster account in order to manipulate the sitemaps.

Jennifer updated the security patches for WordPress and all the plug-ins and implemented steps to make sure updates take place automatically in the future. We also set up two-factor authentication to access the site.

I always knew that it was important to keep patches up-to-date, but until now I did not know why an out-of-date site was so vulnerable. Jennifer explained that every time WordPress or any developer with an important WordPress plug-in becomes aware of a vulnerability, they usually document the vulnerability at the same time that they issue the security patch. (Here is a WordPress example and a Sucuri example.) Once that documentation goes public, hackers immediately scan WordPress sites to find exploits. Get there late and you get nailed. Sorry to say, that was Hairballcharters.com.

Avoiding situations like Hairball’s is a lot simpler than dealing with the aftermath of a hack. Here is Jennifer’s five-step program to good security on a WordPress site.

Step one: Stay up-to-date with WordPress core upgrades. This is beyond simple: Insert one line of code — define( 'WP_AUTO_UPDATE_CORE', 'minor' ); — in the wp-config.php file and your site will always auto update. (Here is the documentation.)

Step two: Keep your WordPress plug-ins up-to-date. The Jetpack plugin makes this straightforward; just use the Jetpack Manage option to select the plug-ins you want updated as soon as patches become available.

Step three: To make your site extra secure, consider the plug-in Sucuri Security: Auditing, Malware Scanner and Security Hardening, which allows you to do exactly what the name suggests. You can enable auditing to send immediate notifications if any files are modified, plug-ins are enabled/disabled and much more.

Step four: Install two-factor authentication for access to your WordPress site.

Step five: Claim your site in the Google Webmaster tool and check in from time to time to make sure your site has no content or sitemap errors — or stealthy invaders populating sketchy sitemaps.
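Step five, and the owner tags described earlier in the story, can also be checked from the site's own files: list the Google verification tags in the markup and compare a sitemap against the pages you know you published. This is an added example, not code from the article; the host name, tokens, paths and function names are constructed assumptions.

```python
"""Audit Google verification meta tags and sitemap URLs for one site.
Added illustration; all sample data below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"


class _VerificationTagParser(HTMLParser):
    """Collects the content of every google-site-verification meta tag."""

    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {k: (v or "") for k, v in attrs}
        if attr.get("name", "").lower() == "google-site-verification":
            self.tokens.append(attr.get("content", ""))


def verification_tokens(html):
    """Every verification token found in the page markup, in document order."""
    parser = _VerificationTagParser()
    parser.feed(html)
    return parser.tokens


def unexpected_tokens(html, known_tokens):
    """Tokens in the markup that none of the legitimate owners accounts for."""
    known = set(known_tokens)
    return [t for t in verification_tokens(html) if t not in known]


def sitemap_locs(xml_text):
    """All <loc> values from a sitemap (or sitemap index) document.
    Parse only sitemaps taken from your own server with this parser."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter(SITEMAP_NS + "loc") if el.text]


def audit_sitemap(xml_text, site_host, known_paths):
    """Split sitemap URLs into those on another host and those on this host
    whose path is not in the inventory of pages the owner published."""
    locs = sitemap_locs(xml_text)
    foreign, unknown = [], []
    for loc in locs:
        parts = urlsplit(loc)
        if (parts.hostname or "").lower() != site_host.lower():
            foreign.append(loc)
        elif (parts.path or "/") not in known_paths:
            unknown.append(loc)
    return {"total": len(locs), "foreign_host": foreign, "unknown_path": unknown}


# Constructed home page: one tag the owner added, one nobody recognises.
CONSTRUCTED_HOME = """<html><head>
<meta name="google-site-verification" content="CONSTRUCTED-OWNER-TOKEN" />
<meta name="Google-Site-Verification" content="CONSTRUCTED-UNKNOWN-TOKEN-1">
<meta name="description" content="Fishing charters">
</head><body></body></html>"""

# Constructed sitemap: two published pages and two entries the owner never made.
CONSTRUCTED_SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://www.example.com/</loc></url>
  <url><loc>https://www.example.com/trips/</loc></url>
  <url><loc>https://www.example.com/constructed-unknown-page/</loc></url>
  <url><loc>https://other.example.net/constructed/</loc></url>
</urlset>"""


def run_audit():
    """Run both checks on the constructed samples."""
    tags = unexpected_tokens(CONSTRUCTED_HOME, ["CONSTRUCTED-OWNER-TOKEN"])
    sitemap = audit_sitemap(CONSTRUCTED_SITEMAP, "www.example.com", {"/", "/trips/"})
    return tags, sitemap


if __name__ == "__main__":
    print(run_audit())
```

Google also accepts ownership proofs other than the meta tag, such as an uploaded HTML file or a DNS record, so the owner list in the webmaster account remains the authoritative place to look.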

As for HairballCharters.com, the site is back in good order and Eric is happy that Google’s big red screen is now gone. If you happen to be out Cape Cod way this summer, he would love to take you fishing and trash-talk two of his favorite topics: my fishing and my security smarts.

Uber’s VP of product and growth has left the company

Ed Baker, Uber’s VP of product and growth, has resigned from Uber, Recode first reported. Uber declined to comment on the story but TechCrunch has confirmed that Baker has left the company, and that Daniel Graf, Uber’s head of marketplace, will be the interim head of product and marketplace.

“I have always wanted to apply my experience in technology and growth to the public sector,” Baker wrote in an email to employees, obtained by Recode. “And now seems like the right moment to get involved.”

That’s an interesting rationale given that the last couple of weeks have been something else for Uber, between allegations of sexual harassment, sexism, Amit Singhal resigning as SVP and reports of some sketchy software to sidestep law enforcement. Baker formerly worked at Facebook, where he was head of international growth.

Nokia 3310 With Month-Long Battery Life, Snake Game Launched at MWC 2017

The iconic Nokia 3310 feature phone made a comeback on Sunday on the sidelines of MWC 2017. HMD Global unveiled the Nokia 3310 (2017) with what it calls a “modern twist.” The Nokia 3310 is one of the Nokia brand’s best-selling feature phones of all time, and it has been priced at EUR 49 (roughly Rs. 3,500).

Nokia 3310 (2017) India sales will begin in Q2 2017, HMD Global has confirmed. At its Sunday launch event in Barcelona, on the sidelines of the MWC 2017 trade show, Nokia also revealed the new Nokia 3 and Nokia 5 Android smartphones.

The all-new Nokia 3310 will come with a 22-hour talk time, and the company claims that it features month-long standby time. With the iconic Nokia 3310, the company also brought back the Snake game. The Nokia 3310 will be available in Warm Red and Yellow with a gloss finish, and will also come in Dark Blue and Grey with a matte finish.

The new Nokia 3310, much like its original sibling, features a massive standby time of up to a month, a highlight of the device. The new Nokia 3310 also includes the regular Micro-USB port and ditches the pin charger.

With the Nokia 3310 refresh, HMD Global is also bringing back the legendary Snake game. The company, however, touts that the new Snake game has been optimised for the new colour screen. The company also confirmed that the Snake game will be available to users via the Messenger app.

The Nokia 3310 sports a 2-megapixel rear camera with LED flash. It features a 2.4-inch QVGA display. The handset comes with 2G connectivity and runs on Nokia Series 30+ OS. It comes with 16MB storage and supports expandable storage via microSD card (up to 32GB). It packs a removable 1200mAh battery.

Nokia 3, Nokia 5 Android Phones Launched at MWC 2017: Price, India Launch, Specifications, and More

Nokia 3 and Nokia 5 Android phones were launched by Nokia brand partner HMD Global at the company’s Sunday launch event at MWC 2017 in Barcelona. Alongside the two new Nokia Android phones, the company also announced the global availability of the Nokia 6, which was launched in China last month. The company also unveiled the iconic Nokia 3310 (2017) feature phone at the same event.

The all-new Nokia 3 has been priced at EUR 139 (roughly Rs. 9,800) while the Nokia 5 has been priced at EUR 189 (roughly Rs. 13,500). The Nokia 6, on the other hand, will be available at EUR 229 (roughly Rs. 16,000). The company also announced an all-new Nokia 6 Arc Black variant which will sport high-class piano black colour. It has been priced at EUR 299 (roughly Rs. 21,000).

HMD Global has confirmed that the Nokia 3 and Nokia 5 smartphones will be making their way to the Indian market as well by Q2 2017. The company confirmed that the Nokia 6 will also be heading to the Indian market at the same time. All new Nokia phones are also set to launch in APAC, Middle East, Africa and Europe in Q2 2017.

While the Nokia 3 runs Android 7.0 Nougat, the Nokia 5 smartphone runs Android 7.1.1 Nougat out-of-the-box. The company at the launch event stressed that all the new Nokia smartphones running Android will get regular updates. Much like other Nougat-powered smartphones, the Nokia 3 and Nokia 5 will come with unlimited cloud storage on the Google Photos app. Both will be available as single SIM and dual SIM variants, though availability could be different depending on the markets.

The Nokia 3 will sport a polycarbonate body, machined aluminium frame, and will come with Corning Gorilla Glass lamination on top. It will be available in Silver White, Matte Black, Tempered Blue, and Copper White colour variants. It sports a 5-inch HD (720×1280 pixels) IPS display. It is powered by a quad-core MediaTek MT6737 processor clocked at 1.3GHz coupled with 2GB of RAM. It comes with 16GB storage and supports expandable storage via microSD card (up to 128GB). The Nokia 3 sports 8-megapixel front and rear cameras. Both the cameras come with autofocus. The company adds that the Nokia 3 sports a display flash.

The Nokia 3 packs an integrated 2650mAh battery. It measures 143.4×71.4×8.4mm and supports 4G LTE. The Nokia 3 supports LTE Cat. 4 speeds with download speeds of up to 150Mbps and upload speeds of up to 50Mbps.

The Nokia 5, on the other hand, features a fingerprint sensor embedded on the home button. HMD Global touts a “seamless” metal body. Similar to the Nokia 3, the Nokia 5 will be available as both single SIM and dual-SIM variants though availability will depend on the market. The Nokia 5 is also expected to receive regular updates from the company.

The Nokia 5 is powered by a Qualcomm Snapdragon 430 processor coupled with 2GB of RAM. The handset comes with 16GB inbuilt storage and supports expandable storage via microSD card (up to 128GB). The Nokia 5 sports a 5.2-inch IPS LCD (720×1280 pixels) display and comes with a 2.5D Corning Gorilla Glass cover on top.

It sports a 13-megapixel rear camera with PDAF and dual tone flash. It also packs an 8-megapixel camera with autofocus and comes with an 84-degree field of view lens. The handset will be available in Tempered Blue, Silver, Matte Black, and Copper colours. It measures 149.7×72.5×8.05mm and supports LTE Cat. 4 download speeds. The handset is backed by a 3000mAh non-removable battery.

Sophos CEO sounds the alarm on enterprise ransomware attacks

Ransomware is increasingly becoming a problem for companies, and the CEO of a leading computer security company says he fears 2017 could see entire companies shut down until they pay up, or risk losing all their data.

Ransomware works by infiltrating a computer with malware and then encrypting all the files on the disk. The user is presented with a limited time offer: Lose all your data or send money with the promise your data will be unlocked. The fee typically varies from a few tens of dollars to hundreds of dollars and often has to be transmitted in Bitcoin.

The problem began on a fairly small scale, targeting individual users, but has been growing. Last year, a hospital in Los Angeles admitted to paying $17,000 to get its system unlocked, and a report in October said ransomware cases were on course to quadruple in 2016 over the previous year.

But Kris Hagerman, CEO of Sophos, fears this is only the tip of an iceberg.

“It’s not inconceivable you could see a bank get targeted and they could say I want $10 million overnight or I’ll delete your files,” he said in an interview at the RSA security conference in San Francisco.

Ransomware presents companies with an extra level of complexity: a ticking clock that provides only a limited amount of time to try to disable the attack and retrieve data or risk it all being lost.

“It can bring an organization to its knees,” he said. “There are plenty of organizations that are not up to date in their backups and have not taken the full comprehensive approach to security to be able to combat this thing.”

One of the things making matters worse is the proliferation of websites that offer attack tools to anyone with a credit card.

“Today, you can be a very successful cybercriminal and not know a single thing about computer code,” he said.

Some even offer a money-back guarantee, if would-be criminals are not completely satisfied with the results, said Hagerman.

Sophos sees a stunning 300,000 to 400,000 unique pieces of malware each day running through its systems, and each of those presents a potential problem for companies that don’t have the right defense.

And at the end of the day, it’s all about building a high enough wall that cybercriminals go elsewhere, said Hagerman.

“The way that you really fight cybercrime is you make it more expensive for them,” he said. “When it becomes hard and less profitable, they take their advanced skills and do something else.”

Hagerman said laws against cybercrime had a limited effect because of the problems with identification and pursuit, especially across borders.

“For [criminals], it’s an ROI as well,” said Hagerman. “If you make it harder, they’re going to find another target or find another line of work.”

A.I. faces hype, skepticism at RSA cybersecurity show

Vendors at this week’s RSA cybersecurity show in San Francisco are pushing artificial intelligence and machine learning as the new way to detect the latest threats, but RSA CTO Zulfikar Ramzan is giving visitors a reality check.

“I think it (the technology) moves the needle,” he said on Wednesday. “The real open question to me is how much has that needle actually moved in practice?”

It’s not as much as vendors claim, Ramzan warned, but for customers it won’t be easy cutting through the hype and marketing. The reality is that a lot of the technology now being pushed isn’t necessarily new.

In particular, he was talking about machine learning, a subfield in A.I. that’s become a popular marketing term in cybersecurity. In practice, it essentially involves building algorithms to spot bad computer behavior from good.

Michael Kan

RSA CTO Zulfikar Ramzan speaking at RSA 2017 in February.

However, Ramzan pointed out that machine learning in cybersecurity has been around for well over a decade. For instance, email spam filters, antivirus software and online fraud detection are all based on this technique of detecting the bad from good.

Certainly, machine learning has advanced over the years and it can be particularly useful at spotting certain attacks, like those that don’t use malware, he said. But the spotlight on A.I. technologies also has to do with marketing and building up hype.

“Now all of a sudden, we’re seeing this resurgence of people using ‘the how’ as a marketing push,” he said, after his speech.

The result has created a “lemons market,” where clients might have trouble distinguishing between useful security products. Not all are equal in effectiveness, Ramzan claimed. For example, some products may generate too many false positives or fail to detect the newest attacks from hackers.

“There’s no doubt you can catch some things that you couldn’t catch with these techniques,” he said. “But there’s a disparity between what a vendor will say and what it actually does.”

Nevertheless, A.I. technologies will still benefit the cybersecurity industry, especially in the area of data analysis, other vendors say.

“Right now, it’s an issue of volume. There’s just not enough people to do the work,” said Mike Buratowski, a senior vice president at Fidelis Cybersecurity. “That’s where an A.I. can come in. It can crunch so much data, and present it to somebody.”

One example of that is IBM’s latest offering. On Wednesday, the company announced that its Watson supercomputer can now help clients respond to security threats.

Within 15 minutes, Watson can come up with a security analysis to a reported cyber threat, when for a human it might have taken a week, IBM claimed.

Recorded Future is another security firm that’s been using machine learning to offer intelligence to analysts and companies about the latest cybercriminal activities. The company’s technology works by essentially scanning the internet, including black market forums, to pinpoint potential threats.

That might include a hacker trying to sell software exploits or stolen data, said Andrei Barysevich, director of advanced collection at the company.

“When you cover almost a million sources and you only have 8 hours a day, to find that needle in the haystack, you have to have some help from artificial intelligence,” he said.


Michael Kan

The RSA 2017 show floor.

Customers attending this week’s RSA show may be overwhelmed with the marketing around machine learning, but it’ll only be a matter of time before the shoddier products are weeded out, Barysevich said.

“We have hundreds of vendors here, from all over the country. But among them, there are five or ten that have a superior product,” he said. “Eventually, the market will identify the best of the best.”