2B MONEY
USA TODAY THURSDAY, AUGUST 1, 2013
Can you trust your phone? (continued from 1B)

networks and social-media sites may pose even bigger threats, experts here say. These legit players in the nascent mobile app and ad space have dispersed thousands of free apps designed to capture personal location, contacts and calendar entries. While in hot pursuit of mobile advertising revenue, they are sharing this sensitive information indiscriminately among themselves.

“It’s just not malware we need to worry about; it’s also app developers requesting more personal information than they need to make the app work, and then selling that information to monetize their apps,” says Domingo Guerra, co-founder and president of mobile app security start-up Appthority.

The disclosures come as Apple, Google, Microsoft and BlackBerry hustle to entice software developers to create cool new apps for their respective mobile platforms — in a tumultuous business environment.

“Whenever a platform gets more popular and more attention, there’s higher motivation to try to take advantage because the chances for potential economic profit are higher,” says Billy Lau, a research scientist at the Georgia Tech Information Security Center.

Tech companies, app developers, ad networks and cybergangs are all responding to the global sale of smartphones and touch tablets becoming indispensable to people’s personal and professional lives. More than 700 million of the 1.8 billion mobile phones expected to be sold in 2013 will be smartphones, compared with 680 million units in 2012, according to research firm Gartner. Meanwhile, researcher IDC estimates shipments of touch tablets will surpass PC sales by 2015.

In this heady environment, Apple has won praise from the security community for insisting that any new iOS app pass a rigid review to gain approval for distribution via its tightly controlled App Store. It’s generally not possible to install non-approved apps on an iPhone or iPad without “jail breaking” the device to access the operating system software.

However, Lau and GTISC associate director Paul Royal on Wednesday disclosed a way anyone can pose as a developer and finagle Apple’s app-approval process to install a malicious application on non-jail-broken iOS devices.

Lau and Royal fabricated an Apple mobile device charger with simple materials, but then booby-trapped it so the following sequence would commence on any iPhone or iPad connected to the bogus charger: First, the fake charger instantly captures the device’s unique identifying number, called the UDID. Next, it logs on to Apple’s developer support website where it submits the UDID, and requests what’s known as a “provisioning profile” for that specific device. Apple assumes a developer intending to test a new app on a device dedicated to that purpose is making the request, so Apple automatically issues the provisioning profile. With that profile, the charger can now install coding that gives the attacker full control of the device.

“Getting the UDID is trivial, and getting a provisioning profile is easy and automated,” Royal says.

Apple spokeswoman Natalie Kerris declined comment.

FAKE CHARGERS
While the researchers’ booby-trapped charger was a crude prototype, a more refined version, disguised to look like an official iPad or iPhone charger, would be simple to fabricate. A hacker could then look for an opportunity to swap it with a targeted victim’s real charger. Or it wouldn’t be too difficult to disperse faked chargers in public charging stations, like those found in many airports.

“The faked charger is actually a computer that can install things on your Apple device,” Lau says. “We’re almost certain this is going on in the wild. From an espionage standpoint, it’s naïve to assume this isn’t already going on.”

“From an espionage standpoint, it’s naïve to assume this isn’t already going on.”
Billy Lau, Georgia Tech Information Security Center

In another Black Hat presentation, Kevin McNamee, director of Alcatel-Lucent’s Kindsight Security Labs, showed how it’s possible to hack into any popular Android app that’s being distributed online and embed code that turns the smartphone of anyone who downloads the app into a spyphone. The corrupted device transfers the phone’s location and contacts to the attacker, who can then send text messages luring others to download the tainted application, and even remotely operate the device to take photos and record conversations.

While Google goes through great lengths to keep malicious apps out of Google Play, its official application store, there typically is very little policing of hundreds of other third-party websites that distribute Google apps under the search giant’s open business model.

“I do think the bad guys are doing something like this, injecting their malicious code into existing apps,” McNamee says. “It’s pretty straightforward. It requires the ability to unpackage and repackage apps. It’s not exceptionally tricky, but it does require some knowledge of how the Android system works.”

PROBLEM IS SKYROCKETING

Metrics from Juniper Networks, in fact, show that the appearance of malicious apps moving across the Internet is on a steep growth curve. Juniper intercepted 276,259 malicious mobile apps in the 12 months ending March 31, a 614% increase over the earlier comparable year. That measure excludes the surge of legit apps that do not necessarily take full control — as malicious apps do — but, nonetheless, freely tap into location, contacts and calendar info.

In an analysis of the 400 most popular paid apps on the iOS and Android platforms, Appthority found 83% of those apps are associated with security risks and privacy issues. iOS apps exhibited more risky behaviors than Android apps. Some 91% of iOS apps exhibit at least one risky behavior, compared with 80% of Android apps. One plausible explanation is that app developers and advertisers are putting a premium on profile information about Apple owners’ whereabouts, contacts and calendar entries, says Appthority’s Guerra.

Such nosy profiling is translating into waves of spam and obnoxious pop-up ads appearing on mobile devices. And security and privacy experts argue that it is also exposing proprietary business information, as workers increasingly use personally owned mobile devices for work duties.

“As consumers, we’re not yet thinking about our phones as computers, although they are,” Guerra says. “This really causes a lot of problems when you bring your own device — and your own apps — into the workplace and plug into corporate email and networks to access information.”

MORE DEVICES, MORE REASONS TO BE MALICIOUS

Ultramobile devices include products such as the MacBook Air, Microsoft Surface Pro and Acer Aspire S7. Shipments are in millions of units:

                 2011     2012     2013     2014
Smartphones     472.9    680.1    738.1    934.3
Tablets          60.0    120.2    201.8    276.2
Ultramobiles      3.4      9.8     20.3     39.8

NOTE: 2013 and 2014 totals are projected. SOURCE: Gartner (June 2013)
Photos: New Softwares.net; Apple and PhotoObjects.net. Illustration by Kris Kinkade, USA TODAY

Budget cuts don’t prevent growth
Economy grew at 1.7% annual rate in second quarter
Tim Mullaney
@timmullaney
USA TODAY
The U.S. economy’s growth picked up in the second quarter, helped by a smaller-than-expected impact from federal budget cuts. That good news was offset by the Commerce Department’s announcement that growth earlier this year was slower than the government had previously estimated.

The economy grew at an annual pace of 1.7% between April and June, Commerce said. The government revised down its estimate of first-quarter growth to 1.1% from the 1.8% annual rate it had reported. The average for the past 12 months remained at 1.4%.

The numbers paint a picture of an economy growing modestly, partly because of the effects of federal budget sequestration, Moody’s Analytics economist Ryan Sweet said before the report. Sweet expects growth to re-accelerate in the second half of the year, led by higher spending on residential construction, which rose at a 13.4% annual clip during the quarter.

“The good news is that we’re on an accelerating growth trajectory once you include the changes to the first-quarter data,” Moody’s economist Scott Hoyt said. “We think that trend is likely to continue. We think consumer spending is picking up, and residential construction should also have a good effect.”

The other main reason for a better second-half outlook is that the drag from spending cuts is fading, Hoyt said.

“The biggest surprise on the demand side was in government,” said Citigroup economist Peter D’Antonio, who had forecast 0.5% growth for the quarter. “We had expected a 2.5% decline in government, and given that this sector comprises about a sixth of the economy, the relatively small decline accounted for a big chunk of our miss on GDP.”

The economy will grow at a 2.3% annual rate in the third quarter and 2.9% in the fourth, Hoyt said.

Commercial real estate investment and a reported buildup in inventories by businesses were also major contributors to the quarter’s growth, the Commerce Department said. Building of new factories and offices climbed at a 6.8% annual pace. Inventory growth added 0.4% to the economy’s size, the department said. The inventory number is likely to be revised lower when the Commerce Department refines GDP estimates based on new data, Hoyt said.

Consumer spending was held back partly by the increase in payroll taxes at the beginning of the year. The largest part of the economy, it rose at a 1.8% annual clip, down from 2.3% in the first quarter. Consumers spent heavily on durable goods, with spending rising 6.5%, but continued to skimp on services, said Joel Naroff, president of Naroff Economic Advisors.

In a sign of the sustained nature of Washington’s budget-cutting, federal spending shrank less in the second quarter than the two quarters before sequestration took full effect. Federal spending fell at an annual pace of 1.5%, less than the 8.4% drop in the first quarter or the 13.9% drop in the fourth quarter of last year. The improvement mostly reflected smaller cuts in defense spending. Sequestration was preceded by another large round of defense cuts mandated by the Budget Control Act, the law that resolved the summer 2011 showdown over raising the debt ceiling.

The government also announced a revision of its estimates of the size of the economy dating to 1929, based on a new methodology that specifically accounts for research and development spending for the first time. The government now says the economy grew 2.8% last year. Previously, the Commerce Department had estimated 2012 growth at 2.2%.

Judge rejects Fed cap on debit card swipe fees
Marcy Gordon
The Associated Press

WASHINGTON

A federal judge has struck down a rule setting a cap on the fees that banks can charge merchants for handling debit card purchases. The ruling by U.S. District Court Judge Richard Leon on Wednesday handed a victory to a coalition of retail groups — which are seeking a lower cap — and a setback to banks.

The retail groups had sued the Federal Reserve over its setting the cap at an average of about 24 cents per debit card transaction. The previously unregulated “swipe” fee averaged 44 cents. The Fed initially proposed a 12-cent cap, and the retailers had argued that the Fed buckled under pressure from bank lobbyists when it set the cap at double that level.

The Fed must craft a new rule. The current one will remain in effect in the meantime. “We are reviewing the judge’s opinion,” Fed spokeswoman Barbara Hagenbaugh said.

The cap is the first limit on debit card fees. Before it took effect in October 2011, banks had negotiated such fees with merchants. A big chain such as Starbucks would likely get a better rate than a local coffee shop, because it handles more customers. The Fed rule was called for by the 2010 financial overhaul law, which was enacted in response to the 2008 crisis.

The retailers’ lawsuit maintained that the cap is an “unreasonable interpretation” that exceeds the authority given to the Fed by the 2010 law. It also asserted that the Fed wrongly interpreted a provision of the law that requires that merchants have a choice of which bank network handles their transactions.

Leon noted that the Fed changed its view that the only costs that should be considered were those involved in the authorization, clearing and settlement of a transaction. Instead, the ruling said, the Fed added costs such as losses from fraud that were outside the scope of the law. Including costs for losses from fraud was for the Fed “a blatant act of policymaking that runs counter to Congress’s will,” Leon wrote.

The Fed in June 2011 formally set the cap for what banks can charge merchants at 21 cents for each debit card transaction, plus 0.05% of the purchase price for fraud protection.

Sen. Richard Durbin, D-Ill., author of the provision mandating a cap on swipe fees, called Leon’s ruling a “victory for consumers and small business around the country (that) will lead to lower interchange rates for billions of debit card transactions each year.”

Banks had lobbied hard against the cap, saying the lower fees wouldn’t cover the cost of handling transactions, maintaining their networks and preventing fraud. The Consumer Bankers Association said the new ruling “will create even more chaos for consumers and small banks.”