Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

Apple Computers Targeted by Ransomware

admin
Tuesday, 23 July 2013 / Published in Woo on Tech

One of the claims by loyal Apple fans is that the Apple desktop operating system is more secure than Microsoft Windows because it is affected by markedly less malware. This has more to do with the fact that virus-writers would rather spend their time creating malware for an OS that is much more widely installed and has many well-known security weaknesses and bugs to exploit, and less to do with any inherent security strengths in OS X.

Whichever side of the fence you fall on, Mac users have recently been falling prey to a new form of ransomware that is delivered via Apple’s Safari web browser. Affected users are displayed the usual threatening messages that purportedly come straight from the FBI, demonstrating “proof” that your Apple computer has been engaged in illegal activity. Users are given the opportunity to pay a “fine” which will supposedly allow them to regain control over their machine and remove the warning messages blocking their screen.

What this means for you:

If you are a Windows user, you’ve probably already seen this form of malware in action. The Apple variant is slightly less annoying than its Windows counterpart, relying heavily on “iFrames” to pop up the warnings. Savvy Safari users can close these windows to escape the ransomware’s clutches temporarily (something that’s not possible on the Windows side), but should still reset their browser settings (FBI provides instructions here) to clear out any rogue alterations made, and then run a full anti-malware sweep to ensure they didn’t pick up anything else alongside the ransomware scam.

As always, you should never heed instructions to pay a “fine” levied by some governmental institution via online method. Law enforcement agencies do not operate in that fashion. Regardless of the brouhaha ongoing with the NSA and the Prism surveillance, no government entity is going to handle illegal activity via automated fines, and especially not through dodgy online payment websites. Use your common sense. If you encounter this form of malware and are unable to fix it yourself, shut down your workstation and pick up the phone to call a professional.

Tags: Apple, malware, os x, ransomware, security, windows

Older Phones Might Have SIM Card Weakness

admin
Tuesday, 23 July 2013 / Published in Woo on Tech

A German security researcher has revealed that as many as 750 million cellphones may be vulnerable to hacking via their SIM card if it’s encrypted with DES (Data Encryption Standard), originally coded in the 1970s. Through studies on approximately 1000 SIM chips and phones, Karsten Nohl of Security Research Labs demonstrated the ability to fool the older SIM chips into thinking he was authorized to access confidential data on the phone, including SMS texts and call logs, as well as to pay for fraudulent services via the phone. In theory, this level of access could grant an attacker the ability to compromise and steal the phone owner’s identity on top of gaining access to online bank accounts and other high-risk areas.

What this means for you:

Mr. Nohl has not revealed to the public the details of which SIM cards may suffer from this weakness and has instead been working closely with SIM card manufacturers to assist them with identifying and hopefully remediating the weakness where they can. His estimates are that as many as 3 billion cell phones use the older-generation SIM cards, but only some of those are prone to the security bug he has exploited in the above research. According to SIM manufacturers, they stopped using the older DES method back in 2008, so it’s likely that if your phone is less than 3 years old, you are probably safe from this particular exploit. If you have a phone that is older than 3 years, you should consider replacing it with a newer phone, or at minimum, see about getting a new SIM card from your carrier if you want to continue using your cellphone.

Tags: cellphone, des, encryption, exploit, identity theft, security, sim card

Android App Flaws Revealed

admin
Tuesday, 16 July 2013 / Published in Woo on Tech

Lest you think Facebook is the only security punching bag getting a beating lately, two significant flaws in the Android application platform have been revealed by overseas security teams. Without going into the gory details, each team has found a different way to create a trojanized APK (the file format in which Android apps are delivered) that is indistinguishable from the original. This would allow an app to appear and function normally, but also execute functions like transmitting your passwords, texts, emails on the sly. Google has already put together a fix and distributed a patch to OEM manufacturers, and supposedly they are able to detect this sort of exploit on the Google Play Store.

You need to worry if you “sideload” apps on your Android phone, which is to say you get apps from sources other than Google Play. Keep in mind, even Amazon’s App store counts as a sideloading source, and as of the moment, they aren’t scanning for this vulnerability.

What this means for you:

Even though Google has issued a fix for this particular vulnerability, they can’t force the update upon the millions of Android phones out there affected by this weakness, as that task lies with the phone manufacturers and the carriers. With the exception of avid power-users, most Android users are unaware that their Android OS may be months or years out of date, primarily because cellular carriers insist on selling phones that use a modified version of the OS that does not automatically get updated when Google updates the core version of Android. On top of this, the carriers are notoriously slow in issuing updates. If you are wondering what folks are talking about when they are discussing “Gingerbread”, “Honeycomb”, “Ice Cream Sandwich” and “Jelly Bean”, they are referring to the various versions of Android OS, where Jelly Bean is the latest. Supposedly this exploit exists as far back as “Donut” (ver 1.6).

Even worse, certain older models of Android phones may never get updated, as the carrier has essentially abandoned firmware updates for phones that are “retired” from active support. Users of these phones have essentially two options: root, unlock and update the phone with a custom version of the Android OS developed by the open source community, or buy a new phone. The former option is definitely not for the technically disinclined. Given the gravity of the vulnerability, the carriers may issue patches for the majority of their phones, but I wouldn’t hold your breath.

Until you are able to verify your Android smartphone is running a version of the OS that fixes this vulnerability, don’t sideload applications. If you want to be extra safe, avoid using smartphone apps that transmit sensitive information like banking passwords, PINs and other sensitive personal information. As I’ve reiterated before, exercise caution before convenience, especially when it comes to protecting yourself.

Tags: Android, exploit, Google, play store, security, sideloading, smartphone, trojan, vulnerability

Add Hacked Femtocells to the List of Security Risks

admin
Tuesday, 16 July 2013 / Published in Woo on Tech

Depending on where you live or work, you’ve probably experienced problems with cellphone coverage for one or more carriers, usually due to your geographical (lack of) proximity to a cell tower, or courtesy of construction materials like concrete, lead and steel in between you and your signal. Thanks to the advent of widely available broadband, cellular providers have been able to build small devices called femtocells that can be connected to your internet connection and will significantly improve cellular signal for a specific carrier in a limited range.

While seen as a godsend for the cell-strength deficient, we also now have to regard them as a security risk, thanks to research performed by analysts at iSEC Partners who have allegedly hacked a Verizon network extender to allow them to eavesdrop on any phone call, text message or other information transmitted from the phone through the compromised femtocell. The researchers plan to publicize their findings at the upcoming Black Hat Conference in August, but have declined to share details for obvious security reasons.

What this means for you:

Unfortunately, you can’t tell your cellphone what radio signal source to use. It’s designed to look for the strongest signal and use it. The iSEC researchers claim it would be trivial to build a portable and unobtrusive hacked network extender and place it in a strategic location to capture confidential calls. If you are in the business of confidential information, you probably already know not to take sensitive calls wherever you might be overheard, and if you are a well-informed adult, you probably already know that the NSA could eavesdrop on your conversation regardless of what cell tower was handling your call. But now we are talking about a commercially available device that is cheap, portable, and apparently, hackable. As before, consider carefully the medium you choose for the delivery of your sensitive information, and when in doubt, err on the side of caution rather than convenience.

Image courtesy of Stuart Miles / FreeDigitalPhotos.net

Tags: cellular, femtocell, hack, network extender, privacy, security, smartphone, verizon

Government Agency Overreacts to Malware Threat

admin
Wednesday, 10 July 2013 / Published in Woo on Tech

I often encourage my clients to be paranoid about security, but never to the point of throwing the baby out with the bathwater, which is exactly what the Economic Development Agency did two years ago when responding to a report that some of its computers were infected with malware. Due to a mixture of clerical error, poor communication and straight-up inexperience (in a government agency? Imagine that!), the top brass at the EDA received a report that stated over a hundred devices on its network were infected. Believing the technology to be unrecoverable, they proceeded to physically destroy all of it, including mice, keyboards, monitors, printers and other devices that couldn’t be infected with malware, rather than risk the spread of infection, to the tune of nearly $3 million.

What this means for you:

If you’ve ever had a really bad malware infection, you sometimes might hear the technician say, “It’s probably best if we nuke this thing from orbit,” referring to a favorite scene from the movie Aliens. Obviously, your computer is going to be just fine, as he’s actually just talking about wiping out the contents of your hard drive and starting with a fresh install of your operating system. Unless he’s a contractor who lists the EDA as a former client, in which case you might want to show him the door and call someone else.

In all seriousness, a situation like this can easily happen if your organization’s leadership has an incomplete understanding of technology and security. In the above case, a little knowledge and a pinch of common sense could have saved the EDA a lot of money and embarrassment. Continue to be paranoid about security, but only “nuke from orbit” when your company is completely overrun by man-eating aliens. A malware infection, or even a serious security breach, can be handled without slaughtering all those helpless keyboards and mice.

Tags: communication, government, overkill, overreact, security, threat

Facebook Graph Search Has Arrived

admin
Tuesday, 09 July 2013 / Published in Woo on Tech

Back in January of this year, I wrote about Facebook’s impending Graph Search feature (“Facebook Graph Search Cutting Bait for Phishers”) which was set to greatly improve its existing feeble search engine as well as outrage privacy watchdogs. Based upon the feedback the developers received from the small test group to which it was originally released, Facebook went back to the drawing board, and has now decided that Graph Search is ready for its debut.

Unlike the search engine we all know and use, Facebook’s new search engine will rely heavily on the various layers of data that it has accumulated on its millions of users, allowing you to perform searches that list “friends who like trucks and football” or “single women in Los Angeles who like Ethiopian food”. Obviously, the results are heavily dependent upon how much information everyone shares about themselves on Facebook, but Facebook is confident that the results will be eye opening.

What this means for you:

If you haven’t heard me mention it before, there’s no better time than the present to log into your Facebook account and check your privacy settings, even if you don’t use it often, or you haven’t updated your profile since you created the account oh so many years ago. If you haven’t logged into Facebook in the past year, they have made a lot of changes to settings and security that will probably bewilder the savviest of users. I linked a guide written by the EFF on Facebook’s privacy settings here: “Tighten Up Your Facebook Security”, and Facebook is also taking a more proactive approach by warning you when you log in that Graph Search is coming and providing a link to your privacy settings.

Tags: facebook, graph search, privacy, security, settings

Facebook Has Another Facepalm Security Incident

admin
Wednesday, 03 July 2013 / Published in Woo on Tech

Remember last week when I reported on a “small” privacy blunder committed by Facebook and their data portability app? Security software maker Symantec announced over the weekend that they noticed Facebook’s Android app behaving inappropriately, to the tune of uploading the phone number of the device to Facebook’s servers the first time the app is installed and launched, prior to any logins or other interaction by the phone owner. According to Facebook, they never used this information, and have since deleted it from their databases. Seeing as the Android Facebook app has been downloaded by several hundred million people, up until this “bug” was discovered and remedied, several hundred million people had their phone numbers harvested by Facebook without their explicit permission.

What this means for you:

Maintaining control over the privacy of your personal data requires constant vigilance on your part, and trustworthiness on the part of those who are requesting the use of your data. In this specific instance, a list of several hundred million mobile numbers isn’t very useful without any other metadata, but it highlights the larger issue at hand: can Facebook be trusted to be good stewards of your personal data? Should they have ever been trusted to the extent that most people have up until now? Recent events should put a great deal of caution into even the most open social networker, and should serve as a red-flag warning to everyone. Organizations are only as good as the people who run them. Apps are only as good as the people who program them. If your privacy is important to you, pay close attention to how others respect that privacy. Don’t reward bad or careless behavior with your dollars or loyalty, and don’t let inertia alone keep you from making informed choices.

FYI: “Facepalm”: http://en.wikipedia.org/wiki/Facepalm

Tags: Android, facebook, leak, norton mobile, privacy, symantec

New Child Privacy Rules in Effect Today

admin
Tuesday, 02 July 2013 / Published in Woo on Tech

After four years of research and debate, the Federal Trade Commission has updated the Children’s Online Privacy Prevention Act with much stricter rules that hit internet advertisers right in the moneymaker. Written originally in 1998, COPPA was enacted to protect minors under the age of 13 by requiring any company collecting data on that demographic to adhere to strict privacy protection guidelines as well as putting well defined limits on advertising and marketing targeting minors. Since 2000, when it first went into effect, the internet and online advertising have changed significantly, and the FTC has amended COPPA, over the strenuous objections from the industries affected.

What this means for you:

Whether you are a parent or an organization who markets to this particular demographic, you should take a moment to understand how COPPA may impact you. The new rules have been expanded in the following ways:

  • The guidelines now include a wide range of digital media and devices, including smartphones, tablets, mobile gaming devices and mobile apps.
  • The definition of “Personal Information” (previously only the child’s name, address and email were protected) has been expanded to cover a larger variety of data types including: geolocation, photos, videos, recordings, screen names and cookies. Just about anything that could be used to identify or track a child has been included.
  • Any organization or platform must ask permission from a parent or guardian before collecting the information, and must include links to an official privacy policy governing the use of that data.
  • In the case of any organization collecting information without consent, parents and guardians have a right to receive a full description of what was collected on their child and also the right to have that info be deleted immediately.
  • Targeted advertising that is based on a minor’s online data profile is no longer permitted without parental/guardian consent.

The trick, of course, is paying attention to what your child is doing online, and especially to what they are seeing onscreen. Advertisers are extremely clever, and this segment of the market is extremely valuable to them. The howls of protest will soon subside as they devise even more subtle ways to get parents to open up their wallets. Caveat Emptor!

Image courtesy of Stuart Miles / FreeDigitalPhotos.net

Tags: advertisers, children, coppa, ftc, marketing, minors, parents, privacy, targeted

Strategy Pivot for BlackBerry in the Making?

admin
Wednesday, 26 June 2013 / Published in Woo on Tech

BlackBerry (formerly RIM) has been struggling in the smartphone market, having recently fallen into 4th place behind even Microsoft’s fledgling foray into that space. Despite the recent release and generally positive reviews of their 10-series phones, the mobile device manufacturer ceded their corporate dominance years ago to the crushing flood of iOS and Android devices primarily because of the company’s failure to stay competitive on the software side. In a move that has analysts scratching their heads, BlackBerry is now making a play via software with a new platform called “Secure Work Spaces” which aims to allow for peaceful and secure coexistence of personal and corporate data on smartphones, including iOS and Android devices.

What this means for you:

Corporations struggle with allowing their employees to use corporate phones for business, and vice versa, with corporate phones and personal usage, primarily because the risk of security breaches is much higher on the personal side. BlackBerry’s new platform is designed to create a partition that keeps the two work spaces (see what they did there?) separate, giving enterprises complete control over corporate data without the distasteful invasion and control over the personal aspects of devices. There are other companies working on this same concept, and they have been in the space longer, but BlackBerry’s reputation (and probably some nostalgic sentiment) may win the hearts and minds of corporate IT managers. Seeing as BlackBerry has historically been a company that depends on hardware sales for revenue, many think that BlackBerry is either making a desperate or cunning pivot to the software space, knowing that there is little chance they can recover any ground in the mobile device race.

Tags: Android, balance, BlackBerry, ios, security, smartphones

Facebook App Bug Exposes Questionable Data Practices

admin
Monday, 24 June 2013 / Published in Woo on Tech

Facebook offers its users the ability to upload your email contact list, presumably so you can discover which of your friends are on Facebook (that you haven’t already befriended). Once you’ve done this, you also have the ability to download those contacts via an archiving tool called DYI (Download Your Information), that delivers this information via a simple HTML file. Unfortunately, an unintended “bug” in DYI exposed a rather distasteful (though expected) Facebook practice called data correlation. Here’s what happened:

Say you uploaded a contact “[email protected]” to Facebook, but that’s all the data you had on Mr. Smith: just his email address. Another Facebook user also knows Mr. Smith, but also happened to have his phone number and mailing address as well. Facebook’s data correlation practices store all data on John Smith, regardless of who uploaded it, in a single record, creating a comprehensive data profile on Mr. Smith. See where this is going? Before they fixed this bug, when you went to download your contact info via DYI, not only would you get the email address you knew about, you’d also get any other contact information uploaded by other users, even if you didn’t know the other person who uploaded the contact info about John Smith!

According to Facebook, this data correlation is done to make “Friend” recommendations to you based upon everything it knows about an individual, across its entire store of information.

What this means for you:

It’s not clear whether Facebook intends to notify any of the six million individuals who are affected by this bug, and supposedly this has been fixed so that Facebook users only have access to the data they uploaded minus the data correlation ties Facebook makes in its internal database. According to Facebook, this security bug wasn’t exploited intentionally or maliciously, and it wasn’t possible for anyone using the tool to access information about users they didn’t already have some form of contact info on already.

This does highlight a larger privacy issue that probably won’t be resolved anytime soon, but has been ongoing for Facebook ever since it first appeared. Your friends have access to your PII (Personally Identifiable Information) and regardless of your own personal wishes, you have no ability to control whether or not they share that information, on Facebook or any other social networking site. As is always the case, if you are concerned with the visibility of your personal information on the internet, do regular searches on your name via Google to see what comes up in public, and work back towards the source to remove that information if necessary. Unfortunately, the Internet never forgets, and there is no “100% guaranteed erase” button, so it’s sometimes impossible to completely remove that data from public view.

Tags: bug, data correlation, dyi, facebook, personally identifiable information, pii, privacy, security