The New York Times is reporting that the number of Android smartphones infected with a ransomware virus has grown to nearly one million devices in the past 30 days. Though the concept of ransomware is not new to the technology world, only minor outbreaks of this particularly nasty malware have been seen on mobile devices, and have either been quickly defeated or bypassed. Not so with this latest set of extortionware: most prolific is a trojan called ScarePackage, which, as the name suggests, locks your phone with a warning that the device has been used to commit a crime (child porn and media piracy are two of the most common tactics), and can only be unlocked by paying a fine to “law enforcement”.
What this means for you:
Up until now, the most common way Android devices were infected with malware like the above was through “sideloading” apps from questionable sources other than Google’s own “Play” store. Unfortunately, hackers seem to have perfected mobile browser drive-by infections so that they don’t even need to rely on someone bypassing the normal controls all Android phones ship with by default. It’s unclear whether Android antimalware apps (I use WebRoot’s SecureAnywhere) can protect you from drive-by infections reliably, but it does provide a layer of protection when installing apps and it will block suspicious text messages; both are a common source of malware infections. On top of installing malware protection on your mobile device, you should always be very careful surfing unknown or questionable websites, avoid installing brand-new, never-reviewed apps (sometimes trojans slip through Google’s malware screening), and always scrutinize the permissions that installed apps are requesting, especially the ones that ask for full administrative permissions or unfettered access to make mobile calls and send text messages.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Despite industry opposition and a failed first attempt, California’s governor signed into law a bill that requires smartphone manufacturers to install and enable kill switch functionality on all smartphones sold after July 1, 2015. Though California isn’t the first state to enact a killswitch law – Minnesota enacted a similar law back in May – it’s the first to require that the kill switch be enabled by factory default. Opponents of the law were quick to point out that any state’s effort to enforce this capability are redundant, as many smartphones already have this functionality, and it is quickly becoming a standard for all manufacturers. Both Apple and Samsung feature some variation of activation locking that prevents stolen phones from being used, but as the authors of the California bill were quick to point out, having it available and actually enabling it are two different things.
What this means for you:
Even if you aren’t a California or Minnesota resident, it’s possible you already own a phone that has some form of kill switch capability, especially if the device was made in the past two years. Even if you are one of the careful 9 out of 10 people who hasn’t had a smartphone stolen, you should enable any kill switch and anti-theft capabilities your phone has to offer, including putting a passcode of some form on your phone. Misplacing a phone could be just as devestating without it, and even though it wasn’t technically “stolen”, no kill switch means that a less scrupulous individual just got a brand new smartphone for free. You should also enable recovery and theft prevention features on any tablet you own – both iOS and Android offer location and security as standard features of the OS – and keep in mind that California’s law only applies to smartphones, not tablets.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Supermarket chains Supervalu, Albertons and Jewel-Osco have joined the illustrious list of large retailers hacked (presumably) for their vast datastores of shopper identities and credit card information. Investigation is still ongoing in both cases as to whether hackers actually managed to retrieve shopper data during the breaches, and whether the data is being used illegally elsewhere. Though the details of the hacks have not been revealed, security analysts are speculating that the hackers probably compromised point-of-sale machines, similar to the attacks that breached Target in 2013.
What this means for you:
As you can imagine, based upon the difficulties of trying to secure your own personal devices, securing a large network of heavily used and highly exposed computers is tricky business. Even the slightest misstep can lead to cybercriminals pouncing on you like a pack of wild hyenas. Large chains like the ones affected above are continuously under attack from multiple vectors primarily because of the type of data hackers absolutely know they have. The best way to descibe the current war between corporate enterprise and cybercriminals would be that of a siege, with the “good guys” turtling up behind walls that being hammered on relentlessly. And as in any siege, even the smallest breach of that wall can lead to a complete razing of the besieged. Unfortunately, the good guys are struggling to innovate as fast as the bad guys who are heavily invested in winning these types of battles, as the stakes can result in huge payoffs in stolen credentials.
As mentioned, none of the supermarket chains have verified that data has been stolen, but if you happen to shop at any of the listed establishments with your credit card, you may want to consider having your credit card company issue you a new number.
Four and a half million patients treated within the hospital network Community Health Systems now have something else to worry about aside from having to see a physician: identity theft. The 28-state network revealed today that its servers had been breached by Chinese hackers who gained access to CHS patients’ names, birthdates, social security numbers, phone numbers and addresses, every bit of data a criminal would need to perpetrate a robust identity takeover. The hackers did not gain access to credit cards or clinical records, which may only serve as a small consolation to this egregious breach of privacy.
What this means for you:
CHS operates primarily in Alabama, Florida, Mississippi, Oklahoma, Pennsylvania, Tennessee and Texas, so if you’ve received medical treatment in one of those states any time since records became computerized, you might be affected by this data breach. As opposed to the widely publicized (but not yet independently verified) Russian hacker haul of 1.2 billion passwords, changing a few passwords isn’t going to help you if you are one of the 4.5 million affected by the CHS data leak. Supposedly, CHS is planning to offer some form of Identity Theft monitoring, which, depending on the level of patience and fortitude you have, may be worth accepting. The alternative – manually monitoring your credit for bogus accounts being opened – can be time-consuming and tedious.
Even if you aren’t impacted by the above – are you keeping a close eye on your credit history? Keep in mind that Credit Monitoring services only do just that – monitor. They can’t prevent criminals from attempting to hijack your credit via bogus credit and loan applications. They will warn you about the attempts, and at best, provide some assistance in working with the 4 credit agencies to rectify the damage. And even unsuccessful attempts ding your credit history, adding injury to insult in this case.
Confirming something that many of us already suspected, Twitter has revealed in its most recent SEC filing that almost 9% of all Twitter accounts aren’t used by actual humans. Given the social media’s 271 million accounts, that’s nearly 23 million Tweeters posting content at the behest of some form of automation or algorithm.
Common sense tells us that a long, complex password is inherently better than short, simple password primarily because it makes it harder for humans to guess what it might be based upon what they know about the user. However, when computers can brute-force a solution to even the most complex passwords within minutes, a lot of people are starting to question why they bother at all. That’s ever more so the case in light of a recent discovery that Russian hackers have amassed nearly 1.2 billion unique compromised credentials in a series of hacks targeting nearly half a million websites. Investigation into some of the hacked sites has revealed that though you may have put some effort into creating a complex password, the website you created it for didn’t invest nearly as much effort in keeping it safe. In some cases, the passwords stolen were originally stored “in the clear”, ie. not encrypted.
What this means for you:
Sadly, the industry as a whole is still scrambling to come up with a solution to the failure of passwords as a security mechanism. So far, the best some sites can offer is 2 or 3-factor authentication, and as can be surmised from the lackluster adoption of this form of protection, most people will opt for the simpler, less secure method when they aren’t required to do otherwise. As for what to do about the above? Go out there and change your passwords on all your important accounts, and enable 2-factor where available, especially on your critical business services like email, banking and file-sharing sites. It’s highly likely one of your passwords is part of this huge hacker database, and it could be used against you very soon.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
Any day we can take a purveyor of child pornography off the streets is a good day in my book. In this case, we can thank Google for discovering a Texas man sending images of child sex abuse through his Gmail account. As you might have guessed, a search algorithm rather than a human spotted the transgression and sent an alert to the National Center for Missing and Exploited Children, who then tipped off local authorities. According to Google, this is the only criminal activity they actively scan for within Gmail, and the search relies heavily on a large database of known illegal images maintained by NCMEC against which comparisons are made.
What this means for you:
In the case of child pornography, I’d say that just about any method used to catch perpetrators is justified, but as many pundits and security analysts point out, this practice teeters precariously on a knife edge of ethics. Telecommunication service providers like Google are required to inform law enforcement of suspected child abuse whenever it is made aware of such activity within its systems, but that word “aware” is ill-defined in today’s age of artificial intelligence, big data analysis and search algorithms. Does a search algorithm matching mathematical hashes on images constitute “awareness”? Should this same algorithm be used to look for other serious crimes? What about petty crimes? Does talking about a crime constitute the commission of a crime? What happens if someone hacks your account and sends out a bunch of disgusting images in an attempt to get you arrested? All the more reason to keep your passwords strong, unique and very, very safe. Oh, and don’t use email to commit or plan out crimes, because even though Google says they are only watching for child pornography, you can bet other agencies are looking at everything. Heck, maybe you should just not commit crimes at all, mmkay?
When it first occurred, connecting things to the internet seemed more like a gimmick than anything practical. Remember that fridge that was supposed to know when you need to buy more milk and would email you a reminder? Even though that particular concept still hasn’t really caught on (though it should!) plenty of other things in our houses and workplaces are connected to the web, to the point where we don’t even consider it gimmicky anymore. Cars that can be started via an iPhone app? Sure! Security cameras that text you when they detect motion? Why not? How about thermostats and lighting that can be adjusted via wifi? Done! Except for a “little” problem: this growing “internet of things” is just as bad (if not worse) at security as the rest of the internet. A security study by technology giant HP took a look at the 10 most popular internet-enabled devices and discovered each device had at least 25 security vulnerabilities that could lead to terrible things.
What this means for you:
Most of my clients have a healthy respect (if not fear) of the internet and its tireless ability to invade your privacy, and typically make more informed choices than the general public, but as more and more devices come “connected” right out of the box, it’s easy to fall into the convenience trap of plugging the thing in and moving on to the next item on the to-do list. What this will eventually mean is people are surrounding themselves with devices that, taken as a whole, can provide an incredible amount of detail about their supposed “private” life. And those devices are all connected to the internet. Unless manufacturers starting upping their security standards (or the market forces them to), we may all find ourselves living a rather exposed existence. So the next time you are considering a device that is “internet” enabled, consider whether or not you are ready (and willing) to understand exactly how that device secures itself from hacking, and whether its worth the convenience.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
Researchers at Bluebox Security have published an unsettling discovery in the Android operating system that is the digital equivalent of a law enforcement official neglecting to verify if your driver’s license is actually real whenever you submit it as proof of your identity. Oh, and this little bug has been around since version 2.1 of the OS, which was released in January 2010. The real problem with this bug (aside from it being over 4 years old and still unpatched) is that it has the potential to grant malware written to take advantage of this bug an unprecedented level of access to your phone. While Google has acknowledged Bluebox’s finding, there is still no word on when this serious flaw will be fixed.
What this means for you:
Normally, Android apps installed on your phone are “sandboxed” into their own spaces, preventing them from interacting with other apps without permission. However, there are a certain set of apps that are allowed access to other apps, ostensibly to provide services to those apps. A well known example of a “super-privileged” app is Adobe’s Flash Player (before it was removed from the Play Store in Android 4.4) which was granted privileges to other apps primarily to provide rendering and playback services for Flash content. Each app comes with its own security certificate that is supposed to verify the apps identity and authenticity. Except because of the above-mentioned bug, your Android phone doesn’t bother to verify if the certificate itself was issued by a proper authority. Oops.
Until Google fixes this bug, be very careful installing new apps that appear on the Play store, especially if you are directed to one via suspicious email or social media. Even though Google supposedly checks every single app made available on the Play Store, hackers and security researchers have been able to sneak malware into the store for a short period of time. And definitely do not side-load apps. Hopefully I don’t need to explain just how bad having malware on your phone could be, especially one that could interact with things like your contact list, banking apps and social media accounts.
Did you know that if you jailbroke your iPhone (or any locked smartphone) without your mobile carrier’s permission anytime between early 2013 and now, you were actually breaking a federal law? That’s right, due to an expired clause in the Digital Millenium Copyright Act, it’s actually illegal to unlock a smartphone you own. This bit of nonsense was courtesy of a Congress that was deadlocked on just about every issue big or small, so it’s no surprise that only just now they are getting around to fixing an issue that both the FCC, Whitehouse and even mobile carriers recognized was just plain wrong.
What this means for you:
The “Unlocking Consumer Choice and Wireless Competition Act” was passed by Congress on July 25 and is now awaiting the President’s signature, but the impending law seems like a token gesture in response to what is now more of a symbolic stance from a vocal minority of smartphone users. In the intervening 18 months, the mobile marketplace has seen a fierce rise in competition, including some carriers offering to pay off early termination fees to woo customers away from the competition. Most carriers now also offer plans that incorporate no-penalty upgrades to new hardware, another incentive to not bother unlocking phones or switching carriers. And to top it all off, the CDMA/GSM network divide continues to limit your unlocked phone to a single alternative (if you want nation-wide coverage).
The carriers, even though they “allow” you to unlock your phones once your contract has expired, still do not always make the process easy, nor is it always a simple technical process, especially on the Android platform. In the end, if you aren’t already a veteran jailbreaker, you are better off interrogating the salesperson at your local carrier store about upgrade options and no-contract plans rather than worrying about whether you can take your phone over to the other guys.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net











