By the time you read this, Apple will be on day two of quarantining group calls in its video chat app, FaceTime. Why? Oh, how about a nasty eavesdropping bug that would allow callers to listen in on recipients before they pick up the call? Not necessarily ground-shaking in terms of espionage or cybercrime, but potentially embarrassing or even relationship-destroying, especially for an app that is heavily used for non-business calls. To add to the embarrassment of everyone, discovery of this bug is credited to young teenager trying to set up a group chat with his Fortnite friends. Thanks, Fortnite?
What this means for you
Probably not much, except if you use FaceTime for group chats which is now unavailable until Apple fixes the issue. At the moment, there is no firm ETA on the fix which “…will be released in a software update later this week,” per Apple’s official statement. Unfortunately, this isn’t the first security bug for FaceTime’s group chat feature which is not even a full year old. Last fall a security researcher was able to exploit a flaw in group chats to bypass the lock screen and view a user’s entire address book. Thanks to the internet and the always connected nature of iOS devices, bugs like these are typically fixed quickly, and unlike Android phones which suffer from a fractured operating system environment and inconsistent update policies controlled by competing manufacturers, Apple is able to react quickly to these situations. Score one for the fruit company!
Last week, the majority of US Windows 10 users received a big update from Microsoft nicknamed the “Anniversary Update”, primarily because it was initially released on Aug 2, approximately one year after the official launch of Microsoft’s latest operating system. Amongst a host of improvements to core features like Edge and Cortana and presumably numerous bug fixes, the update also managed to render millions of webcams inoperable. Depending on what you use your computer (and webcam) for, and even what generation you hail from, the impact of this could have been non-existant to a complete showstopper. In the ongoing videochat fight, Apple and Google just scored a TKO without even stepping into the ring.
What this means for you:
Obviously if you don’t use Windows 10 and a webcam, feel free to point and laugh or shake your head in sympathy. What might make this very aggravating for the average Windows 10 user is that they may not even know their computer was updated last week. All they know is their Skype or favorite videochat app is now locking up after a minute with no visible explanation. Even more exasperating is Microsoft’s new rollback policy for Windows 10. Previous versions of Windows allowed the user to uninstall any MS update applied to their system at any time. Now, with Windows 10, you have ten days to rollback your OS to a previous version, otherwise you are just out of luck. In the grand scheme of things, ten days is a very short time to figure out the root cause of an obscure problem like this, so you can imagine that many folks are discovering the root cause of this problem too late to easily solve it.
Though Microsoft has finally acknowledged the problem (WARNING: technical jargon galore!), a patch is unlikely to be released until September. Until that day arrives, the only fix is to rollback the Anniversary update (if you catch it within 10 days) or manually edit your computer’s registry. Buying another webcam won’t necessarily fix this problem unless you know for a fact it can process video through a codec known as YUY2, as Microsoft intentionally removed support for the more common MJPEG and H.264 protocols. According to them, these two older codecs have significant performance issues and support was removed to improve Windows 10. So now instead of degrading performance, your webcam will have zero impact on your computers performance. Working as intended?
Just when you think Microsoft might have its act together security-wise, some clever/persistent security researcher will do their damndest to shatter your fledgling comfort with the latest exotic bug. In this case, the bug has been around since 1997 – it’s so old it’s officially Bug #4 in Internet Explorer. As in the fourth bug discovered in Internet Explorer, ever. And never fixed! Sadly, this negligence has arisen as a critical security flaw in both Windows 8 and 10, and could lead to your Microsoft Live account being exposed.
What this means for you:
This flaw does not affect the following:
- Windows 7,
- Windows 8 or 10 computers attached to a domain,
- Windows 8 or 10 computers accessed via local accounts,
- Windows 8/10 users who do not use Internet Explorer, Edge or any version of MS Outlook.
The people who fall into #2-4 are what I would call a “select” demographic, which is to say that it’s more likely you are using Windows 8 or 10 with a Live account. Via trivial exploit, a hacker could obtain your login and a hashed version of your password, and depending on how complex that password is, that hash could be cracked in less than a minute, meaning your Live account is now fully compromised. In case you weren’t sure what Live accounts can do, they give you a wide variety of access to Microsoft services including OneDrive, Skype, MS Office, and XBox Live to name a few, not to mention your actual computer, should the hacker somehow gain access to your local network or the device itself.
Before you start panicking, there is a (relatively) simple solution: change your password and switch your Live account to use 2-factor authentication. This won’t change how you log into your computer, but it will force anyone trying to use your credentials elsewhere online from using them without that second authorization that 2-factor provides, even if they manage to steal your password again. To really circumvent this bug from impacting you, switch to using a local account on your computer, or to stop using IE/Edge and Outlook until Microsoft fixes this ancient, but dangerous bug.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Due to a vulnerability in Android’s implementation of MMS, nearly one billion smartphones and tablets could be impacted by a security weakness known as Stagefright. In a nutshell, an attacker exploiting this vulnerability could send an MMS message with an infected attachment that could literally take over your device without you knowing it. Even though Google has released a fix for this vulnerability none of the major carriers and manufacturers have pushed the update to the affected devices, including Google’s own Nexus devices, which are due to be patched next week.
What this means for you:
This vulnerability can affect you even if you don’t open an infected MMS attachment, which could appear as a picture, movie or just about anything that can be attached to an SMS message. Stagefright’s actual purpose is to provide you with the thumbnail preview of the attachment in your SMS application, so having the attachment appear while scrolling through your messages would be enough to get infected. Regardless of what app you use to view MMS messages on your Android device, the only way to combat this attack is to prevent your device from automatically downloading MMS attachments. In Google’s default SMS application Hangouts, this is accomplished by doing the following:
- With Hangouts open, tap the Menu icon (3 horizontal lines in a stack) in the upper left corner.
- Tap the “Settings” icon (looks like a gear)
- Tap “SMS” (usually at the bottom of the list, below “Add Google Account”)
- Scroll down to “Auto retrieve MMS” and uncheck that box.
If you aren’t using Hangouts to view your SMS and MMS, make sure you check with the software developers to find out if disabling this option is possible in their app. I was previously using ChompSMS as my messaging app, and this option was NOT available, so I immediately switched back to Hangouts.
Researchers from Google and security firm Codenomicon released details yesterday on a staggering security hole in one of the fundamental security technologies used by hundreds of thousands of websites around the world. Dubbed the “Heartbleed Bug”, this vulnerability is found within a code library called OpenSSL – a tool almost universally used in Linux-based webservers, and it may have been in existence for as long as two years before being discovered this past weekend. In a nutshell, this weakness could theoretically allow a hacker to download critical bits of information that are literally the cryptological “keys to the kingdom” of a server affected by this bug. And unfortunately, there is no way to detect an exploit of this vulnerability, nor to determine what, if anything was stolen in the alleged attack.
What this means for you:
You would encounter OpenSSL through the familiar “HTTPS” protocol websites use to transact business online, and sadly, both small and large companies are affected by this bug. (Full Disclosure: C2’s own website had this bug up until late last night when the server was patched). And by large, I mean websites like Yahoo Mail. Essentially, the weakness could allow hackers to scrape a small segment of active, encrypted server memory and read the contents, which could contain just about anything at the time, up to and including passwords or actual cryptographic keys that can be used to decrypt encrypted data sent by the server itself. Alas, because there is no way to tell when or even if a Heartbleed bug exploit is occurring, there’s no way to tell if anyone, or everyone has been compromised in some form by this hole.
Fortunately, the media seems to be grasping the severity of this problem, and has broadcast this story across every website. Unfortunately, this may prove to be a double-edged sword as both server adminstrators and hackers scramble to get to the unprotected server memory first. For any online service you use that utilizes HTTPS or other forms of encryption, you will want to watch for announcements and news from that service: either acknowledging and fixing the bug, or assuring their customers that they are not affected by this weakness. Either way, it’s always a good idea to never use the same password more than once, and to always keep a close eye on your bank accounts and credit history for unusual activity. If you suspect a website may be unaware of this bug, and potentially at risk, send them an email asking about the Heartbleed Bug to make sure they are on top of this very serious issue.
You thought you’d done a good thing: you finally listened to all the warnings and locked your iPhone with a passcode or, if you are one of the lucky few with a shiny new 5s, the new fingerprint lock. Sadly, one of Apple’s other famed technologies may betray you in the end. An Isreali security analyst has uncovered a significant flaw in iOS7 security when access to Siri on your iPhone’s lockscreen is enabled. The problem is part convenience and part bug: using Siri while your phone is locked allows you to make calls without having to punch in a passcode, something that is indispensible while driving, or when your hands are otherwise occupied. Unfortunately, using Siri in this manner leaves a back door open in the form of unfettered access to the phone app, while your phone is still locked. Oh, and did you remember that Siri responds to anyone’s voice, not just the owners?
What this means for you:
“How bad could this be?” I hear you asking. While in the phone app, the user can access the phone’s voicemail, send text messages, view the calendar and look through all the contacts in your phone. If you don’t consider that private, you are part of a very small minority on this planet. The fix is simple: disable access to Siri from the lockscreen. The recommendation: do it now if you care about your phone’s security. It’s likely Apple will fix this flaw, but will they do it in time to protect your confidential data?
Facebook offers its users the ability to upload your email contact list, presumably so you can discover which of your friends are on Facebook (that you haven’t already befriended). Once you’ve done this, you also have the ability to download those contacts via an archiving tool called DYI (Download Your Information), that delivers this information via a simple HTML file. Unfortunately, an unintended “bug” in DYI exposed a rather distasteful (though expected) Facebook practice called data correlation. Here’s what happened:
Say you uploaded a contact “firstname.lastname@example.org” to Facebook, but that’s all the data you had on Mr. Smith: just his email address. Another Facebook user also knows Mr. Smith, but also happened to have his phone number and mailing address as well. Facebook’s data correlation practices stores all data on John Smith, regardless of who uploaded it, in a single record, creating a comprehensive data profile on Mr. Smith. See where this is going? Before they fixed this bug, when you went to download your contact info via DYI, not only would you get the email address you knew about, you’d also get any other contact information uploaded by other users, even if you didn’t know the other person who uploaded the contact info about John Smith!
According to Facebook, this data correlation is done to make “Friend” recommendations to you based upon everything it knows about an individual, across its entire store of information.
What this means for you:
It’s not clear whether Facebook intends to notify any of the six million individuals who are affected by this bug, and supposedly this has been fixed so that Facebook users only have access to the data they uploaded minus the data correlation ties Facebook makes in its internal database. According to Facebook, this security bug wasn’t exploited intentionally or maliciously, and it wasn’t possible for anyone using the tool to access information about users they didn’t already have some form of contact info on already.
This does highlight a larger privacy issue that probably won’t be resolved anytime soon, but has been ongoing for Facebook ever since it first appeared. Your friends have access to your PII (Personally Identifiable Information) and regardless of your own personal wishes, you have no ability to control whether or not they share that information, on Facebook or any other social networking site. As is always the case, if you are concerned with the visibility of your personal information on the internet, do regular searches on your name via Google to see what comes up in public, and work back towards the source to remove that information if necessary. Unfortunately, the Internet never forgets, and there is no “100% guaranteed erase” button, so its sometimes impossible to completely remove that data from public view.
Since its release last month, Apple has been fielding numerous complaints about wifi issues on the new iPhone 5. It’s not uncommon for manufacturers to sit tight during the first wave of complaints to see if there is any merit to them, or if they are just a combination of user-error and settling-in that always appears in new product launches. New customers were complaining of poor performance during the initial weeks of the iPhone 5’s arrival, and now that the first month’s bills are rolling in, these same customers have uncovered what looks to be a serious bug on the Verizon version of the the iPhone 5: instead of using an existing wifi connection to deliver data to the phone, iOS 6 (the operating system powering the iPhone 5) will instead continue to use the cellular connection, chewing up the monthly data allotment at an alarming rate.
Apple admitted the existence of the bug through a software update released on September 30, and Verizon has stated that no one will be charged for “unwarranted data usage” that might have occurred from this bug.
What this means for you:
If you’ve recently purchased an iPhone 5 or have upgraded your older iPhone 4 to iOS 6, and Verizon is your carrier, keep a close eye on your data usage and look for any unusual spikes in your monthly usage average. Reports are mixed as to whether this problem affects any other model other than the iPhone 5. Watch for the alert to patch your phone, and accept the update as soon as you see it. To check your cellular data usage on your iPhone: Settings->General->Usage->Cellular Usage.