Researchers at Bluebox Security have published an unsettling discovery in the Android operating system that is the digital equivalent of a law enforcement official neglecting to verify if your driver’s license is actually real whenever you submit it as proof of your identity. Oh, and this little bug has been around since version 2.1 of the OS, which was released in January 2010. The real problem with this bug (aside from it being over 4 years old and still unpatched) is that it has the potential to grant malware written to take advantage of this bug an unprecedented level of access to your phone. While Google has acknowledged Bluebox’s finding, there is still no word on when this serious flaw will be fixed.
What this means for you:
Normally, Android apps installed on your phone are “sandboxed” into their own spaces, preventing them from interacting with other apps without permission. However, there are a certain set of apps that are allowed access to other apps, ostensibly to provide services to those apps. A well known example of a “super-privileged” app is Adobe’s Flash Player (before it was removed from the Play Store in Android 4.4) which was granted privileges to other apps primarily to provide rendering and playback services for Flash content. Each app comes with its own security certificate that is supposed to verify the apps identity and authenticity. Except because of the above-mentioned bug, your Android phone doesn’t bother to verify if the certificate itself was issued by a proper authority. Oops.
Until Google fixes this bug, be very careful installing new apps that appear on the Play store, especially if you are directed to one via suspicious email or social media. Even though Google supposedly checks every single app made available on the Play Store, hackers and security researchers have been able to sneak malware into the store for a short period of time. And definitely do not side-load apps. Hopefully I don’t need to explain just how bad having malware on your phone could be, especially one that could interact with things like your contact list, banking apps and social media accounts.
Researchers from Google and security firm Codenomicon released details yesterday on a staggering security hole in one of the fundamental security technologies used by hundreds of thousands of websites around the world. Dubbed the “Heartbleed Bug”, this vulnerability is found within a code library called OpenSSL – a tool almost universally used in Linux-based webservers, and it may have been in existence for as long as two years before being discovered this past weekend. In a nutshell, this weakness could theoretically allow a hacker to download critical bits of information that are literally the cryptological “keys to the kingdom” of a server affected by this bug. And unfortunately, there is no way to detect an exploit of this vulnerability, nor to determine what, if anything was stolen in the alleged attack.
What this means for you:
You would encounter OpenSSL through the familiar “HTTPS” protocol websites use to transact business online, and sadly, both small and large companies are affected by this bug. (Full Disclosure: C2’s own website had this bug up until late last night when the server was patched). And by large, I mean websites like Yahoo Mail. Essentially, the weakness could allow hackers to scrape a small segment of active, encrypted server memory and read the contents, which could contain just about anything at the time, up to and including passwords or actual cryptographic keys that can be used to decrypt encrypted data sent by the server itself. Alas, because there is no way to tell when or even if a Heartbleed bug exploit is occurring, there’s no way to tell if anyone, or everyone has been compromised in some form by this hole.
Fortunately, the media seems to be grasping the severity of this problem, and has broadcast this story across every website. Unfortunately, this may prove to be a double-edged sword as both server adminstrators and hackers scramble to get to the unprotected server memory first. For any online service you use that utilizes HTTPS or other forms of encryption, you will want to watch for announcements and news from that service: either acknowledging and fixing the bug, or assuring their customers that they are not affected by this weakness. Either way, it’s always a good idea to never use the same password more than once, and to always keep a close eye on your bank accounts and credit history for unusual activity. If you suspect a website may be unaware of this bug, and potentially at risk, send them an email asking about the Heartbleed Bug to make sure they are on top of this very serious issue.