The end of 2016 is nearly upon us, and I don’t think I’m alone in saying that I hope 2017 will bring more optimism and compassion for everyone. That being said, we at C2 are going to put our game faces on and finish out 2016 as if it was the best year yet (as far as C2 is concerned, it was, thanks to you!), but I will be taking a break for the next two weeks from scaring the spirit of security into you, so the next newsletter after this one will be in 2017. I don’t want to leave you hanging like a stocking on the chimney, so here are some technology gift ideas that I hope will inspire the spirit of giving in you.
- If you spend time in the outdoors trying to get away from all that big-city tech, but can’t put down that mobile device, how about a solar-powered charger? These things are great when paired with a portable battery pack (a 2015 recommendation). Set up the charger in the sun and attach your battery pack while you’re out enjoying nature. You can come back, grab your battery pack and keep going with your USB-powered smartphone, tablet or action camera without having to hunt for a non-existent AC outlet. Repeat until you are tanned, relaxed and chock-full of wonderful memories captured on your favorite mobile device, of course!
- Speaking of action cameras, it seems like everyone has one, and why not? They’re very affordable, and when you can capture ridiculously adorable and amusing videos, how can you not afford to get one? The GoPro HERO+ is the titular company’s entry-level model and it still shoots awesome video in a highly durable, portable and dare-I-say wearable fashion. GoPro videos will become this generation’s family vacation “slideshow”, minus the boring!
- Cordless headphones seem to be the hotness this year (another 2015 recommendation), but I still see a lot of folks rocking corded earbuds. As simple as they are, they get tangled if you look at them funny, so why not store them in style with a key chain fob designed to tame those unruly earbuds? The simplicity of this thing is hard to beat: your neatly wrapped earbuds will always be nearby, because you never misplace your keys, right?
- Did someone say lost keys? Tile Mate has you covered, fam! Attach one of these babies to your keys (or whatever you seem to misplace frequently) and your phone can lead you to them. And if you are one of those people who misplace your phone, all I got to say is this: Find my iPhone or Android Device Manager.
- Want to really give a gift that can keep on giving, months or even years later? How about the gift of data backup? It’s not whimsical and definitely not romantic, but buying a family member a year’s subscription to CrashPlan, Carbonite or BackBlaze and setting it up for them can mean the difference between “Oh no!” and “Oh well, thank goodness I’ve got a backup.” Bonus gift: you get to be the hero!
To finish out this list, here are a couple of things you might want to avoid:
- Virtual Reality is definitely the hot new entertainment trend, and there are a ton of knock-offs, wannabes and straight-up con artists looking to exploit the hype. Quality VR headsets that are approaching the fiction sold by Hollywood will currently set you back well over $500, and require dedicated systems such as a PlayStation 4 or a high-end (+$700) Windows gaming computer, some degree of technical proficiency, and a strong stomach. Make sure you try before you buy, especially something that isn’t an Oculus, Vive or PlayStation device.
- Nintendo released a retro-gaming console called the Nintendo “Classic Edition” for $60, featuring a slew of games from many of our childhoods, and promptly sold out of them, well before the shopping season had even picked up steam. The lack of stock coinciding with the holidays has created a huge gray and black market for these devices, which are being sold for 3 to 4 times their actual cost. Unless you or a loved one are really into retro-gaming, you may want to let the hysteria subside and pick one up for normal price (or even on sale) in 2017.
Researchers from security firm Check Point announced at this year’s DefCon security conference that up to 900 million smartphones may be vulnerable to a set of up to 4 vulnerabilities that appear in Qualcomm-powered devices. The flaws were discovered earlier this year and reported to Qualcomm, which has since published fixes, but not all manufacturers have pushed these fixes to all the affected models, including Google’s own Nexus line, which normally has a reputation for being kept more current than most Android devices.
What this means for you:
Based on the Qualcomm chipsets affected by these four vulnerabilities, the following models are impacted:
- BlackBerry Priv
- Blackphone 1 and Blackphone 2
- Google Nexus 5X, Nexus 6 and Nexus 6P
- HTC One, HTC M9 and HTC 10
- LG G4, LG G5, and LG V10
- New Moto X by Motorola
- OnePlus One, OnePlus 2 and OnePlus 3
- Samsung Galaxy S7 and Samsung S7 Edge
- Sony Xperia Z Ultra
To find out if your phone is affected by the vulnerabilities, you can run this app on the Google Play Store: QuadRooter Scanner. Buyer beware: the app developer is very transparently marketing its mobile protection app through the publicity surrounding their discovery. I don’t begrudge them the opportunity – after all, they did the hard work to discover these flaws – but I didn’t install their software as I am confident I can keep my device safe, and I’m sceptical of mobile security apps in general. If the app reports that you are vulnerable, it will state which CVEs are still unpatched on your device. You have a few options at this point:
- Check to see if any outstanding OS updates are available to be installed on your device. Where this is shown will vary depending on your phone’s manufacturer, but typically it will be found in “Settings”.
- Avoid “side-loading” apps from dodgy sources. Only install apps from the Google Play store and nowhere else. Even then, think twice and read the reviews on any new apps, especially ones that seem to be very new – hackers have been known to sneak malicious apps onto the Play Store for a short while before being detected and removed.
- As usual, avoid opening strange emails, URLs and attachments on your device.
- Send an email to your device manufacturer asking them when they plan to patch the vulnerabilities on your phone. The more people that write in, the more likely the manufacturer will move faster on deploying the fixes.
Apple is infamous for its stringent and sometimes odd vetting process for iOS apps, but it has purportedly kept iPhone and iPad users relatively safe from the malware that has plagued the Android ecosystem for years. Unfortunately, they can no longer wear that badge with pride, as dozens (possibly hundreds) of apps written by Chinese developers and distributed through the official Apple App Store have been found to be infected with malware that can cause serious security problems for the affected device. Before you get up in arms about the brazen escalation of Sino-American cyber-hostilities, security analysts believe that the apps weren’t purposefully compromised; the infections were the result of Chinese app developers using an infected version of Apple’s coding framework, Xcode, to build or update their apps. These apps were then submitted and, upon passing through Apple’s security screening, distributed in both the Chinese and American App Stores to upwards of hundreds of millions of users.
What this means for you:
Unless you make a habit of installing Chinese iOS apps you probably aren’t directly affected by this. Check this list, and if you did install one of the affected apps remove it or update it immediately, and change your Apple Cloud password and any other passwords you might have used while the infected app was installed on your device. For the rest of us that aren’t impacted, this particular failure illustrates two important points about security:
- No security system or process is infallible. Apple’s fall from grace in this regard was only a matter of time. Every good security plan should include a failure contingency. In Apple’s case, they know exactly who installed what apps and plan to notify all affected customers.
- The use of the compromised Xcode framework was traced to many developers using a non-official download source to retrieve the code, which is very large (3 GB) and is very slow to download in China from Apple’s servers. Rather than being patient/diligent, Chinese programmers used local, unofficial repositories hosting malware-infected versions of Xcode. Always confirm your source (whether reading email or downloading software) before clicking that link!
Due to a vulnerability in Android’s implementation of MMS, nearly one billion smartphones and tablets could be impacted by a security weakness known as Stagefright. In a nutshell, an attacker exploiting this vulnerability could send an MMS message with an infected attachment that could literally take over your device without you knowing it. Even though Google has released a fix for this vulnerability, none of the major carriers and manufacturers have pushed the update to the affected devices, including Google’s own Nexus devices, which are due to be patched next week.
What this means for you:
This vulnerability can affect you even if you don’t open an infected MMS attachment, which could appear as a picture, movie or just about anything that can be attached to an SMS message. Stagefright’s actual purpose is to provide you with the thumbnail preview of the attachment in your SMS application, so having the attachment appear while scrolling through your messages would be enough to get infected. Regardless of what app you use to view MMS messages on your Android device, the only way to combat this attack is to prevent your device from automatically downloading MMS attachments. In Google’s default SMS application Hangouts, this is accomplished by doing the following:
- With Hangouts open, tap the Menu icon (3 horizontal lines in a stack) in the upper left corner.
- Tap the “Settings” icon (looks like a gear).
- Tap “SMS” (usually at the bottom of the list, below “Add Google Account”).
- Scroll down to “Auto retrieve MMS” and uncheck that box.
If you aren’t using Hangouts to view your SMS and MMS, make sure you check with the software developers to find out if disabling this option is possible in their app. I was previously using ChompSMS as my messaging app, and this option was NOT available, so I immediately switched back to Hangouts.
Security analysts recently demonstrated a significant weakness in Samsung smartphones that could potentially impact up to 600 million people. The vulnerability lies in their modified version of the SwiftKey app, which is Samsung’s onscreen keyboard. This vulnerability impacts the Samsung Galaxy S6 on Verizon and Sprint networks, the Galaxy S5 on T-Mobile, and the Galaxy S4 Mini on AT&T. The developers of SwiftKey were quick to confirm that the version available for download on Google Play was not affected by this vulnerability, and supposedly Samsung has provided a fix to carriers, but there is no confirmation from any of the carriers as to whether they’ve distributed this fix, or have any plans to do so.
What this means for you:
This vulnerability could potentially allow an attacker to completely “own” your device – from the camera to microphone, incoming and outgoing texts and emails, as well as installing further malicious applications. There is no way to uninstall this app unless you root your phone (only recommended for the technically savvy, and you might void your warranty), and even if you switch to a different keyboard app, the vulnerability still exists. Until the carriers can confirm that they’ve patched this vulnerability you should avoid using public wi-fi networks, and if you are feeling sufficiently outraged, you can contact your carrier and demand they issue this patch immediately.
It’s become a tradition here for many folks to do some technology shopping on Black Friday and Cyber Monday. The savvy shopper can often find great deals on otherwise expensive items, and if they are willing to brave the insanity of brick-and-mortar shopping on Black Friday, can sometimes get an amazing deal on the year’s hottest technology. Tablets are up at the top of everyone’s gift list, and cheap Android-based tablets are popping up everywhere, including a batch of sub-$100 tablets made by lesser-known (or unknown!) manufacturers that are flying off the shelves of discount retailers like Walmart and Walgreen’s. Unfortunately, these cheap tablets are shipping with a variety of security flaws that could pose a serious threat to you or your business.
What this means for you:
A detailed analysis performed by Bluebox Security walks through the flaws of 12 sub-$100 tablets, but I’ll simplify: if you’ve bought one of the tablets on their list, you should absolutely not access any of your important email, banking or business-service accounts with this device. The age-old rule of thumb applies here: you get what you pay for, and paying less than $50 for a tablet gets you a very unsecure device that should only be used for the most casual entertainment purposes. It is also highly unlikely that these devices can be made secure, as many of the flaws come from older versions of the Android operating system. Due to the limitations of the low-cost hardware used to build these tablets, upgrading the OS is highly unlikely without some serious hacking, and should only be attempted by a trained professional. At that point, you should really question whether the overall cost was really worth the initial savings. Long story short: these sub-$50 tablets should only be used as toys and never for serious business or personal use.
A flaw in an Android open source web browsing app found on nearly half the active Android user base could potentially be used by malicious websites to steal user information. Reported by white-hat hacker Rafay Baloch earlier this month, this bug affects the Android Open Source Platform browser – also known as “Android Browser” – which was the default browser on all Android phones shipped prior to Android OS 4.2, when Google switched the default browser to Chrome. Even then, parts of Android Browser were still being used by other OS applications up until version 4.4, when Google swapped those parts out for Chromium ones. A survey of web browsers used shows that nearly half of all Android users may be using Android Browser actively, which could equate to nearly 40 million potential victims.
What this means for you:
Note that “Android Browser” (with capital B) is the actual name of this program, and should not be confused with the Chrome app, which is also an “Android browser” – as in it’s an app that lets you browse the internet on your Android device. If you still have the Android Browser app installed on your 4.X Android phone, you should replace it with Chrome. However, this may only solve part of the problem, as many other apps that have some form of internet browsing built into them may be using the flawed engine embedded inside the app itself, and there is no clear way to know for sure without asking the developer.
Now that Google has officially acknowledged the bug, a fix is supposedly in the works, but Google hasn’t said when it will release the update, which will have to be delivered as part of an OS update (i.e. going from 4.3 to 4.4) and not through the Play Store. Also, it’s not clear whether that update will trickle down to the many apps that still use the engine to power their own embedded browsers. For now, stick to using Chrome, and be wary of apps that have built-in web browsing capabilities.
The New York Times is reporting that the number of Android smartphones infected with a ransomware virus has grown to nearly one million devices in the past 30 days. Though the concept of ransomware is not new to the technology world, only minor outbreaks of this particularly nasty malware have been seen on mobile devices, and have either been quickly defeated or bypassed. Not so with this latest set of extortionware: most prolific is a trojan called ScarePackage, which, as the name suggests, locks your phone with a warning that the device has been used to commit a crime (child porn and media piracy are two of the most common tactics), and can only be unlocked by paying a fine to “law enforcement”.
What this means for you:
Up until now, the most common way Android devices were infected with malware like the above was through “sideloading” apps from questionable sources other than Google’s own “Play” store. Unfortunately, hackers seem to have perfected mobile browser drive-by infections so that they don’t even need to rely on someone bypassing the normal controls all Android phones ship with by default. It’s unclear whether Android antimalware apps (I use WebRoot’s SecureAnywhere) can protect you from drive-by infections reliably, but it does provide a layer of protection when installing apps and it will block suspicious text messages; both are a common source of malware infections. On top of installing malware protection on your mobile device, you should always be very careful surfing unknown or questionable websites, avoid installing brand-new, never-reviewed apps (sometimes trojans slip through Google’s malware screening), and always scrutinize the permissions that installed apps are requesting, especially the ones that ask for full administrative permissions or unfettered access to make mobile calls and send text messages.
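One way to do the permission check described above in bulk, as an added example that is not part of the original post: it reads an app manifest and flags the calling, texting and device-administrator requests. It assumes the manifest has already been decoded to text XML; the sample manifest and the package name `com.example.flashlight` are constructed.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded AndroidManifest.xml carry the android: namespace.
ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permissions in the categories called out above (calls and text messages),
# plus overlay drawing, which lets an app cover the whole screen.
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS": "can send text messages",
    "android.permission.RECEIVE_SMS": "can read incoming text messages",
    "android.permission.CALL_PHONE": "can place calls without the dialer prompt",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps",
}
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Constructed sample: a "flashlight" app asking for far more than a camera LED.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/policies"/>
    </receiver>
  </application>
</manifest>
"""

def audit_manifest(xml_text):
    """Return (permission, reason) pairs for requests that deserve a second look."""
    root = ET.fromstring(xml_text)
    findings = []
    # Ordinary permission requests declared with <uses-permission>.
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID + "name", "")
        if name in RISKY_PERMISSIONS:
            findings.append((name, RISKY_PERMISSIONS[name]))
    # A receiver guarded by BIND_DEVICE_ADMIN means the app can ask to become
    # a device administrator, the "full administrative permissions" case.
    for receiver in root.iter("receiver"):
        if receiver.get(ANDROID + "permission") == DEVICE_ADMIN:
            component = receiver.get(ANDROID + "name", "?")
            findings.append((DEVICE_ADMIN, "registers device administrator " + component))
    return findings

if __name__ == "__main__":
    for permission, reason in audit_manifest(SAMPLE_MANIFEST):
        print(f"{permission}: {reason}")
```
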
Researchers at Bluebox Security have published an unsettling discovery in the Android operating system that is the digital equivalent of a law enforcement official neglecting to verify if your driver’s license is actually real whenever you submit it as proof of your identity. Oh, and this little bug has been around since version 2.1 of the OS, which was released in January 2010. The real problem with this bug (aside from it being over 4 years old and still unpatched) is that it has the potential to grant malware written to take advantage of this bug an unprecedented level of access to your phone. While Google has acknowledged Bluebox’s finding, there is still no word on when this serious flaw will be fixed.
What this means for you:
Normally, Android apps installed on your phone are “sandboxed” into their own spaces, preventing them from interacting with other apps without permission. However, there is a certain set of apps that are allowed access to other apps, ostensibly to provide services to those apps. A well-known example of a “super-privileged” app is Adobe’s Flash Player (before it was removed from the Play Store in Android 4.4) which was granted privileges to other apps primarily to provide rendering and playback services for Flash content. Each app comes with its own security certificate that is supposed to verify the app’s identity and authenticity. Except because of the above-mentioned bug, your Android phone doesn’t bother to verify if the certificate itself was issued by a proper authority. Oops.
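A simplified model of the missing check, as an added example that is not Android’s code or part of the original post: it goes slightly beyond the text by contrasting a verifier that accepts a certificate’s issuer claim with one that also checks the issuer’s signature. The certificate layout, the names and the toy RSA keys (built from small Mersenne primes, not secure) are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by all toy keys

def toy_keypair(a, b):
    """Toy RSA key from Mersenne primes 2**a-1 and 2**b-1 (NOT secure)."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (modulus n, private exponent d)

@dataclass
class Cert:
    subject: str
    issuer: str   # only a claim until the signature is checked
    pub_n: int    # the subject's public modulus
    sig: int = 0  # signature over the three fields above

def _digest(cert, n):
    data = f"{cert.subject}|{cert.issuer}|{cert.pub_n}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(subject, pub_n, issuer, signer_n, signer_d):
    """Build a certificate naming `issuer`, signed with whatever key is supplied."""
    cert = Cert(subject, issuer, pub_n)
    cert.sig = pow(_digest(cert, signer_n), signer_d, signer_n)
    return cert

def chain_ok_names_only(chain, trusted_n):
    """Flawed check: accepts the issuer claim as long as the names line up."""
    links = zip(chain, chain[1:])
    return chain[-1].pub_n == trusted_n and all(c.issuer == p.subject for c, p in links)

def chain_ok_verified(chain, trusted_n):
    """Hardened check: every link must also carry the parent's valid signature."""
    if chain[-1].pub_n != trusted_n:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
        if pow(child.sig, E, parent.pub_n) != _digest(child, parent.pub_n):
            return False
    return True

# Constructed sample data: a trusted vendor, one app it really signed, one impostor.
VENDOR_N, VENDOR_D = toy_keypair(61, 89)
APP_N, _APP_D = toy_keypair(19, 31)
ROGUE_N, ROGUE_D = toy_keypair(107, 127)
VENDOR = issue("CN=Example Vendor", VENDOR_N, "CN=Example Vendor", VENDOR_N, VENDOR_D)
GENUINE = issue("CN=Genuine Plugin", APP_N, "CN=Example Vendor", VENDOR_N, VENDOR_D)
# The impostor signs with its own key but writes the vendor's name as issuer.
FORGED = issue("CN=Impostor App", ROGUE_N, "CN=Example Vendor", ROGUE_N, ROGUE_D)

if __name__ == "__main__":
    for label, leaf in (("genuine", GENUINE), ("forged", FORGED)):
        chain = [leaf, VENDOR]
        print(label, chain_ok_names_only(chain, VENDOR_N), chain_ok_verified(chain, VENDOR_N))
```

Both checks accept the genuine chain; only the hardened one rejects the certificate that merely names the vendor as its issuer.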
Until Google fixes this bug, be very careful installing new apps that appear on the Play store, especially if you are directed to one via suspicious email or social media. Even though Google supposedly checks every single app made available on the Play Store, hackers and security researchers have been able to sneak malware into the store for a short period of time. And definitely do not side-load apps. Hopefully I don’t need to explain just how bad having malware on your phone could be, especially one that could interact with things like your contact list, banking apps and social media accounts.
As if having your Windows computer files and iPhone being held for ransom wasn’t bad enough, Android-based devices can now “enjoy” that ignominious fate as well. Security researchers are reporting that hundreds of Android devices, primarily in Russia and the Ukraine, are being infected by a Trojan called “Pletor”, which works just like its Windows-based counterparts: the victims were tricked into installing the trojan by fake websites, apps and games, and once the victim’s content is encrypted, the trojan demands a ransom of approximately $30-35 USD to unlock the data.
What this means for you:
Though it has happened before, it’s still extremely rare for a Trojan like the above to make it through the screening process that Google performs on all the apps that are available through the Google Play store, and even if one does, it’s pulled quickly. Google can even reach out retroactively to affected phones to remove the harmful app. That being said, it’s not hard to “side-load” apps on Android devices, which is primarily the way Android malware spreads. The easiest way to keep your Android devices safe: don’t side-load apps. Only install apps published through Google’s Play Store. Keep in mind, for everything not a Kindle Fire, installing apps from Amazon’s App Store is considered side-loading, and should only be done if you really know what you are doing. And if you just can’t live without side-loading apps, make sure you don’t store any important information on your device, and keep it well away from sensitive business data. The more risky your activities are on the device, the more likely it is that device will get compromised.