Security analysts recently demonstrated a significant weakness in Samsung smartphones that could potentially impact up to 600 million people. The vulnerability lies in their modified version of the Swiftkey app, which is Samsung’s onscreen keyboard. This vulnerability impacts the the Samsung Galaxy S6 on Verizon and Sprint networks, the Galaxy S5 on T-Mobile, and the Galaxy S4 Mini on AT&T. The developers of SwiftKey were quick to confirm that the version available for download on Google Play was not affected by this vulnerability, and supposedly Samsung has provided a fix to carriers, but there is no confirmation from any of the carriers as to whether they’ve distributed this fix, or have any plans to do so.
What this means for you:
This vulnerability could potentially allow an attacker to completely “own” your device – from the camera to microphone, incoming and outgoing texts and emails, as well as installing further malicious applications. There is no way to uninstall this app unless you root your phone (only recommended for the technically savvy, and you might void your warranty), and even if you switch to a different keyboard app, the vulnerability still exists. Until the carriers can confirm that they’ve patched this vulnerability you should avoid using public wi-fi networks, and if you are feeling sufficiently outraged, you can contact your carrier and demand they issue this patch immediately.
Adobe has confirmed that a recently discovered vulnerability in the current version of Flash for Windows, Macintosh and Linux is actively being exploited on the internet. Adobe is planning to release a patch the week of January 26th, but did not confirm a specific date. Though security vulnerabilities are nothing new to Flash, this particular loophole is being exploited by a well-known and widely distributed exploit “kit” called Angler which could indicate a rapid spread of compromised websites and a large spike in malware infections. Once used to gain access to a victim’s computer, the device could fall prey to any number of malicious programs, including key loggers, ratting, ransomware, and good ole-fashion zombification.
What this means for you:
According to Adobe’s own advisory, pretty much everyone is affected by this exploit, though some reports suggest that Windows 8.1 and Chrome users may be safe for the moment, but that was based upon the current version of the Angler kit in distribution. The actual security hole Angler exploits exists in every version of Flash on all OS platforms. The easiest way to protect yourself from this exploit is to disable Flash altogether. For all browsers except Chrome is usually a matter of disabling the plug-in. For Chrome, you have to type “chrome://plugins/” into your address bar to access the hidden internal plug-ins page, at which point you can disable it from there. Aside from keeping your browser’s “head” down until the storm passes, make sure your antimalware software is functioning properly and updated, and avoid any strange links you may receive over the coming week.
Lest you think Microsoft has finally plugged the many holes in the S.S. Internet Explorer, Patch Tuesday December includes four critical upates (Microsoft’s “critical” rating means they should be applied immediately) addressing newly discovered weaknesses, including an active zero-day exploit of the OLE (Object Linking & Embedding) platform. This particular chunk of code allows Microsoft apps like Office Word and Outlook to exchange documents between each other: when you insert an Excel spreadsheet into a Word document and it shows up as an editable spreadsheet, that’s OLE at work. In this case, the exploit allows hacked Office documents attached in Outlook emails to circumvent security, typically for the express purpose of installing other malware onto the victim’s machine.
What this means for you:
I can already see your eyes glazing over, and I don’t blame you. Microsoft’s bulletins are making me cross-eyed as well. Here’s what you need to do:
- Make sure your OS is patched. The updates should start arriving on computers as early as tonight. Unless your machine is being managed by an internal IT department and they’ve disabled this functionality, your Windows OS should be set to automatically download and patch all important updates from Microsoft. If you are not sure if your computer is set up this way, you can check by going to Control Panels -> Windows Update.
- If you must use Internet Explorer, avoid using it until you get fully updated with the latest round of patches (see #1). If it’s possible, consider using an alternative such as Firefox or Chrome. While neither is guaranteed free of security bugs, they are still faring better than IE in terms of exploits.
As always, avoid opening strange and/or unexpected attachments. If you regularly exchange documents with others via the internet, consider using a secure filesharing platform other than Dropbox or Drop or any of the numerous clones that offer free apps. Instead, look into options like Citrix Fileshare (we use it here at C2) for a much more secure and fully encrypted way to exchange documents.
A flaw in an Android open source web browsing app found on nearly half the active Android user base could potentially be used by malicious websites to steal user information. Reported by white-hat hacker Rafay Baloch earlier this month, this bug affects the Android Open Source Platform browser – also known as “Android Browser” – which was the default browser on all Android phones shipped prior to Android OS 4.2, when Google switched the default browser to Chrome. Even then, parts of Android Browser were still being used by other OS applications up until version 4.4, when Google swapped those parts out for Chromium ones. A survey of web browsers used shows that nearly half of all Android users may be using Android Browser actively, which could equate to nearly 40 million potential victims.
What this means for you:
Note that “Android Browser” (with capital B) is the actual name of this program, and should not be confused with the Chrome app, which is also an “Android browser” – as in it’s an app that lets you browse the internet on your Android device. If you still have the Android Browser app installed on your 4.X Android phone, you should replace it with Chrome. However, this may only solve part of the problem, as many other apps that have some form of internet browsing built into it may be using the flawed engine embedded inside the app itself, and there is no clear way to know for sure without asking the developer.
Now that Google has officially acknowledged the bug, a fix is supposedly in the works, but hasn’t said when it will release the update, which will have to be delivered as part of an OS update (ie. going from 4.3 to 4.4) and not throught Play Store. Also, it’s not clear whether that update will trickle down to the many apps that still use the engine to power their own embedded browsers. For now, stick to using Chrome, and be wary of apps that have built-in web browsing capabilities.
Security holes in Adobe’s Flash and Oracle’s Java have become so commonplace, it’s actually helped to raise awareness about the necessity of keeping these platforms updated, but there’s a third platform that many of you probably use everyday without ever realizing that it too needs to be patched. Would it surprise you to know that it’s a Microsoft product? Microsoft’s Silverlight technology was originally built to compete with Flash, but it’s probably best known as the platform that delivers Netflix’s streaming content to your computer. Hackers, unfortunately, are very much aware of how widespread Silverlight is, and are currently pressing their attacks on older versions of Silverlight, seeing as their usual punching bags, Java and Flash, are now firmly in the security spotlight.
What this means for you:
If you’ve ever watched Netflix streaming content on your computer, you have Silverlight installed. Even if you don’t use Netflix streaming, there is a high probability Silverlight is installed on your computer, even if it’s a Mac. Depending on how long ago it was initially installed, it might be out of date, especially if you disallowed automatic updates of the software. The latest version of Silverlight is 5, and to make sure you are up to date, you can use this link here. While you are at it, double check to make sure Java and Flash are both up to date as well, but be careful of the “optional software” both companies push when you update their platforms. Oracle variously pushes the Ask toolbar or McAfee Security Scan, the former a very annoying adware-spawning toolbar, and the latter may be redundant if you already have a decent antimalware app installed. Adobe is a little less obnoxious, but it does offer to automatically install Google Chrome (and the Google Toolbar), which may be redundant if you already have it installed, or possibly very confusing to a less savvy computer user who thinks Internet Explorer is the web browser.
I shouldn’t have worried that my special “Microsoft Zero-day Warning” graphic was going to gather dust. Would it surprise you to hear that a serious security flaw has been found in all versions of Internet Explorer up to the latest, version 11? This particular loophole allows attackers to use a specially crafted Flash file downloaded from compromised websites (like the ones linked to in spam, scams and phishing emails) to gain full access to your computer, and will likely lead to a badly infected computer and theft of your personal information. Though there are some band-aids offered by Microsoft, as of now there is no word whether this hole will be plugged by an emergency patch released soon, or on “Patch Tuesday” (2 weeks from now), or even later than that. Because of the severity of the security flaw, even the Department of Homeland Security is recommending everyone avoid using IE until this is fixed. Oh, and remember Windows XP? It won’t be getting patched, so yet another burning reason to switch browsers, and upgrade as soon as possible.
What this means for you:
This flaw is being exploited “in the wild” as you read this, though not widespread yet, and has thus far been used to target government employees and defense contractors. Given how large the target surface is, this exploit is highly likely to spread beyond these focused attacks. Unless your work requires it (or disallows the use of other browsers), you should stop using Internet Explorer for anything except known work-related websites. And if you have to use IE, you can disable the Flash add-on until the hole is plugged. This article from Microsoft explains how to do this, but make sure you use the little drop-down to the right of the headline to switch to the appropriate version of IE for specific steps. Chrome, Firefox or Safari are good alternatives to IE, and who knows, you may find that they can permanently replace IE for most of your web browsing tasks.
In December 2013, French security hacker Eloi Vanderbeken uncovered what appeared to be a backdoor programmed into several models of DSL routers. The affected devices were built around hardware manufactured by Taiwanese company SerComm and the finished products came from several well known brands like NetGear, Linksys and Belkin, to name a few. This backdoor allowed anyone with knowledge of the hole and local access to the router (say through a nearby Wi-fi access point) to gain administrative access to the router and could lead to a complete takeover of the network controlled by the device. Now, several months later, this backdoor is not only NOT fixed, but appears to have been purposefully concealed behind the digital equivalent of a secret knock, which once given, opens the backdoor right up to the same level of exploitation as discovered in December.
What this means for you:
If you own a DSL router, you should check this list to see if your model appears on it. If it does, I recommend replacing it immediately. Even if it does not, you should check to see if your router is among the many models that are compromised in other significant ways. If you happen to be among the fortunate that uses a router not on any of these lists, you should still review the security settings and passwords used by the device, and if you don’t know how to program or even access your router, you need to get someone who does to review the device for you. The router is the front door to your home or business network, and you should not trust your security to something that can be easily broken down or opened with a readily available master key.
Image courtesy of creativedoxfoto / FreeDigitalPhotos.net
Microsoft has released a security advisory that warns of a new zero-day weakness that is currently being exploited on the internet. Depending on how you interpret their choice of wording – “targeted attacks” – the scale seems to be relatively limited for the moment, but given that the compromised app is Microsoft Word and is not limited to a specific version, the potential attack surface is huge. And it gets better: the delivery mechanism is a hacked RTF file that once opened can lead to the targeted machine being completely compromised. While RTF files aren’t as widely used as the default “.doc” and “.docx” formats, they are used to export and import documents from Word to other word processing platforms like Wordperfect, LibreOffice, OpenOffice and Apple Pages.
What this means for you:
Microsoft has issued a temporary fix which merely disables the ability for Word to open RTF files, but as of the moment there is no ETA on a patch delivered by Windows Update. We recommend applying this Fix-it if you are at all unsure what an RTF file is, or how to tell the difference from other Word and Email formats.
The most vulnerable user to this exploit is actually someone who uses Word to view formatted emails delivered via Outlook. Normally, Outlook is not set to view emails using Word by default, so if you didn’t set Outlook to do this, you only have to worry about Word. If you did, disable this feature and use Outlook’s built-in email viewer to read formatted emails. For Word users, don’t open RTF files, even if they come from a trusted source, and don’t send any RTF files, as your recipients may be exercising the same level of caution. If you have to exchange data using RTF, make sure you communicate thoroughly with your recipients, and choose another platform other than email to exchange files, primarily so there is no chance they could mistake a trojaned RTF for a legitimate file.
Several models of popular Linksys-brand routers may impacted by a self-replicating worm that can exploit a security flaw in the router’s programming. The exploit allows attackers to install a worm in the firmware which can lead to further security breaches on any device connected to that router’s network. According to Linksys, this exploit requires that the routers have the “Remote Management” feature enabled on the device, a setting that is disabled by default on Linksys routers. Depending on who set up your router, this setting may have been enabled expressly for remote management purposes, and as such your device is vulnerable to the worm, dubbed “TheMoon”.
What this means for you:
Linksys routers are a popular choice for home and small businesses. Unless you know for certain your router is not a Linksys device, I would put an eyeball on your router and check the make and model against the list below. Your network router is a critical point in your network’s overall security, and a compromised router can lead to a variety of problems and significant invasions of your privacy and safety. Even if your Linksys model is not named below, it’s important to check whether or not “Remote Management” is enabled on your device.
As of now, the following model routers are affected: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N and WRT150N. Linksys hasn’t confirmed whether this list will grow, as it does not want to reveal other models and make them targets for attacks. Until Linksys can patch the loopholes and issue firmware updates the only workaround is to disable the Remote Management feature, install the latest version of the firmware available, and reboot the router to clear any possible worms.
Another day, another social networking site hacked. This time, unfortunately, it was new internet darling SnapChat that was breached, exposing over four million mobile numbers and user names. The hacker(s) who published the data did so purportedly to compel Snapchat to take action on security flaws in its platform that have been known since earlier in the year, but remained unpatched up to (and even past) the public release on Dec 31, 2013 of the information harvested by exploiting the security flaws.
What this means for you:
SnapChat is very popular with younger generations who moved to the service for a variety of reasons, not the least of which was more privacy (from Facebook-savvy parents and authority figures) and less permanence (Snaps are deleted forever within seconds of being shared). Irony aside, the data exposed in the security breach reveals sensitive personal data from millions of individuals, many of whom are probably minors, a demographic that may include your child(ren).
You can check this website to see if any of your family’s mobile numbers were leaked by this SnapChat hack. While the data released isn’t as sensitive as bits like Social Security numbers, birthdates or debit card pins, some other services do use mobile numbers as identifying data, alongside usernames which many people (including Snapchat teens) like to re-use as part of their online “brand.” Armed even with these slender morsels, clever social engineers can wedge their way into someone’s online presence and use it as a stepping off point for a complete takeover of an identity, leading to credit fraud, theft and much, much worse.