Last week’s breach of Italian security firm Hacking Team exposed documentation that detailed the firm’s use of previously unknown security weaknesses in Adobe’s pervasive Flash platform. Typically known as “zero-day” vulnerabilities, these types of holes are being exploited by cybercriminals from the moment they are discovered, and companies will scramble madly to patch the problems and distribute the fix to their customers. Apparently fed up with the ongoing security failures of the plugin and Adobe’s lackluster speed at fixing them, Mozilla has started blocking outdated Flash plugins from running in Firefox, and Facebook’s security czar has called for the troubled platform to be retired:
It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.
— Alex Stamos (@alexstamos) July 12, 2015
What this means for you:
If you are the owner of a website that uses Flash, you should review whether its use is optional or required, with the latter choice presenting numerous challenges, including alienating a large segment of your mobile browsers; both iOS and Android require special, third-part apps to run Flash that are typically not free. Adding this to Google’s latest ranking algorithm which disfavors sites that aren’t mobile friendly, and you could end up with a website that gets relegated to a dark corner of the internet.
As a website visitor, at minimum you should update your Flash plugin immediately, and only do so by getting the latest version from Adobe’s website. Do not follow links or popups that appear while visiting websites – 99% of the time they are not legitimate and will lead to a malware infection. If you’d prefer to stop using Flash altogether, you can follow these instructions to make Flash ask for permission every time it runs:
Security analysts recently demonstrated a significant weakness in Samsung smartphones that could potentially impact up to 600 million people. The vulnerability lies in their modified version of the Swiftkey app, which is Samsung’s onscreen keyboard. This vulnerability impacts the the Samsung Galaxy S6 on Verizon and Sprint networks, the Galaxy S5 on T-Mobile, and the Galaxy S4 Mini on AT&T. The developers of SwiftKey were quick to confirm that the version available for download on Google Play was not affected by this vulnerability, and supposedly Samsung has provided a fix to carriers, but there is no confirmation from any of the carriers as to whether they’ve distributed this fix, or have any plans to do so.
What this means for you:
This vulnerability could potentially allow an attacker to completely “own” your device – from the camera to microphone, incoming and outgoing texts and emails, as well as installing further malicious applications. There is no way to uninstall this app unless you root your phone (only recommended for the technically savvy, and you might void your warranty), and even if you switch to a different keyboard app, the vulnerability still exists. Until the carriers can confirm that they’ve patched this vulnerability you should avoid using public wi-fi networks, and if you are feeling sufficiently outraged, you can contact your carrier and demand they issue this patch immediately.
For those of us that spend a good part of the day stuck in SoCal traffic, Google’s self-driving car offers a tiny glimpse of future salvation. We’re a long way off from streets filled with autonomous autos, but Google’s cars have driven 1.7 million miles so far, have only been in 11 accidents, and apparently humans were at fault in all cases. This really shouldn’t come as a surprise to anyone with any measure of self-awareness and experience with today’s technology. After all, technology provides us with a means to amplify our own innate abilities and allows us to achieve objectives that might be beyond our unassisted reach. It also grants us the ability to fail faster and sometimes in a spectacular way.
What this means for you:
My newer clients are frequently surprised to hear me say, “Sometimes, less technology is better.” It sounds like a butcher preaching a vegan life-style to his customers. The main reason I say this is not because I’m a Luddite (far from it!) but that I often come across instances where someone has become temporarily blinded by what I call the “Shiny Factor” and has adopted or implemented a technology that complicates rather than simplifies their original intent.
A prime example of this are clients that purchase software or even new computers to deal with an increasing volume of email, when the simpler (but not necessarily easier) solution would be to reduce the volume of email. Purchasing expensive firewalls won’t prevent infections caused by poorly-trained employees. Faster, more powerful computers won’t fix broken process automation or buggy software, nor will a faster internet connection necessarily result in more productive workers. It’s a dangerous, slippery slope, and can become self-perpetuating spiral of expense, frustration and complexity. As the old adage goes, the cure may end up being worse than the disease.
Are we doomed? Only if we continue to ignore that technology is created to serve us, and not the other way around. Technology is not meant to replace humans, but to amplify us. It’s up to us to make sure that the good is amplified and the bad minimized wherever possible, and sometimes to solve problems or get work done the old fashioned way – with a little elbow grease, human ingenuity, and common sense.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Lest you think the tech giant missed having a finger in this particular pie, Google surprised no one by debuting their own wireless carrier service earlier this week. Though the service is invite-only at the moment and only offered on Google’s own Nexus 6, they’ve negotiated a deal with both Sprint and T-Mobile to piggy back on their existing, nation-wide infrastructure to create a coverage area without having to build it. According to Google, the limited launch of this service is more of an experiment as opposed to a direct challenge of reigning champs ATT and Verizon. The major differentiator to their service? A low-cost, pay as you use it, data plan with data tethering, wi-fi calling that can also be used from other mobile devices such as tablets and laptops.
What this means for you:
Unless you have an invite in hand, you can’t jump onto the Google Wireless bandwagon yet, and if Google stays true to the “we’re just testing the waters” mantra, maybe not ever. But if Google can deliver a solid service for a fraction of the price that the big 4 carriers are charging now, it’s going to have repercussions on the entire mobile landscape. As they’ve done with Google Fiber, this particular foray into the bloody wireless markets is an exercise in forcing a change in the status quo where major carriers are squabbling over how to charge consumers more for less service. However, Google surely has an agenda that includes profit (they are publicy held), and you musn’t forget that the largest revenue stream for them is advertising and data mining. The mad scramble for dominance in the mobile data market is about as close as we’ll ever get to seeing a modern gold rush, and you can bet Google has been preparing to stake a claim since before you and I even knew there was “gold in them thar hills!”
Though it may sound enticing to some, “Mobilegeddon” is not the sudden annihilation of all mobile devices. Rather, Google is releasing a new search algorithm that will impact how mobile users find websites. For those of you who aren’t up on your search engine technology, Google uses a complex, closely-guarded formula to calculate its search result rankings for all the websites it indexes. The last major update to the algorithm, entitled “Panda“, was released in 2011, and was designed to reduce the impact of gaming search engine ranking through content manipulation, a specialty of many less-than-honest SEO companies that sprang into existence in the last decade. Panda impacted about 12% of existing websites, most of them content farms designed to leverage popular content and other nefarious SEO methods to get to the top of search results.
What this means for you:
This time around, Google is focusing on providing better results for smartphone users by favoring mobile-friendly websites over those that display poorly on small screens. If you don’t drive business through your website, this may not be a high priority for you, but it may surprise you to know that over half of all internet traffic is from mobile devices, and nearly 40% of search is done on smartphones. Having a website is essentially a must-have for any ongoing business or organization, and if your website makes a poor showing to over half of your visitors, it will have an impact on your brand. How do you know if your website is ready for Mobilegeddon? You can punch in your URL to a website developed by Google to determine whether your website is mobile-friendly. Unlike Google’s last algorithm change, this one should start impacting rankings as soon as 72 hours from launch. Lest you think you are the only one caught out in the cold with this change, there are several internationally recognized brands whose sites do not pass Google’s mobile “sniff test.” One advantage you may have over corporate behemoths: less red tape and meetings will be necessary to make the required changes to your website, also you happen to know someone who can provide strategic advice in this area as well as assist in the website redesign. Give us a call if you need to “mobilize” your website!
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Several technology manufacturers, including Broadcom (whose chips you probably have in several devices around your home and office) are planning to release in 2015 chips for a new networking protocol called G.Fast which can push bandwidth transmissions on twisted-pair copper lines to near fiber-optic speeds of one gigabit per second. Throughout the US and many other developed nations with significant communication infrastructures, internet speeds aren’t limited by technology but by physical wiring. The most common form of internet service in the US, Digital Subscriber Line (DSL), is delivered via the same wires that provide basic telephone service, that were, up until now, limited in how fast they could transmit data mainly by what amounts to a simple (but hard to overcome) physics problem: copper wires are susceptible to radio-frequency interference from adjacent sources, including each of the strands in a single pair that delivers the signal.
What this means for you:
Don’t rush out to cancel your existing internet service. G.Fast isn’t expected to make an appearance until 2016 at the earliest, and providers will still have to grapple with an issue that they have faced many times in the past: the full, gigabit transmission speed of G.Fast is still limited by distance, with the last leg not exceeding about 160 meters before the speed drops off drastically. This means that ISPs will still need to install equipment proximate to residences and offices, something that is costly and time-consuming to execute, and very few ISPs (maybe with the exception of Google and their Fiber initiative) have demonstrated a willingness to pursue until they are forced to (see ATT’s GigaPower counter to Google Fiber). However, the fact that this technology can utilize existing wiring that is available in just about every building in the US means that getting to gigabit internet speeds might not require companies tearing up streets and hanging from telephone poles to string the more expensive cables needed for fiber-based solutions. And you can bet that companies like ATT and Verizon will seize on any opportunity to compete with Google, especially when they can spend less money to field a competitive solution.
Image courtesy of David Castillo Dominici at FreeDigitalPhotos.net
If you thought you had data breach fatigue, prepare to be exhausted this week:
- Hacker tries to scam Internet with fake DropBox password database – DropBox refutes the claim, noting the “proof of hack” provided consisted of known stolen passwords from other sources.
- Kmart Hacked – Undisclosed Quantity of Credit Card Numbers Stolen – Sears-owned retail outlet may have been a victim of known point-of-sale malware “Backoff”, says no identity info stolen, just credit and debit card numbers.
- SnapChat denies it was source of potential racy photo leak – Third-party addon app “SnapSaved” blamed for providing an avenue for hackers to save pictures from SnapChat. SnapSaved admits to security breach, but downplays claims that hackers could provide a “searchable” database of photos.
- NATO Summit Gets Breached by Russian Hackers – Hackers whom security analysts believe to be Russian exploited a Zero-day flaw in Windows operating systems through a spearphishing campaign targeting Ukrainian government workers, leading to breaches on government servers and probably information leaks from Summit proceedings.
- Google Documents Flaw in SSL 3.0 Protocol – Google documents a serious flaw in encryption protocol SSL 3.0, immediately removes it from Chrome web browsers. Though outdated, SSL 3 is still widely used as a fallback protocol when newer protocols fail to function.
- 850K Records Exposed in Oregon Employment Dept Website Breach – State-run website exposes personal information on hundreds of thousands of job seekers. No financial information was exposed, but leaked info could lead to identity theft.
A flaw in an Android open source web browsing app found on nearly half the active Android user base could potentially be used by malicious websites to steal user information. Reported by white-hat hacker Rafay Baloch earlier this month, this bug affects the Android Open Source Platform browser – also known as “Android Browser” – which was the default browser on all Android phones shipped prior to Android OS 4.2, when Google switched the default browser to Chrome. Even then, parts of Android Browser were still being used by other OS applications up until version 4.4, when Google swapped those parts out for Chromium ones. A survey of web browsers used shows that nearly half of all Android users may be using Android Browser actively, which could equate to nearly 40 million potential victims.
What this means for you:
Note that “Android Browser” (with capital B) is the actual name of this program, and should not be confused with the Chrome app, which is also an “Android browser” – as in it’s an app that lets you browse the internet on your Android device. If you still have the Android Browser app installed on your 4.X Android phone, you should replace it with Chrome. However, this may only solve part of the problem, as many other apps that have some form of internet browsing built into it may be using the flawed engine embedded inside the app itself, and there is no clear way to know for sure without asking the developer.
Now that Google has officially acknowledged the bug, a fix is supposedly in the works, but hasn’t said when it will release the update, which will have to be delivered as part of an OS update (ie. going from 4.3 to 4.4) and not throught Play Store. Also, it’s not clear whether that update will trickle down to the many apps that still use the engine to power their own embedded browsers. For now, stick to using Chrome, and be wary of apps that have built-in web browsing capabilities.
Any day we can take a purveyor of child pornography off the streets is a good day in my book. In this case, we can thank Google for discovering a Texas man sending images of child sex abuse through his Gmail account. As you might have guessed, a search algorithm rather than a human spotted the transgression and sent an alert to the National Center for Missing and Exploited Children, who then tipped off local authorities. According to Google, this is the only criminal activity they actively scan for within Gmail, and the search relies heavily on a large database of known illegal images maintained by NCMEC against which comparisons are made.
What this means for you:
In the case of child pornography, I’d say that just about any method used to catch perpetrators is justified, but as many pundits and security analysts point out, this practice teeters precariously on a knife edge of ethics. Telecommunication service providers like Google are required to inform law enforcement of suspected child abuse whenever it is made aware of such activity within its systems, but that word “aware” is ill-defined in today’s age of artificial intelligence, big data analysis and search algorithms. Does a search algorithm matching mathematical hashes on images constitute “awareness”? Should this same algorithm be used to look for other serious crimes? What about petty crimes? Does talking about a crime constitute the commission of a crime? What happens if someone hacks your account and sends out a bunch of disgusting images in an attempt to get you arrested? All the more reason to keep your passwords strong, unique and very, very safe. Oh, and don’t use email to commit or plan out crimes, because even though Google says they are only watching for child pornography, you can bet other agencies are looking at everything. Heck, maybe you should just not commit crimes at all, mmkay?
Researchers at Bluebox Security have published an unsettling discovery in the Android operating system that is the digital equivalent of a law enforcement official neglecting to verify if your driver’s license is actually real whenever you submit it as proof of your identity. Oh, and this little bug has been around since version 2.1 of the OS, which was released in January 2010. The real problem with this bug (aside from it being over 4 years old and still unpatched) is that it has the potential to grant malware written to take advantage of this bug an unprecedented level of access to your phone. While Google has acknowledged Bluebox’s finding, there is still no word on when this serious flaw will be fixed.
What this means for you:
Normally, Android apps installed on your phone are “sandboxed” into their own spaces, preventing them from interacting with other apps without permission. However, there are a certain set of apps that are allowed access to other apps, ostensibly to provide services to those apps. A well known example of a “super-privileged” app is Adobe’s Flash Player (before it was removed from the Play Store in Android 4.4) which was granted privileges to other apps primarily to provide rendering and playback services for Flash content. Each app comes with its own security certificate that is supposed to verify the apps identity and authenticity. Except because of the above-mentioned bug, your Android phone doesn’t bother to verify if the certificate itself was issued by a proper authority. Oops.
Until Google fixes this bug, be very careful installing new apps that appear on the Play store, especially if you are directed to one via suspicious email or social media. Even though Google supposedly checks every single app made available on the Play Store, hackers and security researchers have been able to sneak malware into the store for a short period of time. And definitely do not side-load apps. Hopefully I don’t need to explain just how bad having malware on your phone could be, especially one that could interact with things like your contact list, banking apps and social media accounts.











