We’ll keep it short and sweet this week. Earlier this year, an advanced form of spyware was discovered on a small group of Middle-Eastern journalists’ iPhones that was eventually traced back to a developer in Israel called NSO Group. Purportedly designed for law enforcement agencies to combat terrorism, the spyware known as Pegasus appears to have been utilized by one or more government agencies to spy on a select group of iPhone users. At the time, it was unclear how the exploit was being deployed, so no defense or patch could be provided to stop Pegasus from being installed. After months of research, Canadian internet watchdog group Citizen Lab uncovered the flaw and announced it this week in the news, timed in concert with a security update from Apple that should be applied immediately to all iOS devices and macOS devices.
What this means for you
If you have a late-model iPhone, Mac computer, Apple Watch or iPad, check the settings immediately for any available updates and apply them as soon as you can get to a solid internet connection and have your device connected to a power source. The iOS version you are looking for is 14.8, and on MacBooks and iMacs it will be macOS 11.6.
- Update your iPhone, iPad, or iPod touch – Apple Support
- Update your Apple Watch – Apple Support
- Update macOS on Mac – Apple Support
As of this writing, the actual number of people who have been impacted by this flaw and Pegasus is very small, but now that the actual flaw has been revealed, there is a possibility that others besides the NSO Group will attempt to take advantage of the window that is typically open while people get patched, which can be days or even weeks. While Pegasus is designed for spying, there will surely be other malware types released to attempt to exploit this flaw that may be more straightforward in doing harm. Don’t be one of the ones caught sleeping on this update. Get patched now!
Apple is infamous for its stringent and sometimes odd vetting process for iOS apps, but it has purportedly kept iPhone and iPad users relatively safe from the malware that has plagued the Android ecosystem for years. Unfortunately, they can no longer wear that badge with pride, as dozens (possibly hundreds) of apps written by Chinese developers and distributed through the official Apple App Store have been found to be infected with malware that can cause serious security problems for the affected device. Before you get up in arms about the brazen escalation of Sino-American cyber-hostilities, security analysts believe that the infected apps weren’t purposefully compromised, but resulted from Chinese app developers using an infected version of Apple’s coding framework, Xcode, to build or update their apps. These apps were then submitted and, upon passing through Apple’s security screening, distributed in both the Chinese and American App Stores to upwards of hundreds of millions of users.
What this means for you:
Unless you make a habit of installing Chinese iOS apps, you probably aren’t directly affected by this. Check this list, and if you did install one of the affected apps, remove it or update it immediately, and change your Apple Cloud password and any other passwords you might have used while the infected app was installed on your device. For the rest of us who aren’t impacted, this particular failure illustrates two important points about security:
- No security system or process is infallible. Apple’s fall from grace in this regard was only a matter of time. Every good security plan should include a failure contingency. In Apple’s case, they know exactly who installed what apps and plan to notify all affected customers.
- The use of the compromised Xcode framework was traced to many developers using a non-official download source to retrieve the code, which is very large (3 GB) and is very slow to download in China from Apple’s servers. Rather than being patient/diligent, Chinese programmers used local, unofficial repositories hosting malware-infected versions of Xcode. Always confirm your source (whether reading email or downloading software) before clicking that link!
Despite the fact that everyone (including me) has been telling you that encryption makes the data stored on your smartphone safer, it would seem that is not necessarily the case for iOS devices. Renowned iPhone hacker, developer and author Jonathan Zdziarski presented a large body of research and evidence that Apple has built backdoor data access into its devices for some time, and not just the kind required by law enforcement for warranted search or for troubleshooting and debugging. Also damning was the fact that these processes and services aren’t documented at all by Apple, but are apparently well known to various law enforcement agencies and forensic data specialists. And the cherry on top? The encryption on your iPhone can easily be bypassed by these backdoor tools through USB connections, Wi-Fi and possibly even cellular connections.
What this means for you:
According to Mr. Zdziarski’s findings, iPhone encryption is essentially bypassed because iOS maintains a base state of authentication even if your phone is “locked” with a PIN or password. The tools and services running quietly in the background of your device have direct access to your data, and not just the “anonymous” or “non-identifying” data that Apple collects for performance and troubleshooting purposes. Apple has yet to comment on Mr. Zdziarski’s findings, but the growing media attention on this issue will likely force a response from the Cupertino company. Unfortunately, there is not much you can do about this, as these backdoors are so deeply embedded in the operating system of iOS that removing or disabling them is impossible. You can, of course, demonstrate your displeasure by contacting your local congress-critter, providing feedback to Apple, and restraining yourself from buying Apple products until they address everyone’s privacy concerns. Given Apple’s stranglehold on the smartphone market, they have very little incentive to change anything unless consumer sentiment starts to sway against them on this issue.
Security researchers have discovered that certain models of iOS devices that have been “jailbroken” are now being targeted in a malware attack, dubbed “unflod”, that can collect the AppleID account login and password used on that device and transmit it to hacker-controlled servers. While jailbreaking iPhones or iPads isn’t likely to be something the majority of iOS device-users will do (primarily because it voids your warranty), a significant percentage of users (2% in early 2013, or nearly 7 million devices) regularly jailbreak their devices. Even if the actual count of phones vulnerable to this threat is somewhere less than 7 million, it’s still a big enough target for identity thieves.
What this means for you:
If your iOS device isn’t jailbroken, you don’t have to worry about the unflod malware attack. If you have an iPhone 5s, iPad Air, or iPad Mini 2G, you don’t have to worry about this particular attack either, even if the device is jailbroken, as the malware currently in use doesn’t work on 64-bit operating systems, which the aforementioned devices use. The unflod malware appears to be caught through application of certain system tweaks that can only be applied to jailbroken, 32-bit OS devices, and only then if the tweaks are sideloaded outside of Apple’s own official app store, or Cydia, the “unofficial official” app store for jailbroken devices. In other words, if most of the words in the article don’t make sense to you, you probably won’t be affected by this malware.
HOWEVER, if you’ve ever considered jailbreaking your iOS device for whatever reason, let the above serve as a cautionary tale: be sure you know what you are doing, back up your important device data, and seriously consider whether you really need a jailbroken iPhone. While the above malware attack requires a specific set of circumstances that only affect a very small percentage of users, jailbreaking a device should only be done by someone willing to take on an increased risk of security breaches and with a full understanding of troubleshooting your own device issues.
The winter holidays are upon us, and with them come the shopping, traveling and general merry-making. Law enforcement is also warning about the increasing rate of smartphone thefts as criminals take advantage of the increased distraction, armfuls of packages and winter clothing to abscond with devices they know most people carry and use these days. Though you can do a lot to lower your profile as a potential victim, it’s a virtual guarantee that a certain percentage of you will have your phone stolen or lost, and aside from the loss of the device itself, your data could also be exploited to your further detriment if your device isn’t properly safeguarded against possible theft. CNET has a comprehensive article detailing how you can secure your data and increase your chances of recovering your iOS, Android or Windows smartphone in case it is stolen, but if you are in a hurry (and who isn’t, these days?), I’ll provide a summary of the basics below.
What this means for you:
For all phones:
- Use a PIN, password, or fingerprint to lock your phone.
- Encrypt your phone data. iPhones and Windows Phones do this by default, but it must be enabled manually on Android devices.
- Back up your critical data, whether it’s contacts, emails or photos.
For iPhone Users:
- Disable access to any features made available through the lockscreen, such as dialing and texting via Siri.
- Set up an iCloud account and enable “Find my iPhone” so that your device can be tracked in case of loss or theft.
For Android Users:
- Disable access to lock screen features.
- Set up Android Device Manager and make sure tracking and control of your device is enabled.
- If you use a microSD card, be aware that it cannot be wiped remotely like the phone’s internal memory (but it can be encrypted).
For Windows Phone Users:
- Sit back and relax, as tracking is enabled by default and the lock screen doesn’t allow access to anything.
The article is really worth reading. If you truly are pressed for time, skip to the part that is pertinent to your specific phone platform. The author provides much more detail on how each tracking system works, as well as what the systems can and can’t do. It may mean the difference between having a happy holiday or a blue Christmas if (when) you get separated from your smartphone.
Earlier this year, CEO Thorsten Heins of beleaguered tech company BlackBerry infamously stated, “In five years I don’t think there’ll be a reason to have a tablet anymore.” The press had a field day with this quote and the explosive growth of tablets in 2013 alone seems to be proving otherwise. As if to rub Mr. Heins’ and other tablet doomsayers’ faces in it, October is seeing the launch of multiple new tablets, including new lineups from Microsoft, Nokia and Apple, all essentially debuting on the same day.
Apple dominated the American media on Oct 22 with the debut of “the lightest full-sized tablet” on the market, the iPad Air, weighing in at a diminutive single pound. It also updated the wildly popular iPad Mini with its high-resolution “Retina” display, bringing the 7″ tablet up to par with competing models from Google and Amazon. In an attempt to not be out-done (and sadly not quite succeeding in that effort), Nokia announced its first tablet today as well. The Lumia 2520 will run Microsoft’s Windows RT, a move that analysts questioned given the tepid consumer response to Microsoft’s tablet OS, but is not unexpected in light of the Redmond tech-giant’s recent acquisition of Nokia’s hardware business. Not wanting to be left out of the tablet party, Microsoft held its own midnight release event on Oct 21 at its retail stores around the country to celebrate the arrival of the Surface 2. Despite loud music, flashy displays and enthusiastic staff, the Surface 2 launch parties seemed to be (unsurprisingly) sparsely attended.
What this means for you:
If you’ve been holding off on buying a tablet for some reason, the market is currently overflowing with choices, and many of them are very strong on features and backed by staunch developer support and healthy ecosystems, notably the iOS and Android family of products. Though many are saying it’s too early to tell, the Windows RT and Windows 8 tablets have a stiff, uphill climb in the market, something that is keeping developers away from the OS, leaving Microsoft’s app marketplace relatively barren compared to the competition. There’s been a minor stir of interest in the Surface tablets from the arts industry, primarily because of the hardware’s robust pressure sensitivity, but unless you have a specific use case in mind, I’d steer clear of the Windows tablets for now. If you’ve been concerned about the size and weight of the 10″ tablets (very hard to use as bedtime readers or if you spend any time as a standing commuter) you can’t go wrong with a 7″ tablet from either Apple, Google or Amazon, all of which now feature high-definition screens, robust app stores and great portability.
BlackBerry (formerly RIM) has been struggling in the smartphone market, having recently fallen into 4th place behind even Microsoft’s fledgling foray into that space. Despite the recent release and generally positive reviews of their 10-series phones, the mobile device manufacturer ceded their corporate dominance years ago to the crushing flood of iOS and Android devices primarily because of the company’s failure to stay competitive on the software side. In a move that has analysts scratching their heads, BlackBerry is now making a play via software with a new platform called “Secure Work Spaces” which aims to allow for peaceful and secure coexistence of personal and corporate data on smartphones, including iOS and Android devices.
What this means for you:
Corporations struggle with allowing their employees to use personal phones for business and, vice versa, corporate phones for personal use, primarily because the risk of security breaches is much higher on the personal side. BlackBerry’s new platform is designed to create a partition that keeps the two work spaces (see what they did there?) separate, giving enterprises complete control over corporate data without the distasteful invasion and control over the personal aspects of devices. Other companies are working on this same concept and have been in the space longer, but BlackBerry’s reputation (and probably some nostalgic sentiment) may win the hearts and minds of corporate IT managers. Seeing as BlackBerry has historically been a company that depends on hardware sales for revenue, many think that BlackBerry is making either a desperate or a cunning pivot to the software space, knowing that there is little chance they can recover any ground in the mobile device race.
In an announcement that surprised pretty much no one in the technology industry, Facebook frontman Mark Zuckerberg announced the arrival of a Facebook application suite, dubbed “Facebook Home”, as well as a phone from HTC called “First” that will have Facebook Home pre-installed. It’s not an operating system, like iOS or Android, nor is the “First” a dedicated Facebook phone. Facebook Home is really a set of apps (only for Android phones at the moment) that essentially makes your phone more like Facebook and less like Android.
What this means for you:
If you live and breathe Facebook (and millions of Americans do just that), then you’ll want to give this app a try, but only if you have an Android phone. iPhone users will be out of luck for the foreseeable future, as Apple does not allow the sort of access to the base operating system that Facebook Home requires. For those of you wondering why anyone would want such a thing on your smartphone, consider this: For many, the Android OS is overwhelming and complicated. They just want to make calls, answer email, and connect with friends. These users are looking for what’s known as a “Walled Garden” experience, very similar to the way AOL offered the “internet” to millions who weren’t interested in (or were bewildered by) the unfiltered and un-curated experience of the 1990s world wide web. You could think of Facebook Home as the new “AOL” for your smartphone.
One thing to keep in mind: Facebook’s revenue model is based upon knowing as much as they can about all of their users. By using Facebook Home, it’s conceivable that Facebook will harvest much more data about you, including location data and browsing habits above and beyond what they can collect while you are sitting at home in front of a computer. If you’ve been living your life on the internet and have nothing to hide, and you don’t mind Facebook mining your smartphone activity for marketing data, Facebook Home might just give you the Facebook phone you’ve always dreamed of.
In what many analysts are seeing as another setback for beleaguered BlackBerry, the US Department of Defense has now announced that it will start allowing the use of iPhones and Android devices in a space that was once the domain of BlackBerry devices. In the early days of mobile email delivery, BlackBerry devices were designed for enterprise-controlled security, whereas the other email-capable devices still relied on immature internet standards, or like Apple’s early iPhones, completely eschewed corporate control. Because of this, BlackBerry became the de facto standard for any business that valued security over style, including pretty much every government agency around the world.
What this means for you:
Don’t count BlackBerry out just yet, but the count is getting shorter and shorter, and at some point the referee might need to stop the fight. The Pentagon isn’t getting rid of BlackBerries (that would be a haymaker they won’t get up from), but they are now opening up the space for departments to use solutions from other vendors (namely Apple and Android). This is a signal to the rest of the world that might have been sceptical of iOS or Android’s security status that if the world’s most powerful military is willing to consider using iPhones and Androids, maybe those platforms have finally caught (and passed) BlackBerry on the security front.