Like the predictable “tick-tock” of a clock, reports are coming in of an infection spreading rapidly through Facebook via a fake Flash update. The “tick” in this case was last week’s report of a zero-day Flash vulnerability, followed by Adobe’s legitimate update to the Flash plug-in. Not wanting to miss an opportunity, cybercriminals have released the “tock”: a video on Facebook that tricks anyone who clicks it into installing a set of malware that can take complete control of the victim’s computer. More than 100,000 people have fallen for this scam, which is only two days old as of this writing.
What this means for you:
If you see a pop-up warning that software on your computer may be out of date, it may or may not be legitimate. With Adobe Flash, it’s very easy to check by going to Adobe’s own Flash website, http://helpx.adobe.com/flash-player.html. Also be wary of where the update warning came from, such as a warning that appears after clicking a dodgy link on Facebook or in an email. Double-check it against a legitimate source. Not sure what that source might be? Your trusted IT professional is only a quick call away. Spending five more minutes to vet that update warning is certainly worth avoiding a malware infection, right?
Microsoft has released a security advisory warning of a new zero-day weakness that is currently being exploited on the internet. Depending on how you interpret their choice of wording (“targeted attacks”), the scale seems to be relatively limited for the moment, but given that the vulnerable application is Microsoft Word and the flaw is not limited to a specific version, the potential attack surface is huge. And it gets better: the delivery mechanism is a specially crafted RTF file which, once opened, can lead to the targeted machine being completely compromised. While RTF files aren’t as widely used as the default “.doc” and “.docx” formats, they are used to export and import documents between Word and other word processors like WordPerfect, LibreOffice, OpenOffice and Apple Pages.
What this means for you:
Microsoft has issued a temporary fix which simply disables Word’s ability to open RTF files, but at the moment there is no ETA on a patch delivered through Windows Update. We recommend applying this Fix-it if you are at all unsure what an RTF file is, or how to tell it apart from other Word and email formats.
The users most exposed to this exploit are actually those who use Word to view formatted emails delivered via Outlook. Outlook does not use Word to view emails by default, so if you never turned that setting on, you only have to worry about Word itself. If you did, disable this feature and use Outlook’s built-in email viewer to read formatted emails. For Word users, don’t open RTF files, even if they come from a trusted source, and don’t send any RTF files, as your recipients may be exercising the same level of caution. If you have to exchange data using RTF, make sure you communicate thoroughly with your recipients, and choose a channel other than email to exchange the files, primarily so there is no chance they could mistake a trojaned RTF for a legitimate file.
From the moment it was announced, Google Glass has been a favorite target in the growing privacy debate in our always-online and increasingly less-private society. Initially, privacy advocates were worried that Glass wearers could record others without their permission or even awareness. Now we have to worry about the possibility that the device itself could fall victim to remote access malware, like we recently wrote about here and here. Grad students from California Polytechnic have created a trojan application that purports to be a note-taking app but instead takes photos without the wearer’s knowledge, recording an image every 10 seconds while the device appears to be off, and uploading the photos over Glass’s built-in data connection to a specified destination conceivably anywhere on the internet.
What this means for you:
Before you go running for the pitchforks and torches, the app was created as a proof-of-concept to demonstrate a key weakness in Google Glass’s current operating system. The app’s ability to take pictures while the device reports itself as “off” is a violation of Google’s Terms of Use for the device, but that TOU is completely toothless, since the OS in its current state can’t enforce the restriction. Worse still, the app itself actually made it through Google Play’s screening process and was available for a short while on the official app store. It might still be there if the students’ professor hadn’t tweeted about it, after which Google pulled it for TOU violations. Google’s position was that this was a desired outcome, and the reason that Glass is still in limited release to developers and the early-adopter (beta tester) program called Glass Explorers.
I’m fairly certain the students in question weren’t the first to dream up this concept, and you can bet that hackers with much more nefarious intent are impatiently waiting for the inevitable arrival and widespread use of wearable technology. The current, laser-hot focus of the privacy debate may be on the NSA and Ed Snowden’s disturbing revelations for the moment, but it seems the government isn’t the only one spying on us. In the words of the sage Walt Kelly (of Pogo comic strip fame), “We have met the enemy, and they are us.”
About a year ago, I shared an article from Ars Technica detailing a chilling and degrading hacker activity called “ratting,” wherein your computer could be hacked into covertly spying on you. This disturbing trend now appears to be spreading to Android smartphones: for a short while before it was detected and removed, a seemingly legitimate app was available on the Google Play store that was purportedly for parents to keep an eye on what their children were doing on their smartphones. Unfortunately for the 50 or so people who actually downloaded the program, its real purpose was to install a remote access trojan platform on the device, which would enable someone to illicitly use the phone’s cameras and microphones to spy on the user, as well as control other aspects of the phone like sending texts, making calls and sending emails.
What this means for you:
The app was built on a software development platform that is being marketed specifically to hackers, and one of its key selling points is the kit’s ability to build apps that can “hide” from the Google security scans that usually prevent malware from being uploaded to the Play store. Translation: you can expect more apps like the one mentioned above to appear on the Google Play store. Where before you could, with maybe 99% effectiveness, depend on Google to protect you from harmful apps, you can no longer take for granted that an app is 100% legitimate just because it appears on the Google Play store. To protect yourself as an Android user, you should:
- Make sure you have a reputable anti-malware app installed (I like Webroot’s Security & Antivirus).
- Read carefully the access permissions each app asks for before installing it.
- Pay attention to user reviews and install count. If the app only has a small number of reviews and installs, give it a few days and check back to see whether it has survived internet scrutiny.
Fortunately, Google has a means to automatically reach out to any Android phone and purge apps that it has found to be harmful, but it’s much safer and less stressful to avoid being victimized in the first place.
Lest you think Facebook is the only security punching bag getting a beating lately, two significant flaws in the Android application platform have been revealed by overseas security teams. Without going into the gory details: each team has found a different way to create a trojanized APK (the file format in which Android apps are delivered) that is indistinguishable from the original. This would allow an app to appear and function normally while also quietly doing things like transmitting your passwords, texts and emails. Google has already put together a fix and distributed a patch to OEM manufacturers, and supposedly they are able to detect this sort of exploit on the Google Play Store.
You need to worry if you “sideload” apps on your Android phone, which is to say you get apps from sources other than Google Play. Keep in mind that even Amazon’s App store counts as a sideloading source, and at the moment they aren’t scanning for this vulnerability.
What this means for you:
Even though Google has issued a fix for this particular vulnerability, they can’t force the update onto the millions of affected Android phones out there, as that task lies with the phone manufacturers and the carriers. With the exception of avid power users, most Android users are unaware that their Android OS may be months or years out of date, primarily because cellular carriers insist on selling phones that run a modified version of the OS that is not automatically updated when Google updates the core version of Android. On top of this, the carriers are notoriously slow in issuing updates. If you are wondering what folks are talking about when they discuss “Gingerbread”, “Honeycomb”, “Ice Cream Sandwich” and “Jelly Bean”, they are referring to the various versions of the Android OS, of which Jelly Bean is the latest. Supposedly this vulnerability exists as far back as “Donut” (version 1.6).
Even worse, certain older models of Android phones may never get updated, as the carrier has essentially abandoned firmware updates for phones that are “retired” from active support. Users of these phones have essentially two options: root, unlock and update the phone with a custom version of the Android OS developed by the open source community, or buy a new phone. The former option is definitely not for the technically disinclined. Given the gravity of the vulnerability, the carriers may issue patches for the majority of their phones, but I wouldn’t hold your breath.
Until you are able to verify that your Android smartphone is running a version of the OS that fixes this vulnerability, don’t sideload applications. If you want to be extra safe, avoid using smartphone apps that transmit sensitive information like banking passwords, PINs and other sensitive personal data. As I’ve reiterated before, exercise caution before convenience, especially when it comes to protecting yourself.