900 Million Android Devices at Critical Risk!


What is the Android Master Key Vulnerability?

Android is an operating system (called OS) designed for mobile touch screen devices such as smart phones and tablet computers.  It is a very popular system.  Consider how popular the Android smart phone is worldwide: the Android smart phone market share in the US is estimated to be over 52%; the Android smart phone market share in China is over 90%!  

A vulnerability in the Android operating system (OS) was discovered early in July, 2013, by a security organization.  The vulnerability, which affects an estimated 900,000,000 Android devices worldwide, has been code-named “Master Key”.  Although it was only recently discovered, the vulnerability has existed on Android devices running versions 1.6 and higher.  The best I can find is that it has existed since 2009!  (Note:  the latest Android version is 4.3 – Jelly Bean.  It was released July 24, 2013.)

Why Is This Exploit Dangerous?

The Master Key threat allows anyone to completely control your Android device.  What does that mean to you?  It means that a hacker/bad guy can infect your device and retrieve all your personal and sensitive information, your passwords, your account numbers (think bank and stock accounts), phone numbers, information about others including their email addresses. A hacker who utilizes this vulnerability on your device can monitor all your messaging. 

Feeling a little fear yet?  You should as it is appropriate in this case.  The Master Key threat even allows a hacker to use your phone to take pictures and videos, to send premium SMS messages, to disable security software, not to mention join bot nets. (If you don’t remember about bot nets, please see my post “What the Hack is a Bot Net and Why Should I Care?”)

Because of the market saturation of Android devices in China, that country has become a prime target for the Master Key threat.  According to Bluebox.com, the security firm that first discovered the vulnerability, two legitimate apps used in China to find and make doctor appointments have been “trojanized” (infected with Trojan malware) with more attacks expected.

How the “Master Key” Threat Works

It is a bit of a challenge to explain the threat without techie talk.  The security provider Symantec recently explained that “an Android package file, used to install an application, could be modified in a way that did not affect the application’s original cryptographic digital signature. The signature verifies an application’s integrity.” http://www.pcworld.com/article/2045087/symantec-spots-two-android-apps-using-master-key-vulnerability.html

This means that the bad guys found a way to slip tampered code past the very check that is supposed to prove an app is safe and has not been tampered with!   They use the Android vulnerability to create and install an update for an already installed app, but that update is actually a malicious version of the app – and it is installed without detection!  And with NO permission required.

So now, the “updated” but malicious version of the original app is comfortably in place on the device; it continues to be usable, albeit now for malicious purposes; all the while the user of the device, and even the app store, have no clue the updated app is really malware – until catastrophe happens…
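The trick behind the Bluebox bug is an APK (a ZIP archive) that carries two entries with the same file name, so the code that checks the signature and the code that installs the files can each pick a different copy. The following is an added example, not the page’s or Bluebox’s code: it builds a constructed, APK-like archive in memory with a duplicated classes.dex entry and flags it the way a patched installer or an app-store scanner would.

```python
import io
import warnings
import zipfile
from collections import Counter


def build_sample_apk(duplicate: bool) -> bytes:
    """Construct a minimal APK-like ZIP in memory (sample data, not a real app).

    A real APK also carries META-INF/*.SF and *.RSA entries holding per-file
    digests and the developer's signature; they are stubbed out here.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035 original bytecode")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        if duplicate:
            # zipfile only warns about a duplicate name; the entry is still written.
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")
                zf.writestr("classes.dex", b"dex\n035 tampered bytecode")
    return buf.getvalue()


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {name: count} for every entry name that appears more than once.

    infolist() walks the whole central directory, so both copies are seen;
    a lookup by name (namelist()/read("classes.dex")) silently collapses them.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def entry_versions(apk_bytes: bytes, name: str) -> list:
    """Return the payload of every entry carrying `name`, in directory order."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [zf.read(info) for info in zf.infolist() if info.filename == name]


def is_safe_to_install(apk_bytes: bytes) -> bool:
    """Reject any archive in which one name resolves to more than one entry."""
    return not duplicate_entries(apk_bytes)


if __name__ == "__main__":
    for dup in (False, True):
        apk = build_sample_apk(duplicate=dup)
        print("duplicate" if dup else "clean", duplicate_entries(apk),
              "install" if is_safe_to_install(apk) else "reject")
```

Running it shows that the two copies of classes.dex hold different bytes, which is exactly why a name-based verifier and a name-based installer can disagree about what they are looking at.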

How to Protect Against the Vulnerability?

1. Check For and Apply Device Manufacturer’s Software Updates and Patches ASAP

The first recommendation is to immediately check for and apply OS and software updates from your device manufacturer.  The only good news, according to one source, is that the Samsung Galaxy S4 is already patched and protected against the Master Key threat. 

Major brands are acting quickly to get patches out to their market; but be aware that smaller and lesser known brands like Cherry Mobile, Starmobile or MyPhone are likely to be slow to release updates.  Check with those manufacturers if you own their devices for how they are offering updates and patches.

2. Use the Google Play Store to Download Apps for the Time Being

Google was quick to release patches in response to the threat.  It is suggested that applications for Android devices currently be downloaded ONLY from Google’s Play Store.  DO NOT download apps from file-sharing sites (torrent sites) since those are the sites of choice for hackers and bad guys.  They are waiting for and counting on you to go there for apps.

3. Disable Non-Market App Installations

Check that only trusted apps are installed on your device.  On an Android phone, this can be done by selecting Settings > Security, then uncheck the “Unknown Sources” option.

4. Uninstall Questionable Apps

The following advice is excerpted from pinoytechnoguide.com:    “If you have recently installed an app that offers very little use for you, uninstall it. Examples of apps like this are those that serve as ebooks with very few pages. Be specially skeptical in installing apps that ask for a lot of permissions.” http://www.pinoytechnoguide.com/2013/07/protection-android-master-key-bug.html

Tool to Scan for the Master Key Threat

I don’t have an Android device so I can’t verify the following tool as effective.  I will suggest it only as a resource mentioned in many articles as a scan tool for this exploit.  If you are an Android device user, I suggest you explore this resource further.

So try to picture a room full of 900,000,000 Android devices.  I can’t picture that, either.  But the thought that 900,000,000 devices could be infected and controlled by bad guys who want what you and I have and are probably already getting it – that SCARES me into action.  I hope it does the same for you…

Can You Count That High?


There Is NO Eraser On The Internet


If you don’t want your potential employer, potential spouse, identity thief, HR Recruiter, potential friend, police, church friends, best friend, worst friend, whomever, to know something about you – how you think, act, speak, express yourself – then don’t post “it” on the Internet! The Internet – that includes but is not limited to social network opportunities, blogs or websites, to name a few places. To borrow a great carpenter rule – Think Twice, Post Once – or NOT at all…

Virus Humor


There is nothing funny about a computer virus – usually.  If you’ve been reading my previous posts, you should start to get the gist that cyberspace is scary and dangerous for even the very savvy and alert cyber citizen.

Viruses – hundreds of thousands of them and multiplying hourly!  Malware; Scareware; Botnets; Identity theft; Zombie Armies; Robots.  Yikes!  Enough Already!!!  I’m scaring myself!  Stop!  Please!  Give me a break!

OK.  Good Idea.  This really is heavy stuff.   Let’s take a short break from all the assaults on our security and lighten up our moods with a little bit of laughter.

Mark Twain wisely said, “Against the assault of laughter nothing can stand.”

So, if you can stand it, here’s a list of viruses that have been around a while that might infect you with some laughter….

Adam and Eve Virus:   Takes a couple of bytes out of your Apple.

AT&T Virus:   Every three minutes it tells you what great service you are getting.

Time Warner Virus:   Every three minutes it reminds you that you’re paying too much for the AT&T virus.

Politically Correct Virus:  Never calls itself a “virus”, but instead refers to itself as an “electronic microorganism.”

Arnold Schwarzenegger Virus:   Terminates and stays resident. It’ll be back.

Government Economist Virus:   Nothing works, but all your diagnostic software says everything is fine.

Federal Bureaucrat Virus:   Divides your hard disk into hundreds of little units, each of which does practically nothing, but all of which claim to be the most important part of your computer.

Gallup Virus:   Sixty percent of the PCs infected will lose 38 percent of their data 14 percent of the time. (plus or minus a 3.5 percent margin of error.)

Texas Virus: Makes sure that it’s bigger than any other file.

Congressional Virus #1:   The computer locks up, screen splits erratically with a message appearing on each half blaming the other side for the problem.

Congressional Virus #2: Runs every program on the hard drive simultaneously, but doesn’t allow the user to accomplish anything.

Airline Virus:   You’re in Dallas, but your data is in Singapore.

PBS Virus: Your programs stop every few minutes to ask for money.

NIKE Virus:  Just does it.

Jimmy Hoffa Virus:  Your programs can never be found again.

Star Trek Virus:  Invades your system in places where no virus has gone before.

Health Care Virus:  Tests your system for a day, finds nothing wrong, and sends you a bill for $4,500.

Chicago Cubs Virus: Your PC makes frequent mistakes and comes in last in the reviews, but you still love it.

“He who laughs last didn’t get it…”  – Helen Giangregorio

Partial list borrowed from http://www.bsd.org/new.virii.html

…Where Everybody Knows Your Name


If you’re old enough, you might remember the TV series “Cheers”, that famous Boston bar where the regulars came to get away.  And where everybody knew their names – Sammie and Diane, Cliff and Norm, Dr. Frasier and Carla and Woody and Rebecca.  And we were always glad they came – because we came to know all about them, and couldn’t wait to find out more about how their private lives and hearts intertwined and broke each week.   Now some 30 years later, we still know their names and a lot about their personal TV lives…

Hmmm…  Kinda sounds like what the Internet does to our private lives today – the Internet, where everyone knows our name and the cyber crooks are always glad we came….

Have you ever done a search for yourself on the Internet?  If you haven’t give it a try and see how easy it is for everyone to know your name…  and other stuff – personal and private stuff.  To help make your name known, information vacuum cleaners are sucking up data all over the internet about you, cleverly combining the bits and pieces they acquire to provide robust profiles about you – easily available and often for FREE – on the Internet!

As an FYI, here are two sites that might know your name.  Maybe you should get to know them and find out how much they know about you:

SPOKEO.com 

This is what they say about what they do on their ABOUT page:

“Spokeo makes it easier than ever to help reunite friends and family, browse celebrities, and discover information about your online footprint, by simply searching a name, address, email, phone and username.”

Oh wow, isn’t that nice of them!  They are helping everyone know my name.  And I didn’t even ask them to do this for me…..  And, Oh, they seem to know more than my name….

The partial good news is that you can “Opt Out” of being listed on their pages. Under the “PRIVACY” tab on their website, you can find out how they gather their information; but more importantly, you can follow the directions to remove yourself from their postings.  It is only partial good news because your opting out of their site won’t remove you from other third party entities that used them to know your name….  To their credit, Spokeo tells you this also on the Privacy page.

PIPL.com

Here’s another site to check out that may have checked you out.   This is what they say about themselves and their mission:

“The most comprehensive people search on the web.  (That is people, like in PIPL – my note).

We dive into the deep web to bring you results you won’t find in any other search engine then we use a powerful identity resolution engine to link those seemingly disparate results into a set of meaningful profiles so you can easily find the person you are looking for.”

If you are wondering what the “deep web” is – that’s the part of the world wide web where data is “buried” – as in data not organized in a way that common searches can find it but definitely findable by skilled information seeking robots.  And the info they vacuum can be damaging.

Now, all this freaks me out a bit.  Much like the way social networking freaks me out.   All the information we put out on Facebook and LinkedIn, for instance, so that people will know our name – they know our name all right.  And more and more…  Brings to mind another song line – “Getting to know you, getting to know all about you…”

So all this is to say, we need to BE AWARE and BEWARE of how we want people to know our name in cyberspace.  We need to be selective about our information and vigilant about how to protect it.   Understand that cyberspace is not a safe space, that there is no such thing as privacy in cyberspace and nothing is erasable from cyberspace.

So having everybody know our name, well, that may be more dangerous than famous.  To paraphrase the first line of the song –

Making our way in the world (wide web) today could take everything we’ve got…..

Cheers

 

Are Your Passwords Inviting Identity Theft?


Is this what your passwords are doing – offering a lock to your personal data and financial accounts BUT offering the keys to that lock as well?

In the time it took you to read this question and give it some thought, a motivated hacker could discover your passwords if they are considered weak.  And with those passwords, the cyber criminal can access your  personal data and carry out his many nefarious intentions.

So, how much thought do you give to creating strong passwords?

There’s a big chance you don’t give it much thought — that you are more concerned about being able to remember your passwords than you are about the security they provide.

Go ahead, feel embarrassed, but know you are not alone.  Imperva, a California internet security firm, confirmed this about most of us in a 2010 report which stated “when people picked passwords, they generally cared more about being able to remember them than about security.”

Actually, a good dose of alarm would be helpful here if you use weak password strategies, because those increase your risk of suffering fraud and identity theft attacks, and they leave your most personal and financial data susceptible to basic brute-force password attacks (an attempt to gain unauthorized access to a computing system by generating and trying all possible passwords – McGraw Hill Dictionary).

That’s the bad news.  The good news is there are strategies you can put in place right now to increase your security protection.  The following are password guidelines from Microsoft that are basic but good strategies:

Strong Password Guidelines

Good Strategies:
•    Length. Make your passwords long with eight or more characters.
•    Complexity. Include letters, punctuation, symbols, and numbers, upper and lower case. Use the entire keyboard, not just the letters and characters you use or see most often. The greater the variety of characters in your password, the better. Be aware, however, password hacking software automatically checks for common letter-to-symbol conversions, such as changing “and” to “&” or “to” to “2.”
•    Variation. To keep strong passwords effective, change them often. Set an automatic reminder for yourself to change your passwords on your email, banking, and credit card websites about every three months.
•    Variety. Don’t use the same password for everything. Cyber-criminals steal passwords on websites that have very little security, and then they use that same password and user name in more secure environments, such as banking websites.
•    Change Passwords Often.  Changing passwords is commonly recommended.  Monthly would be even better.  Immediately, if you feel you’ve been in a security compromising situation.

Even Better Strategies:
Create complex pass phrases:
•  Start with a sentence or two  —  Example:  Safe Passwords Are Complex
•  Remove the spaces between the words in the sentence  — Example:  SafePasswordsAreComplex
•  Turn words into shorthand or intentionally misspell a word — Example:  SafePasswordsAreComplxe
•  Add length with numbers. Put numbers that are meaningful to you after the sentence. —  Example:      SafePasswordsAreComplxe1950

Common Password Pitfalls to Avoid
•    Dictionary words in any language.
•    Words spelled backwards, common misspellings, and abbreviations.
•    Personal information. Your name, birthday, driver’s license, passport number, pet’s name or similar information.
•    Sequences or repeated characters. Examples: 12345678, 222222, abcdefg, or adjacent letters on your keyboard.

10 Most Common Passwords
The Imperva report cited the following as the 10 most common passwords:
•    123456;  12345;  123456789;  Password;  iloveyou;  princess;  rockyou;  1234567;  12345678;  abc123.
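As an added example (not Microsoft’s or Imperva’s code), the checker below turns the guidelines and pitfalls above into tests: length, character variety, repeated or sequential runs and keyboard rows, the ten common passwords from the report, personal information, and whole dictionary words (also backwards) after undoing the letter-to-symbol swaps the text warns cracking tools reverse automatically. The DICTIONARY set is a small constructed stand-in for a real word list.

```python
import re
import string

# The ten passwords the Imperva report lists (taken from the post above).
COMMON_PASSWORDS = {"123456", "12345", "123456789", "password", "iloveyou",
                    "princess", "rockyou", "1234567", "12345678", "abc123"}
# Constructed stand-in for a real word list; a real checker would load one.
DICTIONARY = {"password", "princess", "welcome", "summer", "dragon", "monkey"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Symbol swaps that cracking tools undo automatically ("and" -> "&" among them).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "&": "and"})


def normalize(pw: str) -> str:
    """Lower-case the password and undo the common symbol substitutions."""
    return pw.lower().translate(LEET)


def has_run(s: str, run: int = 4) -> bool:
    """True if `run` consecutive characters repeat (2222), step by one
    (abcd, 4321) or sit side by side on a keyboard row (qwer, lkjh)."""
    low = s.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def is_dictionary_word(s: str) -> bool:
    """The pitfall list bans whole dictionary words, spelled forwards or backwards."""
    core = re.sub(r"[^a-z]", "", s)
    return core in DICTIONARY or core[::-1] in DICTIONARY


def password_problems(pw: str, personal: tuple = ()) -> list:
    """Return the guideline violations found in `pw` (empty list = none found).
    `personal` holds strings such as a name, pet or birth year that must not appear."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if sum(classes) < 3:
        problems.append("uses fewer than 3 character classes")
    norm = normalize(pw)
    if pw.lower() in COMMON_PASSWORDS or norm in COMMON_PASSWORDS:
        problems.append("is one of the most common passwords")
    if has_run(pw):
        problems.append("contains a repeated, sequential or keyboard-row run")
    if is_dictionary_word(pw.lower()) or is_dictionary_word(norm):
        problems.append("is a dictionary word (even after symbol substitution)")
    for item in personal:
        if item and (item.lower() in pw.lower() or item.lower() in norm):
            problems.append(f"contains personal information ({item})")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Qwerty1234!", "SafePasswordsAreComplxe1950"):
        print(candidate, "->", password_problems(candidate) or "no problems found")
```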

To finish up with a Warning:
“Amichai Shulman, chief technical officer at Imperva, urges people to avoid using these common passwords when using social networking, shopping and online banking sites.  

He states, “Everyone needs to understand what the combination of poor passwords means in today’s world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second – or 17 minutes to break into 1,000 accounts.”  (http://blog.1-to-1.org.uk/2013/04/the-worst-passwords-to-use-online.html)

Don’t let your passwords betray you.
In your passwords, Be Strong and Be Safe…….
To paraphrase Shakespeare, Security is the chief enemy of hackers (who also are mortals).  

 

Password Humor


Creating Secure Passwords - Tip #1


How Can I Minimize the Amount of Spam I Receive?


SPAM – unsolicited email; mail you receive in your electronic mail inbox that you didn’t request and you don’t want! If you don’t get spam, then you need to be telling us your secrets of how you avoid it….!

Notice the question is how to MINIMIZE the amount of spam. It is unlikely you will eliminate all spam.  As already noted in a previous blog, about 80% of email is spam, so minimizing it will truly make managing your email easier and safer. Here are some highly recommended best practices to consider and implement to reduce receiving spam mail.

Don’t give out your email address to anyone except those with whom you want to correspond.

Don’t spam other people.

o Be a considerate and responsible user. Some people consider forwards as spam so be selective and considerate about whom you send forwards to.

o Be discreet about distributing email to multiple users. Resist using the CC option.  Instead, send the original email to your own email address and use the BCC option for those in your distribution list. This way none of the addresses will be seen by the other recipients in your distribution. This is a courtesy that protects the privacy of your friends’ addresses.

Use separate, free Web mail accounts like Gmail and Yahoo to do online shopping or correspond with retailers and those with whom you infrequently correspond.

o These accounts have built-in spam filtering.

o You can abandon these accounts easily if you start to get too much spam.

o Consider using this option if you have to post an address on chat rooms, newsgroups, contact lists, etc., as spammers “harvest” addresses from these types of sites.

Don’t Ever use the “Remove Me” option to try to get off mailing lists. NEVER!

o This only confirms to spammers that your email address is valid and a real person has read their spam. It ensures you will get more spam.

Don’t Click on Links in Spam messages. This also confirms that your address is valid and a real person is ready to respond.

Use Fake Addresses when completing web-based sign up forms.

o If possible, write out an address – username ATyahoo.com (AT instead of @). A robot that is trying to “harvest” your address cannot read that address.

Read Website Privacy Policies. If there is no privacy policy but you want to/have to post an email address, then consider an alternate web mail account as suggested above. But don’t give out any personal information!

Report Spam to your Internet Service Provider (ISP).

Mark Spam as such in case spam does get into your mailbox. Doing so helps train your mail filter to recognize spam.

View Email in Plain Text, rather than HTML when possible.

o Spammers can track when a user opens mail with a linked graphic file that is sent as HTML mail. Disabling automatic downloading of graphics in HTML mail and using plain text prevents the spammer from tracking you.

o Note: HTML makes email more attractive but the trade-off is the tracking possibility. Disabling HTML varies with the ISP or email client so doing a search on how to do this is recommended.

Be aware of, and cautious about, signing up to receive product and service alerts.

o Your email address and personal information can be shared with/sold to spammers if there is no privacy policy.

Be Extremely Cautious using Social Networking Services!

o Useful and fun as these services are, they create huge vulnerabilities for loss of personal information, identity theft, viruses, bot net control, and spam, to name a few things.

o The dangers of social networking will be the subject of another blog….. Stay tuned.

Using these recommendations will minimize the amount of spam you receive, will add to your reputation as a responsible cyber citizen and will enhance your own cyber and personal security — not to mention make it a little bit more difficult for spammers to be so profitable….. Yes to that!
