Category Archives: Android

Strange times for Microsoft

Microsoft’s relentless push to get everyone using Windows 10 is creating problems for the software giant. At least one class action lawsuit is underway in Illinois, where annoyed users claim that Microsoft owes more than $5 million in damages related to Windows 10 upgrades, both wanted and unwanted.

Meanwhile, Windows is no longer the most popular way to access the Internet. As recently as 2012, up to 90% of all Internet access was via Windows, but that number has been dropping steadily in recent years, and it’s now at an all-time low. For the first time ever, another operating system is in first place: the mobile O/S Android. Microsoft has bet heavily on Windows 10 and its universal touch interface, alienating traditional desktop enthusiasts and power users in the process. But if consumers are increasingly choosing Android over Windows 10 for their mobile devices, where does that leave Windows?

Microsoft’s efforts to herd users towards their advertising platform Windows 10 includes discontinuing support for newer processors on older versions of Windows. While it’s clearly Microsoft’s prerogative to decide which hardware they support, there’s no obvious technical reason for this limitation. In light of Microsoft’s historical support for older systems, this is particularly annoying news for anyone expecting to be able to use Windows 7 or 8.1 with new hardware.

The April 12 publication of a set of exploits by hacking group The Shadow Brokers included several that were widely reported as unpatched zero-day Windows vulnerabilities. It turns out that most of those vulnerabilities were already fixed by March’s Patch Tuesday updates. While this is good news for Windows users, it raises questions about when and how Microsoft learned about the Shadow Brokers exploits, why there was no mention of the source in March’s patch release notes, and whether this has anything to do with the rescheduling of February’s Patch Tuesday updates. Update: TechDirt’s analysis.

Firefox 48.0

The announcement for Firefox 47.0 highlights a few changes: synchronized tabs (between Firefox instances), improved video playback, and some security and performance improvements for Android users.

According to the release notes, Firefox 47.0 takes a few more steps in the process of moving away from Flash and toward HTML5 for video, and removes support for some older technologies related to plugins. The click-to-activate plugin whitelist, a security feature that was introduced in 2013, has been removed.

Most importantly, Firefox 47.0 fixes at least thirteen security issues. So don’t delay, update Firefox as soon as you can.

Check your Firefox version and trigger an update by navigating to its About page:

  1. Click the ‘hamburger’ (three horizontal bars) menu button at the top right.
  2. Click the question mark at the bottom of the menu.
  3. Click ‘About Firefox’ in the menu.

April security roundup

People who store Slack credentials in Github code repositories learned that this a bad idea, as researchers demonstrated the ease with which this information can be gathered without any explicit permissions.

Scary news: computers at a German nuclear reactor facility were found to be loaded with malware. The only thing that prevented miscreants from playing with real nuclear reactors was the fact that these computers are not connected to the Internet.

Crappy security practices led to the theft of user account information (email addresses and poorly-encrypted passwords) from Minecraft community site Lifeboat.

The notorious hacking group known as Hacking Team made the news again, this time with reports of active drive-by exploits affecting Android devices.

The Nuclear exploit kit is still operating, despite recent, partially-successful, efforts to shut it down. Researchers showed that the kit is still being used, and may be involved in recent ransomware infections.

Good news: the two men responsible for the notorious SpyEye banking trojan, recently extradited to the US to face federal prosecution, will be spending nine and fifteen years in prison.

Zero-day exploits are on the rise, doubling from 24 in 2014 to 54 in 2015. A zero-day exploit is a hack that takes advantage of software vulnerabilities before the software’s maintainers have had a chance to develop a fix.

Cisco security researchers identified vulnerabilities in several enterprise software systems, including Red Hat’s JBoss. As many as three million web-facing servers running this software are at risk of being infected with ransomware, and in fact as many as 2100 infected servers were identified.

More good news: the Petya ransomware was found to contain a flaw that allows its victims to decrypt their data without paying any ransom.

The Mumblehard botnet was taken down by ESet researchers, after it infected at least 4000 computers and sent out countless spam emails.

Microsoft announced plans to prevent Flash content from playing automatically in the Windows 10 web browser Edge. All the major browsers appear to be heading in this direction, if they don’t already have the feature, as does Chrome.

April’s issue of the SANS ‘Ouch!’ newsletter is titled “I’m Hacked, Now What?” (PDF) and provides helpful information for the recently-hacked. The newsletter is aimed at regular users, so it may not be particularly useful for IT professionals, except as a means to educate users.

The wildly popular WhatsApp – a messaging application for mobile devices – now has end-to-end encryption. This will make life more difficult for spy agencies who want to know what users are saying to each other. But WhatsApp users should be aware that this does not make their communications invulnerable, since techniques exist to get around full encryption, such as keystroke loggers.

Bad idea: someone at CNBC thought it would be a good idea to ask users to submit their passwords to a web-based system that would test the passwords and report on their relative strength. The service itself was vulnerable, and exposed submitted passwords to network sniffing. The service was taken offline soon after the vulnerability was identified.

The web site for toy maker Maisto International was hacked and serving up ransomware for an unknown amount of time, probably several days or even weeks. The hack was made possible because the site was using outdated Joomla software.

Security roundup for March 2016

Ransomware made news frequently in March. Two more healthcare networks in the USA were hit with ransomware. A new variety of ransomware called Petya took things to a new level, encrypting the core data structures of hard drives. TeslaCrypt continued its destructive march across Europe and into the USA. A surge in malware-laden advertising (aka malvertising) on several popular web sites, including the Certified Ethical Hacker site, led to numerous ransomware infections.

Smartphones and tablets running Google’s Android operating system remain a popular target for malware. A newly-discovered vulnerability can allow malware to permanently take over a device at the root level. Malware that exploits the still largely unpatched Stagefright vulnerability was identified.

Security researchers discovered malware that can infect computers that are not connected to networks, using external USB devices like thumb drives. The malware, dubbed USB Thief, steals large quantities of data and leaves very little evidence of its presence.

A hacking group known as Suckfly is using stolen security certificates to bypass code signing mechanisms, allowing them to distribute malware-laden apps more effectively.

The folks at Duo Security published an interesting post that aims to demystify malware attacks, describing malware infrastructure and explaining how malware spreads.

Ars Technica reported on the surprising resurgence of Office macro malware. Macros embedded in Office (Word, Excel) documents were a major problem in the 1990s but subsequent security improvements by Microsoft reduced their prevalence until recently. Getting around those improvements only requires tricking the document’s recipient into enabling macros, and it turns out that this is surprisingly easy.

Millions of customer records were made available in the wake of yet another major security breach, this time at Verizon.

Google continued to improve the security of its products, with more encryption, better user notifications and other enhancements to GMail.

Brian Krebs reported on spammers taking advantage of the trust users have in ‘.gov’ domains to redirect unsuspecting users to their spammy offerings.

Opera announced that their web browser will now include ad-blocking features that are enabled by default.

Critical security flaw affects millions of systems

Here we go again. Researchers have discovered (actually more like rediscovered) a very bad flaw in the commonly-used GNU C Library, also known as glibc.

The flaw has existed, undiscovered, since 2008. It was discovered and reported to the glibc maintainers in July of 2015 (CVE-2015-7547), but nothing was done about it until Google researchers re-discovered the flaw and reported it on a public security blog.

The glibc maintainers reacted to the Google revelations by developing and publishing a patch. It’s not clear why such a serious vulnerability was not fixed sooner.

But that’s not the end of the story. Any computer or device that runs some flavour of Linux, including most of the world’s web servers and many routers, is potentially vulnerable. Individual software applications that are compiled with glibc are also potentially vulnerable.

Although it’s safe to assume that diligent sysadmins will update their Linux computers, tracking down all the affected software will take time. The Linux firmware running on routers and other network devices will be updated much more slowly, if at all. All of this opens up many exploitation possibilities for the foreseeable future.

The good news is that there are several mitigating factors. Many routers don’t use glibc. In some cases, default settings will prevent exploits from working. Android devices are not vulnerable. Still, this problem is likely to get worse before it gets better.

Update 2016Feb20: Dan Kaminsky just posted his analysis of the glibc vulnerability. It’s very technical, but if you’re looking for a deeper dive into this subject, it’s a great place to start. Dan helpfully explains why it’s difficult to predict just how bad things will get.

Security and privacy roundup for January 2016

Your devices are talking about you

You already know that your web browser is tracking your activity. You are probably also aware of ‘The Internet of Things‘ – the increasing prevalence of devices that are connected to the Internet – and you recognize that any such device can also track your activities. Bruce Schneier reveals the next step in this evolution: enabling devices to share information about you. Of course, since the goal of all this surveillance is merely better-targeted advertising, most people are unlikely to care. Still, if privacy and control are important to you, this will not be welcome news.

Brian Krebs reminded us that ransomware can affect files in your cloud storage space as well as on your physical computer and network-connected devices.

A summary of software vulnerabilities over at VentureBeat shows Mac OS X topping the list for 2015. Microsoft’s security efforts seem to be paying off, as the highest-ranked version of Windows on the 2015 list is Windows 8.1 at number 10, and fewer than half the vulnerabilities as OS X.

Serious vulnerabilities were discovered in OpenSSH (a very commonly-used secure terminal client), OpenSSL (the ubiquitous security library), and Trend Micro antivirus software.

Vulnerabilities in the Linux kernel (affecting Android phones and Linux PCs) remain unpatched on many affected devices.

Google produced more patches for vulnerabilities affecting Android devices, but as always, the patches are finding their way to devices very slowly.

The very weak hashing functions MD5 and SHA1 are still being used in HTTPS encryption in some contexts.

It’s official: your smart TV can become infected with malware.

Network devices made by Juniper and Fortinet were found to contain serious vulnerabilities, including an NSA-developed back-door function and a hard-coded back-door password (more).

The free-to-use deep search tool Shodan made the news when researchers showed that it can be used to find household cameras, including baby-cams. Note that the problem here is not Shodan, which is just a useful search tool. The problem is the failure to properly secure Internet-connected devices.

There were more serious corporate security breaches in January, at Time Warner and Linode. As usual in these cases, the login credentials of subscribers were obtained by the attackers.

Amazon’s security practices were (unwillingly) tested by a customer, and found seriously deficient.

More malicious apps were found in the Google Play store. Google removed those apps, but not until they were downloaded millions of times by unsuspecting Android device users.

LG fixed a critical security hole affecting as many as ten million of its mobile devices.

Security and privacy roundup for November 2015

PCs from Dell were found to include support software and related security certificates that potentially expose users to various threats. Dell moved quickly to provide fixes, but many systems remain vulnerable. As if we needed more convincing, this is yet another reason to remove manufacturer-installed software from new PCs as soon as possible after purchase.

A hacking tool called KeeFarce looks for KeePass password databases, attempts to decrypt the stored passwords, and makes the decrypted passwords available to intruders. For this to work, the target computer must already be compromised, and the KeePass database left unlocked. According to researchers, the technique could be used on any password management software. Please, if you use password management software, remember to leave it locked, even if you’re the only user. Why make things any easier for intruders?

Anti-adblocking service provider PageFair was hacked on Halloween, and for a couple of hours, visitors to about 500 web sites were shown fake Flash update warnings that actually installed malware. PageFair fixed the problem relatively quickly and apologized for the breach.

The web site for the popular vBulletin forum software was hacked and user account information stolen. Site admins reset all user passwords and warned users, but have yet to address claims that the attackers used a long-standing vulnerability in the vBulletin software itself to achieve the intrusion. If true, anyone who manages a vBulletin site should immediately install the patch, which was made available after the vBulletin site hack.

With all the furor over Windows 10’s privacy issues, it’s important to recognize that modern phones have all the same issues. Anyone who uses a smartphone has observed that most apps ask for access to private information when they are installed. Generally, user choices are limited to agreeing or cancelling installation. A new study looks at popular iOS and Android apps, the user information they collect, and where they send it. The results are about as expected, and the authors conclude, “The results of this study point out that the current permissions systems on iOS and Android are limited in how comprehensively they inform users about the degree of data sharing that occurs.” No kidding.

A nasty new type of Android malware has been discovered. Researchers say that the perpetrators download legitimate Android apps, repackage them with malware, then make the apps available on third-party sites. Once installed, the infected apps allow the malware to install itself with root access. So far, the malware only seems to be used to display ads, but with root access, there’s no limit to the potential damage. Worse still, it’s extremely difficult to remove the malware, and in many cases it’s easier to simply buy a new phone.

Ransomware was in the news a lot in November. SANS reported seeing a malware spam campaign that impersonates domain registrars, tricking recipients into clicking email links that install the ransomware Cryptowall. Ars Technica reports on changes in the latest version of Cryptowall, and a new ransomware player called Chimera. Brian Krebs reports on new ransomware that targets and encrypts web sites. Luckily, the encryption applied by that particular ransomware is relatively easy to reverse.

Several web sites and services were hit with Distributed Denial of Service (DDoS) attacks in November. In some cases, the attackers demanded ransom money to stop the attack. ProtonMail, provider of end-to-end encrypted email services (and used by yours truly) was hit, and the attacks didn’t stop even when the ransom was paid.

Security certificates generated using the SHA1 algorithm are nearing the end of their usefulness. Plans are already underway to stop providing them and stop supporting them in web browsers and other software. SHA1 is being phased out in favour of the much more secure SHA2 algorithm.

A rash of vulnerabilities in popular WordPress plugins, including the excellent BPS Security plugin, came to light in November. WordPress site operators are strongly encouraged to either enable auto-updates or configure their sites to send alerts when new plugin versions are detected.

An app called InstaAgent was pulled from the Apple and Google app stores when it was discovered that the app was transmitting Instagram userids and passwords to a server controlled by the app’s developer. It’s not clear how the app managed to get past the quality controls in place for both stores.

Security researchers discovered a bizarre new form of privacy invasion that uses inaudible sound – generated by advertisements on TV and in browsers – to track user behaviour. As weird as it seems, this technology is allowing true Cross Device Tracking (CDT).

On a brighter note, Google is now detecting web sites that appear to use social engineering techniques to trick users. Chrome’s Safe Browsing feature will now show a warning when you are about to visit a page Google thinks is using these devious methods.

The whole-disk encryption technology TrueCrypt was previously reported as vulnerable, and a new study has confirmed those vulnerabilities. The study also found that if TrueCrypt is used on unmounted drives, it is perfectly secure, but what use is a hard disk if it isn’t connected to anything? TrueCrypt users are still anxiously awaiting new encryption technologies like VeraCrypt.

Security researchers discovered a critical flaw in many Virtual Private Network (VPN) services. VPN software and services are used by many torrent users to protect their identity. The flaw allows a malicious person to obtain the true IP address of a VPN user.

The Readers Digest web site was infected with a variant of the Angler malware and proceeded to infect unpatched visitor computers for about a week before site operators took action. Thousands of Windows computers may have been infected before the site was finally cleaned up.

October Security Roundup

You probably shouldn’t rely on the security of your encrypted email. Even if you’re using current encryption technologies, certain conditions may arise during transit that cause your message to be transmitted in plain text.

There’s a well-reasoned response to a common question about the responsibility of Certificate Authorities over on the Let’s Encrypt blog. These fine folks will soon be providing free HTTPS certificates to the world, so they’ve been answering a lot of questions about how their service will work.

There’s going to be a minor apocalypse, starting January 1, 2016. On that date, Certificate Authorities will stop issuing certificates that use SHA1 encryption. SHA1 is now considered too weak for use, and is being phased out in favour of SHA2, which is much stronger. Just one problem: people stuck using older browser software and devices will lose their ability to access secure web sites and use those devices. There’s more technical nitty-gritty over at Ars Technica.

Symantec hasn’t done enough to clean up its Certificate Authority activities, according to Google. This follows the discovery that Symantec employees were issuing unauthorized certificates. Google has warned Symantec to provide a proper accounting of its CA activities or face the consequences.

A critical vulnerability in the blogging platform Joomla was discovered in October. The bug exists in all versions of Joomla from 3.2 onward. A patch was developed and made available, and anyone who manages a Joomla 3.x -based site is strongly advised to install the patched version (3.4.5) as soon as possible.

It’s increasingly dangerous to be a computer security researcher. New agreements could even make the work illegal in some regions.

Flaws in many self-encrypting external hard drives from Western Digital mean their encryption can be bypassed, according to researchers.

Google made it easier to determine why a site is flagged as unsafe, adding a Safe Browsing Site Status feature to their Transparency Report tools.

Mozilla is following the lead of Google and Microsoft, and plans to all but eliminate support for binary plugins in Firefox by the end of 2016. Binary browser plugins for Java, Flash, and Silverlight provide convenience but are a never-ending security headache. There’s one exception: Mozilla will continue to support Flash as a Firefox plugin for the foreseeable future.

The FBI teamed up with security vendors to take down another botnet in October. The Dridex botnet mainly targeted banking and corporate institutions, gathering private data and uploading it to control servers.

Cisco researchers, working with Limestone Networks, disrupted a lucrative ransomware operation in October.

A stash of thirteen million user names and plain text passwords was recently obtained by a security researcher. The records were traced to 000Webhost, an Internet services provider.

The Patreon funding web site was breached, and private information about subscribers, including encrypted passwords and donation records, was published online. Source code was also stolen, which may make decrypting the passwords much easier.

Researchers discovered numerous iPhone applications that collect and transmit private user information, in violation of Apple’s privacy policies. These apps apparently made it into the App Store because of a loophole in the validation process.

87% of Android-based devices are vulnerable to security exploits. Google develops Android updates quickly enough, but phone makers are typically very slow to make updates available to users.

New Android vulnerabilities, dubbed ‘Stagefright 2.0’ by researchers, were announced in early October. As many as a billion Android devices are vulnerable, and although patches were made available by Google, they may take weeks or months to find their way to individual devices.

A malicious Android adware campaign tricks unwary users into installing apps that appear to be from trusted vendors. These apps use slightly-modified icons of legitimate apps to fool users.

Security & privacy roundup for September 2015

Android made security news in September for a lockscreen bypass hack and a ransomware app designated Android/Lockerpin.A.

Passwords in the leaked Ashley Madison user database became much easier to decrypt, once again reminding us to avoid re-using passwords.

A rogue version of the iPhone development tool XCode was found to have added malicious code to almost 500 legitimate apps. Those apps were published on the Apple App Store, and were subsequently installed by millions of iPhone and iPad users.

In other Apple-related news, a simple bypass for the Gatekeeper process, that protects Mac OS X users from malicious software, was discovered.

This month’s Flash updates prompted Brian Krebs to take another look at Adobe Shockwave. He found that even the most recent versions of Shockwave still contain very out of date versions of Flash, and strongly recommends that you remove Shockwave from all your computers.

A series of exploits against the Imgur and 8chan sites caused little damage, despite their enormous potential. The true goals of the hack are still in question, and the associated vulnerabilities on the affected sites have been fixed.

A researcher discovered several serious vulnerabilities in popular security software from Kaspersky Labs. While there’s no evidence of exploits in the wild, this is rather alarming. Anti-malware software typically has access to core system functionality, making working exploits very valuable to attackers. Kaspersky Labs acted quickly to fix the bugs, but this isn’t the first time security software has been found vulnerable, and likely won’t be the last.

A new botnet called Xor.DDoS is using compromised Linux computers to perform DDoS attacks against a variety of web sites, probably at the request of paying customers. The Linux computers hosting the botnet appear to have been compromised via weak root passwords. So far, most of the targets are in Asia. This marks a shift in platform for botnet developers, which previously focused almost exclusively on Windows.

Security roundup for August 2015

Last month in security and privacy news…

A weakness was discovered in the open BitTorrent protocol, rendering torrent software vulnerable to being used to initiate DDoS attacks. The BitTorrent protocol flaw was quickly updated, and patches for affected software were developed and distributed.

Malvertising continued to spread, most recently affecting popular sites like weather.com, drudgereport.com, wunderground.com, and eBay. Anyone visiting those sites with an unpatched browser may have inadvertently caused their computer to be compromised. Needless to say, the malicious ads were built with Flash.

It was a bad month for Android, as one of the updates released by Google that were intended to fix the Stagefright flaw turned out to be faulty, leaving some devices still vulnerable, and forcing Google back to the drawing board. Security researchers also discovered a flaw in Android’s Admin program that allows apps to break out of the security ‘sandbox’ and access data that should be inaccessible. Two flaws in fingerprint handling were also found in many Android devices, leaving both stored fingerprints and the fingerprint scanner itself vulnerable. And finally, new research exposed the predictability of Android lock patterns, making this particular form of security much less effective.

Lenovo’s hapless blundering continued, with the discovery that many of their PCs were using a little-known BIOS technology to ensure that their flawed, insecure crapware gets installed even when the operating system is reinstalled from scratch. Will these bozos ever learn?

Jeff Atwood reported on a new danger: compromised routers. If an attacker gains control of your router, there’s almost no limit to the damage they can inflict. Worse, there are no tools for detecting infected routers. If your router is compromised, no amount of malware scanning on your network’s computers will help. You’re vulnerable until you realize that the router is the problem and replace it or re-flash its firmware.

Mozilla offered more details on planned changes to Firefox that are expected to improve the browser’s security, stability, and performance. These changes are likely to benefit Firefox users, but will come at a cost: many existing browser add-ons will become obsolete. Add-on developers will be forced to make big changes or retire their software. Certain types of add-ons may not even be possible with the changes Mozilla plans.

In privacy news, the Electronic Freedom Foundation (EFF) released version 1.0 of Privacy Badger, a Chrome and Firefox add-on that blocks tracking mechanisms used on the web. The add-on initially doesn’t block anything, but learns as you browse, detecting cookies that are used on more than one site and blocking them.

And in other EFF news, a new malware campaign uses spearphishing techniques to get targets to visit what is supposed to be an EFF web site but is in fact a source of virulent malware.

Google announced upcoming changes to Chrome that will prevent extension developers from using deceptive practices to trick users into installing their software. Specifically, the ‘inline installation’ process will no longer work for extensions that are associated with these deceptive techniques. This is a good example of a software maker (Google) backing away from a feature that improved usability at the cost of security.

Google also firmed up plans to prevent most Flash media from being displayed by default in Chrome. Flash media won’t be blocked, but users will be required to click on each embedded video before it will play. Google’s official reason for doing this is to improve Chrome’s performance, but the change should reduce the spread of malvertising as well. Of course, Google’s own advertising network still allows Flash-based ads, and those ads will still auto-play. Google’s advice to advertisers is to switch from Flash-based ads to HTML5-based ads, or move to Google’s ad network.

And finally, Ars Technica posted a useful overview and instructions for encrypting your desktop, laptop and mobile devices. Be warned, total device encryption is not for the faint-hearted and comes with certain risks. For example, if you forget to tell your IT person that your hard drive is encrypted and they try to recover your computer from a failure, you may lose everything, even if your data is backed up.