Android Security: Number Track Lock

Smartphones, especially Android devices, have drastically grown in popularity throughout the last decade or so. It seems like everyone has one these days, using them to browse the web, take pictures, write notes, send messages, and much more, all from the palm of our hands. The problem with having such powerful handheld devices, though, is that they are easily stolen or tampered with if left unattended. With the amount of information we access and store on them, it is critical that they remain secure.

While many phones have lock screens that require a PIN or a certain swipe pattern in order to unlock, many people choose to disable them for ease of access. Needless to say, this is a bad idea. Even if these measures are enabled, it is still easy for an attacker to look over a victim’s shoulder while they are unlocking their phone and quickly deduce the pattern they’re entering; if the attacker cannot see the phone, oil from the user’s fingers can reveal where they’ve made contact with the screen. While they sometimes deter casual snoops, these locking methods aren’t very effective against better prepared attackers.

This is where apps such as Number Track Lock come in. Number Track Lock uses a standard numbered keypad and PIN swipe system, but randomizes the position of the numbers each time the unlock screen is accessed. Because the layout changes on every unlock, shoulder surfing becomes harder and the smudges left by the user’s fingers no longer reveal the passcode. This is no end-all security app, but it does allow users to take an easy, yet effective, first step in securing their Android devices.

Diebold E-Voting Machines Exploited

In a turn of events reminiscent of the 2004 presidential elections, Diebold has once again supplied our government with laughably insecure voting machines. Their new model, the AccuVote TS, has been cracked using off-the-shelf computer hardware costing $10.50. “Anyone with an eighth grade education could construct the cards using standard tools and off-the-shelf components,” say researchers. When assembled, the small cards can be inserted between the touch screen and the microprocessor, allowing them to modify the information being sent between the two.

With another $15 or so, the attacker can also include hardware that allows him or her to remotely access the machine from up to half a mile away. The only problem with these attacks, however, is that the attacker has to physically install the card in every machine. Although installation doesn’t take long, access still has to be obtained. If the machines were stored securely in the time before the election, it would be a lot more difficult to pull off this type of attack, but many are simply left to sit out in the voting area for long stretches before the ballots are cast. In addition, Diebold’s machine is all-electronic and lacks physical paper printouts of the ballots, making it even harder to audit.

Exposing the insecurity of these machines is a step in the right direction, but our government really needs to take this information and either secure or restructure our voting system. Our President should be elected by the people, not by crooks who exploit the system and pull wool over the people’s eyes. It’s been two terms since the last major e-voting scandal and it looks like they’re heading for another one.

Source: http://www.theregister.co.uk/2011/09/28/diebold_electronic_vote_tampering/

Exif Data, Social Networking, and You

EX: GPS location tagging on campus

Ever since the dawn of the cellphone, device manufacturers and service providers have poured billions of dollars into the development of new, unique gadgets to capture the attention and paychecks of the public. This corporate arms race has led to many fantastic developments in handheld technology, rapidly evolving simplistic and bulky mobile telephones into the multitasking powerhouses that we carry today. Modern day smartphones can retrieve email, browse the web, play media, run games, and more, all in a package that fits in the palm of your hand. Recently, this advancement has largely included social networking tools, allowing anyone to broadcast thoughts and information to untold numbers of people around the globe simply by tapping a few keys on their phone.

Unfortunately, the exponentially increasing complexity and feature set of such phones has led to a decrease in their security. Many of these devices are equipped with small cameras, perfect for snapping a quick picture to share with friends via sites like Facebook. What many people don’t realize, though, is that every time they capture an image, their phone is capturing a plethora of other information and including it in that image file. This information is called Exif data. Exif, or the exchangeable image file format, is a standard that specifies the formats for any images, videos, or audio recordings made on modern digital devices. While it includes a lot of harmless data, such as ISO speed, focal length, and resolution, it also records the make and model of the device, timestamp, and potentially GPS coordinates of the shot.

These details present two large security risks. First, including the make and model of the device makes it easy for any potential digital attackers, as once they have that information they can start looking for exploits specific to that product. Second, and in my opinion more importantly, the location information and timestamp included in the image can be immensely useful to any physical attackers. By reading the Exif data of an image, they can potentially tell what you’re doing, when you were doing it, and where it was happening.

By posting these images to social networks, potentially everyone has access to these details. Granted, privacy settings can restrict some access, but anything posted to the internet can be copied and distributed with minuscule amounts of effort. Friends’ accounts can be compromised, the image may be reposted by someone else, or an associate may even turn out to be malicious. Next time you post an unfiltered image from your smartphone or other device, think first. Do you really want to reveal this much information?