Security Risks of Smartphones


In today’s society, having an iPhone, a Droid, or any other smartphone is nowhere near as uncommon as it was in previous years. Popular with preteens, college students, and even retirees, smartphones are taking over social media and are beginning to control our lives. All you have to do is look around to realize how mainstream smartphones are today. Due to the huge increase in smartphone usage, along with the amount of personal information stored on them, smartphones are major targets for security breaches, a risk that many people are unaware of.

Smartphones are becoming more and more popular because they are easy to use and put everything you can possibly imagine at your fingertips. Smartphones are commonly used for mobile banking and for checking other online accounts and, although these uses sound like they would be extremely beneficial, they are in fact very harmful to your personal security.

Unlike desktop computers, smartphones do not have the advantage of antivirus software, which makes them much more vulnerable to being targeted by hackers. With so much valuable information lying around, it would be stupid for a hacker looking to make money to completely overlook the smartphone revolution. Everyone’s information is just lying around, waiting to be stolen. If a hacker really wants to, they can easily steal your banking information and any other information that you have accessed on your mobile device, sometimes without you even knowing.

Steps to make your smartphone safer:

- use a PIN on your phone

- stay away from sketchy wireless networks

- be careful when using Bluetooth

- only use trusted applications

A CNN article about cyberattacks on smartphones, September 17, 2012: http://money.cnn.com/2012/09/17/technology/smartphone-cyberattack/index.html

8 Steps to make your smartphone safer

http://www.bullguard.com/bullguard-security-center/mobile-security/mobile-protection-resources/8-ways-to-keep-your-smartphone-safe.aspx

Anonymous – A Brief History

With the amount of time they have spent on the news over the last 18 months, I think it is safe to assume that we all know about Anonymous. However, how many people really understand how Anonymous was first created? I figured that because we all understand online culture in our own way, and maybe some of the students in this class understand more than others. At the bottom of this posting I will be listing a few websites and blogs that you can follow if you wish to keep a closer eye on Anonymous after reading this post.

To start this story off I will have to take you all back to the year 2003, and an old-school blog/image board called 4chan. When 4chan was first created by Christopher Poole, he intended it to be a place where American teens would be able to congregate to talk about Japanese anime and post messages and images anonymously.

The reason Anonymous has proven to be a powerhouse on the World Wide Web is the fact that they have no real structure that can be attacked. Think of the group as a living organism that takes on new members and loses members in the same manner that the human body creates and loses cells. Anonymous members have the ability to do whatever they want within the group, and because there is no leadership in the traditional manner, when members are arrested there is no slowdown in the movement.

The ideology of this organization is something that a lot of online users and legal groups have spent a lot of time talking about because of the many things that the group has taken part in. One thing you need to keep in mind is the lack of true leadership. Because the group has no leaders, there is not going to be one set of ethical beliefs that will dictate the actions of the group. That is why you have heard about Anonymous attacking government organizations, financial organizations, and even racist websites.

I first started hearing about Anonymous in 2010 because of the controversy over the website WikiLeaks. WikiLeaks came under attack by the United States because of the information that was posted, and the U.S. influenced the financial institutions PayPal, Visa, and MasterCard to the point of freezing WikiLeaks' accounts. Anonymous took it as a personal attack on people’s freedom to free information, and ended up using a Distributed Denial of Service (DDoS) attack to the point that it crashed their websites.

By Robert Tanner

The blog below showcases almost everything Anonymous has done to date, or is planning to do in the near future.

Website/blogs:

http://anonops.blogspot.com/

http://www.4chan.org/

Carrier IQ

About a month and a half ago it was revealed that there has been tracking software pre-installed on over 141 million cell phones. The software, designed by Carrier IQ, is responsible for recording and reporting metrics to your phone carrier. This discovery forces a dialogue about the trust relationship that is established between customers and their carrier, and about exactly how the carrier treats the information that is being stored. There have been many allegations about what exactly is being tracked by the software, some true and some more along the lines of half-truths.

As it turns out, Carrier IQ was intended to be a utility that allows a carrier to intelligently diagnose network and phone issues that a customer might be experiencing. For example, prior to the development of Carrier IQ, a carrier might only be detecting that 1 out of every 100 phone calls being placed on their network is being dropped, when in reality it might be much closer to 8 or 9 calls out of those 100 placed. This disparity between the actual numbers and the ones being recorded by the carrier allowed Carrier IQ to see a possible use case, and it ended up meeting the needs of the carrier.

They haven’t explicitly admitted everything they track, but have specifically said that they track call drops correlated with GPS information, SMS information, web history and application/CPU usage.

Carrier IQ has made an effort to draw a line in the proverbial sand between what they do and do not want to collect from users. They say that they don’t collect any content, whether it be what was actually sent in an SMS text message or the contents of a webpage that you access. They do, however, track the metadata for your activity; this includes who you sent your SMS message to and whether it was successfully sent. The same can be said about your web history: they are tracking the URLs being accessed, not what is actually being displayed on your screen.

Carrier IQ thinks that what they are collecting is harmless to the consumer, but a debate is now forming on what type of information should be okay to track and what really shouldn’t be. Carrier IQ has stated that they don’t capture the content of what the user is doing. Content is really an ambiguous term. Carrier IQ might not consider my URL history to be a private matter. I consider pretty much all of my usage history, sans maybe CPU utilization, to be a private matter (no matter how mundane my life really is). It’s something that really shouldn’t exist in a database somewhere, ready to be hacked, subpoenaed or looked at by a rogue employee who has decided that they want to know more about me. What becomes even more disconcerting is that this information is being tracked even while I am out of the country, on a Wi-Fi network not even connected to their cellular network.

Who knows, maybe I’m just being a paranoid parrot. Maybe no one really cares anymore about their privacy; it has been said by numerous individuals that “Privacy is dead – get over it.” I for one don’t like it and I think I’ll take my ball and go home. In all seriousness though, this software really should be industry vetted to make sure that it cannot be exploited by malicious individuals, and it should be established exactly what information each carrier is tracking and for how long. This would allow consumers to identify what tabs the carriers are keeping on their customers, which I’m sure most consumers won’t like, and allow free market forces to stifle the ones being overexuberant with this tracking technology.

http://www.theverge.com/2011/12/5/2609662/carrier-iq-interview

http://www.wired.com/threatlevel/2011/11/rootkit-brouhaha/

http://www.edition.cnn.com/2011/12/02/tech/mobile/carrier-iq-reactions/


Clickjacking

Clickjacking seems to be going on a lot lately; you may have heard of it with the whole Facebook attack going on right now. Many people are victims of Clickjacking attacks, and it’s a hard attack to detect. Many times it happens in the background without the user ever knowing. So what is Clickjacking? Well, just check Wikipedia; it’s a good enough description. http://en.wikipedia.org/wiki/Clickjacking

Simply put by wired.com

Clickjacking, put simply, is when a button, image, video, or some form of embedded content on a website is overlaid by an invisible layer that sits on top of the site underneath it.

Wired.com also had a fairly good example explanation:

For instance, you may see a page with a movie embedded on it. You want to watch the movie, so you click on the play button. You don’t think twice about it — you’ve done it a million times. Meanwhile, a hacker has superimposed an invisible web page over the movie. It just so happens that a button allowing access to your camera and microphone has been placed over the movie’s play button. Now, when you think you’re playing the movie, you’re actually permitting the hacker to access your video camera and microphone.

So your click on something that isn’t what it seems to be causes bad things to happen, usually without you knowing. So how do you prevent it?

Keeping your browser and Flash Player up to date is the first step. Instead of repeating the rest of the information that’s already on the internet, here’s a link that will give you some tips:
http://howto.wired.com/wiki/Prevent_Clickjacking_Attacks#Upgrade_Flash_Player

Hopefully this information will help people who haven’t heard about Clickjacking yet. For those who have, hopefully all of you, this is just a reminder to make sure you’re secure.
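The tips above are for the person browsing; on the site owner's side, the invisible-overlay trick only works if the page allows itself to be loaded inside someone else's frame. As an added example (not part of the original post, and going beyond its user-side advice), this sketch audits a response's headers for the two standard anti-framing controls, `X-Frame-Options` and the CSP `frame-ancestors` directive. The function names and the three verdict labels are assumptions made for the illustration.

```python
# Added example: classify a response's anti-framing headers.
# Verdict labels ("exposed", "restricted", "protected") are this example's own.
RANK = {"exposed": 0, "restricted": 1, "protected": 2}

def _frame_ancestors_verdicts(csp_value):
    """Yield one verdict per CSP policy that carries a frame-ancestors directive."""
    for policy in csp_value.split(","):        # several policies may be comma-joined
        for directive in policy.split(";"):
            parts = directive.split()
            if len(parts) < 2 or parts[0].lower() != "frame-ancestors":
                continue                       # other directive, or an empty one
            sources = [s.lower() for s in parts[1:]]
            if sources == ["'none'"]:
                yield ("protected", "frame-ancestors 'none'")
            elif any(s in ("*", "http:", "https:") for s in sources):
                yield ("exposed", "frame-ancestors allows any origin")
            else:
                yield ("restricted", "frame-ancestors " + " ".join(sources))
            break                              # first occurrence in a policy wins

def framing_policy(headers):
    """Return (verdict, reason) describing who may embed this response in a frame."""
    h = {k.lower(): v for k, v in headers.items()}
    verdicts = list(_frame_ancestors_verdicts(h.get("content-security-policy", "")))
    if verdicts:
        # frame-ancestors supersedes X-Frame-Options; with several policies every
        # one must allow the embed, so the strictest verdict decides.
        return max(verdicts, key=lambda v: RANK[v[0]])
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return ("protected", "X-Frame-Options: DENY")
    if xfo == "SAMEORIGIN":
        return ("restricted", "X-Frame-Options: SAMEORIGIN")
    if xfo:
        # ALLOW-FROM is obsolete and ignored by current browsers
        return ("exposed", "unsupported X-Frame-Options value: " + xfo)
    return ("exposed", "no anti-framing header")
```

A page that handles logins, payments or permission prompts and comes back "exposed" can be wrapped in an invisible frame by any other site.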

 

 

 

 

Android Updates taking too long?

Through some searching online and reading multiple articles I found that many users are not on the latest Android version. This can obviously be seen as a security problem. As with many different kinds of software, updates often include important security fixes. I doubt Android is any different. Although phones are shipped with a fairly recent version of the Android OS, the problem seems to be with how long it takes before the user even gets an update to the latest version. It can be a long process before the provider offers the update to its users. An article on Computerworld explained it better:

Google releases code that is in turn adapted by hardware manufacturers, and that in turn is adapted by various service providers. The software release latency from Google to device is long in the best of situations, and insurmountably long in many others.

With smartphones becoming some of the more popular devices to target for attacks, I feel this long process for updates could soon become a big issue, that is, if it’s not already.

http://www.computerworld.com/s/article/9221844/Kenneth_Van_Wyk_The_security_implications_of_being_stuck_with_an_old_Android_OS

New WordPress security vulnerability through Timthumb

WordPress is a very popular blogging tool that’s used by 14.7% of Alexa’s top 1 million web pages, and it’s of course the same tool we use to write these posts. Because of its widespread use and popularity, it finds itself coming under attack pretty frequently.

One of the more recent attacks on it exploits the PHP script for Timthumb, a tool for image cropping and resizing. The attack works by mimicking a GIF image using fake header data. This confuses intrusion detection and prevention systems by making them think it’s an image file, so they ignore it. In reality, though, it’s a zip carrying malicious code. The attackers then obfuscate it further by encoding it and compressing it multiple times so that it can only work when decoded and uncompressed in the correct order.

The payload of this attack is usually some sort of code that opens up a backdoor on the server hosting the site. From there attackers can do what they want with the server, and that usually means making it part of a botnet.

This attack also goes beyond just WordPress because Timthumb is a common PHP script that’s used in many other applications too.

For protection against this attack, users can disable remote images or get further protection through something like Timthumb Vulnerability Scanner.

http://blog.spiderlabs.com/2011/11/wordpress-timthumb-attacks-rising.html
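A filter that trusts the first six bytes is what the fake GIF header described above relies on. As an added example (not code from the original post or from Timthumb), this sketch walks the whole GIF block structure instead, so a file that only carries the signature fails and anything appended after the image trailer is flagged. The marker list, function names and finding labels are assumptions, and both sample byte strings are constructed for the illustration.

```python
# Assumed marker list for the example; a real deployment would tune it.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"base64_decode(", b"gzinflate(")

class NotAGif(ValueError):
    """Raised when the bytes do not follow the GIF block layout."""

def _skip_sub_blocks(data, pos):
    """Advance past length-prefixed sub-blocks up to and including the 0 terminator."""
    while True:
        if pos >= len(data):
            raise NotAGif("truncated sub-block chain")
        size = data[pos]
        pos += size + 1
        if size == 0:
            return pos

def gif_end_offset(data):
    """Walk header, colour tables and blocks; return the offset just past the trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise NotAGif("bad signature")
    if len(data) < 13:
        raise NotAGif("truncated screen descriptor")
    pos = 13
    if data[10] & 0x80:                        # global colour table present
        pos += 3 * (2 << (data[10] & 7))
    while pos < len(data):
        kind = data[pos]
        pos += 1
        if kind == 0x3B:                       # trailer
            return pos
        if kind == 0x21:                       # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif kind == 0x2C and pos + 9 <= len(data):   # image descriptor
            if data[pos + 8] & 0x80:           # local colour table present
                pos += 3 * (2 << (data[pos + 8] & 7))
            pos = _skip_sub_blocks(data, pos + 10)    # descriptor + LZW code size
        else:
            raise NotAGif("unexpected block 0x%02x" % kind)
    raise NotAGif("no trailer")

def inspect_upload(data):
    """Return a list of findings for bytes that claim to be a GIF; empty means clean."""
    findings = []
    try:
        if gif_end_offset(data) != len(data):
            findings.append("trailing-data")
    except NotAGif:
        findings.append("invalid-gif")
    if any(marker in data.lower() for marker in SCRIPT_MARKERS):
        findings.append("script-marker")
    return findings

# Constructed samples: a minimal 1x1 GIF, and a GIF signature followed by a harmless stub.
SAMPLE_GIF = b"GIF89a" + bytes.fromhex("01000100800000000000ffffff2c0000000001000100000202440100" "3b")
FAKE_GIF = b"GIF89a" + b"<?php /* constructed placeholder, no payload */ ?>"
```

`inspect_upload(FAKE_GIF)` reports both an invalid structure and a script marker, while the same stub appended to `SAMPLE_GIF` parses as a GIF but is caught as trailing data.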

Facial recognition on Android 4.0 has some bugs

Android 4.0, a.k.a. Ice Cream Sandwich, has a new feature that will allow you to unlock the phone using facial recognition. If you prefer security over convenience, though, you should try not to use this new feature.

As seen in a video created by a mobile blog, the face unlock feature can be fooled by showing it an image of the face used to set up the locking mechanism. You can do this by taking a picture with one phone and holding it up to another to try to fool the unlock feature.

A Google representative has stated that it is considered a low-security and experimental way of locking your phone, and the interface warns users that face unlock is less secure than a pattern, PIN, or password and that someone who looks similar to you could unlock your phone.

So this poses the question: do I use this new feature because of the ease of use and the convenience, even though it has been shown that it has weaknesses and vulnerabilities? Google has said that they have started looking into the problem and that, because Android 4.0 has not been released yet, they are still working out the experimental system.

The False Rumor

The way information travels has continually advanced as time has passed. At first there were letters, then there was radio and television, and in the present day we have the Internet. With each technological advancement the speed at which this information travels has increased exponentially, especially today. Therefore, any sort of news spreads quite quickly. According to an article at HomelandSecurityNewsWire.com, “social media sites have proven useful in quickly disseminating information, and raising awareness during disasters or disease outbreaks.” However, the only problem with information passing in this manner is that it can be a “double-edged sword” because any number of times this new information could just be a false rumor or false information in general. This can be especially troubling in the case of news about epidemics, natural disasters, and the like.

Info obtained from: http://www.homelandsecuritynewswire.com/social-media-double-edged-sword-epidemics

Don’t assume you’re safe playing in the sandbox

Very basically, sandboxing, for those of you who don’t know, tries to control the rights of an application through permissions, or entitlements as Apple calls them, so that it doesn’t automatically have full control over the whole computer or smartphone. Sandboxing, however, gives the user a false sense of security “by implying that apps which run in a sandbox are automatically not malicious – which simply is not true.” On top of that, the majority of malware does not get onto a device through applications but rather through “drive by downloads”; again, basically, surfing the wrong place. Another downfall of the sandboxing method of “protection” is that most users slide right past the permissions part of installing an application and simply click ‘ok’ to everything. Furthermore, in the Android market the applications are not curated or vetted (examined by someone to make sure they’re safe), so a developer could install nearly anything within an application. Don’t think you’re safe if you use an iPhone, however… even with the scrutiny there are still major holes.

You think I’m blowing smoke up your… app… then just watch this video.

http://www.youtube.com/watch?v=ynTtuwQYNmk&feature=player_embedded

I could go on with my views about smartphone apps and malware but you’d be better off reading this article for yourself. Honestly I think anyone that either has a smartphone or is interested in security should definitely read it.

http://www.guardian.co.uk/technology/blog/2011/nov/08/sandboxing-malware-failure

Black Boxes in Personal Vehicles

It is virtually impossible to buy a car these days without it containing at least one computer system. Cars are now being equipped with black boxes which monitor your driving, such as brake application, steering, etc. Information which is collected by the car could be used in a court of law, and essentially your car could be used to ‘testify against you’.

I know that they have been installing black boxes inside fire trucks, and they log everything that happens when the truck is turned on, such as its speed, applying brakes, and whether or not everyone’s seat belts are buckled while it’s in motion, but I didn’t think they would start to put them into personal vehicles.

I think that it’s interesting that they are implementing black boxes in cars. It is scary to think about the amount of information that could be collected about an individual regarding where they drove, how fast they were driving, and how it could be used. Other than using it for motor vehicle accidents, the information could potentially be used for many other types of crimes as well.

Source:
http://openchannel.msnbc.msn.com/_news/2011/11/11/8743687-digital-evidence-becoming-central-in-criminal-cases