A bad day for Mobile…

Today is turning into a really bad day for the majority of the mobile industry. First I noticed this #EpicFail…

To hack an Android phone, just type in a really long password
http://money.cnn.com/2015/09/16/technology/android-hack/index.html

… and right on its heels came this one:

Hundreds of legitimate iOS apps infected by malware; remove from App Store
http://lifehacker.com/hundreds-of-legitimate-ios-app-store-apps-infected-by-m-1732035828

I notice that Windows Phone hasn’t been mentioned yet; here’s to hoping it stays that way.


It’s time to let USB drives go the way of the Dodo…

… because they are insecure in a fundamental way that currently isn’t defendable or fixable.

UPDATE: I’ve edited the section dealing with alternatives after some further research.

Here’s the background:
Worse yet, you see in Article #2 above that the exploit is IN THE WILD AND FREELY AVAILABLE.
So what are we supposed to do? The alternatives are simple:
  • Use Cloud services.
    – Such as OneDrive, Dropbox, Box, Google Drive, etc.
    – The downside is that you have to be connected and allowed to reach that service to get your files.
  • Use other storage media.
    – The SD card family (standard, mini, micro, etc).
    – The first downside is that SD cards aren’t supported by everything.
    – The second downside is that, hands down, USB is the current ruler of connected media.
    – The third downside is that SD cards also have a controller chip inside and eventually those might be co-opted like the USB controller chips have.
  • Use storage media that has a different physical interface.
    – FireWire is a good example.
    – Unfortunately, the same issue exists here because drives using this cable standard have controller chips too.
  • Use storage media that has no physical interface.
    – WiFi Drives are currently a decent alternative but are not intuitive enough for everybody, and open up a whole different can of worms.
If these things aren’t feasible then you can still purchase brand new drives from “big box” stores (BestBuy, TigerDirect, etc.). Just be aware that you’re potentially in the same boat as if you had an infected USB drive. Infected drives infect the machines they are plugged into, and infected machines infect USB drives that are plugged into them. As of right now there’s simply no “protection” for this type of infection.

Android really ISN’T your friend

It is simply amazing to me that people don’t pay more attention. Case in point, I wonder how many of the devout (yes, that is the word) Android (and in the first case iOS) users know about the following two articles that I saw today…

How Fandango and Credit Karma exposed millions of smartphone users’ data

Apps with millions of Google Play downloads covertly mine cryptocurrency

The first is a clear example of an utterly-reputation-damaging-yet-probably-survivable breach of trust that we’ve seen in the media recently (Target anyone?). Even though the situation and circumstances are different the outcome is the same: they blew it when it came to relatively easy security practices and it’s up to the consumer to make them pay for it.

The second is much more malicious in that someone is willing to most certainly shorten the life of your smartphone to make themselves richer. The onus of this one is on the greed of the app author… but the blame needs to be shared with Google and anyone else who provided the app because of their very-much flawed application certification processes. Although comfortably couched in legalese and corporate rhetoric in their TOS and statements to the media about those apps, at the end of the day they pulled apps that should’ve never been published in the first place.

And let’s not forget this little ditty where Google tries to say that Android is “more secure because it’s open”… if that isn’t round-robin logic I don’t know what is.

Logic Fail #1: Google assumes “people” will review and contribute fixes to the OS. Hmm…. that’s like assuming your neighbors will willingly mow your lawn for you while you’re sitting by the pool drinking lemonade and working on your tan.

Logic Fail #2: Google says that hackers will go where most people are. Hmm… No, it’s been my experience that hackers go where the low-hanging fruit is. I’m not talking about the hacking elite that are trying to change the world; I seriously doubt they even care about this stuff. I’m talking about the script-kiddies and malware cartels that are intent on using you to make them money.

Logic Fail #3: Google says their app certification process is state of the art and that every submitted app is checked for malware. Really? Then how did the two apps Google summarily pulled from the Play Store get there in the first place? And let’s not forget that this ISN’T the first time Google has been to this particular dance… (http://www.bing.com/search?q=google+pulls+malware+apps)

Anyway, I think I’ve ranted long enough.

Please pay more attention to what is real and not the bull the marketers push on you.

Vote with your wallets, people.
