Posts Tagged ‘Android’

Samsung Galaxy phones, LastPass, and purging online databases

Posted: June 17, 2015 by IntentionalPrivacy in Cell phone, Password need-to-knows, Security Breach, Tips
Tags: , , , , , , ,

As I do almost every day, I was looking through security news this morning. An article by Graham Cluley about a security issue—CERT CVE-2015-2865 —with the SwiftKey keyboard on Samsung Galaxy phones caught my eye. The security issue with the keyboard is because it updates itself automatically over an unencrypted HTTP connection instead of over HTTPS and does not verify the downloaded update. It cannot be uninstalled or disabled or replaced with a safer version from the Google Play store. Even if it is not the default keyboard on your phone, successful exploitation of this issue could allow a remote attacker to access your camera, microphone, GPS, install malware, or spy on you.

Samsung provided a firmware patch early this year to affected cell phone service providers.

What to do: Check with your cell phone service provider to see if the patch has been applied to your phone. I talked to Verizon this morning, and my phone does have the patch. Do not attach your phone an insecure Wi-Fi connection until you are sure you have the patch—which is not a good idea anyway.

~

An interesting article in Atlantic Monthly discusses purging data in online government and corporate (think insurance or Google) databases when it is two years old, since they cannot keep these online databases secure. I can see their point, but some of that information may actually be useful or even needed after two years. For instance, I would prefer that background checks were kept for longer than two years, although I would certainly like the information they contain to be secured.

Maybe archiving is a better idea instead of purging. It is interesting option, and it certainly deserves more thought.

~

Lastly, LastPass: I highly recommend password managers. I tried LastPass and it was not for me. I do not like the idea of storing my sensitive information in the cloud (for “cloud” think “someone else’s computer”), but it is very convenient. Most of the time, you achieve convenience by giving up some part of security.

LastPass announced a breach on Monday –not their first. They said that “LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”

For mitigation: They have told their user community that they will require verification when a user logs in from a new device or IP address. In addition,

  1. You should change your master password, particularly if you have a weak password. If you used your master password on other sites, you should change those passwords as well.
  2. To make a strong password, make it long and strong. It should be at least 15 characters—longer is better—contain upper- and lowercase letters, digits, and symbols. It should not contain family, pet, or friend names, hobby or sports references,  birthdates, wedding anniversaries, or topics you blog about. Passphrases are a good idea, and you can make them even more secure by taking the first letter of each word of a long phrase that you will remember. For example:

    I love the Wizard of Oz! It was my favorite movie when I was a child.

    becomes

    IltWoO! IwmfmwIwac$

    Everywhere a letter is used a second time, substitute a numeral or symbol, and it will be difficult to crack:

    IltWo0! 1>mf3wi<@c$

  3. When you create a LastPass master password, it will ask you to create a reminder. Let’s say you took your childhood dog’s name, added the number “42,” and the color “blue” because he had a blue collar to make your new master password: osC@R-forty2-Blew! If your reminder is “dog 42 blue,” your password could be much easier to crack. Maybe you even talked about Oscar in a Facebook post. So again, do not use a pet’s name in your password. Then put something in for the reminder that has no relation to your password: “Blank” or “Poughkeepsie” for instance.
  4. Keep your master password someplace safe. Do not leave a copy in clear text on your phone or your computer or taped to your monitor. Put it in a locked drawer or better—your safe deposit box.
  5. Back up your password database periodically to a device you store offline, and printing the list and storing both the printout and the backup in a sealed envelope in your safe deposit box is a good idea as well.
  6. Use two-factor authentication. If you don’t know anything about it, this Google account article will explain it.

Malware and free download sites

Posted: January 21, 2015 by IntentionalPrivacy in Financial vulnerabilities, First Steps, Tips
Tags: , , , , , , , , , , , , , , ,

A friend of mine called me for help after she started getting pop-ups every time she opened her web browser. She asked me how her computer got into this mess. While I could not pinpoint an exact cause (no log files), I suspect she downloaded crapware with a software installation she trusted.

She also wanted to know why anyone would want to inflict this malware on her computer. The answer is simple: Money.

So what can you do to avoid this problem? The consensus advice is to only download programs from a trusted source. Ok! That’s great advice! But what is a “trusted source”?

HowToGeek.com explains in “Yes, Every Freeware Download Site Is Serving Crapware” that all the major free download sites–Tucows, CNET Downloads / Download.com, FileHippo, SnapFiles, MajorGeeks, and yes, even SourceForge–include adware and even malware with their installers. While some sites are better than others about telling you what they’re including and about allowing you to uncheck those additions, they all do it.

What to do instead? Go to the developer’s website and download from there. And support those software authors that do not include crapware by donating to support their development work.

Other steps to take:

  • Back up regularly (at least once a week or oftener), then disconnect the media. Test your backups by periodically restoring a file. I also recommend alternating backup media to offsite storage, such as a safe-deposit box. Backup media–just like any other technology–can break, become corrupted, get lost or stolen.
  • If you back up to a  cloud provider, your back ups can become unavailable if their storage media becomes unavailable for any reason, so use physical backup media as well.
  • On Windows systems, set System Restore Points.
  • Change your IMPORTANT passwords as soon as you can from a computer that is not infected. Use a unique, strong password for each site.
  • Can’t remember all those passwords? Use a password manager. Note: Do NOT lose this password! I use the Professional versions of KeePass and Portable KeePass, and KeePass2Android (available from Google Play), but cloud-based LastPass is also very popular. (LastPass is more convenient, but I am leery of cloud-based services for availability reasons.)

If you have recent back-ups and your files get locked by a version of CryptoLocker / CryptoWall, you may not have to pay to get your files back (depending on how recent your backups are).

For an interesting read, check out Kaspersky’s 2014 Trends in the Internet Security Industry.

Trading convenience for security

Posted: December 22, 2014 by IntentionalPrivacy in Tips
Tags: , , , ,

These are some great tips from Gary Miliefsky at SnoopWall. You can either watch his video or read the interview. I just installed his SnoopWall Privacy app on my Android phone. I’ll let you know how it goes!

Flash!

Posted: February 8, 2013 by IntentionalPrivacy in Browser Vulnerabilities, Identity theft, Vulnerabilities
Tags: , , , , ,

Ok, now Adobe has released a security update for Flash, which applies to Flash versions for Windows, Macintosh, Linux, and Android operating systems, as well as Google Chrome and Internet Explorer browsers.

  • The version you should be running for Windows and Mac is Adobe Flash Player 11.5.502.149.
  • Linux users should update to Adobe Flash Player 11.2.202.262.
  • If you’re using Google Chrome as your browser, it should automatically update to the latest Chrome version. Chrome’s latest version runs Adobe Flash Player 11.5.31.139 for Windows, Macintosh and Linux.
  • If you’re using Internet Explorer 10 on Windows 8, it will automatically update to the latest version of Internet Explorer, which includes the latest version of Adobe Flash Player, 11.3.379.14 for Windows.
  • Android 4.x devices should be running Adobe Flash Player 11.1.115.37.
  • Android 3.x devices should be running Adobe Flash Player 11.1.111.32.

How to keep up with all these security updates? You have several choices.

  • Sign up for US-CERT email bulletins and follow the instructions.
  • Run Secunia PSI and set it to check for updates weekly.
  • Set Adobe and Java to send you updates automatically. Java will ask you questions; make sure you check for any obnoxious add-ons before you click ok.

In the Adobe security bulletin about this Flash vulnerability that you can read at http://www.adobe.com/support/security/bulletins/apsb13-04.html, Adobe recommends that you verify the version of Flash running on your device.

  • To verify the version of Adobe Flash Player installed on your system, access the About Adobe Flash at http://www.adobe.com/software/flash/about/, or right-click on content running in Flash Player and select “About Adobe (or Macromedia) Flash Player” from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
  • To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.