Update your Android Phone NOW

There is a massive Android bug called Stagefright.

It’s being called the biggest Android flaw ever; it affected about 950 million devices.

It even has its own logo.

Hundreds of millions of phones are affected.

Above is a list of vulnerable devices.

That’s Adrian Ludwig, lead engineer for Android security at Google, speaking about Stagefright at Black Hat 2015.

The bug was discovered by Joshua Drake from the Zimperium security firm. He tells FORBES magazine,

“All devices should be assumed to be vulnerable. Only Android phones below version 2.2 are not affected.”

The Attack

It uses MMS (texting). It installs with no user interaction required, which is scary.

An MMS message is sent > it contains a media file > the phone opens the file automatically > this triggers the bug and installs the attacker’s code > the MMS is deleted > no trace of the attack

Watch the attack.

What can Stagefright do?

Turn on both the camera and microphone, and secretly record video and listen to conversations.

A level deeper, it can view photos; read the device’s email, Facebook and WhatsApp messages; access contacts and data; or use the mobile as a jumping-off point into the victim’s cloud applications.

The Defence

Google shut down some functions; that’s why the messenger app stopped auto-loading and thumbnails reverted to static-only. Nexus devices are being updated automatically over the air.

What you can do:

1 – update your phone

2 – disable “auto-fetching in MMS” to stop the media from auto-downloading. How-to here.

3 – never open a photo or video, or click a link, from someone you don’t know

4 – download Zimperium’s Stagefright Detector App for Android Devices
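If you look after more than one Android device, step 1 is easier to act on with a quick triage of what each phone reports. The script below is an added example, not part of the original post or of Zimperium’s detector. It reads build properties in the format printed by `adb shell getprop` (the property names ro.build.version.release and ro.build.version.security_patch are real Android properties; the three device records are constructed samples) and applies the rule quoted above: below 2.2 is not affected, everything else is assumed vulnerable until it carries a recent enough patch level. The 2015-08-01 cutoff is an assumption chosen for illustration, and devices that report no patch level at all are deliberately put in the “update now” bucket.

```python
"""Triage helper for the Stagefright defence list (added example, not the post's code).

Reads `adb shell getprop` style output, constructed samples here, and sorts devices into
'not affected', 'patched' or 'update now'. The patch-level cutoff is an assumption.
"""
from datetime import date
from typing import Optional

FIRST_FIXED_PATCH_LEVEL = date(2015, 8, 1)  # assumption: first patch level treated as fixed
FIRST_AFFECTED_VERSION = (2, 2)             # from the post: versions below 2.2 are not affected


def parse_version(release: str) -> tuple:
    """Turn '5.1.1' or '4.4W' into a comparable tuple of ints.

    Non-numeric suffixes such as the 'W' in '4.4W' are dropped; a release with a
    single component is padded so that (2,) compares as (2, 0).
    """
    parts = []
    for piece in release.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 2:
        parts.append(0)
    return tuple(parts)


def parse_patch_level(value: Optional[str]) -> Optional[date]:
    """Parse 'YYYY-MM-DD' from ro.build.version.security_patch; None if absent or garbled."""
    if not value:
        return None
    try:
        year, month, day = (int(x) for x in value.strip().split("-"))
        return date(year, month, day)
    except ValueError:
        return None


def parse_getprop(output: str) -> dict:
    """Parse getprop lines of the form '[key]: [value]' into a dict; other lines are ignored."""
    props = {}
    for line in output.splitlines():
        line = line.strip()
        if not (line.startswith("[") and "]: [" in line and line.endswith("]")):
            continue
        key, _, value = line[1:-1].partition("]: [")
        props[key] = value
    return props


def classify(props: dict) -> str:
    """Return 'not affected', 'patched' or 'update now' for one device's properties."""
    release = props.get("ro.build.version.release")
    if not release:
        return "update now"  # unknown version: follow the post and assume vulnerable
    if parse_version(release) < FIRST_AFFECTED_VERSION:
        return "not affected"
    patch = parse_patch_level(props.get("ro.build.version.security_patch"))
    if patch is not None and patch >= FIRST_FIXED_PATCH_LEVEL:
        return "patched"
    # No patch-level property (builds before 6.0 never report one) or an old one:
    # treat the device as vulnerable until it is updated.
    return "update now"


# Constructed sample: three devices' getprop output (not real inventory data)
SAMPLE_DEVICES = {
    "old-tablet": "[ro.build.version.release]: [2.1]\n",
    "nexus-5": "[ro.build.version.release]: [6.0]\n"
               "[ro.build.version.security_patch]: [2015-11-01]\n",
    "unpatched-phone": "[ro.build.version.release]: [5.1.1]\n",
}


def triage(devices: dict) -> dict:
    """Map each device name to its verdict."""
    return {name: classify(parse_getprop(out)) for name, out in devices.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_DEVICES).items():
        print(f"{name}: {verdict}")
```

To use it against real phones, replace the constructed strings with the output of `adb shell getprop` for each device; anything that lands in “update now” is the list to chase for an OTA update.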

Further reading – Zimperium’s blog post

From Black Hat 2015

Blog tag = Black Hat


Facebook is Copying your Contacts

Finally upgraded my phone, and with it all apps, including Facebook Messenger, which really wants access to my contact list.

“Your contacts will be continuously synced with our servers.”

No no, and if you have little dossiers attached to a contact, bet those are copied too.

The app is aggressive, and about every 12th use it prompts.

Now begins the game of “it’s one slip of the finger and I accidentally hit okay…”

Then what, turn my phone off? That takes seconds; it’s likely done hoovering the list by now, or it will just pick up where it left off when the phone is turned back on.

Do you have a hard copy of your contact list?

Saved on a USB that’s tucked away safe?

How would you find your loved ones if you lost access to your account? Everything’s in the cloud and it fails? If your only copy of your contacts is stored in Facebook, please leave my blog.

Maybe it’s me. Maybe just give Facebook everything it wants, forget this all, and look at my new coat.

Blog tag = Facebook


My Photos of Vegas will Bore You

A lump of blah – view from my room, my cab driver and I laughing our guts out, a BigMac.

I had a great trip, it just doesn’t translate in the photos.

I don’t like this city – the level of excess, how people turn up their inner d-bag, the level of entitlement. The irony is the size of the blog tag Vegas (30).

It’s bad form to take photos at the conference (why).

Actually, aside from that steak photo, the only pic of me all week is this selfie.

Like any good gambler, I’m only showing you my wins.

The Black Hat NOC – Network Operations Centre.

Spotted on the vendor floor.

The arrow is pointing at a blinking light, which is what made me stop, which is what the booth guy said makes everyone stop, which we laughed about because how ridiculous is that – one little light!

Another vendor – give your email and get to smash computers.

The Rapid 7 party.

You’ve seen that name; I use them for my home entertainment system.

To conclude, here are the new headers.

Blog tag = headers