Update your Android Phone NOW

There is a massive Android bug called Stagefright.

It’s being called the biggest Android flaw ever; it affected about 950 million devices.

It even has its own logo.

Hundreds of millions of phones are affected.

(Image: a list of vulnerable devices.)

That’s Adrian Ludwig, lead engineer for Android security at Google, speaking about Stagefright at Black Hat 2015.

The bug was discovered by Joshua Drake from the Zimperium security firm. He tells FORBES magazine,

“All devices should be assumed to be vulnerable. Only Android phones below version 2.2 are not affected.”

The Attack

It uses MMS (multimedia texting) and needs no user interaction at all, which is the scary part.

An MMS message is sent > it contains a malicious media file > the phone processes it automatically > that triggers the bug and runs the attacker’s code > the MMS is deleted > no trace of the attack

Watch the attack.

What can Stagefright do?

Turn on both the camera and microphone, and secretly record video and listen to conversations.

A level deeper, it can view photos; read the device’s email, Facebook and WhatsApp messages; access contacts and data; or use the phone as a jumping-off point into the victim’s cloud applications.

The Defence

Google shut down some functions; that’s why the Messenger app stopped auto-loading media and thumbnails reverted to static-only. Nexus devices are being updated automatically over the air.

What you can do:

1 – update your phone

2 – disable “auto-fetching in MMS” to stop the media from auto-downloading. How to here.

3 – never open a photo or video, or click a link, from someone you don’t know

4 – download Zimperium’s Stagefright Detector App for Android Devices 

Further reading – Zimperium’s blog post

From Black Hat 2015


About the HeartBleed Vulnerability

What is it

It is not a virus; it’s a bug in OpenSSL, the encryption library behind a large share of HTTPS websites. It is potentially the largest vulnerability in the history of the internet, affecting an estimated two-thirds of secure websites worldwide.

Heartbleed is:

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

As security expert Bruce Schneier says “‘catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.”

Very basically – an attacker can move in and out, stealing sensitive data and passwords, and leave zero trace.

Sites that show the little lock icon in the URL bar, meaning they use HTTPS (like email, Facebook or banking), are what’s affected.

Learn More

Mashable – here / Bruce Schneier – here / Heartbleed site here

Check if Your Site is Vulnerable

Here – Filippo.io

What to do

Everyone: change your password on any site that may use OpenSSL. Mashable has a list of affected sites here.

Small Business Owners: you need to call your IT guy now. Now. If you are taking credit cards, or any sensitive or private data, you have a responsibility to protect your customers who have trusted you.

Judging eyes :|

A Rant

This Shangri-lala land we’re living in will soon end, maybe with a massive, worldwide compromise, that will force us to change the way we conduct ourselves online. One day, you’ll tell your grandchildren of a time when people’s passwords were all the same.

This Heartbleed bug is the beginning of that. Go change your passwords.

</rant>

(via XKCD.com)


1 Million Apple UDIDs Leaked Online Last Night

Last night, the hacking group AntiSec posted 1 million UDIDs online, claiming they have 11 million more, and that they had stolen them from an FBI laptop in March, when they exploited a Java vulnerability.

UDID = Unique Device ID

Think of it like a serial number for your iOS device, the fingerprint of your phone or iPad. It is a unique, 40-character alphanumeric string, and is used by Apple, ad networks, and app developers to identify devices.

It has long been touted as insecure (it’s sent back to app developers un-encrypted), and Apple started to phase it out in April.

Your UDID doesn’t mean much on its own; it’s like your driver’s licence number but without information like your name, address, etc. However, according to AntiSec, they found more information attached to the numbers, but stripped it out before posting them online, which I think is kind of them.

From Forbes.com:

If the UDIDs are determined to be real, just what that means about law enforcement and Apple users’ privacy isn’t entirely clear. Much more than passwords or even email addresses, UDIDs are already spread around the Internet by app developers and advertisers–a study by one privacy researcher in 2011 found that 74% of the apps he tested sent a user’s UDID to a remote server. But the same researcher also found that five out of seven social gaming networks he tested allowed users to log in with only their UDID, making a stolen UDID equivalent to a stolen password.

How to find your UDID number

You have to do this on your computer, it’s not displayed on your iPhone.

Connect your phone to your computer.  Open iTunes, click on your device in the left column, this screen will look familiar.

Click “Serial Number”, and the number to the right will change to your UDID. You won’t be able to copy & paste this, you’ll have to record it manually.

Next step is to check if yours was one of the million posted online.

The Next Web has created a tool to see if your number was on the leaked list.

TWO THINGS TO KNOW BEFORE YOU DO THIS.

YES, I’M YELLING HERE

1 – I can’t guarantee you this is safe. I don’t know Next Web. What I do know, though, is I found this link posted on Twitter by Mikko Hypponen, whom I met and interviewed last year at DefCon 19, and who is one of the world’s leading experts in information security. I felt confident enough to enter mine. Best I can do, guys.

2 – Don’t paste your entire UDID into the box. Next Web says they’re not storing the UDIDs, but continues that they’re also not being encrypted during this process. The best thing to do is not enter your entire number; I entered only the first half of mine, good enough.

Click here to check yours.  Mine came back not leaked, and looked like this:

What to do if your UDID has been leaked?

Call Apple.
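If you would rather not send any part of your UDID to a third-party web tool, the same lookup can be done locally against a copy of the leaked list saved on your own machine. This is an added example, not part of the original post or The Next Web’s tool; it assumes the list has been saved as a plain text file with one identifier per line (the sample list below is constructed, with made-up identifiers).

```bash
#!/bin/sh
# Added example, not from the original post: check a UDID against a copy of
# a leaked list kept on your own machine, so the identifier never leaves it.

# A UDID is 40 hexadecimal characters. Strip whitespace, lower-case it, and
# reject anything that is not exactly 40 hex digits. Prints the normalized value.
normalize_udid() {
    udid=$(printf '%s' "$1" | tr -d ' \t\r\n' | tr '[:upper:]' '[:lower:]')
    case "$udid" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#udid}" -eq 40 ] || return 1
    printf '%s\n' "$udid"
}

# Look a UDID up in a list file (one identifier per line, any letter case).
# Prints "leaked", "not-leaked", or "invalid" for a malformed input.
check_udid_locally() {
    udid=$(normalize_udid "$1") || { echo "invalid"; return 2; }
    if tr '[:upper:]' '[:lower:]' < "$2" | grep -qxF "$udid"; then
        echo "leaked"
    else
        echo "not-leaked"
    fi
}

# Constructed sample list with made-up identifiers (not from the real dump).
SAMPLE_LIST=$(mktemp)
cat > "$SAMPLE_LIST" <<'EOF'
0000000000000000000000000000000000000001
ABCDEF0123456789ABCDEF0123456789ABCDEF01
EOF

# Stand-alone run against the sample list; replace the second argument with
# the path of the list you saved locally, and the first with your own UDID.
check_udid_locally 'abcdef0123456789abcdef0123456789abcdef01' "$SAMPLE_LIST"
check_udid_locally '0000000000000000000000000000000000000002' "$SAMPLE_LIST"
```

Because the comparison happens on your own machine there is no need to truncate the identifier to half, as the post does for the web tool; a full-string match avoids the false positives a prefix lookup can produce.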

Further Reading

Forbes

Lifehacker – definition of a UDID

Corte.si

TechCrunch


UPDATE: 6:40pm

The FBI has replied to the claim, made by AntiSec, that it is “totally false”. Privacy-advocacy groups are freaking out. AntiSec then said it won’t say another word, until journalist Adrian Chen poses in a tutu, on the Gawker homepage for 24 hours.

And so he did.

The hashtag #FBI has been trending on Twitter all day, that’s rare.  If you’re following the story out there, be careful what you click.

Gizmodo posted a good article, “Why You Shouldn’t Freak Out if Hackers Leaked Your Apple Device ID”.

True or not, you probably thought about your online security more today than in a long time, so good.  Your online life is very valuable, treat and protect it accordingly.  

And I learned about being a part of the news cycle.


Change Your Yahoo Password Right Now

Yahoo! had a major security breach yesterday.  

An estimated 450,000 passwords were stolen.  

The passwords were stored on Yahoo!’s servers in plaintext, meaning not encrypted; they could have been kept far safer. Expect Yahoo! to take some heat for that, which is good, because doing that is dumb.

Some outlets are reporting 100,000+ Gmail, 50,000+ Hotmail accounts, and more were part of the stolen data.  Others are saying the accounts are old, only 5% are in use.

Sucuri Labs has created a way to check if your email was affected, click here.

I recommend you change your password regardless; it’s doubtful we’re getting the whole story.

Remember too, Flickr and Yahoo are the same thing.

Further reading:

Gizmodo

Mashable

CNN


The Flashback Trojan is Turning Macs into Zombies

It’s here – the largest EVER Mac trojan has arrived. It’s called Flashback, it’s huge, and if you are running Mac OS X 10.6 you may be affected.

600,000 Macs around the world have been compromised. Statistically, that is a giant botnet.

A botnet: think of it like your computer has been turned into a zombie, and is under someone else’s control. Gather together enough zombies, now you have a botnet army. Most scary of all: you likely wouldn’t even realize you’ve been affected.

What you need to do:

FIRST – check to see if you are vulnerable. If you are running Mac OS X 10.6 you might be. If you are running Mac OS X 10.7 you are likely okay.

SECOND – Let’s check to see if your machine is infected. We’re going to use Terminal to do that, your Mac’s command-line interface.

Open ‘Terminal’.

Don’t be scared if you’ve never used Terminal. You’re going to feel a bit like a hacker, fun!

But – don’t screw around in here, stay focused; a couple wrong keystrokes and you’ll change and alter things you do not want to.

Now you’re looking at a window like this:

Copy and paste this line into Terminal, then hit ‘enter’:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment


NOT AFFECTED: if it returns this line:

The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist

That’s what you want, “does not exist”

AFFECTED: if it returns anything else. If infected, click here for the remedy. F-Secure is an antivirus and computer security company in Finland. You’re going to download a Java update from Apple here.
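The manual check above can also be scripted, so the “does it say does not exist?” decision is made for you. The following is an added example, not from the original post or from F-Secure; it applies the post’s rule (the “does not exist” message means clean, any other output means investigate), runs the real command only on a Mac where `defaults` exists, and uses constructed sample outputs, not captures from a real machine. Flashback planted itself through a DYLD_INSERT_LIBRARIES entry in this LSEnvironment dictionary, which is why any value at all is a red flag; the library path in the sample is a placeholder.

```bash
#!/bin/sh
# Added example, not from the original post: scripts the post's manual check.
# The post's rule: "does not exist" = clean; any other output = investigate.

# Classify the text printed by `defaults read <plist> <key>`.
# Prints "clean" when the key is absent (the answer you want), "suspicious"
# when some value came back, and "unknown" when there was no output at all.
flashback_verdict() {
    output="$1"
    case "$output" in
        "")                 echo "unknown" ;;
        *"does not exist"*) echo "clean" ;;
        *)                  echo "suspicious" ;;
    esac
}

# Run the post's real check on a Mac. `defaults read` writes its
# "does not exist" message to stderr, so both streams are captured.
# On a non-Mac system there is no `defaults` command; say so instead of guessing.
check_safari_lsenvironment() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "unknown"
        return 1
    fi
    out=$(defaults read /Applications/Safari.app/Contents/Info LSEnvironment 2>&1) || true
    flashback_verdict "$out"
}

# Constructed sample outputs (not captured from a real machine) so the
# classifier can be exercised anywhere. An infected Safari carried an injected
# DYLD_INSERT_LIBRARIES entry here; the path below is only a placeholder.
SAMPLE_CLEAN='The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist'
SAMPLE_INFECTED='{
    DYLD_INSERT_LIBRARIES = "/PLACEHOLDER/injected.dylib";
}'

# Stand-alone run: show the two sample verdicts, then the live check on a Mac.
echo "sample clean    -> $(flashback_verdict "$SAMPLE_CLEAN")"
echo "sample infected -> $(flashback_verdict "$SAMPLE_INFECTED")"
if [ "$(uname)" = "Darwin" ]; then
    echo "this Mac        -> $(check_safari_lsenvironment)"
fi
```

A “suspicious” verdict is not proof of infection on its own (some software legitimately sets environment keys), but it is exactly the case the post says to take to the F-Secure remedy instructions.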

Remember the golden rule to avoid problems:

The Golden Rule: If you installed it, update it.


We Mac users have enjoyed relatively virus and malware-free living, till now. I blogged about it last year over on KeriBlog, click here for why it’s no longer the case.

Further Reading:

Gizmodo

The Register

The Internet Storm Center


UPDATE – April 13 2012

Yesterday, Apple released a fix for the Flashback trojan.

To install it: go to the Apple menu in the top-left corner, choose “Software Update”, and say yes to installing the Java update that looks like this:

Apple’s official release page is here. I’ve copied some of the text below and bolded the important parts.

This Java security update removes the most common variants of the Flashback malware.

This update also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application. If the Java web plug-in detects that no applets have been run for an extended period of time it will again disable Java applets.

I suggested the other day it was good security practice to ensure your computer is NOT set up to “automatically open downloaded files”. Good idea to do that now. Snow Leopard users might have to do this manually.

Remember, nothing is ever 100% with this stuff. Always err on the side of caution.