Archive for June 16, 2015

Long Standing Flaw In Samsung Phones Leaves Users Exposed To Being Hacked

Posted in Commentary with tags on June 16, 2015 by itnerd

If you have a Samsung S4, Mini, Galaxy S5 or even the recently released Galaxy S6, you might have a security flaw that may result in you getting hacked. Cybersecurity firm NowSecure discovered an unpatched security hole that allows an attacker to remotely execute code as a system user via the keyboard upgrade mechanism on these phones.

Now here’s the really bad part via The Wall Street Journal:

In March, Samsung told NowSecure it had sent a fix to wireless carriers that they could distribute to users. It asked NowSecure to wait three months before going public.

Last week, the researchers bought two new Samsung Galaxy S6’s from Verizon Wireless and Sprint. They found both were still vulnerable to the security hole, which involves how the phone accepts data when updating keyboard software.

There’s more:

In this case, NowSecure said it contacted Samsung in November 2014. On Dec. 16, Samsung asked for more time, Hoog said. On Dec. 31, it asked for a year to fix it, he said.

Wow. That’s insane. You have a serious security issue in your phones in an age where such issues are found very quickly and you want a year to fix it? Then a few months later you say that you’ve fixed it but it quickly gets proven that you haven’t?

Mind blown.

Samsung hasn’t said anything in regards to this yet. But one hopes that they do so quickly, because of this finding from NowSecure’s research:

Unfortunately, the flawed keyboard app can’t be uninstalled or disabled. Also, it isn’t easy for the Samsung mobile device user to tell if the carrier has patched the problem with a software update. To reduce your risk, avoid insecure Wi-Fi networks, use a different mobile device and contact your carrier for patch information and timing.

Your choices are don’t use insecure WiFi or don’t use a Samsung phone? That’s not good if you’re Samsung.

Person Shot And Killed While Trying To Retrieve Their Smartphone

Posted in Commentary with tags on June 16, 2015 by itnerd

We’ve all heard stories about people who have had their smartphone stolen and used a service like Find My iPhone to find the location of the people who stole it and then confront them. I’ve always considered this to be risky behavior, as you could get really, really hurt or worse by doing this. Sadly, this has proven to be the case in London, Ontario, where a teenager by the name of Jeremy Ryan Cook lost his smartphone in a cab and tracked it down using a service like Find My iPhone. Here’s what happened next according to the National Post:

He left his cellphone in a taxi on the weekend. Using a tracking device on the phone, Cook ended up in a parking lot on Highbury Ave. standing outside a 2004 silver Mazda at 5:15 a.m. Sunday.

There were three men inside and they weren’t giving the phone back to Cook, who was there with a relative, police said.

During the confrontation over the phone, one man jumped out of the car and walked away.

The driver stepped on the gas.

And that’s when Cook did what many 18-year-olds might do if someone was stealing their stuff: He tried to stop them.

Cook grabbed on to the driver’s door and held on to the car while it peeled away, out of the parking lot, heading north on Highbury, then turning east into a plaza on the southeast corner of Huron St. and Highbury, police said. Gunshots rang out. When police arrived, Cook was already dead.

Police are now searching for three people in relation to this murder.

I’ll say two things on this topic. Feel free to disagree with me on any or all of these points. I’m good with that.

First, I suggest that you set up your phone so that you can remotely wipe it and lock it so that nobody else can use it. iPhones, BlackBerry phones, and a lot of Android phones have this capability. That way any personal info can be zapped and the phone can be made to be useless. You should also consider backing up your data (including your photos) to your home computer or to a cloud service like iCloud or to one of Google’s cloud based services. That way you can recover from having your smartphone stolen painlessly. Finally if you do have the location of the phone, give the location to the police and let them get it back for you. I get that the phone is expensive, but it’s not worth your life.

Now, that brings me to the police. One of the reasons why the average person takes these sorts of risks to get back their phone is that most police agencies don’t consider smartphone theft to be a high priority. Now, if you compare smartphone theft to, say, murder, I get where they are coming from. But in my mind it is still a crime, and given that in this day and age it is easy to find the stolen smartphone and the evildoers who stole it, I would like to think that the police will act upon that and take one or more bad guys (or girls) off the street. Perhaps police agencies may want to re-evaluate this going forward. Maybe that would prevent another story like this from hitting the news.

Password Service LastPass Hacked…. Users Asked To Change Master Password

Posted in Commentary with tags on June 16, 2015 by itnerd

I get that having multiple passwords for each and every online service that you use can be a pain. But it makes you more secure, which is why I keep encouraging users to do that. I also get that to keep yourself sane you may require a password management system to keep track of all those passwords. The problem with that is that if you pick something that is cloud based, you run the risk of it being hacked and your digital life being left in a state where it is under threat.

Today, we’re being provided a great example of that with the news that popular cloud based password management service LastPass was hacked. Here’s what the company said on their blog:

We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.

Lovely. Here’s what they are doing about it:

An email is also being sent to all users regarding this security incident. We will also be prompting all users to change their master passwords. You do not need to update your master password until you see our prompt. However, if you have reused your master password on any other website, you should replace the passwords on those other websites.

Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. As always, we also recommend enabling multifactor authentication for added protection for your LastPass account.
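To make sense of what “server per user salts” and “authentication hashes” are, and why the advice is to change the master password (and any password reused from it) rather than every vault entry, here is an added illustration of a generic salted, iterated login-hash scheme. This is example code written for this post, not LastPass’s code or a description of their actual parameters; the PBKDF2 work factor, the `make_auth_record`/`verify_login`/`rotate_master_password` helper names and the sample passwords are all assumptions.

```python
"""Illustrative server-side authentication record handling (constructed example)."""
import hashlib
import hmac
import os
from typing import Optional

# Assumption: an illustrative work factor, not any real service's setting.
ITERATIONS = 100_000


def make_auth_record(master_password: str, salt: Optional[bytes] = None) -> dict:
    """Build what a server would store for a user: a random per-user salt plus
    an iterated hash of the master password. The server never stores the
    password itself, and the vault contents are not part of this record."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user (and per rotation)
    auth_hash = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, ITERATIONS
    )
    return {"salt": salt, "auth_hash": auth_hash}


def verify_login(record: dict, candidate_password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", candidate_password.encode("utf-8"), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(candidate, record["auth_hash"])


def rotate_master_password(new_password: str) -> dict:
    """Changing the master password replaces both salt and hash, so a copy of
    the old record stolen from the server no longer matches the account."""
    return make_auth_record(new_password)


def leaked_record_still_matches(leaked: dict, current: dict) -> bool:
    """After rotation the stolen (salt, hash) pair should not equal the live one."""
    return hmac.compare_digest(leaked["auth_hash"], current["auth_hash"])


def same_password_different_users(password: str) -> bool:
    """Per-user salts mean two users with the same password get different
    hashes, so one leaked hash says nothing about the other user's record."""
    a = make_auth_record(password)
    b = make_auth_record(password)
    return a["auth_hash"] != b["auth_hash"]


if __name__ == "__main__":
    # Constructed walkthrough: a record is stolen, the user rotates, the
    # stolen copy is now useless for logging in to this account.
    stolen = make_auth_record("example master passphrase")  # assumption: sample value
    print("login with old password:", verify_login(stolen, "example master passphrase"))
    current = rotate_master_password("new example passphrase")
    print("stolen record still matches:", leaked_record_still_matches(stolen, current))
    print("per-user salts differ:", same_password_different_users("shared"))
```

The point the example makes is the one in the advisory: the leaked material lets someone try guesses against the hash offline, which is why a master password reused elsewhere is the real exposure, and why rotating it (which also replaces the salt) cuts that link while the still-encrypted vault contents stay untouched.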

Now, if you need a product to keep track of your passwords, it should be local to your devices and not be cloud based. Such an application is eWallet, which I reviewed here. While it does have the ability to sync over WiFi to keep all your devices up to date, it only syncs to devices that are paired to each other, such as an iPhone and a Mac, and only on the same WiFi network. Your data doesn’t take a trip to the cloud, so you don’t get exposed to this sort of hack.

In the meantime, if you’re a LastPass user, I’d strongly suggest taking their advice. Then I would strongly suggest reconsidering your password management strategy as this sort of hack could have catastrophic results for end users.