::Trend Micro Threat Resource Center::

31 March 2015

Android flaw puts personal data at risk for millions

Nearly half of Android devices are vulnerable to an attack that could replace a legitimate app with malicious software that can collect sensitive data from a phone.

Google, Samsung and Amazon have released patches for their devices, but 49.5 percent of Android users are still vulnerable, according to Palo Alto Networks, which discovered the problem. Google said it has not detected attempts to exploit the flaw.


A malicious application installed using the vulnerability, called "Android Installer Hijacking," would have full access to a device, including data such as usernames and passwords, wrote Zhi Xu, a senior staff engineer with Palo Alto.

The company wrote two exploits that take advantage of the flaw, which involves how APKs (Android application packages) are installed.

The vulnerability only affects applications that are installed from a third-party app store. Security experts generally recommend using caution when downloading apps from those sources.

Apps downloaded from third parties place their APK installation files in a device's unprotected local storage, such as an SD card, Xu wrote. From there, a system application called PackageInstaller finishes the installation. The flaw allows an APK file to be modified or replaced during installation without anyone knowing.

An attack would work like this: A user downloads what appears to be a legitimate application. The application asks for certain permissions on the device. During that process, Palo Alto found it was possible to swap or modify the APK file in the background because the PackageInstaller fails to verify it, Xu wrote.

After clicking the install button, "the PackageInstaller can actually install a different app with an entirely different set of permissions," he wrote.

Android devices do not need to be rooted for the attack to work, although rooting does make devices more vulnerable.
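The consent-to-install race described above, as an added illustrative model that is neither Palo Alto's exploit code nor Android's PackageInstaller: a stand-in "APK" (a zip with a plain-text MANIFEST member listing permissions) is read from shared storage for the permission prompt, replaced while the user is deciding, and read again at install time. The hardened flow alongside it (stage a private copy and verify a digest before installing) is an assumed mitigation pattern, not Google's actual patch.

```python
"""Model of the consent-to-install race behind "Android Installer Hijacking".

Constructed, simplified stand-in (not Android code): an "APK" here is a zip
whose MANIFEST member lists requested permissions one per line.
"""
import hashlib
import os
import shutil
import tempfile
import zipfile


def build_apk(path, permissions):
    """Write the constructed stand-in for an APK (overwrites an existing file)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("MANIFEST", "\n".join(permissions))


def read_permissions(path):
    """Return the permission list the installer would show the user."""
    with zipfile.ZipFile(path) as zf:
        return zf.read("MANIFEST").decode().split("\n")


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def vulnerable_install(shared_apk, other_app_runs):
    """Flawed flow: permissions are shown from the file in shared storage, then
    the same path is re-read at install time with no check that it is unchanged.
    `other_app_runs` models another app getting CPU time in between."""
    shown = read_permissions(shared_apk)
    other_app_runs()
    installed = read_permissions(shared_apk)
    return shown, installed


def hardened_install(shared_apk, other_app_runs):
    """Assumed mitigation pattern (not Google's actual patch): stage a private
    copy first, hash it, show permissions from the copy, and refuse to install
    unless the staged copy still matches the hash the user consented to."""
    staged = os.path.join(tempfile.mkdtemp(prefix="pkginst-"), "staged.apk")
    shutil.copyfile(shared_apk, staged)
    consented_digest = sha256_file(staged)
    shown = read_permissions(staged)
    other_app_runs()
    if sha256_file(staged) != consented_digest:
        raise RuntimeError("APK changed after consent; aborting install")
    installed = read_permissions(staged)
    return shown, installed


def demo():
    """Constructed scenario: the shared-storage copy is replaced by one that
    asks for an extra permission between the consent prompt and the install."""
    shared = os.path.join(tempfile.mkdtemp(prefix="sdcard-"), "app.apk")
    benign = ["android.permission.INTERNET"]
    hijacked = benign + ["android.permission.READ_SMS"]

    def replace_in_background():
        build_apk(shared, hijacked)

    build_apk(shared, benign)
    vulnerable = vulnerable_install(shared, replace_in_background)
    build_apk(shared, benign)
    hardened = hardened_install(shared, replace_in_background)
    return vulnerable, hardened


if __name__ == "__main__":
    (shown, installed), (h_shown, h_installed) = demo()
    print("vulnerable flow: shown", shown, "installed", installed)
    print("hardened flow:   shown", h_shown, "installed", h_installed)
```

In the hardened flow the replacement only reaches the shared-storage copy, so the staged file's digest is unchanged and what was consented to is what gets installed; a change that did reach the staged file would raise the RuntimeError rather than install silently.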

When the flaw was discovered, in January 2014, close to 90 percent of all Android devices were affected. That has since dropped to 49.5 percent, but many devices have not been patched.

Palo Alto's exploits were successful against Android versions 2.3, 4.0.3 to 4.0.4, 4.1.x, and 4.2.x. The 4.4 version of Android fixes the issue. Some Android 4.3 devices may still be affected, however, since some manufacturers have not patched yet, Xu wrote.

Google has published a patch here, and Amazon recommends downloading the latest version of the Amazon AppStore, which will update its Fire devices, Xu wrote.

Palo Alto has also developed an Android app that will detect if a device is still vulnerable.

25 March 2015

Microsoft: Office will be free for devices under 10 inches

Microsoft drew a line in the sand on Tuesday, as its Office 365 chief said that editing and viewing documents on small-screen devices would continue to be free—likely killing off the idea of a small-screen Surface Pro mini, incidentally.


Kirk Koenigsbauer, the corporate vice president for the Office 365 Client Apps and Services team, revealed in a blog post that Microsoft believes that 10.1 inches is the dividing line between a “personal” and “professional” experience. Pros need the reliability and security of paid apps, while “personal” users are more interested in free.

“Currently, we are also using screen size to delineate between professional and personal use,” Koenigsbauer wrote. “Based on our research, we are classifying anything with a screen size of 10.1 inches or less as a true mobile device: You’re probably using it on the go, when it’s not practical to use a larger computing device such as a PC or a Mac. You probably aren’t using a mouse or a keyboard, instead navigating via touch interface. It’s probably not a “pro” category tablet that is used for design or presentations.”

On these mobile devices, the core editing and viewing experience will be free, Koenigsbauer wrote, until you get to those “premium, subscription features,” like integration from one app to another, security, and reliability—all part of the Office 365 suite, and not the individual apps.

Why this matters: Everyone understands what differentiates a desktop from a phone. But as the lines between phones, tablets, and phablets blur, software vendors have to make a decision: What does the software experience look like as the screens they’re displayed on grow and shrink? At Microsoft, that dividing line will be about the dimensions of the Surface Pro tablet: 10.1 inches. And given that Microsoft’s definition of “professional” doesn’t include anything under 10.1 inches, that's game over for a small-screen Surface Pro tablet.

Note though, that Microsoft hasn't said anything about actually creating documents on smaller screens. So you won't necessarily be able to launch a new Office document on a small-screen tablet, just edit one you've already created. It's just another of these annoying, lawyerly distinctions that are a legacy of the old Microsoft.

Microsoft will continue to push its free individual apps, such as Word, PowerPoint, Outlook, Skype, and others, to third-party hardware makers, as Microsoft did Monday. The company partnered with Samsung, Dell, and others to bring Office and Office 365 to Android tablets.

Office for iOS has been downloaded more than 80 million times already, Koenigsbauer said. Office 365 Home and Office 365 Personal grew to more than 9.2 million subscribers in the last quarter, up 30 percent, he said. And as Microsoft continues to push its apps across the whole of the computing ecosystem, that number will continue to grow.

21 March 2015

Facebook login exploit 'a phisher's dream'

Data breaches happen in numerous ways. So many ways in fact that it's difficult for security teams to predict where an attack will happen next. The latest is an exploit of Facebook login on numerous websites. Once accounts are hijacked in this way, they can be held for ransom or used by a phisher to work their way into much larger and more profitable data sets.


It's accomplished through the use of a ready-to-use tool called Reconnect. The tool has been released to the wild and is therefore accessible by anyone. Essentially, Reconnect enables the user to log on to a website using stolen Facebook credentials.

"I tested this out and it looks legitimate. This is a phisher's dream really, I am sure we will see a lot of Facebook accounts compromised by this. Hopefully, Facebook is working on a fix," said Ken Westin, senior security analyst at Tripwire.

Security researchers believe that most if not all websites that enable Facebook login are vulnerable to the exploit. The blackhat release site says Reconnect can be used to hijack accounts on websites such as Booking.com, Bit.ly, About.me, Stumbleupon, Angel.co, Mashable.com, Vimeo and many others.

"This is indeed a very big issue as many popular websites use Facebook's delegated identification, so a widespread exploit could wreak a lot of havoc," said Branden Spikes, CEO of Spikes Security.

"Giving Facebook a little benefit of the doubt here, this looks like an instance of an unfortunate practice where black hats or corrupt penetration testing firms discover big vulnerabilities like this, and rather than submitting them through the standard bug bounty channels (or on the terms of their professional contract with the victim) they choose to ransom them instead," he added.

Phishing: it's not just for email anymore. Until Facebook finds a fix, it may behoove companies to disable the login.

20 March 2015

PwC sets up Cyber Security Centre of Excellence in Singapore

PwC (PricewaterhouseCoopers) has launched a new Cyber Security Centre of Excellence in Singapore, which will be headed by Vincent Loy, Cyber Leader, PwC Singapore.


The Centre of Excellence aims to serve the business community both locally and in the region through the provision of research, training & skill development, information sharing, communication, awareness and policy, standards and international cooperation.

“As Singapore moves closer to becoming a Smart Nation, the need for the right talent to ensure that the nation and our systems are well guarded against threats will become a growing imperative,” said Loy. “PwC is working to build capabilities that will support businesses as they ‘go digital’.

“We are already in the process of heavily recruiting globally to bring different capabilities and skill sets to Singapore. In addition, we are training existing staff and new recruits on cyber related capabilities.”

PwC Singapore has been actively providing services in cyber security and related areas since 2012. In response to the growing demand for talent in the cyber and data risk areas, PwC Singapore aims to expand its practice from 40 staff to approximately 300 over the next three years.

PwC also plans to invest S$50 million over the next three years in capability and technological development in its continued commitment to be a thought leader in the area of cyber risk and security.

“Businesses and organizations need to move beyond focusing on tactical technology solutions,” said Yeoh Oon Jin, Executive Chairman, PwC Singapore. “The right culture and mindset to manage and mitigate digital risks need to seep through the entire organization.

Processes will need to become even more robust and standardized across all access channels. The end game is to prevent cyber threats and vulnerabilities for a safer, smarter and sustainable eco-system.”

19 March 2015

Yahoo! Releases On-Demand Passwords

Yahoo! is taking a new tack in authentication with the implementation of on-demand passwords, which are texted to a mobile phone when a user needs them.


Yahoo! subscribers in the US can opt into the scheme via their security settings page in the account information section. Once a mobile phone is added to the account, a one-time password will be sent every time a login is required.

It’s sort of like two-factor authentication—without the first factor involved.

“We’ve all been there…you’re logging into your email and you panic because you’ve forgotten your password,” said Chris Stoner, Yahoo! director of product management, in a blog. “After racking your brain for what feels like hours, it finally comes to you. Phew! Today, we’re hoping to make that process less anxiety-inducing…You no longer have to memorize a difficult password to sign in to your account—what a relief!”

But not everyone agrees that the method boosts safety. Tim Erlin, director of product management and a security and IT risk strategist for Tripwire, pointed out that the method simply directs hackers’ efforts to intercepting text messages.

“While Yahoo is lifting the burden of remembering a password, they are maintaining a single target for compromise: your SMS messages,” he noted in an email. “Malware on your phone could be used to grab those SMS messages, and then have full access to your account. On-demand passwords are also mutually exclusive with Yahoo’s two-step verification, so enabling them forces users to effectively downgrade security on their account.”

TK Keanini, CTO of Lancope, told Infosecurity that he agreed that users will need to pay more attention to mobile security.

“While only leveraging a single factor (something you have—your phone), the security of the system will depend on how secure that device remains over time,” he said. “We will see a major shift by the attacker to target malware on these mobile platforms because of their larger role in the overall security of the individual. It is also important these days to ensure that the mobile account is secure because you don't want attackers changing features like call forwarding and other features that can put them in the middle of this communication stream.”

Nonetheless, he applauded Yahoo! for thinking creatively.

“We need more innovation like this with authentication,” he said. “Passwords are just pieces of information and in all these strategies, we want to make it useful for the shortest amount of time but not be an administrative burden. Yahoo! knows that the most personal device on a person these days is their mobile phone. And let’s not stop here, let’s keep innovating even more techniques to raise the cost to our attackers.”

16 March 2015

Malicious Android App Fakes Shutdown and Allows Bad Guys to Take Control

Is this thing on?


Unless you have your Android device in one hand and its batteries in another, you might not be sure if it's turned off. An Android Trojan app called PowerOffHijack, which originated from Chinese app stores, was found tricking users into believing that their devices were turned off though they're actually powered on.

Digging into the issue, Trend Micro researchers found that an app believed to be an earlier version of PowerOffHijack appeared as early as September 2014. The app, named AndroidFramework (detected as AndroidOS_AndFraspy.HAT), disguised itself as a Google service with the package name com.google.progress.

Fake Shutdown Routines
As mobile device users are aware, pressing the power button can result in two things. Tapping the button will turn off the screen, while holding it down will cause it to prompt with device options that include shutting the phone down.

The AndroidFramework malware was designed to perform its malicious operations in the background after you press the power button and the screen goes black.

The PowerOffHijack version, on the other hand, was made to run in the background even after you hold the power button down and choose to turn the device off. It will even display the Android shutdown animation to make you believe that your device is shutting down. At this stage, the malware can still make phone calls, send SMS, take photos, and do other malicious routines without user consent.

Both these malware apps were found in third party app stores outside of Google Play and require a rooted device to run.

The PowerOffHijack reportedly works on devices running on Android operating systems that are older than version 5.0, Lollipop. It is said to have originated from third-party Chinese app stores, which explains why most of the 10,000 affected devices are from China.

How to Get Rid of AndroidFramework and PowerOffHijack
It was previously suggested that users can only be truly safe from the PowerOffHijack threat if they remove the batteries of their devices. However, this is not practical for many users who do need to use the devices as well as for devices with batteries that can't be easily removed.

13 March 2015

Halt production of ‘creepy’ interactive Barbie doll

Child advocates want toymaker Mattel to pull the plug on a new interactive Barbie doll that records children’s voices and uploads them to a cloud server.


The Hello Barbie doll – expected to arrive in stores this fall – uses WiFi to hold two-way conversations by “listening” to a child’s words and responding appropriately.

In a videotaped demonstration of the doll at the New York Toy Fair last month, a saleswoman chatted with Barbie about New York City. “I love New York, don’t you?” Barbie gushes. “Tell me, what’s your favorite part about the city?”

When the saleswoman says she enjoys Italian restaurants, Barbie says, “You have to take me to try it!”

Susan Linn, executive director of the nonprofit Campaign for a Commercial-Free Childhood, says the doll is “creepy” and “dangerous.” The group is calling on Mattel to stop all production and marketing of Hello Barbie.

“Kids using ‘Hello Barbie’ aren’t only talking to a doll, they are talking directly to a toy conglomerate whose only interest in them is financial,” Linn said Wednesday in a statement.

Mattel says Hello Barbie was developed in response to the wishes of girls from around the world, whose top request was to be able to have a conversation with Barbie.

Hello Barbie conforms to government standards and employs safeguards to protect children’s data from access by “unauthorized users,” Mattel said in a statement.

“Mattel is committed to safety and security,” Stephanie Cota, senior vice president for global communications at Mattel, said in the statement.

But advocates with the Campaign for a Commercial-Free Childhood complain that Hello Barbie eavesdrops on children, exploiting private dialogues with dolls for profit.

“If I had a young child, I would be very concerned that my child’s intimate conversations with her doll were being recorded and analyzed,” Angela Campbell, faculty adviser to the Center on Privacy and Technology at the Georgetown University law school, said in the group’s statement.

“In Mattel’s demo, Barbie asks many questions that would elicit a great deal of information about a child, her interests and her family,” Campbell said. “This information could be of great value to advertisers and be used to market unfairly to children.”

Computer algorithms shouldn’t displace children’s real conversations with real friends, pediatrician Dipesh Navsaria, an assistant professor at the University of Wisconsin School of Medicine and Public Health, said in the statement.

“Children do not need commercially manufactured messages – artificially created after listening in on anyone within range of Mattel’s microphones,” Navsaria said.

Read more here: http://www.mcclatchydc.com/2015/03/11/259366/child-advocates-halt-production.html?linkId=12862933#storylink=cpy

10 March 2015

More vendors join Cyber Threat Alliance in effort to combat advanced cyber threats

Fortinet, McAfee Labs, Palo Alto Networks and Symantec, co-founders of the industry’s first cyber threat alliance, announced that Barracuda Networks, Inc., ReversingLabs, Telefónica, and Zscaler have joined the Cyber Threat Alliance in its efforts to make united progress in the fight against sophisticated cyber adversaries.


The mission of the Cyber Threat Alliance is to drive a coordinated industry effort against cyber adversaries through deep collaboration on threat intelligence and sharing indicators of compromise.

While past industry efforts have often been limited to the exchange of malware samples, the Cyber Threat Alliance provides more actionable threat intelligence from contributing members, including information on zero-day vulnerabilities, botnet command and control (C&C) server information, mobile threats, and indicators of compromise (IoCs) related to advanced persistent threats (APTs), as well as the commonly-shared malware samples.

By raising the industry's collective actionable intelligence, alliance participants will be able to deliver greater security for individual customers and organizations.

“We appreciate the charter of the Cyber Threat Alliance and believe there should be closer collaboration across security researchers, industry, education, and government,” said Stephen Pao, GM Security of Barracuda, which provides cloud-connected security and storage solutions that simplify IT.

Pedro Pablo Pérez, CyberSecurity Director at Telefónica, one of the largest telecommunications companies in the world, believes that collaboration against cybercrime with leading companies in the security practice will lead to better cyber-resilience in the digital world.

“Organizations combatting today’s cyber threats require both internal monitoring and external context to identify an adversary’s intentions and tactics. The Cyber Threat Alliance provides a collaborative vehicle for sharing critical external information and improving identification of advanced threats," said Mario Vuksan, CEO of ReversingLabs, which provides enterprises and security vendors a foundation for protecting digital assets.

For his part, Michael Sutton, Vice President, Security Research for Zscaler, which provides a Security-as-a-Service platform delivering a safe and productive Internet experience, said: “Today’s security threats are more insidious and difficult to thwart than ever and they are outpacing the ability of organizations to protect themselves. The exchange of actionable threat intelligence fostered by the Cyber Threat Alliance is a critical step toward a new level of industry collaboration that will result in greater security for vendors and clients alike.”

05 March 2015

How a Blu-ray disc could install malware on your computer

A pair of vulnerabilities found in hardware and software for playing Blu-ray discs might come in handy for secret snooping by the U.S. National Security Agency.


Stephen Tomkinson of NCC Group, a U.K.-based security consultancy, engineered a Blu-ray disc which detects the type of player the disc is running on and then picks one of two exploits to land malware on a computer. He presented the research at the Securi-Tay conference at Abertay University in Scotland on Friday.

One of the problems is in PowerDVD, an application made by Taiwanese company CyberLink for playing DVDs on Windows computers. The company’s applications are often preinstalled on computers from manufacturers including HP, Dell, Acer, Lenovo, Toshiba and ASUS, according to its website.

Blu-ray discs can support rich content like dynamic menus and embedded games, which are built using Blu-ray Disc Java (BD-J), a variation of Java for embedded systems. BD-J uses “xlets,” or small applications, for things such as user interfaces.

Xlets are prohibited from accessing a computer’s operating system and file system for obvious reasons. But Tomkinson found a flaw in PowerDVD that allowed him to get around the sandbox that xlets can run in and launch a malicious executable.

The second vulnerability lies in some Blu-ray disc player hardware. Tomkinson wrote that he analyzed a “fairly minimal” embedded system running Linux with a command-line BusyBox interface, although he did not identify the make or model.

His second attack uses an exploit written by Malcolm Stagg to be able to get root access on a Blu-ray player. From there, he wanted to see if it was possible to trick the system into running a command that would install malware.

He found it was possible to write an xlet that fooled a small client application called “ipcc” running within the localhost into launching a malicious file from the Blu-ray disc.

To refine the attack, Tomkinson figured out a way to detect what kind of system the Blu-ray disc is running on in order to know which exploit to launch. To mask the strange activity, the Blu-ray disc is coded to start playing its content after one of the exploits has run.

Disc attacks have been tried before
Distributing a batch of malicious media has been used in the past to attack specific targets. Last month, Kaspersky Lab wrote about the Equation group, a highly advanced group of attackers suspected to be the NSA that used ingenious ways to deliver malware.

Kaspersky described how some participants of a scientific conference held in Houston later received a CD-ROM of material. The CD contained two zero-day exploits and a rarely-seen malware backdoor nicknamed Doublefantasy.

Tomkinson wrote that NCC Group has contacted “the vendors to resolve these issues with varying degrees of success.” CyberLink officials could not immediately be reached for comment.

There are a few defensive precautions users can take. Tomkinson wrote that people can avoid Blu-ray discs that come from unknown sources and also stop discs from running automatically.

If it is possible, users should also turn off the capability that allows Blu-ray players to connect to the Internet or block it from connecting to a network, he wrote.

03 March 2015

Blackphone 2 Is Probably the World's Most Secure Smartphone


"While the rest of the market is going one way, with selfie sticks and curved screens, we're going down another, to the heart of problems, sticking with privacy and security," said Silent Circle's Mike Janke at the launch of the company's new secure smartphone, the Blackphone 2. And he's not kidding — though no frills in design, it's kitted out with some serious security features.

First, the hardware. A 5-inch handset with a Full HD screen (protected on the outside by Gorilla Glass 3), it's running on a 64-bit Qualcomm octa-core processor, backed by 3GB of RAM. A removable 3060mAh battery sits inside (with Quick Charge 2.0 features), with microSDXC support for expandable memory. So far, so standard.

It's on the software side where things get a bit more interesting, and that 3GB of RAM shows its worth. Though running on Android, the phone is equipped with Silent Circle's PrivateOS 1.1, an enterprise-orientated, highly secure layer that sits on top of Google's OS.

This gives users a "Spaces" UI, which keeps the different areas of your mobile life encrypted and compartmentalised. It's essentially a virtualisation system, letting the Blackphone 2 act as separate "devices" within itself, even offering different log-ins running concurrently on each app or service. So, you can set up an Enterprise Space for your work documents and communications, a Personal Space for your private emails and saucy sexting pics, and a Silent Space that's pretty much a phone-wide version of Chrome's "Incognito Mode".

Each space can be filled with the "Silent Suite" apps, whose functions are pretty self-explanatory: Silent Text, Silent Contacts and Silent Phone, each keeping your communications encrypted and isolated from each other. The phone will also come equipped with the Silent Store, the world's first privacy- and security-orientated app store.

Those looking to use the phone for conference calling will benefit also from the new Silent Meeting function. This lets you set up secure conference calls with as many as 50 participants, offering scheduling and invitation tools too. Providing all users are using the Silent Meeting feature, there's no need for annoying log-in passwords, with the encryption and security being handled behind the scenes.

"We're replacing BlackBerry, we don't care that BlackBerry's CEO is throwing nasty things about us onto Twitter. We're going to dominate them," said Silent Circle security specialist (and former Navy Seal) Mike Janke at today's launch. While that's not a massive claim to make with BlackBerry on the backfoot, if the Blackphone 2 can live up to its secure claims, it'll certainly fill a hole left by BlackBerry's disappointing touchscreen smartphones.

Due out in the summer, the Blackphone 2 is expected to retail at $629 USD.