Google, Samsung to issue monthly Android security fixes

LAS VEGAS - Google Inc. and Samsung Electronics Co. will release monthly security fixes for Android phones, a growing target for hackers, after the disclosure of a bug designed to attack the world's most popular mobile operating system.

The change came after security researcher Joshua Drake unveiled what he called Stagefright, hacking software that allows attackers to send a special multimedia message to an Android phone and access sensitive content even if the message is unopened.

"We've realized we need to move faster," Android security chief Adrian Ludwig said at this week's annual Black Hat security conference in Las Vegas.

Previously, Google would develop a patch and distribute it to its own Nexus phones after the discovery of security flaws.

But other manufacturers would wait until they wanted to update the software for different reasons before pushing out a fix, exposing most of the more than 1 billion Android users to potential hacks and scams until the fix.

Ludwig also said Google has made other security changes. In an interview, he told Reuters that earlier this year the team broke out incidence rates of malicious software by language. The rate of Russian-language Androids with potentially harmful programs had spiked suddenly to about 9 percent in late 2014, he said.

Google made its roughly weekly security scans of Russian phones more frequent and was able to reduce the problems to close to the global norm.

Ludwig said improvements to recent versions of Android would limit an attack's effectiveness in more than nine out of 10 phones, but Drake said an attacker could keep trying until the gambit worked. Drake said he would release code for the attack by Aug. 24, putting pressure on manufacturers to get their patches out before then.

Nexus phones are being updated with protection this week and the vast majority of major Android handset makers are following suit, Ludwig said.

Samsung Vice President Rick Segal acknowledged that his company could not force the telecommunications carriers that buy its devices in bulk to install the fixes and that some might do so only for higher-end users.

"If it's your business customers, you'll push it," Segal said in an interview. Samsung is the largest maker of Android phones.

Ludwig said many Android security scares were overblown. He added that only about one in 200 Android phones Google can peer into have any potentially harmful applications installed at any point.

Drake noted that those figures exclude some products, including Fire products from Amazon, which use Android.

As with Apple's iPhones, the biggest security risk comes with apps that are not downloaded from the official online stores of the two companies.

Stolen files from Hacking Team, an Italian company selling eavesdropping tools to government agencies around the world, showed that a key avenue was to convince targets to download legitimate-seeming Android and iPhone apps from imposter websites.

source: www.abs-cbnnews.com

How hackers can control Android phones via text message

Cyber security firm Zimperium on Monday warned of a flaw in the world's most popular smartphone operating system that lets hackers take control with a text message.

"Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS (text message)," Zimperium Mobile Security said in a blog post.

"A fully weaponized successful attack could even delete the message before you see it. You will only see the notification."

Android code dubbed "Stagefright" was at the heart of the problem, according to Zimperium.

Stagefright automatically pre-loads video snippets attached to text messages to spare recipients from the annoyance of waiting to view clips.

Hackers can hide malicious code in video files and it will be unleashed even if the smartphone user never opens it or reads the message, according to research by Zimperium's Joshua Drake.

"The targets for this kind of attack can be anyone," the cyber security firm said, referring to Stagefright as the worst Android flaw discovered to date.

"These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited."

Malicious code executed by hackers could take control of smartphones and plunder contents without owners knowing.

Stagefright imperils some 95 percent, or an estimated 950 million, of Android phones, according to the security firm.

Zimperium said that it reported the problem to Google and provided the California Internet firm with patches to prevent breaches.

"Google acted promptly and applied the patches to internal code branches within 48 hours, but unfortunately that's only the beginning of what will be a very lengthy process of update deployment," Zimperium said.

It did not appear as though hackers had taken advantage of the Stagefright vulnerability, according to Zimperium.

Updating Android software powering mobile devices is controlled by hardware makers and sometimes telecommunication service carriers, not Google.

While Apple controls the hardware and software in iPhones, iPads, and iPods powered by its mobile operating system, Google makes Android available free to device makers who customize the code and update it as they see fit.

More about Drake's research was to be disclosed at a Black Hat computer security conference taking place in Las Vegas early in August.

source: www.abs-cbnnews.com

Security experts raise flags over WhatsApp

WASHINGTON - The Facebook deal for WhatsApp drew attention for its whopping price tag, but has also brought out fresh criticism over security for the billions of messages delivered on the platform.

WhatsApp, which is to be acquired for $19 billion, says on its website that "communication between your phone and our server is fully encrypted."

The company warns users need to be aware that when they send messages, the recipient's device may not be secure. But it says it does not store any chat history and that messages are wiped off its system after delivery.

Yet security researchers and others point out that there may be vulnerabilities in the system used by some 450 million people globally.

Paul Jauregui at the security firm Praetorian said in a blog post Thursday that WhatsApp security and encryption are not ideal, citing vulnerabilities in the way it handles SSL, the secure socket layer protocol for communications.

The group's mobile security test "picked up on several SSL-related security issues affecting the confidentiality of WhatsApp user data that passes in transit to back-end servers," Jauregui said.

"This is the kind of stuff the NSA (National Security Agency) would love. It basically allows them -- or an attacker -- to man-in-the-middle the connection and then downgrade the encryption so they can break it and sniff the traffic. These security issues put WhatsApp user information and communications at risk."

Jauregui noted that Praetorian would need authorization from Facebook and WhatsApp to do a more thorough security evaluation.

He added that it would be "not very difficult" to patch the security flaws.

Serious Privacy Concerns

Meanwhile in Germany, the data commissioner in the state of Schleswig-Holstein, said in a statement this week the deal raises serious privacy concerns and that WhatsApp does not comply with European data protection rules.

The official, Thilo Weichert, said in a statement that people should opt out of WhatsApp for more "trusted services."

Last October, Dutch security researcher Thijs Alkemade posted a blog saying that the encryption can be circumvented, making it feasible "that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort."

WhatsApp did not respond to an AFP query on the security claims.

But some rival services say the Facebook-WhatsApp tie-up is likely to hurt confidence in the messaging app.

Nico Sell, co-founder of the security-focused app Wickr said it has seen "thousands more people than normal" downloading its app since Facebook's announcement.

"I think people will swap quickly out of WhatsApp now that it's part of Facebook," she told AFP.

Sell said Facebook's core business is monetizing data, while Wickr aims at protecting user anonymity and privacy, by using top-grade encryption and paying bounties to hackers who discover any security flaws.

'Tons of data vulnerable'

"They say they won't put ads on WhatsApp. But that doesn't mean they can't feed the beast with the data they are sitting on," she said. "There are tons of data that can be analyzed from conversations with your friends and family."

Sell said that in light of documents leaked about NSA surveillance in the past year, "people are becoming more aware of how easy it is to abuse your conversations and your data."

Serge Malenkovich at the security firm Kaspersky said however users should not panic over WhatsApp and Facebook.

"There are no new reasons to worry about messaging privacy," he said in a blog post.

"Honestly speaking, WhatsApp was never meant to be a true confidential messaging tool... confidential data shouldn't be sent unencrypted over standard communication channels, be it Facebook, WhatsApp or e-mail. Use dedicated security tools to protect your data from prying eyes."

But he said a bigger threat is scammers who send messages urging you to "confirm your WhatsApp account" or "opt out of Facebook ads inside WhatsApp."

"Those messages will definitely contain a malicious link and clicking on it may infect your device or lead you to a phishing page trying to steal personal data from you," Malenkovich said.

source: www.abs-cbnnews.com