Snapchat Spectacles: A Brewing Security Storm

Snapchat Spectacles have been making waves recently, and it’s not just due to their unique delivery system. With any innovative device there comes a series of questions and concerns from the purchasing community at large. Now, Snapchat Spectacles have turned the wearables model on its head and, while receiving praise for the product’s design and overall vision, the company is dealing with a number of potential security issues affecting consumers and unsuspecting passers-by.

Snapchat Spectacles work as follows: the glasses capture 10-second video that transfers wirelessly to your Snapchat account. Simple enough, but while early adopters across the country shoot and post their live action videos, many fail to realize that a major security issue is in play. When these videos are filmed and posted to the Snapchat account, Snapchat Spectacles capture metadata that includes location tracking and facial and voice recognition. Now it should be stated that the same privacy regulations for the Snapchat application apply to the Spectacles. However, using an application isn’t inherently the same as wearing a pair of video-taking glasses; sooner or later there will have to be additional and different security measures. Until that happens, a lot of protected user data could be at risk.

Now this isn’t the industry’s first foray into “wearables” – an easy comparison can be made between Snapchat Spectacles and now-defunct Google Glass. In theory, the idea was simple – a pair of glasses that could capture images and video, while allowing the user to view media on the glass themselves. While they were meant to revolutionize, they fell flat in a big way. One significant difference in their model is that Snapchat has an audience willing to be early adopters – in the US alone around 41% of 18-34 year olds use Snapchat. Another is the price point – while Google Glass stood at a whopping $1,500, Snapchat Spectacles are marked at a much more reasonable $130.

Snapchat Spectacles are very much in their infancy but already are posing a number of pressing security questions for the company and users alike. Until those questions are answered, understanding the security implications that come along with new and innovative products is a major step toward cyber security awareness on a user and business level.

Android Encounters Linux Bug Infestation

Here’s one for the Android users – a new vulnerability has been found that could affect about 1.4 Billion of total Android users worldwide, amounting to nearly 80% of all Android devices. The bug was found starting in Linux version 3.6, so it makes sense that so many devices were affected. This Linux bug is able to launch a phishing attack through the operating system; if you use unencrypted wireless, your device could be the next target.

Here’s how it works: attackers are able to target a vulnerability in the Linux operating system that is within a kernel. A kernel is the central part of the operating system (obviously a big deal) and manages the tasks of the computer and hardware, specifically memory and CPU time. But before this Linux bug gets into the nitty gritty of the operating system, an attacker needs to determine whether two parties are linked – an example would be the Android user in question and any major corporation. From there, the Linux bug can successfully inject malicious content if the user has an unencrypted connection. By terminating the unencrypted internet connection, the attacker sends a prompt to log back into the site they were visiting (meaning they would have to understand the user’s browsing habits). The information is keyed into the fake login page provided by the attacker, who in turn receives that data. Initial findings show that it would be extremely time consuming to exploit this vulnerability for a large group of people, instead making it much easier to target a particular person once you know a few minor facts about their online activity.

In a statement provided to Ars, Google advised that they are aware of the issue and are taking “appropriate actions,” but were quick to point out that it is a bug in the Linux kernel, and is not Android specific. They further advised that on their overall risk-tracking this issue rates “moderate.” Bottom line: be aware of the latest threats to your cyber safety, and learn how your organization can benefit from outside experts like Neovera. With 24×7 managed and monitored support for your vital data and infrastructure, rest assured that vulnerabilities like the one described above are taken care of with utmost precision.

How Will the US Govern Autonomous Vehicles?

Autonomous vehicles are trending toward becoming more of a general commodity – with Uber testing autonomous vehicles in Pittsburgh, Google continuing to deploy its faction near the California home campus, and multiple automobile companies investing in the technology for future mass production, now comes the time that the government steps in to regulate and hopefully continue to keep the roads as safe as possible. With the US Department of Transportation having just issued its own set of rules of the road for autonomous vehicles, a number of different topics must be considered when it comes to the technology used – namely, cyber security and big data.

Data collection is a major point to consider – not only will the government need to record all accidents that occur, but any malfunctions, upgrades, or general tweaks that need to occur must be logged by the manufacturer and available in accordance with their security and privacy guidelines as it relates to the company and owner of the vehicle. Furthermore, these vehicles may be able to take the data logged and continue to learn as they drive. With artificial intelligence coming further into the limelight, these vehicles should be able to, say, avoid a situation if it occurs multiple times.

Another is cyber security, something that has been a point of contention from the time that wireless came equipped in mass produced vehicles. Having covered this in past pieces on the Neovera blog, it’s safe to say that cyber security on autonomous vehicles is an entirely different animal to consider. An immediate thought is that, hypothetically, there wouldn’t be a “human override” in the car at some points, or even at all. Not only could a significant cyber attack harm the vehicle and anything its carrying, but it could even cause significant damage to whatever is around it. The Department of Transportation suggests that information be shared amongst automobile companies, and each vehicle with wireless capabilities should have robust, full-fledged mobile cyber security protection.

To be clear, everything that the US Department of Transportation released are all guidelines – they aren’t laws by any means, as those will most likely come much later. But given the grand scope of autonomous vehicles in the market already, and how this industry could continue to grow, more significant legislation is hopefully on the horizon. In the short-term, however, the argument is continually made for vehicles with wireless capabilities to have a solid cyber security protection protocol in place. When purchasing a vehicle, confirm that cyber security protection is available and working – if not, you are putting yourself, as the driver, and your passengers at risk each time you get behind the wheel.

 

Phony App Stores Put Mobile Device Security at Risk

Bogus online app stores have begun to lure unsuspecting users to download fake applications, putting their security at risk. Once solely reliant on Android users, these third party app stores have shifted onto iOS and given countless iPhone users quite the headache. This particular trend isn’t directly targeting any one particular gaming or social community, meaning that all mobile users should be well aware of what they are downloading, and from where.

The reason that these fake online storefronts haven’t tapped into iOS until recently is due to Apple’s Developer Enterprise Program (DEP) – created to assist companies in building and distributing proprietary applications internally to their employees, third party stores use it to create fake store applications. Potential customers come to these online stores, download what they assume is the latest version of Pokemon GO, Facebook, or Twitter, while adware in the store itself is busy sifting through your mobile device and network. While the user continues to interact with the application, hackers get paid because they are able to access the user’s information and send super targeted ads within the application.

It should be noted that Apple polices its online app store and the DEP to a fault – however, the reason hackers were able to finally use iOS is because each company is granted a certificate in exchange for their $299 payment. Since there isn’t a limit, a hacker could easily create multiple fake accounts and make it that much harder for Apple to track which are legitimate – essentially, it is a game of cyber whack-a-mole and Apple is losing.

Here are the takeaways – make sure you are going directly to verified online app stores and be aware of the applications themselves. Repackaged applications are a common problem online, and luckily these only send advertisements to users; the alternatives vary and could be much more threatening. Keeping yourself up-to-date on the latest trends in cyber security and tips on how you can stay vigilant when online is imperative, whether you are at home or in the office. And, most importantly, blind faith in any third party vendors, app stores or otherwise, is putting your vulnerable data at risk if you or your company doesn’t have proper cyber security protocols in place.

iPhone Spyware Terrorizes Users

When it comes to spyware on mobile devices, Apple products aren’t first on the list by any means – if anything, they’re known for being practically impenetrable in comparison to their competing counterparts. In this most recent incidence of malicious cyber attacks, the NSO Group has bucked tradition and shown that even those that seem to be the strongest can be taken down a peg or two.

The NSO Group recently found a way to exploit certain security holes found in the iPhone’s iOS. It should also be noted that NSO Group deals with assisting government’s in spying on their country’s citizens. The attack starts through a spear phishing campaign, and NSO Group created almost identical pages to high-traffic websites like BBC and then filled the mock websites with malicious code to track the user without their knowledge. One user in particular received an email with a link that, had he clicked it, would have remotely cracked his iPhone through zero day exploits and installed spyware. It’s an invasive move called “Trident”, and can be used to view and hear everything from text messages to phone conversations and more.

This most recent report of spyware poses a number of reminders and lessons learned for consumers and businesses alike. One, security updates are key. It’s that simple. Updates are made available to enhance the user experience while simultaneously patching security inconsistencies that may have been recognized after the application went live. Second, even the most “impenetrable” products are vulnerable. It’s been proven with those connected to the IoT and those that are not; making a blanket assumption that a particular product is so safe it cannot be infiltrated makes the user a prime target for a cyber attack.

So, this is the solution: short term, update all your devices, iOS or otherwise. Long term, keep cyber security protection at top of mind. Zero day exploits are lethal because no one knows about them except for the attackers. Consulting a monitoring and management firm on your cyber security standing and whether your organization can improve will put you leaps and bounds beyond the competition, and increase your client’s trust in your company.

The Dark Side of End-to-End Encryption

As the battle rages between Apple and the FBI in the media and courts, more applications and programs are coming to light that use end-to-end encryption. From popular messaging programs and applications to email servers and beyond, authorities from around the world are running into walls when it comes to actually seeing what is messaged between the parties they are investigating. So is end-to-end encryption truly a complete barrier to those hoping to infiltrate messages sent that threaten our security? Does the necessity of having access to these private messaging options outweigh what authorities see as a potential threat to communities spanning the globe? And what are the next steps in this journey toward total encryption?

Demanding backdoor entry exceptions from various companies due to security concerns poses a huge threat to the future of technology security. End-to-end encryption, also known as “going dark” when these messaging apps are used to escape detection, isn’t as ironclad as initially thought. A team of researchers at Johns Hopkins University were able to not only intercept these encrypted messages but decrypt them as well. This team created software that posed as an Apple server, then intercepted an encrypted message sent from a phone running outdated software. Finally, they began repeatedly guessing a 64-character decryption key corresponding to an encrypted photo on Apple’s iCloud servers. Once they found the correct key, they could download the photo from Apple’s server and view it. So, while even Apple cannot view the iMessages sent (unless they are backed up by the user on iCloud), these researchers were able to intercept and decode a variety of text and photo messages, demolishing the assumed end-to-end encryption barrier.

As mentioned previously, end-to-end encryption works as such: the people communicating are the only ones privy to the messages. Most importantly, no one – ISPs, telecom providers, or the company running the messaging service – can get access to what is being sent. Obviously for the user it ensures the utmost level of privacy from potential prying eyes. The counter argument that security and government officials pose is they need that data so a full spectrum of security and safety can be obtained. However, the cost for doing so is quite steep – as one recent publication points out, there is already so much publicly available data to these parties. The issue resides in being able to quickly disseminate what is being collected and analyzing it in a coherent and timely fashion; this obviously has not happened yet. By creating a system to do so, however, could change the approach toward these so-called secretive messaging applications.

End-to-end encryption is extremely helpful but can also be used by those with ulterior motives. Though there are not any finite answers just yet, continuous education about security policies and compliance standards is key for any employee at any company, and will continue to morph and evolve as these types of events come to light.

Hacks on Third Party Applications Pose Hazard to Long-Haul Vehicles

Previous posts have addressed the security issues surrounding vehicles, third party applications and IoT – specifically, what barriers are in place to stop hackers from not only stealing data from your car, or even taking complete control over your vehicle and put you and your passengers in harm’s way? Newer vehicles are coming direct from factories with all the bells and whistles drivers need to stay constantly connected. Essentially morphing into driving hotspots through third party applications, plenty of white hat hackers have proven that these tools are not secure and automakers need to take immediate control of the situation. Now it is starting to become a very real issue facing truck drivers and emergency vehicle personnel; somehow a large 18-wheeler barreling down the highway seems slightly more intimidating than a Prius…

Sarcasm aside, Wired Magazine broke the story after hearing about the data collected by Spanish security researcher and EyeOS CTO Jose Carlos Norte.  By scanning for third party applications called “telematics gateway units” or TGUs (small radio-enabled devices that track location, gas mileage and other data) on long-haul vehicles and narrowing down to those that aren’t password protected, Norte could have easily interfered with everything from the steering to speed controls. Thinking about it in smaller terms, imagine the vehicles that come equipped with autonomous parking capabilities – or, taking it a step further, Google’s self-driving car. Now, imagine if a hacker was able to break into that vehicle’s system. How is the driver and their data protected?

Unfortunately automakers are balking when it comes to taking the blame for this security inconsistency with regard to third-party applications installed in their vehicles. At this year’s RSA Conference, studies were released that showcased a resounding sentiment from those polled – though a separate company may have created the third-party applications installed in cars across the country and around the world, the carmakers should be held accountable if a breach were to occur. Another troubling tidbit? Surveyed carmakers, including Fiat-Chrysler, estimated that it would take 1 – 3 years for their technology to catch up with the growing cyber security protection demand for their vehicles. Consider this a major case of the automobile manufacturer’s wanting to run before they’ve even learned to walk.

Currently there are a lot of third party applications on the market, and more will be released without much thought to the cyber security issues at hand. For example, Zubie is an external piece of hardware that, when attached to your car, can store your car’s diagnostic data. Not a huge deal, but it’s taken a step further – this same device can turn your car into a rolling hotspot provided you’ve signed up with an LTE carrier. One day they even hope to be able to send your car’s information to the repair shop of your choice so they can alert you about necessary testing before you’re even aware it needs to happen! Helpful? Sure. Unsettling that nothing is mentioned about their cyber security measures to protect this data? Absolutely.

What can be done? Until carmakers and third party application developers are able to work together on cohesive cyber security tactics for their vehicles, it is very much an unknown. While being diligent about what data goes over both secured and unsecured connections is always a must, consumers may be holding their breath until the other shoe drops in this cyber security situation.

Online Banking: How Safe Are Your Hard-Earned Dollars?

Online banking, or simply transferring money from one online entity to another – whether through an application or website, on your mobile device or desktop computer – has become the norm. Don’t have time to go to the bank to deposit a paper check? Not a problem! Most online banking apps allow you to deposit them digitally by taking a photo. As banking becomes digital, cyber security concerns eventually come to the forefront of the discussion.

TechCrunch posted an article about a new disruptor in the online banking world – Checkbook is the creation of PJ Gupta, the former chief architect behind Visa’s network, and allows users to send a certain number of digital checks for free via email. Those that benefit the most are companies – individuals just have to deal with paying for postage and envelopes when sending a check via snail mail. Businesses deal with this overhead cost plus the amount it takes to issue the check through their brick and mortar bank (the price range is anywhere from $7 – $16). And with over 19 Billion checks sent in 2013 alone, that’s a lot of paper, time and money being spent. Checkbook cuts out the miscellaneous costs and allows businesses to send their digital checks directly to the inbox of their choosing. But what happens if it gets caught in the Spam folder? Will they get their money back if it is somehow intercepted by those with malicious intent? Sure, Checkbook may just be a startup but it’s also a startup that is asking users to trust them with their company’s money, or individual funds.

Unfortunately, hackers can get into websites and steal money and data connected to funds, with the IRS being a prime example. While it is wishful thinking that the IRS wouldn’t be the topic of conversation again this time of year, it’s sad to say that not much has changed. Reported on Twitter and by various other sources, the IRS announced that hackers were able to infiltrate their systems once again this January. The target? E-file personal identification numbers which are sometimes used to submit tax returns electronically by individuals. Over 464,000 SSNs were utilized to gain approximately 101,000 E-file PIN numbers; granted those SSNs were stolen in a previous sting but who’s counting. While this attack didn’t allow hackers to steal money directly from users, it did something much worse in giving away the very information that is needed to function in this 21st century society.

Both of these organizations have one thing in common – you can protect your identity and funds on top of the protection they afford to you as a user.

  • Assess the cyber security of all your devices – what firewalls do you have in place? Is a VPN available to use while you’re on the Internet?
  • Set account notifications for any online banking so you are alerted to any distinguishing or unusual activity.
  • Be wary of notifications and messages that look even slightly suspicious; check the return address or contact the provider in question to confirm their identity.

At the end of the day attacks will happen, but with hot, new applications coming up every day that promise to make a business’s life easier, or the now almost yearly threat of an attack on your IRS return, it’s good to make sure that your information is guarded as much as possible in order to protect your funds.

Uber Set to Pay for Recent Data Breach

It hasn’t been a great start to the new year for taxi and private car service, Uber. On New Year’s Day the company took heat over the ‘surge charges’ it imposed on New Year’s Eve – increased pricing during times of high demand on the service. Many users described encounters where they were told one price at pick up yet charged another at drop off, sometimes amounting to a several hundred dollars difference for relatively short trips.

Right when the fervor from the New Years debacle dies down Uber finds itself in the news once again; this time for a much more serious reason – a data breach and a lack of urgency in notifying anyone about it.

In 2014 Uber was the subject of a data breach that affected a number of its drivers’ names and license numbers. Uber reportedly discovered this data breach as early as September of 2014, yet didn’t notify the drivers or the New York Attorney General Eric Schneiderman’s office until February of 2015.

This week Uber agreed to a fine of $20,000 for its inability to quickly notify the people affected by the breach and the AG’s office. The investigation also looked into the misuse of the “God View” by Uber executives, allowing them to track a particular user’s or driver’s rides and locations. An inquiry by Schneiderman in 2014 spurred this initial investigation, in particular relating to the company’s handling of customer information such as names, payment information, emails, and phone numbers.

Lawmakers, including Senator Al Franken, have begun to question Uber’s privacy practices and policies as well as to determine why Uber executives would have access to such information and why they would need to use it.

This, of course, brings up several issues when it comes to personal privacy of those who use services like Uber which not only store personal information, but can track an individual’s location fairly easily.

Privacy is a major concern as almost every major app and social service uses a location-based system to track their users. Of course, this information is provided willingly and these same users are often given the option to not have their location tracked – in Uber’s case, it would be virtually impossible.

Not a lot of personal choice involved there; I guess the only surefire way to ensure your privacy is to not use the app at all.

Hmm, hail a cab on the street and pay cash? What a novel idea.

Outdated Web Browser Presents Big Security Concerns

Browsing the Internet is pretty simple these days. Pretty much every computer in almost every place has an Internet connection, and for the average user all it takes to access web pages and other content is a web browser.

Some of the most common web browsers are, of course, Internet Exlorer, Safari, Mozilla Firefox, Opera, and the most popular of all – Google’s Chrome.

Since 2008-09 there has been a major shift in browser usage. Internet Explorer used to be the king of the hill when it came to web browsing. In 2009 IE garnered about a 70% share of users for their browser, with Firefox having just under 30%, and all the others muddled within a 1% share. However, as security has become the major concern for Internet users and businesses their web browser of choice has drastically changed.

Today, Google Chrome takes the cake when it comes to web browsing. Chrome has a nearly 70% share of users while Firefox has about 20%, and IE, Safar, and Opera share the remainder.

One of the main reasons Chrome is so popular today is its inherent security. Of course, there are several other benefits including consistent updates, add-ons, and speed. However, security is the most pressing issue of our time, and users are beginning to choose their web browsers accordingly.

Internet Explorer was the browser of choice for a long time. Well, perhaps not by choice, really, so much as that most people used Windows based computers in their homes and offices, all of which came equipped with Internet Explorer. So, unless you made the decision to download another web browser IE was really all you had.

IE has seen many different versions over the years, and we’ve now surpassed version 11, which Microsoft is ceasing support for.

Ceasing support for old web browsers brings up concerns when it comes to security.

Older web browsers no longer get updated, which means there are no security patches or fixes along with support to prevent certain forms of malware.

However, some people need to use older browser versions because certain website or web apps don’t work on newer browser versions. Rather than re-write the entire code base for an app, most of those companies prefer to just let people use older versions of browsers.

This leads to an interesting conundrum. While most of us want to be safe online and actually do care about what security measures we’re taking, some of us don’t have a choice in the matter.

It happens most often in the workplace, where an employee may need access to another company’s platform but must use an older browser version that is no longer supported by the developer. Of course, this presents security concerns throughout the organization.

So, what recourses do we have? In reality, not many. We can do out part by keeping our web browser updated. Browsers like Firefox and Chrome do this automatically, so it’s nearly impossible to be using an old version. Consequently, some websites don’t support newer browsers due to outdated code. In order to view the site, an older browser must be used.

So we find ourselves in between a rock and a bit of a hard place. We want to be secure, but sometimes we can’t be. It’s not our fault most of the time, but in the end, we’re putting ourselves and our companies at risk by using old, unsupported web browsers.

Can we find our way into a standard practice? Will websites and apps universally support all browsers? Who knows if or when that time will come. What we do know is something needs to happen and happen quickly before we find ourselves in the web browser black hole that we can’t get out of.