Tuesday, July 28, 2015

CNET - 7-27, 15 - Most Android phones at risk from simple text hack, researcher says

Last year, more than 1 billion Android devices shipped around the globe. Security firm Zimperium says this vulnerability could affect 95 percent of them.
 
A security research company claims to have found a vulnerability baked into Android that could endanger nearly all devices running the popular mobile software.
The flaw, says researcher Zimperium, exists in the media playback tool built into Android, called Stagefright. Malicious hackers could take advantage of it by sending to an Android device a simple text message that, once received by the smartphone, would give them complete control over the handset and allow them to steal anything on it, such as credit card numbers or personal information.
So far, Zimperium told National Public Radio, the flaw has not been exploited, but in a blog post on its own website, it said that 95 percent of Android devices worldwide are vulnerable.

And that is potentially a lot of phones. In 2014, over 1 billion Android devices shipped worldwide, according to researcher Strategy Analytics, which expects the number to rise in 2015 and beyond. Zimperium called Stagefright the "mother of all Android vulnerabilities."
Google's Android software has been highly susceptible to security flaws for years, in part because of the open design that makes it popular as an alternative to Apple's iOS, the software that underlies the iPhone and iPad. In the first quarter, 99 percent of mobile malware targeted Android devices, according to security firm F-Secure.

And fixes to Android can take time to get to people's smartphones as those updates ripple through various phone makers and wireless service providers.
Zimperium said it discovered the issue in April and promptly informed Google.
A Google spokeswoman said that those intermediaries are armed with the patches they need to safeguard devices, though she did not offer specifics on which were ready to push those changes through, or when that might happen.

"The security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device," the Google spokeswoman said. "Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device."

How the vulnerability gets exploited

The malware that would exploit the Android vulnerability hides inside a short video sent to a person's phone number, according to NPR, which reported on the bug Monday. As soon as the malicious text is received, features built into Stagefright to reduce lag time for viewing videos process the video to prepare it for viewing. That processing apparently is enough for bad guys to get their hooks into the platform and take control.

Exactly when the device might be exploited depends on the messaging platform a person employs. Those using the standard Messenger app built into Android would need to open the text message (but not necessarily watch the video) to fall victim to the trap. Those who are running Google's Hangouts app to handle text messaging, however, need not even open the application, according to Zimperium. As soon as Hangouts receives the text, it processes the video and the hacker is in. (The Google's Play app marketplace says Hangouts has been downloaded between 1 billion and 5 billion times.)
To compound the threat to Android devices, Google is largely powerless when it comes to actually getting patches to users. Phone makers including Samsung, LG and Huawei, as well as wireless carriers, all have control over how updates are sent to products.
Once Android is bundled into a product, it's typically been modified by those third parties. When security updates are required, Google can only send out a patch and after that, it's up to the phone maker or carrier to push those updates to phones.

Acknowledging that Android has become a destination for malware, Google in June announced a rewards program that pays researchers cash for finding bugs and holes that may be exploited in the operating system. Google has offered similar rewards programs to researchers for years with great effect. The company has doled out rewards to researchers who find flaws or security vulnerabilities in its Chrome browser and other software. In 2013, one security expert going by the name Pinkie Pie earned $50,000 for finding a particularly nasty bug in Chrome. Last year alone, Google paid out over $1.5 million to security researchers finding flaws in Chrome and other Google products. In total, the company has paid out $4 million since its bug bounties started in 2010.
Zimperium, which sent a patch to Google that the Android maker has accepted, told NPR that he estimates only 20 percent to 50 percent of Android devices currently in the wild will actually get the updates due to vendors  being slow to react -- if they react at all.

While Zimperium says the risks are high for Stagefright to be exploited, and it's possible that malicious hackers will soon take advantage of the flaw, Android device owners have been dodging at least some malware. In April, Google issued a report claiming that malware installs on Android devices fell by 50 percent in 2014. By the end of the year, Google said that fewer than 1 percent of all Android devices had "potentially harmful applications" installed on them.

According to Zimperium's blog, it will show exactly how Stagefright works and can be exploited at the Black Hat hacker conference in Las Vegas, which starts August 1.
Zimperium did not immediately respond to a request for comment.                                                                                                           
 
 

Tuesday, July 21, 2015

FTC: Dept. of Justice, 1st arrests of six Nigerian nationals from Sth. Africa for Internet Fraud acts in America

It’s A Criminal - 1st Arrests Dept. of Justice, Arrests made for Internet Scams and Fraud


You hear from us fairly often about imposter scams. In recent months, we’ve told you about IRS imposters, romance scams, and work-at-home scams. We always give you tips on how to spot and avoid these scams. We tell you about the cases we’ve brought to shut down the scammers. But, as a civil law enforcement agency, we don’t often get to tell you about the criminal charges brought against the scammers. Until today.

The Department of Justice (DOJ) recently announced the extradition of six Nigerian nationals from South Africa to Mississippi to face a nine-count federal indictment for various Internet frauds. These six people join 15 others who were previously charged with, among other things, conspiracy to commit mail fraud, wire fraud, bank fraud, identity theft, and money laundering.

What were the scams? According to the indictment, the defendants found and reached out to their potential victims through online dating websites and work-at-home opportunities. In some cases, they carried on so-called romantic relationships with their targets, trying to get their victims to do things like re-ship merchandise purchased with stolen credit cards, deposit counterfeit checks, and send money to the defendants – whether via wiring money or sending prepaid debit cards.

Here’s where you come in. If you know someone who lost money or information to romance, reshipping, fake check, or work-at-home scammers, please tell them to visit DOJ’s announcement. Why? Because there’s a list of aliases and email addresses that the defendants allegedly used in carrying out these scams. If you recognize a name or email address, you could help in the investigation of these crimes.

It’s not every day you get to help lock up alleged bad guys. Unless, of course, you work at the Department of Justice, the US Postal Inspection Service, or Homeland Security Investigations – all of which had a hand in this case. Please check out the list and see if you might have information to share with the investigators.

* Click on the link below for the Dept. of Justice announcement on the arrests of six Nigerians for scams and fraud. The names and email addresses used are listed.

Department of Justice

Monday, July 6, 2015

Michigan Cyber Security Initiative Newsletter , July 2015

Michigan Cyber Initiative News offers updates on Governor Rick Snyder’s cyber initiative as well as knowledge and awareness on cybersecurity issues. This monthly newsletter is produced by the Michigan Department of Technology, Management and Budget , Office of Cybersecurity.
Click on the link below for the current issue.


MI Cyber Security Newsletter for July 2015