Tuesday, August 26, 2014

When USBs Attack!

   Sometimes it seems that the more things change, the more they stay the same.  In information security, we've known for a long time that if someone can get physical access to your system, there's a chance they can get into your system.  Once an attacker has possession of your computer, laptop, tablet or smartphone, they can take their time and try multiple attacks.  We can take some preventative measures like encryption, but it needs to be implemented well.

   Of course, it's best to keep your portable devices in your possession!  But they do get lost or stolen.

   Unfortunately, there's more than one way for an attacker to physically get to your system.  If you've ever been to a conference, or a state fair, or just about any kind of gathering with give-aways, you've probably seen free USB sticks (also called thumb drives).  These supposedly have programs, games or advertising files.  And they usually do.  But they can also contain viruses or other malware.  To make matters worse, systems that accept USB drives have an auto-run feature meant to make (legitimately) running these files "easier".

Tuesday, August 5, 2014

When Androids Attack!

   All computers, devices and software have flaws.  In fact, there are so many it's hard to keep up.  In the past (not so long ago), we only had to worry about computers... and they were mostly big desktops.  Then came laptops, and with them the additional problems introduced when connecting to unknown and open networks.  And lately, we seem to spend plenty of time talking about flaws in smartphones and tablets.

   The latest in a long string of smartphone issues is the so-called "Fake ID" flaw affecting Android devices.  This attack exploits a vulnerability in the way an Android device checks the authenticity of an app.

   The issue is kind of similar to the controls around US credit cards.  When you sign a credit card receipt or sign at a terminal, the clerk or cashier might check that signature against the one on the card.  Even if the signatures match (and when does that happen???  I can barely duplicate my own signature! :-), that doesn't mean that you are the owner of the card, nor does it let anyone know if the card is fake or stolen.

   In a somewhat analogous way, apps are "signed".  The flaw allows Android phones to accept unverified apps.  This provides a potential opportunity to download fake or malicious apps.

   This issue should be patched on your phone by now.  But this is not the first time this kind of problem has emerged. And it won't be the last time!  This can be a serious issue.