Topic: Security
New exploit turns Samsung Galaxy phones into remote bugging devices – Ars Technica (Jan 25, 2017)
This is another one of those occasions where Android’s relatively open and complex structure allows for malware which couldn’t exist on iOS. In this particular case, it’s the layering of third party software (a customized version of the SwiftKey keyboard) on top of a customization of the UI and services (by Samsung) on top of the Android base layer. To be fair, this attack isn’t nearly as broad a threat as malware distributed through the Google Play Store – it requires a man in the middle attack and is therefore mostly a risk to those who might be deliberately targeted by hackers – but it’s still not good news, especially given the wide distribution of the devices in question. The complex route security patches have to take in the Android world is another element that will hamper the resolution of this issue.
via Ars Technica
Microsoft victory in overseas email seizure case is upheld – Reuters (Jan 24, 2017)
This was one of those rare cases where many of the big tech companies banded together to support one of their number on an issue of concern to all of them. The case concerns data held by Microsoft in a data center in Ireland but requested by US authorities investigating a crime (there’s a good summary of the case here). Microsoft and its pals have argued that this data should not be subject to US law enforcement requests because it resides outside the US, even though Microsoft is a US-headquartered company. Were the government’s argument to be upheld, data held anywhere by a US-based company could be obtained by the authorities in the US, regardless of whether the user has any ties to the US, which could dramatically impact tech companies’ ability to operate in overseas jurisdictions. That’s precisely why Microsoft has had the support of Apple, Amazon, and others, because the effects of upholding the government’s arguments here would be significant. This is a victory not just for Microsoft but the sector as a whole, and I would hope that the Supreme Court either refuses to hear the case or upholds the current verdict.
via Reuters
Virulent Android malware returns, gets >2 million downloads on Google Play | Ars Technica (Jan 23, 2017)
Malware continues to be one of those things that essentially only affects Android in the smartphone world – iOS is for all intents and purposes immune to it because of the strong review process that all apps go through and because apps are sandboxed within the OS. The biggest single downside of Android’s relative openness is this vulnerability to malware, and that’s especially worrisome when the malware is distributed through the official Google Play Store. The numbers here are small in the grand scheme of the Android installed base of well over a billion users, but if you’re one of those two million, that doesn’t matter.
via Virulent Android malware returns, gets >2 million downloads on Google Play | Ars Technica
Yahoo reportedly under investigation by SEC over data breaches | VentureBeat (Jan 23, 2017)
The only Yahoo stories I’ve covered here on Tech Narratives so far are those concerning the breaches and subsequent fallout, which is a great indicator of Yahoo’s current state – the only news it’s capable of making is negative, with no meaningful new features or products produced in recent months, while the damage from the breaches continues to reverberate, with a formal SEC investigation just the latest step. Verizon seems to be leaning towards completing its acquisition despite all this, but at the very least should secure a significant discount in the price it will pay as a result of all this. Though the user fallout will be far less severe than the negative press coverage, Verizon will still have to deal with all the ongoing ripple effects of the breaches, and that’s worth a significant cut in the acquisition price.
via Yahoo reportedly under investigation by SEC over data breaches | VentureBeat (full coverage on Techmeme)
Hacker Steals 900 GB of Cellebrite Data – Motherboard (Jan 12, 2017)
Cellebrite was in the news about nine months ago because Bloomberg reported it was the security firm the FBI used to hack the San Bernardino shooter’s iPhone after Apple refused to help, though the Washington Post contradicted those reports. Whether or not its technology was used in that particular case, that’s exactly the sort of work Cellebrite regularly does for US and other government agencies, and it appears that it has itself now been hacked. It’s not clear that the hack goes beyond some user data, though there’s a vague reference to technical data in the article, but this sort of thing reinforces the sense that no hacks of encryption or other security technologies, even for apparently noble reasons, can ever be deemed 100% safe from being hacked themselves. That, of course, was one of several arguments Apple made in the FBI case.
via Hacker Steals 900 GB of Cellebrite Data | Motherboard
Apple’s CareKit apps get enhanced security option – Mashable (Jan 11, 2017)
From the beginning, Apple has been extremely careful with its HealthKit developer tools, making some really granular choices about how data is shared (my favorite example is that developers can’t even query whether or not there is insulin data, because its presence would suggest diabetes). Now, CareKit is getting end-to-end encryption for better HIPAA compliance, through a partnership between Apple and a third party (here’s the official Apple announcement). We’re going to see lots more partnership work by Apple to solve some of the thornier problems relating to both HIPAA and FDA compliance as it gets deeper into healthcare.
via Apple’s CareKit apps get enhanced security option – Mashable
FTC takes D-Link to court citing lax product security, privacy perils | Network World (Jan 5, 2017)
This is yet another story about IoT security, and the many vulnerabilities that exist in a variety of connected devices in the home. The difference this time around is that this isn’t some low-cost Chinese vendor, but D-Link – one of the larger router manufacturers – and the FTC claims its gear suffers from some of the same basic flaws that enabled the Mirai botnet attack a while back. We could still see far worse attacks taking advantage of these vulnerabilities, and with the growth of home automation gear there will be even more attack vectors. All this makes it even more important that those selling connected gear for the home bake in really serious security protections and educate users on the risks.
via FTC takes D-Link to court citing lax product security, privacy perils | Network World
Plenty of users sticking with Yahoo despite data breaches – San Francisco Chronicle (Jan 2, 2017)
As per a previous piece I linked to, despite all the attention the various Yahoo breaches have received in the press, they’ll likely have little impact on usage, which makes it likely Verizon will go ahead with the acquisition, though it may use the breaches as leverage to lower the price. The key point is that users have short memories, and the very people still using Yahoo (largely out of apathy in a world with better alternatives) are least likely to jump ship, which obviously helps.
via Plenty of users sticking with Yahoo despite data breaches – San Francisco Chronicle
The Verge 2016 tech report card: Apple – The Verge (Dec 29, 2016)
I’ve seen lots of this sort of thing as we approach the end of the year – quite a number of Apple observers seem to see 2016 as an off year for the company. And yet so much depends on how you view key innovations – yes, the Watch changed relatively little, but those features will please runners, swimmers and wheelchair users, and the price drops that accompanied them created new markets. The same can be said for many of the other changes. Apple news continues to be something of a Rorschach test for observers.
via The Verge 2016 tech report card: Apple – The Verge
Yahoo’s Data Breaches Unlikely to Derail Verizon Deal – Bloomberg (Dec 27, 2016)
This is an interesting take on the repeated Yahoo breaches and the implications, and it goes along with my gut sense that people have very short memories when it comes to security and privacy breaches. There’s lots of outrage in the short term, but it blows over very quickly, as any Google Trends search relating to a major breach will tell you. The hits keep coming with Yahoo, but ultimately I expect Verizon’s acquisition will still go through.
via Yahoo’s Data Breaches Unlikely to Derail Verizon Deal – Bloomberg
Hackers can remotely steal fingerprints from Android phones | ZDNet (Aug 5, 2015)
This sort of thing is exactly why Apple makes such a big deal about the secure enclave on iPhones (and the new MacBook Pro) – fingerprint security is only as secure as the encryption and protection for the sensor data on the device. The biggest issue for Android vendors here is that this isn’t really the kind of vulnerability that can easily be patched after the fact.
via Hackers can remotely steal fingerprints from Android phones | ZDNet