Category: Blog

700,000 Potentially Malicious Apps Removed From Google Last Year

Google recently released their Play Store stats for 2017.  The results are both encouraging and disheartening.  Overall, Google caught and removed more than 700,000 malicious apps from the Play Store, minimizing their impact on the company’s massive Android user base.

That’s unquestionably good news, but it comes with a bit of a dark side.  That figure represents a staggering 70 percent increase in the number of apps removed compared with 2016 figures.  The hackers are not only relentless in their efforts, but they’re picking up the pace dramatically.

Last year, Google made a significant change, putting Play Store security under the umbrella of the Google Play Project.  This system is driven by “smart” detection software that automatically scans and provides alerts for any software that exhibits questionable behavior and gets better on its own thanks to Machine Learning protocols.

So far, that approach seems to be working pretty well.  It’s not without its flaws, of course.  Google found itself in the news a few times last year when some malicious apps managed to slip through their impressive detection mechanisms, and got downloaded by several thousand users.  Even so, it’s clear that the company is committed to the process and takes the security of its users very seriously.  Given today’s digital landscape, that’s important.  That means something.

As for Google’s plans for 2018:

More of the same.  Continued, incremental improvements in the Google Play Project, continued support for the Zero-Day initiative, and keeping a watchful eye on all things security-related.  The company is by no means perfect, but it’s nice to know that we’ve got such a large company out there, fighting back.

Of course, it still falls to each individual user to be careful what apps you install on your various devices.  No matter what Google does in the coming year, due diligence is still your last, best defense.

Fitness Trackers Could Be A National Security Risk

If ever there were two phrases that didn’t seem to go together, they would probably be “Fitness trackers” and “National Security Risk.”  The very idea that a simple fitness tracker could pose such a risk seems laughable on the surface, but this is no laughing matter.

Recently, a popular fitness tracking app called “Strava” published a heat map, which displayed the activity of its massive user base from around the world.  In all, the heat map contained more than a billion activities, tracking every jog, bike ride, walk, swim, downhill, and other activity that users opted to log.

Unfortunately, this app is a favorite of military personnel, and when the heat map was published, researchers made a disturbing discovery.  In logging their physical activity, military personnel gave away the locations of their (sometimes secret) bases.

Although the data was stripped of personally identifying markers before being loaded onto the map, other researchers have been able to de-anonymize the data, tying individual activity routes to specific people.

From a national security standpoint, this is disturbing on two levels.  First, of course, is the fact that the locations of supposedly top-secret bases could be discovered so easily, and by something as innocuous as a fitness app.

Second,  and every bit as disturbing, is the fact that since it has been demonstrated that the data can be de-anonymized. This means that enemies of any existing government  can accurately locate key personnel.  Armed with an activity map that establishes a “reliable pattern of life,” it can use that data to plan carefully orchestrated attacks against specific individuals.

Needless to say, the presence of apps that know so much about us and our precise whereabouts is going to require a total rethink by government agencies around the world.  One has to wonder, how many other unintentional side effects will we see in the months and years to come?

If your Point Of Sale Uses Oracle, Update Now

Oracle is currently the third-largest provider of POS (Point of Sale) software on the market today, which means that there’s a fairly good chance you’re using an Oracle POS system.  If you are, there’s trouble ahead.  A recently discovered security flaw could put your system at risk.

Oracle has already identified and patched the security flaw, but there’s a problem.  Since POS systems are deemed “mission critical” by most businesses, System Administrators rarely schedule maintenance for them on fears that an unstable patch or update could cause undue downtime for the company.  Because of that, it will likely be a month or more before the new update finds its way to all 300,000 of the at-risk systems.

As security flaws go, this one is fairly nasty, too, as it allows a hacker to collect configuration files from any vulnerable Micros POS system.  This data can then be used to grant the hacker full, unrestricted access to the POS system,  as well as the database and server it feeds information to.

Most hackers attacking a POS would be content with simply collecting credit card details for resale on the Dark Web However, with this exploit, any sort of malware could be installed to use against the company later.

Even worse, a hacker need not be in close proximity to the device in question.  A carefully crafted HTTP request could trigger the security flaw and open the door.  Of course, if a hacker is in close proximity to the system, then there are many easier ways to infect it.  One only needs to distract the sales clerk long enough to attach a simple Raspberry Pi board equipped to run the exploit code and the damage is done.

The bottom line is, if you use an Oracle POS, make installing the latest security patch a priority.  You’ll be vulnerable until you do.

Malware Makers Testing Vulnerability Of Meltdown And Spectre

Security researchers from around the web are reporting finding an increasing number of instances of proof of concept (PoC) code that incorporates the recently discovered Spectre and Meltdown vulnerabilities.

If you somehow missed those earlier reports, Spectre and Meltdown are a pair of critical security flaws recently discovered in literally every Intel chip set made over the last decade.  Exploiting these vulnerabilities would give a hacker root-level access to the impacted system.

Since the discovery, the chip giant has been scrambling to fix the issue. However, their first attempt to do so caused so many system problems for people who installed the patch that the company is now recommending that users avoid it until they can come up with a better solution.

Unfortunately, that leaves you between the proverbial rock and a hard place.  Installing the patch will protect you, but cause you to experience system reboots several times a day and seriously degraded performance.  Not installing it leaves you at the mercy of the hackers.

So far, at least, it appears that most of the proof of concept code found is the result of security researchers playing with the exploits.  This includes testing them, seeing how they work, and how to prevent them.  That said, the researchers point out that it’s all but certain that some of the PoC examples were created by teams of hackers who plan to use them in their next round of attacks.

To make matters worse, Mozilla has confirmed that the Spectre flaw can be executed remotely by inserting commands into Javascript.  Given that, plus the increased appearance of PoC code fragments, it seems it’s just a matter of time before we see the first ever Spectre-based hack.  The clock is ticking.

Microsoft is Adding Much Needed Feature To Windows Defender

Microsoft is getting tough on so-called “registry cleaners”, and it’s about time.  The company recently announced a planned change to Windows Defender (the anti-malware program that comes standard with every Windows installation).  The change will see to the deletion of an increasing number of these registry cleaners.  It’s a great move, and the company deserves credit for it, but there’s a catch.  This type of software has been around for decades. So the move, as welcome as it is, comes very late in the game.

It’s overwhelmingly likely that you’ve seen these programs in action.  They’re usually free downloads (though there are a few web based services too) that scan your system to find problems with your registry that the software claims are causing performance issues and slowing your machine down.

There are two major problems with this:  First, the software tends to be light on details, refusing to provide much information about exactly why the “problems” that have been identified are impacting system performance.  Worse, the software often incorrectly identifies critical system files and registry entries as being problematic. So of course, when they are deleted, they actually create many more problems than they solve.

Second, in order to actually fix the problems that have been identified, you’ve got to buy the premium version of the package.  The result is that you’re losing money, and the software often breaks your system.  Not a pretty picture.

This latest move by Microsoft builds on action they took back in 2016, when the company started penalizing the makers of such registry cleaners if their software didn’t provide adequate information. This missing information included why the problems they found needed to be fixed in the first place, and if they utilized a high pressure up-sell technique.

Ultimately, those moves proved to be insufficient, so Microsoft decided to take things to the next level.  Now, they’re simply going to start deleting these no- or low-value programs.  Late or not, that’s one less headache for you, and a very good thing.

Ransomware Affected Over 50 Percent Of Surveyed Companies

Sophos has released the results of their annual “State of Endpoint Security Today”, and it doesn’t paint a pretty picture. A full 54% of companies surveyed reported having been hit by a ransomware attack in 2017. Another 31% reported that they expect to be on the receiving end of such an attack in the near future.

If the headline statistic wasn’t bad enough, it only gets worse from there.  According to the data collected, the average cost of a ransomware attack (including network costs, manpower, downtime, and device replacement cost) was $133,000. Five percent of respondents reported total costs between $1.3 million and $6 million, before factoring in the cost of any ransom paid.

As bad as those figures are, what makes them even more painful is the frequency. On average, survey respondents report having been struck an average of twice in the past year.

Dan Schiappa, the Senior VP and General Manage of Products at Sophos explains: “Ransomware is not a lightning strike – it can happen again and again to the same organization.  We’re aware of cyber criminals unleashing four different ransomware families in half-hour increments to ensure at least one evades security and completes the attack.

If IT managers are unable to thoroughly clean ransomware and other threats from their systems after attacks, they could be vulnerable to reinfection.  No one can afford to be complacent.  Cybercriminals are deploying multiple attack methods to succeed, whether using a mix of ransomware in a single campaign, taking advantage of a remote access opportunity, infecting a server, or disabling security software.”

In light of this relentless attack methodology, and in spite of the headlines all last year warning of the dangers, Schiappa warns that most companies are starting 2018 woefully unprepared for a ransomware attack. With all that said if you haven’t done so already, it’s well past time to review the state of your network security.

Apple And Google No Longer World’s Top Brands

The latest Brand Finance Global 500 report out and contains some surprises this year.

In the battle of the Brands, two companies have long topped the list:  Apple and Google.  This year, there’s a new Sheriff in town.  Amazon blew past the top two claiming the top spot for itself.  It is now the most valuable brand in the world with an impressive $150.8 billion dollar value.

David Haigh, the CEO of Brand Finance had this to say about the upset in the rankings:

“Jeff Bezos once said that ‘brands are more important online than they are in the physical world.’  He has proved himself right by choosing the name Amazon, known as the largest, most powerful river in the world, as 23 years later the Amazon brand carries all before it as an unstoppable force.  The strength and value of the Amazon brand gives it stakeholder permission to extend relentlessly into new sectors and geographies.  All evidence suggests that the amazing Amazon brand is going to continue growing indefinitely and exponentially.”

The new number two, Apple, saw the value of its brand increase by a hefty 37% to $146.3 billion.  While impressive, the report stresses that Apple’s long-term prospects look bleak because the company has failed to diversify. It relies on its aging line of iPhones for more than a third of its total revenue, which hampers its opportunities for growth.

Third ranked, Google’s brand saw more modest growth in value (just 10 percent), and now stands at $120.9 billion.  Like Apple, the report stresses that although Google is a Titan in certain sectors (search, cloud, and Mobile OS), its relatively narrow focus has kept it from unleashing the full power of its brand in the same way Amazon has.

All hail the new King of the brands, Amazon!

Almost Half Of Top Ranking Websites Are Vulnerable

Menlo Security just released their third annual “State of the Web” report and it’s not pretty.  The headline finding is that 42% of the top 100,000 sites as ranked by Alexa are more dangerous than you think.

The report defines a risky site as one that meets one of three criteria:

  • The site, or one of its associated background sites (from which news articles or video is pulled), is running software with a known security vulnerability
  • The site has been used to launch attacks or distribute malware
  • The site has suffered a security breach in the past twelve months

This first point is key, and often overlooked by security professionals.  Any time your website is pulling content from another source, it creates an opening that a hacker could potentially exploit.  Worse, most security professionals lack the tools to properly monitor those connections.

As bad as that sounds, there’s an even worse detail lurking in the pages of the report, and that concerns emails.

Hackers are increasingly moving away from setting up their own domains.  Instead, they’re preferring to create a subdomain of a compromised, legitimate domain, which makes it harder to spot.  Amir Ben-Efraim, the CEO of Menlo Security, had this to say about the issue:

“It is far easier to set up a subdomain on a legitimate hosting service than use other alternatives – such as trying to hack a popular, well-defended site or to set up a brand-new domain and use it until it is blocked by web security firms.  Legitimate domains are often whitelisted by companies and other organizations out of a false sense of security, giving cover to phishing sites.

Also, hosting services typically allow customers to set up multiple subdomains.  For example, researchers found 15 phishing sites hosted on the world’s 10 most popular domains.”

The bottom line is:  The web and even the most popular sites on it, aren’t nearly as safe as you think.

Vulnerability Found In Popular Grammar Checker

On February 2, Tavis Ormandy, a researcher on Google’s Project Zero team discovered a critical flaw in the popular online grammar checking app, “Grammarly.”  Tens of millions of users make regular use of the app to improve the quality of their writing.  The bug allowed a hacker to steal a Grammarly user’s authentication token and use that token to log on and access every document they’ve run through the Grammarly system. This along with that user’s history, logs and other data. They were able to do it all using just four lines of JavaScript code.

The bug was found in both the Firefox and Chrome Grammarly extensions and was reported immediately.

While response time to such a report varies greatly, Grammarly set a new record for speed and efficiency.  The bug was reported on a Friday, and by Monday, it was patched.  If you use either the Chrome or the Firefox Grammarly extension, there’s nothing for you to do, as these should update automatically.

A spokesman for Grammarly had this to say about the matter:

“Grammarly resolved a security bug reported by Google’s Project Zero security researcher, Tavis Ormandy, within hours of its discovery.  At this time, Grammarly has no evidence that any user information was compromised by this issue.

We’re continuing to monitor actively for any unusual activity.  The security issue potentially affected text saved in the Grammarly Editor.  This bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the Grammarly browser extension.  The bug is fixed, and there is no action required by Grammarly users.”

Kudos to Tavis Ormandy for finding the bug, and a hearty round of applause to Grammarly for their speedy and deft handling of the issue.  Given the severity of the bug, it’s easy to see how such a discovery could have gone an entirely different direction. As it turns out, Grammarly set a new bar for excellence with their handling of the issue.

Some Smartwatches May Be Able To Diagnose Diabetes

That smartwatch you’re wearing might save your life.  Literally.

A new study conducted by the University of California San Francisco, and a healthcare startup called Cardiogram revealed that smartwatches and other wearables were able to detect diabetes in previously diagnosed patients an impressive 85 percent of the time.

The study monitored health statistics of more than 14,000 smartwatch wearers (both Android and Apple) over the course of several months.  All health data that was collected was fed into a deep neural network which compared the collected data to samples taken from people both with, and without diabetes.

Obviously, while 85 percent is good, it falls short of greatness.  Then again, the AI routine (dubbed “DeepHeart”) is still in its infancy and is all but certain to continue improving over time.

That’s important, given how many people in America have diabetes.  It is estimated that there are more than 100 million Americans who either have the disease or who are prediabetic, and many of these haven’t been diagnosed yet.

Given these results, and in a bid to further improve DeepHeart’s accuracy, the company plans to incorporate the AI into the next update of its app on both iOS and Android platforms.

All that to say, if you currently have and wear a smartwatch or other wearable, it may help you in ways you can’t even begin to imagine.  This is the bleeding edge of a segment of the market that is only just beginning to emerge.  At this point, it’s so new that it would be difficult even to say it’s in its infancy.  Although we can’t know for certain what new revelations and advances wearable technology will bring to the medical field, based on what we’ve seen so far, we can say there will be a bunch of them, and they’ll all be exciting.

If you’ve been considering getting one but haven’t yet, this is a pretty solid reason to do so.