Update: WiFi Security Issue That Could Impact Most Routers, Smartphones

Recently, we wrote an urgent article about a serious security flaw in the current WiFi standard that could impact almost every wireless router and smartphone on the planet.

Dubbed the “Krack Attack,” this flaw allows a hacker to make a carbon copy of your WPA2-encrypted network, spoof its MAC address, change the WiFi channel and reroute all network traffic through the clone that they control.

This, of course, allows them to spy on all network traffic and execute a wide range of “man in the middle” attacks against any traffic passing through, which opens the door to tremendous damage.

Microsoft has been quick to respond to the latest threat and has already released a patch which addresses the issue for Windows-based PCs. If you’re running Windows 8 and above and automatically getting security updates, then you should already have the patch, and you are protected.

That’s good news, given how large a footprint Windows has, but sadly, it does not completely solve the problem.

That’s because Android and Linux-based systems are even more at risk. In those cases, a second flaw makes the problem worse. They do not demand a unique encryption key, which makes it easier, by far, for hackers deploying the Krack Attack to abuse devices running those operating systems.

There’s been no word on an ETA for a Linux fix, but Google has announced that an update planned for release on November 6 will resolve the issue on that front. For Apple’s part, the company reports that the flaw has been addressed in beta versions of MacOS, iOS, tvOS, and watchOS. They are anticipating rolling out live versions of these fixes later this month, although a specific release date has not been announced at this point.

All that to say, regardless of which platform you’re using, hang tight. Help is on the way, and kudos to Microsoft for being the first tech giant out the gate with a solution.

Google Has Announced Earbuds That Translate Language In Real Time

Google Labs has produced some amazing ideas. Some of them have found their way to the market, and many others have not. The one thing they have in common, though, is that they’re all intriguing and exciting.

That’s especially true of Google’s latest offering, Google Pixel Buds.

If you’ve ever read “The Hitchhiker’s Guide To The Galaxy,” then you know the term “Babel Fish.” If you grew up watching Star Trek, then you know all about the Universal Translator. Well, Google has built version 1.0 of that very device.

The new earbuds are able to translate forty different languages in something close to real time. Close enough, in any case, to be useful in day-to-day conversation.

Obviously there are some glitches and limitations at this point, just as there were in the first smartphones and computers, but the fact that this new technology exists at all, in any form, is nothing short of amazing.

The potential applications are limitless, and the number will only grow as the technology matures. We can see the possibility of seamless global communications that cut across language barriers. It boggles the mind.

If you do business with vendors all over the globe, imagine how much simpler this is going to make your life. As mentioned, it’s a given that early adopters will face certain limitations and no doubt chafe under the shortcomings of the early versions of the device, but that’s been true of just about every invention we’ve ever seen enter the marketplace.

Consider speech-to-text technology, for example. The early versions were quite buggy and you could count yourself lucky if they successfully interpreted 40 percent of your words, translating them into text. These days, that percentage is closer to 98.

The best way to help this new product succeed is to jump in and start using it, bugs, flaws, shortcomings and all. Kudos to Google Labs!

Google Personal Data Requests Are On The Rise

Google’s latest Transparency Report is out, and the results have raised concerns with privacy advocates from around the world.

This time last year, Google received 44,943 requests relating to 76,713 user accounts from governments around the world. This year’s figures have increased to 48,941 requests relating to 83,345 accounts. The company acceded to 65 percent of the requests made.

The US government was, predictably, the biggest requestor, with the German, British and French governments also featured prominently.

Note that these figures specifically do not include FISA (Foreign Intelligence Surveillance Act) requests, as such requests are subject to a six-month reporting delay.

Of interest, a key component of FISA is set to expire at the end of 2017, and Google is working with Congress to try and pass a reform that will improve netizens’ privacy protections.

The core argument is that processing requests from foreign governments is too slow, and could be replaced by an update to the US Electronic Communications Privacy Act (ECPA). According to Richard Salgado, Google’s Director of Law Enforcement and Information Security:

“ECPA should also be updated to enable countries that commit to baseline privacy, due process, and human rights principles to make direct requests to US providers.

Providing a pathway for such countries to obtain electronic evidence directly from service providers in other jurisdictions will remove incentives for the unilateral, extraterritorial assertion of a country’s laws, data localization proposals, aggressive expansion of government access authorities and dangerous investigative techniques. These measures ultimately weaken privacy, due process, and human rights standards.”

It’s too soon to say whether Google’s efforts will bear fruit, but if they do, it would be a big step in the right direction, and an unqualified win for privacy watchdog groups everywhere.

Interestingly, Apple also released its annual Transparency Report, which revealed a six percent drop in government requests compared to last year’s figures. At the same time, though, the number of FISA requests Apple received soared from 2,750-2,900 (related to 2,000-2,249 accounts) to 13,250-13,499 (related to 9,000-9,249 accounts).

Regardless of what happens to FISA in Congress later this year, the main takeaway is that governments around the world are making an increasing number of requests for personal data from our biggest tech companies, which is a disturbing trend that is sadly not unexpected.

Popular Chrome Ad Blocker Faked, 30k Users Infected With Malware

“Fool me once, shame on you. Fool me twice, shame on me,” as the saying goes. Unfortunately, Google has now been fooled by the same trick twice.

For the second time in recent years, Google has allowed a malicious variant of the popular extension “AdBlock Plus” onto its Chrome Web Store. It was noticed by a security researcher going by the alias “SwiftOnSecurity.” Before Google removed it, it had been installed more than 37,000 times by unsuspecting users.

This incident underscores a serious flaw in the way that Chrome extensions are uploaded to the Web Store.

The entire process is automated, and Google only intervenes if an extension is reported as being problematic. Unfortunately, given the automated nature of the process, it’s almost frighteningly easy to abuse, and since there are no significant checks on the front end, hackers can upload extensions bearing the same or highly similar names as extensions from legitimate developers. Unless a user clicks on the “reviews” tab to read what other users are saying about the extension, at first glance, they’d have no real way of knowing that there was a problem until they started experiencing it for themselves.

As mentioned, this is actually the second time this very extension was abused, the first being back in 2015.

As malware goes, this one is annoying, but not awful. Instead of blocking ads, it has a tendency to open multiple new windows, displaying a torrent of unwanted advertising. Fortunately, there don’t seem to be any other “hooks” built into the code, so it doesn’t install more destructive malware, but it’s still annoying.

All that to say, if you’ve been experiencing a sudden flurry of advertising popups, you may have been one of the unlucky few to have grabbed a malicious variant of an otherwise excellent web extension. If you have, just uninstall it and go grab a new copy, and you should be all set.

Be Careful Of Downloads – Google Play Store Sees Malware Increase

Google’s Play Store is under siege. In recent months, there has been a sharp spike in malware campaigns launched against the store, with a shocking number of poisoned apps slipping past Google’s robust system of checks designed to prevent, or at least minimize, such occurrences.

The spike in poisoned apps has been reported by three different security companies: Dr. Web, McAfee and Malwarebytes.

According to the latest McAfee report, 144 Play Store apps have been identified as containing malware. To give you a sense of the scope and scale of the attack, McAfee analyzed a sample of 34 of the malicious apps and found that they had been downloaded between 4.2 million and 17.4 million times.

Of the malware strains found to be present on the Play Store, far and away the most common is Grabos, which is designed to push fake notifications that trick unsuspecting users into installing other apps. Based on the observed behavior, it’s likely that Grabos’ authors generate revenue based on the number of installs achieved. Based on the sheer number of downloads, it’s a model that’s paying handsome dividends for the hackers.

The second most common malware strain identified in the McAfee report is AsiaHitGroup, which utilizes an IP blacklist to specifically target users in Asian countries. This malware was initially found in an app named “QR Code Generator,” and once it infects a user’s machine, it will download a second-stage threat in the form of an SMS Trojan, which auto-subscribes infected users to premium phone numbers using SMS text messages.

Since its initial discovery in QR Code Generator, the AsiaHitGroup malware has been found in a variety of other apps, including alarm clock, photo editor and internet speed test apps.

The security firm Dr. Web found a third distinct malware strain called Android.RemoteCode.106.origin, which was found to be embedded on nine different Play Store apps that had been downloaded between 2.37 million and 11.7 million times.

This campaign opens an “invisible” browser page that shows ads and is the least intrusive of the malware strains found. It’s likely that the hackers controlling this one get paid via ad impressions which are spoofed on the invisible browser window.

In addition to these, ESET has identified a fourth threat, having identified eight different apps that are infected with the MazerBot banking Trojan. This one is potentially the most damaging of the recently identified threats.

Google’s Play Store is clearly a fair bit more dangerous currently than its users are accustomed to. Be very careful when downloading apps until Google can beat back these recent attacks.

Google Can Still Track You With Location Services Disabled

Google recently found itself in a bit of hot water after an investigation by Quartz revealed that the company was intrusively collecting location data on literally every Android device in use today. That’s billions of devices all over the globe.

There are many instances when there’s an expectation that location data can and will be tracked. In fact, one of the most commonly used features of smartphones in general (GPS and directions) demands it. After all, Google Maps can’t tell you how to get where you’re going if it doesn’t know where you are to begin with, so that’s all fine and good.

The problem, as revealed by the recent investigation, is that for all of 2017, Google was collecting location data on every Android device. This was happening even if the user took a series of frankly heroic measures in an effort to prevent it, including turning off location services, not allowing any apps to track their location and even pulling their SIM card from the phone.

The practice, as Quartz rightly pointed out, goes far beyond any reasonable expectation of consumer privacy and is wildly intrusive.

When Quartz made inquiries of Google regarding the matter, part of the official company response, sent via email, was as follows:

“In January of this year, we began looking into using Cell ID codes as an additional signal to further improve the speed and performance of message delivery. However, we never incorporated Cell ID into our network sync system, so that the data was immediately discarded, and we updated it to no longer request Cell ID.”

In recent years, all the major tech companies have come under fire for the vast amounts of data they collect on consumers of their products. Although Google made it clear that they were formally ending the practice, the current climate makes their intrusive data collection effort (which, again, went completely undetected for the better part of a year) even more disturbing, especially given the lengths the company has gone to in an effort to position themselves as champions of user privacy.

Popular Android Keyboard App Collected Private Information, Has Been Breached

How many apps do you have on your smartphone? Do you know how much data they’re collecting about you?

Most people have scores of apps installed (and often hundreds), even if they only use a few on a regular basis, and shockingly, most users have no idea just how much information those apps are collecting about them.

However much you imagine, the answer is probably “more.”

This point was driven home painfully, courtesy of a recent discovery by a team of researchers at the Kromtech Security Center. They found a completely insecure database online, a staggering 577GB in size, owned by an Israel-based startup called AI.type, makers of a virtual keyboard app bearing the same name.

The information it contained is simply mind boggling.

Not only does it contain personal information on 31 million of the app’s 40 million users, but the database contents reveal just how intrusive AI.type actually is. The data includes:

  • Each user’s full name, email address and phone number
  • What OS version the user is using (AI.type is only available to Android users)
  • Each user’s nation of residence, mobile network name and what languages each user has enabled
  • IP and GPS location data
  • All information included with each user’s social media profiles, including birthdays, photos, posts, etc.
  • Each user’s device name, the make and model of their smartphone and screen resolution

As if that wasn’t enough, the research team also discovered that each user’s contact list had been scraped (including names, email addresses and phone numbers), and that the company was tracking a whole range of internet behaviors, including Google search queries, number of messages sent per day, the average length of those messages and more.

Obviously, there’s no reason that a simple keyboard app needs this level of information on its users. The only possible explanation is that it’s being collected for resale. If you use the app, be aware that the company knows almost everything about you and everyone you’ve been in contact with on your phone, and now, so do a lot of other people who don’t have your best interests at heart.

Chrome OS To Get App Multitasking Soon

Chromebooks have brought Android apps to a much wider market, making them accessible to virtually everyone, but Chrome OS has always lagged behind other platforms developmentally.

One of its most serious limitations where running apps was concerned centered on its inability to multitask. Basically, if the app you’re using is not “in focus” or in the window you’re currently viewing, all activity in the app ceases.

There are a few exceptions, such as the Spotify app, but most apps that rely on real-time data and most games will freeze when a user clicks out of the window. If you’re coming to a Chromebook from almost any other platform, it can be annoying and hard to get used to.

Fortunately, you won’t have to deal with this for much longer. Google recently announced the release of Chrome OS 64, which will, among other things, allow apps to continue running in the background, even when you’re not using them in the active window.

Right now, the update is available on the company’s Beta channel, so it’s a fair bet that it will be rolled out to the general user base in the very near future. However, the company has not given a firm timeframe for that.

If you have a Chromebook, this is good news indeed as it corrects what many industry insiders have long seen as a glaring weakness of the platform.

While Chromebooks don’t get much use at the Enterprise level, they are a cost-effective computing option for students and low-income people, and it’s good to see Google spending time and resources improving them.

While the latest version offers a number of enhancements, the two biggest are the multitasking support mentioned above, and the “split view” feature which will further enhance the multitasking capabilities of the platform.

Vertical Video Support On YouTube For iOS Finally Here

The owners of Android devices have been able to properly view vertical videos for more than two years, but for Apple users, it was a different story.

Instead of getting the traditional full-screen experience when viewing vertical videos, Apple users were saddled with annoying vertical bars that would appear on either side of the video itself. It’s a small thing, but undeniably annoying. Now, at long last, the problem has been solved, and Apple users can enjoy the same vertical, full-screen experience as the rest of us.

YouTube announced the upgrade in a tweet that read as follows:

“Bye-bye, black bars. Now the YouTube player on iOS will automatically adapt to the shape of the video you’re viewing!”

It matters because smartphones were designed to be held vertically, so that’s the natural way to interact with the device, no matter what you’re doing with it, including watching videos.

There’s one caveat, however: A surprising number of vertical videos won’t go full screen because they’ve actually been encoded with black bars on the sides, which technically makes them landscape videos that are only mimicking the appearance of a vertical video.

Now that YouTube has made this change, over time, you’ll probably see fewer and fewer videos shot like this and uploaded. In the short to medium term, don’t be the least bit surprised if you run into videos shot like this on a regular basis.

Why it took the company so long to update the Apple version of their app with this functionality, no one knows, but it’s not hard to hazard a few guesses. In any event, it’s not something that’s likely to have a major impact on your life, but it is a welcome change and we were happy to see it.

Electronic Device Search Rules Better Defined By US Customs

There’s a constant tug of war playing out on the national stage. On one side, privacy advocates are pushing for greater autonomy for end users, and hard limits to the types of searches that law enforcement agencies are allowed to conduct.

On the other side are the government agencies themselves, which often cite national security concerns as the justification for more and easier access to the sensitive data contained on personal devices like laptops and smartphones.

Generally speaking, the privacy advocates lose those battles. This was the case recently, when the CBP (the US Customs and Border Protection agency) published their latest electronic search guidelines. The most significant change is that the new guidelines explicitly define the difference between basic and advanced searches.

CBP agents are authorized to choose any traveler, with or without cause or suspicion, for a basic search. Under the clarified rules, a basic search is limited to an examination of data found on the device itself, which is accessible through already installed apps or through the device’s OS.

Advanced searches may be conducted, but agents must demonstrate that there’s a reasonable suspicion of criminal activity, or that the person carrying the device represents a “national security concern.”

The individual singled out for an advanced search may be permitted to be present while the search is conducted, but is not permitted to view the actual search itself, for fear of revealing law enforcement techniques. Of significance, even during the conduct of an advanced search, agents are not permitted to search cloud-based data. They are restricted to data stored on the device itself.

While none of this sounds especially heavy-handed, the biggest complaint privacy advocates have about the updated rules is the fact that border agents can, at their own discretion, still carry out warrantless searches without any judicial oversight whatsoever.

Although this may not impact you directly, it pays to be mindful of the recent changes.