Security researcher says to 'stop buying' Samsung phones – Tom's Guide UK

SAN FRANCISCO — Don’t use a mobile authenticator app on an old smartphone, because the app is only as secure as the operating system in which it’s running, two security researchers said at the RSA Conference here earlier this week.

In fact, one of the researchers says to avoid Samsung phones altogether.

Aaron Turner and Georgia Weidman emphasized that using authenticator apps, such as Authy or Google Authenticator, in two-factor authentication was better than using SMS-based 2FA. But, they said, an authenticator app is useless for security if the underlying mobile OS is out-of-date or the mobile device is otherwise insecure.

“You don’t want the risk associated with 32-bit iOS,” said Turner, adding that you should use only iPhones that can run iOS 13. “In Android, use only the Pixel class of devices. Go to Android One if you can’t get Pixel devices. I’ve had good experiences with Motorola and Nokia Android One devices.”

And he warned the audience to stay away from one well-known Android brand.

“[German phone hacker] Karsten Nohl showed that Samsung was faking device updates last year,” Turner said. “Stop buying their stuff.”

The problem is that if an attacker or a piece of mobile malware can get into the kernel of iOS or Android, then it can do anything it wants, including presenting fake authenticator-app screens. 

“One of my clients had an iPhone 4 and was using Microsoft Authenticator,” Turner said, indicating another authenticator app. “All an attacker would need to do is to get an iPhone 4 exploit. My client was traveling in a high-risk country, his phone was cloned and then after he left the country, all sorts of interesting things happened to his accounts.”

Some Android phones are safer than iPhones

And don’t think iOS devices are safer than Android ones — they’re not. There are just as many known exploits for either one, and Weidman extracted the encryption keys from an older iPhone in a matter of seconds onstage.

The iPhone’s Secure Enclave offers “some additional security, but the authenticator apps aren’t using those elements,” said Weidman. “iOS is still good, but Android’s [security-enhanced] SELinux is the bane of my existence as someone who’s building exploits.”

“We charge three times as much for an Android pentest than we charge for an iOS one,” Turner said, referring to an exercise in which hackers are paid by a company to try to penetrate the company’s security. “Fully patched Android is more difficult to go after.”

Attacking from underneath

Authenticator apps beat SMS texted codes as 2FA second factors because app codes can’t be intercepted over the air, aren’t tied to a phone number and never leave the device. But authenticator app codes can be stolen in phishing attacks, and as we saw yesterday, by Android malware in screen-overlay attacks.

However, even the best training against phishing attacks and the best Android antivirus apps won’t stop attacks that come from the kernel, the underlying part of the mobile operating system to which the user doesn’t have access.

“What could possibly go wrong when installing a user-mode application with sensitive cryptographic key materials on a platform with kernel vulnerabilities?” Turner asked rhetorically.

Kernel vulnerabilities also can be used to hack two-factor push notifications, which Google uses for its own accounts and which can’t be phished. 

In short, “we need to move away from usernames and passwords,” Turner said.

Fingerprints aren’t the answer, but this might be

Asked about biometric authentication such as fingerprint readers and facial recognition, Weidman said that it’s “better than nothing when used in addition to passwords.”

Turner wasn’t so sure.

“I am fundamentally opposed to using biometrics because it’s non-revocable,” he said, citing a famous case from Malaysia in which a man’s index finger was cut off by a gang to steal the man’s fingerprint-protected Mercedes. “Fingerprint readers are biometric toys.”

The only form of two-factor authentication without security problems right now, Turner said, is a hardware security key such as a Yubikey or Google Titan key.

“I’ve got two Yubikeys on me right now,” Turner said. “Hardware separation is your friend.”

Zoom adds new security and privacy measures to prevent Zoombombing – The Verge

Zoom will soon turn on passwords and waiting rooms by default for all meetings in an effort to help prevent “Zoombombing,” or the recent trend of people disrupting Zoom meetings uninvited and sharing shocking or even pornographic content. The new defaults will add real friction to the process of joining a meeting — a process that Zoom had previously made as frictionless as possible to help spur its growth. The changes will take effect starting April 5th.

Zoom passwords were already turned on by default for new meetings, instant meetings, and meetings you joined with a meeting ID — what’s new starting April 5th is that they’ll be turned on for previously scheduled Zoom meetings as well. And once you’ve joined a meeting, you’ll have to wait for the host to let you in from the new virtual waiting room. The host of the meeting can choose to let people in individually from the waiting room or all at once.

Zoom demonstrated the new changes in a video (embedded in the original article).

Zoom usage has skyrocketed during the COVID-19 pandemic as people have turned to the free video conferencing service to stay in contact with friends, family, colleagues, and even their yoga teachers. But that increased usage has also made the platform a target for hacks, pranks, and harassment, often through Zoombombing. The issue has become serious enough that federal prosecutors are now warning there could be serious legal implications for Zoombombing perpetrators.

The service’s new default protections may also address other security issues with the platform. Yesterday, it came to light that some security researchers had developed an automated tool that is able to identify 100 non-password-protected Zoom meeting IDs in an hour and scrape information about those meetings — perhaps Zoom’s new passwords-by-default policy could prevent similar scanning tools from finding meeting IDs and private information in the future.

Yesterday, Zoom announced a 90-day freeze on releasing new features so it can focus on fixing privacy and security issues with the platform.

Google releases location data to show if coronavirus lockdowns working in 131 countries – Deccan Herald

Alphabet Inc’s Google on Thursday published reports for 131 countries showing whether visits to shops, parks and workplaces dropped in March, when many governments issued stay-at-home orders to rein in the spread of the novel coronavirus.

Google’s analysis of location data from billions of users’ phones is the largest public dataset available to help health authorities assess whether people are abiding by shelter-in-place and similar orders issued across the world.

Its reports show charts that compare visits in recent weeks to subway, train and bus stations, grocery stores and other broad categories of places with a five-week period earlier this year. For some countries, Google charts regional data, such as at the county-level within the United States.

Facebook Inc, which like Google has billions of users, has shared location data with non-governmental researchers that are producing similar reports for authorities in several countries. But the social media giant has not published any findings.

The coronavirus has infected more than 1 million people globally, and COVID-19, the respiratory illness it causes, has killed 52,000, according to a Reuters tally.

Infectious disease specialists have said analyzing travel across groups by age, income and other demographics could help shape public service announcements.

Google, which infers demographics from users’ internet use as well as some data given when signing up to Google services, said it was not reporting demographic information. The company said, though, it was open to including additional information and countries in follow-up reports.

“These reports have been developed to be helpful while adhering to our stringent privacy protocols and policies,” Dr. Karen DeSalvo, chief health officer for Google Health and Jen Fitzpatrick, senior vice president for Google Geo, wrote in a blog post.

Google said it published the reports to avoid any confusion about what it was providing to authorities, given the global debate that has emerged about balancing privacy-invasive tracking with the need to prevent further outbreaks.

China, Singapore, South Korea and other countries have asked residents to use apps and other technology to track their compliance with quarantines, but privacy activists argue such measures can compromise individual liberties.

Data in Google’s reports come from users who enabled Google’s “Location History” feature on their devices. The company said it adopted technical measures to ensure that no individual could be identified through the new reports.

Consultations with officials in California, Texas, the U.S. Centers for Disease Control and Prevention and the World Health Organization helped inform data shared, Google said.

The company declined to comment on whether it has received any legal requests to share more detailed data to help with efforts to tackle the pandemic.

Zoom will enable waiting rooms by default to stop Zoombombing – TechCrunch

Zoom is making some drastic changes to prevent rampant abuse as trolls attack publicly shared video calls. Starting April 5th, it will require passwords to enter calls via Meeting ID, as these may be guessed or reused. Meanwhile, it will change virtual waiting rooms to be on by default so hosts have to manually admit attendees.

The changes could prevent “Zoombombing,” a term I coined two weeks ago to describe malicious actors entering Zoom calls and disrupting them by screensharing offensive imagery. New Zoombombing tactics have since emerged, like spamming the chat thread with terrible GIFs, using virtual backgrounds to spread hateful messages or just screaming profanities and slurs. Anonymous forums have now become breeding grounds for organized trolling efforts to raid calls.

Just imagine the most frightened look on all these people’s faces. That’s what happened when Zoombombers attacked the call.

The FBI has issued a warning about the Zoombombing problem after children’s online classes, Alcoholics Anonymous meetings and private business calls were invaded by trolls. Security researchers have revealed many ways that attackers can infiltrate a call.

The problems stem from Zoom being designed for trusted enterprise use cases rather than cocktail hours, yoga classes, roundtable discussions and classes. But with Zoom struggling to scale its infrastructure as its daily user count has shot up from 10 million to 200 million over the past month due to coronavirus shelter-in-place orders, it’s found itself caught off guard.

Zoom CEO Eric Yuan apologized for the security failures this week and vowed changes. But at the time, the company merely said it would default to making screensharing host-only and keeping waiting rooms on for its K-12 education users. Clearly it determined that wasn’t sufficient, so now waiting rooms are on by default for everyone.

Zoom communicated the changes to users via an email sent this afternoon that explains “we’ve chosen to enable passwords on your meetings and turn on Waiting Rooms by default as additional security enhancements to protect your privacy.”

The company also explained that “For meetings scheduled moving forward, the meeting password can be found in the invitation. For instant meetings, the password will be displayed in the Zoom client. The password can also be found in the meeting join URL.” Some other precautions users can take include disabling file transfer, screensharing or rejoining by removed attendees.

NEW YORK, NY – APRIL 18: Zoom founder Eric Yuan reacts at the Nasdaq opening bell ceremony on April 18, 2019 in New York City. The video-conferencing software company announced its IPO priced at $36 per share, at an estimated value of $9.2 billion. (Photo by Kena Betancur/Getty Images)

The shift could cause some hassle for users. Hosts will be distracted by having to approve attendees out of the waiting room while they’re trying to lead calls. Zoom recommends users resend invites with passwords attached for Meeting ID-based calls scheduled for after April 5th. Scrambling to find passwords could make people late to calls.

But that’s a reasonable price to pay to keep people from being scarred by Zoombombing attacks. The rash of trolling threatened to sour many people’s early experiences with the video chat platform just as it’s been having its breakout moment. A single call marred by disturbing pornography can leave a stronger impression than 100 peaceful ones with friends and colleagues. The old settings made sense when it was merely an enterprise product, but it needed to embrace its own change of identity as it becomes a fundamental utility for everyone.

Technologists will need to grow better at anticipating worst-case scenarios as their products go mainstream and are adapted to new use cases. Assuming everyone will have the best intentions ignores the reality of human nature. There’s always someone looking to generate a profit, score power or cause chaos from even the smallest opportunity. Building development teams that include skeptics and realists, rather than just visionary idealists, could help ensure products get safeguarded from abuse before rather than after a scandal occurs.
