IT Support and Hardware for Clinics
32.0K views | +7 today
Follow
IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice
Your new post is loading...
Your new post is loading...
Scoop.it!

Apple and Google ask Obama to leave smartphone security alone

Apple and Google ask Obama to leave smartphone security alone | IT Support and Hardware for Clinics | Scoop.it

FBI director James Comey has asked Congress for help getting around the upgraded encryption on Apple's smartphone, something he believes is creating too high a hurdle for law enforcement. It's not clear if his calls for new legislation have much chance for success, but they are clearly causing ripples in Silicon Valley. In a letter obtained by The Washington Post, tech heavyweights like Apple and Google call on President Obama to reject any new laws that would weaken security.

Better domestic surveillance is not an easy sell


There have been laws kicking around Congress for a while that would create the kind of backdoors Comey and other security hawks have been pushing for. CALEA II is one such bill, but it trips over all the outsized fears about government surveillance that the public has long held, even more so in the wake of Edward Snowden and revelations about just how much of our everyday communication is being vacuumed up by the NSA.


As we wrote back in October of 2014, that means "Comey's left exactly where we started, making ominous noises and generating headlines favorable to the FBI, but not actually doing anything. It's a bluff, a way to nudge public opinion without committing the bureau to anything. This isn't a crypto war — it's a pageant."


more...
No comment yet.
Scoop.it!

930 Million Android Devices at Risk?

930 Million Android Devices at Risk? | IT Support and Hardware for Clinics | Scoop.it

Information security experts are calling on Google to rethink its patch priorities after it confirmed that it will no longer update a critical component that runs on Android 4.3 "Jelly Bean" and older devices. As a result, 61 percent of all Android smart phones and tablets - or about 930 million devices - will be running a version of Android that contains known vulnerabilities that an attacker could remotely exploit to seize control of the device or steal the data it stores, according to data security firm Rapid7.


At issue are the versions of WebView, which is used by Android to render Web pages, that are present in pre-Android 4.4 devices. Rapid7 researchers say that after finding and reporting a newly discovered vulnerability in older versions of WebView to Google's security@android.com team, Google responded that it was not going to issue a related patch.

Google says that if it receives a patch for older versions of WebView from a third party, it will distribute it to anyone who develops Android distributions. But Google says it no longer plans to create and distribute its own patches for such flaws. "If the affected version [of WebView] is before 4.4 [KitKat], we generally do not develop the patches ourselves but do notify partners of the issue," Google's e-mail to Rapid7 says. "If patches are provided with the report [from a third party] or put into AOSP [Android Open Source Project] we are happy to provide them to partners as well."

But Rapid7, citing data published by market researchers Gartner and Strategy Analytics, says Google's policy will leave the estimated 930 million mobile devices that run pre-KitKat versions of Google's open source Android operating system at risk, because they will be stuck running outdated - and vulnerable - versions of WebView. Device manufacturers could, theoretically, issue related patches themselves, but to date they have not done so.

A Google spokeswoman declined to comment on Rapid7's report.

Numerous hardware and software developers stop issuing updates for their products after they have been on the market for a specified period of time. But today, only 37 percent of in-use Android devices run version 4.4 of the operating system - introduced in November 2013 - and just 1.5 percent run the most recent version 5 - code-named Lollipop - according to market research firm Net Market Share.

In other words, 61 percent of still-in-use Android devices won't be receiving WebView updates from Google, and thus could be at risk from "mass-market exploits" designed to seize control of millions of devices at once, says Tod Beardsley, who's the technical lead for the Metasploit open source penetration testing framework, which is maintained by Rapid7.

"This is great news for penetration testers, of course; picking company data off of Android phones is going to be drop-dead easy," Beardsley says in a blog post. "Unfortunately, this is great news for criminals," because it gives them potential new ways to penetrate devices, implant malware, steal data or intercept communications.

Beardsley says that in the past year, two researchers have discovered nearly a dozen exploits in WebView - most of which affect versions of the component that run on Android 4.3 "Jelly Bean" and earlier devices - and that Metasploit currently ships with 11 exploits for known WebView flaws.

Newer WebView Auto-Updates

WebView is a widely used Android component. Indeed, Google's developer guide encourages Android developers to use WebView "to deliver a Web application - or just a Web page - as a part of a client application." Google's developer documentation further outlines a number of scenarios in which it might be employed, ranging from retrieving an end-user agreement or user guide from inside an app, to accessing any type of information that requires an Internet connection, such as retrieving e-mails.

When Google introduced Android 4.4 KitKat, it debuted a new, stand-alone WebView component, based on its Chromium open source project, that was decoupled from the Android operating system. "The new WebView includes an updated version of the V8 JavaScript engine and support for modern Web standards that were missing in the old WebView," Google's developer documentation states.

From a security standpoint, the big-impact change was the ability - now found in all modern browsers - for WebView to be automatically updated by Google. In other words, thanks to Google uncoupling WebView from the innards of the Android operating system, WebView updates can be piped directly to all users of Android 4.4 and newer, just as Google does with any other app that's available via the Play Store and Google Play services, news site Android Police reports.

Here is why that change is good: Many Android devices run a version of the operating system that's customized by whichever OEM produces the device. As a result, every time Google releases an Android operating system update, the OEM has to test the update, then create a customized version for its devices. Thanks to the newer version of WebView, however, Google can now directly update that component on all Android 4.4 and newer devices, without the OEM having to build the patch into their version of Android and then distribute it to their users.

Android Is Open Source

But the question of whether it's right for Google to cease updating older versions of WebView, an important component that still runs on nearly 1 billion Android devices, remains. Rapid7's Beardsey notes that Android is technically an open source project, and that OEMs could, in theory, obtain patches for newly discovered flaws in older versions of WebView from third parties. But he says that to date, the OEMs that do patch Android have relied on updates issued directly from Google. "The update chain for Android already requires the handset manufacturers and service carriers to sign off on updates that are originated from Google, and I cannot imagine this process will be improved once Google itself has opted out of the patching business," he says. "After all, is AT&T or Motorola really more likely to incorporate a patch that comes from some guy on the Internet?"

Some OEMs have a relatively good track record at keeping customers' Android devices updated with the latest security fixes. But others rarely - if ever - release security patches for devices.

With Google ceasing to update a core component of Android that runs on pre-4.4 versions, the risks to users will only increase, Beardsley warns. "Please reconsider, Google," he says. "As a software developer, I know that supporting old versions of my software is a huge hassle. I empathize with their decision to cut legacy software loose. However, a billion people don't rely on old versions of my software to manage and safeguard the most personal details of their lives."


more...
No comment yet.
Scoop.it!

Sony Hackers Threaten A Media Organization, Likely CNN, And Others

Sony Hackers Threaten A Media Organization, Likely CNN, And Others | IT Support and Hardware for Clinics | Scoop.it

The hackers who compromised Sony Pictures Entertainment’s servers, releasing private files and emails to the public which detailed everything from the personal, financial and medical data of present and past employees’ to Sony’s plan to revive SOPA with the MPAA’s help to the MPAA’s plans to break DNS in an effort to fight piracy, and much more, are now threatening a “news media organization,” according to a new report. That organization may be CNN, based on information posted on anonymous sharing site Pastebin.

The Intercept today published a join memo from the FBI and the Department of Homeland Security it obtained which says the hacking group, known as the “Guardians of Peace,” have threatened to attack a U.S. new media organization, and the threat “may extend to other such organizations in the near future.”

The memo doesn’t state the news media organization by name, but instead references Pastebin messages that taunt both the FBI and “USPER2,” which is how the FBI’s memo referenced the news media organization. The memo only mentioned the news organization was mocked for the “‘quality’ of  their investigations,” and an additional threat was implied.

Further investigation by Matthew Keys at The Desk uncovered copies of messages posted to Pastebin on December 20th, which have since been removed. One message mocked CNN for its “investigation” into the Sony hack, and offered a gift in the form of a YouTube video entitled “you are an idiot!”

Google’s cache still hosts the Pastebin message in question, which reads in part:

The result of investigation by CNN is so excellent that you might have seen what we were doing with your own eyes.
We congratulate you success.
CNN is the BEST in the world.

The message ended with a demand that CNN “give us the Wolf,” which probably refers to CNN news anchor Wolf Blitzer, notes The Desk.

It’s unclear at this point how legitimate a threat this was (beyond being mentioned in the FBI memo, of course). And it’s also unclear if or how the FBI may have authenticated this Pastebin message to attribute it to the same group behind the Sony hack.

The DHS and FBI memo concludes that “hacking groups have historically made exaggerated threat statements,” but still warns that federal, state and local governments’ cyber, counterterrorism and law enforcements, first responders, and private sector security partners “remain vigilant to threats of physical violence or cyber attacks.”

The FBI stated it believed North Korea was behind the attack on Sony Pictures, though some claim their evidence is flimsy. North Korea also denied it was involved. More recently, a report from a cybersecurity firm Norse Group states the hack appears to be an “inside job” involving disgruntled ex-employees.

The Guardians of Peace stole an estimated 100 terabytes of data from Sony’s servers, but the hack itself wasn’t very sophisticated. Sony’s technology infrastructure was poorly protected, and the company didn’t have sufficient password standards. Documents weren’t encrypted and top execs, including CEO Michael Lynton, were using very simple passwords – all things that were well outside industry best practices, it’s been said. Meanwhile, news organizations like CNN tend to be better protected, given they’re often the target of hacks, state-sponsored and otherwise.


more...
No comment yet.
Scoop.it!

Google has delayed its Android encryption plans because they're crippling people's phones

Google has delayed its Android encryption plans because they're crippling people's phones | IT Support and Hardware for Clinics | Scoop.it

Google is delaying plans to encrypt all new Android phones by default, Ars Technica reports, because the technical demands of encryption are crippling people's devices.

Encryption slowed down some phones by 50% or more, speed tests show. 

In September 2014, Google — along with Apple — said that it planned to encrypt all new devices sold with its mobile OS by default. This means that unless a customer opted out, it would be impossible for anyone to gain access to their device without the passcode, including law enforcement (or Google itself).

This hardened stance on encryption from tech companies came after repeated revelations about the NSA, GCHQ and other government spy agencies snooping on ordinary citizens' data.

Default encryption has infuriated authorities. One US cop said that the iPhone would become "the phone of choice for the paedophile" because law enforcement wouldn't be able to access its contents. UK Prime Minister David Cameron has floated the idea of banning strong encryption altogether — though the proposal has been slammed by critics as technically unworkable.

Apple rolled out default-on encryption in iOS 8 back in September. Google's Android Lollipop system was first released in November — but because the phone manufacturers, rather than Google itself, are responsible for pushing out the update, it can take months for a new version of the OS to reach the majority of consumers.

But as Ars Technica reports, Lollipop smartphones are now finally coming to the market, and many do not have default-on encryption. So what's the reason? The devices couldn't actually handle it.

Speed tests show that even Google's flagship phone, the Google Nexus 6, suffers serious slowdown when encryption is turned on. A "random write" test measuring writing data to memory showed that the Nexus 6 performed more than twice as fast with encryption switched off — 2.85MB per second as compared with 1.41 per second with it on. The difference was even more striking in a "sequential read" test to measure memory reading speeds. An unecrypted device achieved 131.65MB/s; the encrypted version managed just 25.36MB/s. That's a third of even the Nexus 5, the previous model, which came in at 76.29MB/s.

As such, Google is now rowing back on its encryption stance. Its guidelines now say that full-disk encryption is "very strongly recommended" on devices, rather than the necessary requirement promised. Users can still encrypt their devices (even if it slows them down), but it won't happen by default.

Google says it still intends to force it in "future versions of Android".


more...
No comment yet.
Scoop.it!

Obama Imposes Sanctions on North Korea for Hack

Obama Imposes Sanctions on North Korea for Hack | IT Support and Hardware for Clinics | Scoop.it

Holding North Korea responsible for the cyber-attack on Sony Pictures Entertainment, President Obama imposed sanctions on 10 individuals and three entities associated with the North Korean government.

The president ordered on Jan. 2 the seizing of property held by the individuals and organizations in the United States, a mostly symbolic action because few, if any, assets of those designated in the order are likely located in the U.S.


The organizations facing sanctions include the Reconnaissance General Bureau, North Korea's primary intelligence agency; Korea Mining Development Training Corp., or KOMID, North Korea's primary arms dealer; and Korea Tangun Trading Corp., the North Korean agency primarily responsible for the procurement of commodities and technologies to support its defense research and development programs.

"Our response to North Korea's attack against Sony Pictures Entertainment will be proportional, and will take place at a time and in a manner of our choosing," a White House statement says. "Today's actions are the first aspect of our response."

Further Isolating North Korea

The executive order authorizes Treasury Secretary Jack Lew to impose the sanctions. Lew, in a statement, says the sanctions are driven by the government's commitment to hold North Korea accountable for its destructive and destabilizing conduct.

"Even as the FBI continues its investigation into the cyber-attack against Sony Pictures Entertainment, these steps underscore that we will employ a broad set of tools to defend U.S. businesses and citizens, and to respond to attempts to undermine our values or threaten the national security of the United States," Lew says. "The actions taken today ... will further isolate key North Korean entities and disrupt the activities of close to a dozen critical North Korean operatives. We will continue to use this broad and powerful tool to expose the activities of North Korean government officials and entities."

An administration official told The New York Times that these sanctions are a first step to punish the North Koreans for the Sony breach. "The administration felt that it had to do something to stay on point," the official said. "This is certainly not the end for them."


more...
No comment yet.