IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice

More than 1,200 popular Android apps still vulnerable to FREAK


A total of 1,228 Android apps that have been downloaded 6.3 billion times from the Google Play store are still vulnerable to the FREAK bug, according to network security company FireEye.

Research published Tuesday by the company shows just how vulnerable both Android and iOS apps still are to a FREAK attack.

FREAK is a cryptographic weakness that lets an attacker force the connection between a vulnerable website or operating system and a server to fall back to weak encryption. Combined with a so-called man-in-the-middle attack, the data could in theory be intercepted and cracked, because the user is unwittingly using a lower level of encryption than they believe.

According to FireEye, as of March 4, the latest versions of both Android and iOS were vulnerable to the security issue. Because FREAK is both a platform vulnerability and an app vulnerability, even after Google and Apple issued patches, apps may still be vulnerable when they connect to servers that accept RSA_EXPORT cipher suites.

FireEye says this is why some iOS apps are vulnerable even after Apple patched the FREAK vulnerability in iOS earlier this month.

Researchers Yulong Zhang, Hui Xue, Tao Wei and Zhaofeng Chen crawled through the Google Play app store to determine how severe the FREAK vulnerability still could be. The team scanned a total of 10,985 popular apps with over one million downloads each -- and discovered that 11.2 percent of them, 1,228 apps in total, are still vulnerable to the bug because they "use a vulnerable OpenSSL library to connect to vulnerable HTTPS servers."

In total, 664 of these apps use Android's bundled OpenSSL library and 554 rely on custom libraries.

When it comes to iOS apps, the security researchers claim that 771 out of 14,079 -- 5.5 percent -- of popular iOS apps connect to vulnerable services and, therefore, are vulnerable to FREAK attacks on iOS versions below 8.2, which has been patched. In addition, seven of these 771 apps have their own vulnerable versions of OpenSSL and they remain vulnerable on iOS 8.2.

"Without necessarily breaking the encryption in real time, the attacker can record weakly encrypted network traffic, decrypt it and access the sensitive information inside," FireEye said.

For example, a FREAK attack on a shopping app could be used to steal login credentials and credit card information. In addition, "medical apps, productivity apps and finance apps" may also be vulnerable.
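The server-side condition FireEye describes, a server agreeing to an RSA_EXPORT cipher suite, is visible in the TLS ServerHello. The following is an added example, not code from the article or from FireEye: it parses a ServerHello record, extracts the negotiated suite and flags the RSA_EXPORT suites from RFC 2246. The two sample records are constructed in the block (zeroed random and session id), not captured traffic.

```python
import struct

# RSA_EXPORT suites from RFC 2246. A server that selects one of these has
# downgraded the handshake to export-grade (512-bit) RSA key exchange.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def negotiated_suite(record: bytes) -> int:
    """Return the cipher suite id chosen in a TLS ServerHello record."""
    # Record header: content type (0x16 = handshake), version(2), length(2)
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    # Handshake header: type (0x02 = ServerHello), length(3)
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # ServerHello: version(2) + random(32) + session_id_len(1) + session_id
    #              + cipher_suite(2) + compression(1) [+ extensions]
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    off = 35 + hello[34]
    if len(hello) < off + 2:
        raise ValueError("truncated ServerHello")
    return struct.unpack("!H", hello[off:off + 2])[0]


def is_freak_downgrade(record: bytes) -> bool:
    """True if the server negotiated an RSA_EXPORT suite (FREAK condition)."""
    return negotiated_suite(record) in RSA_EXPORT_SUITES


def build_server_hello(suite: int, version: bytes = b"\x03\x01") -> bytes:
    """Constructed TLS 1.0 ServerHello for testing; random/session id zeroed."""
    hello = version + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + version + struct.pack("!H", len(hs)) + hs


# Constructed samples: a downgraded handshake and a healthy ECDHE one.
EXPORT_HELLO = build_server_hello(0x0003)  # TLS_RSA_EXPORT_WITH_RC4_40_MD5
STRONG_HELLO = build_server_hello(0xC02F)  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
```

Run against a real capture, a positive result means the server (not just the client library) still needs its export suites removed, which is the case the article says patching the OS alone does not fix.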


5G faces technical, political hurdles on the way to offering multigigabit speeds


For 5G to be successful, the whole telecom industry has to re-evaluate how networks work and are developed. Multiple challenges, both political and technical, have to be overcome before the technology can become a reality.

“Availability of spectrum is obviously a big thing,” said Gerhard Fettweis, who heads a Vodafone-sponsored program at the Dresden University of Technology.

The amount of spectrum allocated to 5G will determine how fast networks based on the technology will eventually become. If they are to reach multiple gigabits per second, which proponents are already promising, operators are going to need a lot more bandwidth than they have today. A first step in securing that will hopefully be taken at the World Radiocommunication Conference in Geneva in November, according to Fettweis.

Network equipment makers and operators are hoping that the conference, organized by the International Telecommunication Union, will set aside at least 100MHz chunks of spectrum below 6GHz for 5G, Fettweis said.

That compares to the latest version of LTE, which offers download speeds at up to 450Mbps using 60MHz of spectrum. But the 100MHz chunks won’t be enough, and researchers are therefore looking at so-called millimeter waves, which use spectrum even higher than 6GHz.

The use of higher-frequency bands is something of a necessary evil for operators and equipment vendors. It’s the only way to get the spectrum they need, but it also means the area each base station can cover becomes smaller.

But getting spectrum and developing networks and devices that can take advantage of it aren’t the only potential stumbling blocks. For 5G to be a success, the specifications that define how the technology works have to be developed in a way that’s more inclusive than how earlier protocols were established, according to Eric Kuisch, technology director at Vodafone Germany.

LTE wasn’t developed to handle all the traffic types that networks carry today. For example, because of the growing popularity of connected wearables, smart meters and vehicles, the telecom industry has had to rethink LTE specifications to make them a better fit for related applications. The goal with 5G is to get more of that right from day one.

“We have to talk with industries, including the car industry and manufacturing, to really understand what their needs are. That’s new for us,” Kuisch said.

But what has Kuisch really worried is how 5G networks will be monitored and managed, something nobody is talking about at the moment. Getting this right will be extremely challenging, and it’s an area where mobile operators haven’t done a good enough job of steering the vendors, according to the Vodafone executive.

“You don’t want to be too late to understand that some part of the network is breaking down when all the cars in Germany are depending on it,” Kuisch said.


More than half of Americans say it's 'unacceptable' for government to monitor citizens' communications


More than half of Americans now say it's unacceptable for the government to monitor the communications of US citizens, according to a new survey conducted by the Pew Research Center on Americans’ privacy strategies post-Snowden.

In 2013, NSA contractor Edward Snowden leaked documents detailing the explosion of government surveillance programs after 9/11.

Outrage ensued. Americans had no idea the spying had become so pervasive, and many were shocked to learn their phone and email communications may have been monitored.

But even after the Snowden revelations, Americans remain divided on the acceptability of government surveillance: 52% describe themselves as “very concerned” or “somewhat concerned” about government surveillance of Americans’ data and electronic communications, while 46% describe themselves as “not very concerned” or “not at all concerned” about the surveillance, according to the Pew survey. 

When it comes to government surveillance of suspected terrorists or foreign leaders, Americans are more than comfortable with government spying: 82% of Pew survey respondents said it's acceptable to monitor communications of suspected terrorists, while 60% believe it is acceptable to monitor the communications of American leaders.

Interestingly, Americans' attitudes towards surveillance have not changed much in the last decade. In 2006, roughly 51% of Americans surveyed responded that government surveillance, including wiretapping, was acceptable, according to a survey by the Washington Post and Pew Research Center. The same survey revealed that even after Snowden leaked NSA documents, revealing the extensive powers of the agency, 56% of Americans surveyed said such powers were warranted.

Most Americans still believe the government should investigate terrorists even if it intrudes on their own privacy. When asked in 2013 whether they thought the government should be able to monitor everyone's email to protect against terrorism, 45% of respondents said yes. Two years later, more than half of survey respondents say they are not at all concerned about government surveillance of their own email messages.


Time to Ban the 'Bloatware'


What will it take to make hardware manufacturers ditch "bloatware"?

That's one of the more charitable names for the software that so many manufacturers - Apple and Google being notable exceptions - preinstall on the devices they sell. Such software includes screensavers, toolbars, utilities or even Superfish Visual Discovery. That's the adware that Lenovo, the world's biggest PC manufacturer, was preinstalling on many of its consumer laptops until earlier this month, when security experts - including the U.S. Computer Emergency Response Team - began warning that the software poses an information security risk to users.


The practice of adding bloatware - a.k.a. junkware or trialware - to PCs is common, Microsoft says, warning that such software may "slow down your computer and junk up your Start screen or desktop." That's why Microsoft in 2012 began selling "Signature" Windows systems that come with a vanilla version of Windows, with no such bloatware or trialware preinstalled, for the added price of just $99.

And therein lies the bloatware flaw: Too often, such software isn't designed to make life easier for paying customers, but rather operates at their expense. Indeed, some users reported that it took them days to track down odd behavior on their PC to the Superfish software, which was relatively hidden on their device, and which can be difficult to fully eradicate.

As the Superfish saga has unfolded, with Lenovo apologizing and saying it "messed up," you might think the company would distance itself from bloatware and offer customers the choice of a "clean" install of Windows. "Manufacturers should be obliged to offer the option of buying all PCs as a bare-metal option, i.e. with no operating system preinstalled," says Rik Ferguson, vice president of security research for security software vendor Trend Micro, and a cybersecurity adviser to Europol, which is the association of European police agencies.

"Not only would this reduce cost to the user, it would also increase freedom of choice of operating system and hand full control back to the owner of the device," he says.

Lenovo Promises Listening Sessions

But Lenovo's chief technology officer, Peter Hortensius, tells The Wall Street Journal that "in general, we get pretty good feedback from users on what software we preinstall on computers."

Hortensius paints a picture of customers clamoring for more of these add-ons. "What we're going to do in the next few weeks is dig deeper, and work with users, industry experts and others to see how we can improve what we do around software that comes installed on consumers' computers," he says. "The outcome could be a clearer description of what software is on a user's machine, and why it's there."

Likewise, Lenovo spokeswoman Wendy Fung tells me Superfish was preinstalled "in our effort to enhance our user experience." But that's false logic. When Apple, for example, wants to improve its Mac OS X user-experience design, does it preinstall software that alters the images displayed in search results, even for supposedly secure HTTPS pages? That's what Superfish Visual Discovery was designed to do.

Fung also confirms that Lenovo received compensation from Superfish to preinstall its software, although it claims it wasn't a "financially significant" arrangement.

But following the bloatware money suggests a lot - including manufacturers taking advantage of consumers and small businesses who don't know better. One defense of PC manufacturers' bloatware practices could be that their profit margins are razor-thin, and that unless consumers want to pay more, they should expect to see privacy or even security tradeoffs. Consumers, however, aren't being clearly presented with that choice.

Can Bloatware Be Battled?

Unfortunately, it's not clear how we might rid the world of bloatware. In the U.S., the Federal Trade Commission could get involved and investigate bloatware-bundling practices, per its ability to police "unfair or deceptive acts." So far, one U.S. lawsuit has been filed that takes aim at Lenovo having preinstalled Superfish. In the United Kingdom, meanwhile, the Information Commissioner's Office, which enforces EU privacy protections, says it's planning to demand Superfish-related answers from Lenovo.

With luck, sharp questions from regulators and Lenovo's Superfish debacle will lead more manufacturers to rethink their business practices, and begin offering consumers a clean install. But too many will likely just default to offering the same old raw deal.
