August 31, 2015

These phones you’ve never heard of may be the next in your pocket

Have you ever heard of Xiaomi, OnePlus, or WileyFox? They might just make the next phone you buy.

These are all up-and-coming device manufacturers (some more up-and-coming than others) that use alternate forms of Android (read: versions of Android that are not controlled by Google), and they are quickly shaking up the mobile market.

Category:   Mobile Tips + Tricks
August 22, 2015

Security 101: What are “droppers” & what can they do to me?

Droppers — no, they’re not just the tool you use to administer eye-drops or medicine. They’re also a tool used by malicious actors to quietly install apps, some of which may be malicious, onto your device.

When it comes to mobile, droppers are apps that either have or pretend to have the functionality of popular apps, such as games and utilities, but they also install additional applications on a device, which can be malicious or steal your data.

Category:   Android  •  Security
August 19, 2015

Shadow BYOD: The mobility program you thought you didn’t have

While the federal government might be under the impression that it doesn’t have a BYOD program, it is overlooking a key issue: Shadow BYOD.

Shadow BYOD is very similar to Shadow IT, in which employees use technologies — usually to enhance their productivity — that the IT department has not sanctioned or deployed. In Shadow BYOD’s case, it’s the issue of unmanaged personal devices connecting to the network and accessing government or corporate data.

Category:   #Data
August 12, 2015

How Non-Google experience devices are gaining traction, and posing risk to the enterprise

The mobile ecosystem is moving toward economical smartphones. They are customizable and much more affordable than the $600-plus Android phones you might see on the market.

This poses a problem for enterprises which, to date, have relied on the app testing and vetting process applied to Google Experience devices, and the fact that app downloads on these devices are by default funneled through Google Play. Non-Google Experience devices introduce much more fragmentation.

Category:   Security
August 10, 2015

Six quick tips for protecting your mobile privacy

Ever wonder what you can do to make sure your personal data and information on your mobile device doesn’t end up in the wrong hands? Here are a few tips to help you quickly secure your phone and protect all your data.

Category:   Hidden
August 7, 2015

Hacking a Tesla Model S: What we found and what we learned

With connected automobiles, the stakes for getting security right have never been higher. “What’s the worst that could happen?” is a lot more serious when you’re talking about a computer that can travel 100+ MPH.

When an industry without experience in Internet security starts connecting things to the Internet, it typically makes a number of mistakes both in how it implements secure systems, and how it interacts with the security community.

My colleague Marc Rogers and I set out to audit the security of the Tesla Model S because we wanted to shine a light on a car that we hypothesized would have a strong security architecture, given the Tesla team’s deep software experience. Out of this research, we hoped to start a conversation about simple and clear security best practices for the automotive industry.

That hypothesis turned out to be correct: The Tesla Model S has a very well-designed security architecture that we believe should serve as a template for others in the industry. We also found a number of vulnerabilities that allowed us, with physical access to the vehicle, to gain root access to two of the infotainment systems: the instrument cluster (IC) above the steering wheel, and the 17-inch touchscreen center information display (CID) in the middle of the dash. This allowed us to perform a number of tasks, such as remotely opening and closing the trunk and frunk, locking and unlocking the doors, starting the car, and stopping the car.

However, this research focused on answering the question: how can we make cars more resilient to attack, assuming attackers can get into the infotainment systems? All of the exploitation performed was done with physical access and we did not demonstrate any remotely executable exploits. There is sufficient research already done that proves cars can be exploited remotely. Further, we believe it to be a relatively conservative assumption that any browser running WebKit will be exploitable to an attacker with sufficient skill or resources.

Category:   Security
August 6, 2015

The new assembly line: 3 best practices for building (secure) connected cars

Connected cars are about to change the auto industry’s assembly line.

Vehicles are becoming computers on wheels and now have more in common with your laptop than they do with the Model T. Just as smartphones have supplanted non-Internet-connected phones, connected cars will supplant non-Internet-connected cars. Auto manufacturers need to become software companies if they want to survive into the 21st century. To that end, the auto industry must now consider cybersecurity as an integral part of how cars are built, just as physical safety became a critical part of how cars were built in the late 20th century.

When an industry without experience from the front lines of Internet security begins connecting its products, one of two outcomes often occurs. If there are clear security best practices, then most companies will (hopefully) implement those best practices. If there are no clear best practices, companies will likely make a lot of security mistakes, resulting in major cybersecurity problems down the road. My research partner, Marc Rogers of CloudFlare, and I decided to help make sure those clear best practices were in place for the auto industry.

Category:   Security
August 5, 2015

Stagefright Detector: Lookout’s app tells you if your Android device is vulnerable

Last week, the world learned about critical vulnerabilities in Stagefright, an open source media player used by 95 percent of Android devices, or roughly one billion devices worldwide. In addition to the sheer number of people that are likely at risk, this vulnerability is especially scary because if it can be delivered via MMS (which is automatically downloaded to the device by default), the code can remotely execute on your device without you actually doing anything. It would then have unfettered access to the camera, microphone, contacts, and photos – very personal stuff.

Now the real kicker. You will need to wait for a pending security update from your carrier, device manufacturer or Google to ultimately patch this vulnerability and be completely safe. To check if a patch is available for most Android devices, go to Settings and click System Updates.

That’s why we’ve developed Stagefright Detector. This app arms you with information by telling you whether or not your Android device is vulnerable to Stagefright. If you are affected, we provide the run-down on how to mitigate your risk of being attacked. You’ll also be able to check back in when you receive your security patch to confirm it contained the fix for Stagefright.

Category:   Uncategorized