Category: Security

Smart Gadget Sleeper Cells

Smart Gadgets are Like Sleeper Cells in Your Kitchen: “Most people don’t know their gadgets can already talk to one another, and even be controlled remotely by their utility company.”

GE has been shipping appliances for the past three years that are “smart.”  Smart meaning that they are equipped with ZigBee wireless capabilities so that your appliances can communicate with each other—and more ominously, with your utility company or anyone over the Internet.  Most of the ZigBee capable appliances aren’t even labeled as such.

This is potentially a huge privacy breach.  It seems that few of these appliances communicate back… yet.

(hat tip to the blogfather)


Mac Trojan Alert

No more security from obscurity. Now that the Mac OS X platform has become more prevalent, malware has followed.  In the last two weeks, two new Trojan horse threats have appeared.  The first presents itself as a PDF file, “which displays a Chinese-language document on the screen in an attempt to hide its background activity.”

The second is a bit more clever: it presents itself as a Flash installer.  If a user tries to install the software, it deactivates security software on the user’s machine.

Apple has updated its anti-malware tools, so the threat is low, but the threats are increasing in number and sophistication.

Security Hole in Apple Batteries

A security hole in the firmware of Apple Mac batteries may well allow for malware to be installed on vulnerable systems… even after a complete reformatting of the hard disk and reinstall of the system.

I wouldn’t be too worried about this, as there is no evidence of this hole being exploited yet, and I would hope a fix would come along shortly, but…

(via Boing Boing)

Malicious software on Facebook is an increasing problem.  (I’ve written about them here and here).  Recently, Facebook has come up with two different and complementary security measures to fight back against these viruses, worms, malware, and other scams.

First, Facebook has teamed up with Web of Trust to try to identify “risky” links.  By warning users of potentially malicious sites and applications, Facebook hopes to reduce the amount of malicious software running on its system.

Secondly, Facebook has implemented text message login approval as an opt-in security measure.  If a user tries to log in to Facebook from a new computer or device, the system sends a code via SMS to the user to verify the new computer or device. This should reduce the number of unauthorized users accessing Facebook and legitimate users’ data, and slow the propagation of viruses.
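To make the login-approval mechanism concrete, here is an added toy model of the server side of such a flow. It is example code written for this page, not Facebook’s implementation, and the class and function names, the five-minute code lifetime and the five-attempt limit are all assumptions. The code stands in for the SMS gateway with a list of “sent” messages, stores only a hash of the code, compares it in constant time, expires it, and counts wrong guesses so the six-digit code cannot simply be brute-forced.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

CODE_TTL_SECONDS = 300   # assumed: an approval code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed: lock the pending approval after five wrong guesses


@dataclass
class PendingApproval:
    code_hash: bytes       # hash of the code, never the code itself
    expires_at: float
    attempts: int = 0


@dataclass
class LoginApprovalService:
    """Toy server-side model of login approval for unrecognised devices (hypothetical)."""
    trusted_devices: Dict[str, Set[str]] = field(default_factory=dict)          # user -> device ids
    pending: Dict[Tuple[str, str], PendingApproval] = field(default_factory=dict)
    sent_messages: List[Tuple[str, str]] = field(default_factory=list)          # stand-in for SMS gateway

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def begin_login(self, user: str, device_id: str, now: Optional[float] = None) -> str:
        """Known device: log in. Unknown device: issue a one-time code and hold the login."""
        now = time.time() if now is None else now
        if device_id in self.trusted_devices.get(user, set()):
            return "ok"
        code = f"{secrets.randbelow(10**6):06d}"          # CSPRNG-generated six-digit code
        self.pending[(user, device_id)] = PendingApproval(self._hash(code), now + CODE_TTL_SECONDS)
        self.sent_messages.append((user, code))           # a real system hands this to the SMS provider
        return "approval_required"

    def approve(self, user: str, device_id: str, code: str, now: Optional[float] = None) -> str:
        """Check a code typed by the user; on success the device becomes trusted."""
        now = time.time() if now is None else now
        key = (user, device_id)
        entry = self.pending.get(key)
        if entry is None:
            return "no_pending_approval"
        if now > entry.expires_at:
            del self.pending[key]
            return "expired"
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:                 # too many guesses: discard the code
            del self.pending[key]
            return "locked"
        if not hmac.compare_digest(entry.code_hash, self._hash(code)):
            return "wrong_code"
        del self.pending[key]
        self.trusted_devices.setdefault(user, set()).add(device_id)
        return "ok"


if __name__ == "__main__":
    svc = LoginApprovalService()
    print(svc.begin_login("alice", "laptop-1"))          # approval_required
    _, sms_code = svc.sent_messages[-1]
    print(svc.approve("alice", "laptop-1", sms_code))    # ok
    print(svc.begin_login("alice", "laptop-1"))          # ok (device now trusted)
```

The attempt counter and the expiry are the parts that matter for a six-digit code: without them an attacker who has the password but not the phone could guess all one million codes in a few minutes.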

Password Security

Recently there has been a fair amount of discussion of password security: what makes a good password, and so on.  (See this post, and this discussion of it.)

But it’s largely missing the point of the biggest problem in password protection.

Namely, the big problem is having too many logins.  To be secure, you want to have a different password for each site you log into.  That way, if a site’s server is compromised, as Gawker’s was, hackers won’t get your password to every system.

One suggestion is to use pass phrases instead of passwords.  Real words in a phrase are more difficult to guess than a single word alone.  (Simply: increased length → increased security).  Also, a phrase is easier to remember than a series of random letters, numbers, and symbols.  Amazon has implemented a system, PayPhrase, to take advantage of this fact.  (See this MIT Technology Review article on PayPhrase.)

Even if the passwords are phrases that can be remembered, it is extremely difficult to remember a bunch of different phrases and which phrase goes with which site.  Ultimately, you end up with the same problem as before.

“Tricks” like incrementing a number at the end of a secure password are just as susceptible.  Firstly, you have to remember which number goes to which site.  Secondly, a hacker that gets access to one of the passwords has a template to go after your other passwords.

The best solution I found was to use a password system like 1Password or KeePass.  I use 1Password and it creates and stores different, strong passwords for each login.  Lifehacker has an excellent explanation of why this system is the best of the available options.
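The three claims in this section (length buys security, an incrementing-number “trick” leaves almost nothing for an attacker to guess once one password leaks, and a manager that generates an independent random password per site fixes the problem) can be put in numbers. The following is an added example written for this page, not code from 1Password, KeePass or Lifehacker; the wordlist is a constructed sixteen-word sample, the 7,776-word figure used in the test is the size of a standard diceware list, and the function names and the 20-character default are assumptions.

```python
import math
import secrets
import string

# Constructed sample wordlist for the demo; a real diceware-style list has 7,776 entries.
WORDLIST = ["anchor", "basil", "copper", "delta", "ember", "falcon", "glacier", "harbor",
            "ivory", "juniper", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble"]

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Bits of entropy for `symbols` independent picks from `choices_per_symbol` options.
    Each extra symbol adds log2(choices) bits, which is the 'length -> security' rule."""
    return symbols * math.log2(choices_per_symbol)


def random_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """What a password manager generates: uniformly random symbols from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int, wordlist=WORDLIST, sep: str = "-") -> str:
    """A memorable alternative: random words; strength comes from list size and word count."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def residual_entropy_after_leak(strategy: str, base_bits: float, suffix_variants: int = 10) -> float:
    """Guessing work left for an attacker's *other* targets once one site's password has
    leaked in a breach. This is the quantity the 'different password per site' advice is about."""
    if strategy == "reuse":        # same password everywhere: nothing left to guess
        return 0.0
    if strategy == "increment":    # shared template plus a number: only the number is unknown
        return math.log2(suffix_variants)
    if strategy == "unique":       # independent random password per site: full strength remains
        return base_bits
    raise ValueError(f"unknown strategy: {strategy}")


def build_vault(sites, length: int = 20) -> dict:
    """Mimic the manager's job: one independent random password per login, keyed by site."""
    return {site: random_password(length) for site in sites}


def vault_has_distinct_passwords(vault: dict) -> bool:
    """Sanity check a practitioner would run on an exported vault: no password is reused."""
    return len(set(vault.values())) == len(vault)


if __name__ == "__main__":
    print(f"8 random symbols:        {entropy_bits(94, 8):5.1f} bits")
    print(f"20 random symbols:       {entropy_bits(94, 20):5.1f} bits")
    print(f"6 diceware words:        {entropy_bits(7776, 6):5.1f} bits")
    print(f"after one leak, reuse:     {residual_entropy_after_leak('reuse', 52.4):.1f} bits left")
    print(f"after one leak, increment: {residual_entropy_after_leak('increment', 52.4):.1f} bits left")
    print(f"after one leak, unique:    {residual_entropy_after_leak('unique', 52.4):.1f} bits left")
    vault = build_vault(["mail", "bank", "forum"])
    print(vault, vault_has_distinct_passwords(vault))
```

The numbers make the argument: a six-word diceware passphrase is stronger than an eight-symbol random password, and an incremented suffix leaves roughly three bits of work for the attacker, while a per-site random password leaves all of it.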

Facebook Virus Alert

It appears that my report of recent Facebook viruses is only part of an increasing trend.

The new Facebook viruses use Facebook applications to spread themselves, and spread using a victim’s friend list.  In addition to the photo tagging pretense I identified, these attacks use the pretense of surveys and “liking” a video or image.

As always, the best defense against these attacks is vigilance.

New Facebook Virus

There appears to be a new Facebook virus out there.

I’ve received e-mails from Facebook claiming that I have been tagged in a photo album.  The albums have been titled “Who Views Your Profile” and “Profile Stalkers”.  The links are to install a Facebook app, which presumably propagates itself by sending similar messages.

Some quick searching shows that it may be a new version of the “Koobface” virus that first sprouted in December 2008.  Don’t click on the links, don’t install the Facebook app, and don’t download any files from it.

Recently, at Ars Technica, there was an article on the data that the Pandora app for Android sends to Pandora and its advertisers.  It links to a WSJ article on a federal investigation about the privacy issues.

Collecting this information is the whole point of many of these apps.  Many of the sites that put out apps for the mobile platforms don’t put out mobile-compatible web sites.  (For example, IMDB has apps available for multiple platforms, but I don’t think it has a mobile site.)  As a counterexample, WordPress automatically generates mobile versions of its blogs.  Many web sites have mobile versions of their sites in lieu of or in addition to apps.

So why don’t they just make mobile-compatible web sites?  Because then they wouldn’t be able to collect the data.

These apps try to get your exact GPS location for either advertising or location-based services.  The vast majority of these services could be accomplished with less intrusive methods, such as asking for a local city or zip code.

The privacy policies of many of these companies are often buried in their terms of service—which few users actually bother to read.  Policing adherence to these policies has been nonexistent up to this point.  This federal investigation and its results should be interesting.

I think we’re only at the tip of the iceberg of the privacy backlash against these mobile apps.
