Monday, November 20, 2017

Tag: Smartphone

Printed electronics makes the perfect fake fingerprint

Boffins from Michigan State University have loaded up an inkjet printer with cartridges designed for printing electronic circuits, and used the output to fool smartphone fingerprint sensors.

All that's needed is a scan of the victim's fingerprint (reversed so it presents the right way when printed), and a suitable inkjet printer loaded up with ink and paper from printed electronics specialist AGIC.

In their paper (PDF) the researchers, Kai Cao and Anil Jain from the university's Department of Computer Science and Engineering, cracked a Samsung Galaxy S6 and a Huawei Honor 7.

It's a much simpler approach than the “gummy bear fake fingerprint”, which needs materials like latex milk or white wood glue. As the researchers note, in that kind of attack you have to wait 30 minutes for the imprint to set, and there's a fair amount of D-I-Y skill needed to turn a fingerprint into a spoof without spoiling it.

Scanning and reversing a fingerprint, loading a printer with electronics cartridges (and one black cartridge), and printing the result on the appropriate paper is much simpler.

While the Huawei phone was slightly harder to spoof than the Samsung, the paper says the researchers worked with several volunteers and they were ultimately successful on all attempts.

Fake fingerprints fooling phones

Although it won't work for all smartphones, the researchers reckon there's an “urgent need for antispoofing techniques for fingerprint recognition systems” since mobiles are being used for payment systems.
Software engineering senior veep Craig Federighi cranks up debate about that iPhone

Apple's opened another front in its argument over FBI access to San Bernardino killer Syed Farook's iPhone, arguing in a Washington Post column that creating even a single possible point of attack threatens national and personal security.

Apple's senior veep of software engineering Craig Federighi makes that argument here, correctly pointing out that compromising a device known to be used by an individual is a fine way to access data and facilities that individual accesses.

“Our nation’s vital infrastructure — such as power grids and transportation hubs — becomes more vulnerable when individual devices get hacked,” he argues. “Criminals and terrorists who want to infiltrate systems and disrupt sensitive networks may start their attacks through access to just one person’s smartphone.” Smartphones are therefore “part of the security perimeter that protects your family and co-workers.”

Federighi goes on to say that Apple works mighty hard to ensure its products are secure and asserts “Doing anything to hamper that mission would be a serious mistake.”

He then criticises the FBI's request for a special cut of iOS to probe Farook's phone, and others pertinent to other investigations, as “Once created, this software — which law enforcement has conceded it wants to apply to many iPhones — would become a weakness that hackers and criminals could use to wreak havoc on the privacy and personal safety of us all.”

Which is where the op-ed gets a little bit hard to follow, because Federighi neglects to mention that in the Farook case the court order specifies the special cut of iOS work only on Farook's phone and that it be used only on government or Apple premises.

Is Federighi therefore saying Apple doesn't think it can prevent hackers from penetrating its defences, extracting the special cut of iOS and adapting it to work on multiple phones? Or that Apple would be careless enough to make access to an iOS-cracker easy?

“We cannot afford to fall behind those who would exploit technology in order to cause chaos,” Federighi concludes. “To slow our pace, or reverse our progress, puts everyone at risk.”

Might misrepresenting the facts of a critical case testing important frontiers of the digital age have the same effect?
Under-Fire web biz finds reverse gear after outcry from Fire and Kindle owners

Amazon has U-turned on its decision to remove filesystem encryption from Fire OS, which powers its Fire and Kindle slabs. We've been told that a version due out within the next month or two will return support for encrypting documents stored on the devices.

This decision to restore the feature comes just days after it emerged that Amazon had axed the encryption from the latest build of its tablet operating system: Fire OS 5. Removing the crypto sparked outcry from furious Fire and Kindle owners as well as the wider tech world.

Amazon appears to have taken notice. "We will return the option for full disk encryption with a Fire OS update coming this spring,” a spokesman for the web bazaar told El Reg on Saturday. The decision to remove the encryption was at odds with Amazon's public support [PDF] for Apple in the iPhone giant's battle with the FBI.

Apple refused to comply with an order to help unlock a killer's encrypted smartphone, and has rallied the tech industry to back it against the Feds. Amazon's decision to axe the encryption feature from Fire OS 5 was made well before the Apple-FBI legal case blew up last month.

Amazon thought disk encryption wasn't being used by enough people to continue support for it. Soon it will let people switch the mechanism back on – and, I guess, in a way, we have the FBI to thank for that.
The term "cyber pathogen," however, seems to exist only in Harry Potter fan fiction.

Does the San Bernardino shooter's iPhone contain anything of value for investigators? The FBI doesn't know, but the San Bernardino District Attorney suggests the county-owned handset could have been used as a weapon of mass cyber destruction. "The iPhone…may have connected to the San Bernardino County computer network," DA Michael Ramos said in a court filing. "The seized iPhone may contain evidence that it was used as a weapon to introduce a lying dormant cyber pathogen that endangers San Bernardino County's infrastructure."

Local residents shouldn't be too quick to panic, though: iPhone forensics expert Jonathan Zdziarski debunked the DA's claims. "I quickly Googled the term 'cyber pathogen' to see if anyone had used it in computer science," Zdziarski wrote in a blog post. The first result: Harry Potter fan fiction. "That's right, a Demigod from Gryffindor is the closest thing Google could find about cyber pathogens." Zdziarski said even CSI: Cyber is not bold enough to use "wildly non-existent terms" like "cyber pathogen" in its TV scripts. "There is absolutely nothing in the universe that knows what a cyber pathogen is," Zdziarski wrote. "Fagan's statements are not only misleading to the court, but amount to blatant fear mongering. They are designed to manipulate the court into making a ruling for the FBI."

The device in question—an iPhone 5c issued to Syed Rizwan Farook as part of his San Bernardino Health Department duties—is currently in the possession of the FBI, which wants Apple to disable a feature that wipes the gadget after 10 incorrect password guesses so that it may use an automated system to guess the phone's passcode and break in. According to Ramos, information contained on the smartphone could provide evidence to help the government identify co-conspirators "who would be prosecuted for murder and attempted murder." But to do that, Cupertino would need to create another mobile operating system that could open the encrypted device—a slippery slope, according to CEO Tim Cook, who is worried the workaround might end up in the wrong hands. Apple is even willing to take its fight against the FBI over iPhone backdoors all the way to the Supreme Court, where it would have the support of numerous industry heavyweights. Oral arguments are set for March 22 in federal court.

Amazon used as bait

In recent weeks, we have seen several mass-mailings in French, Italian and English, imitating messages from Amazon’s online shops.
In all the mailings, the recipients were offered a voucher, a gift certificate or some other prize. The enticing offers were mostly sent from Italy or France. However, the email addresses from which they were sent immediately raised suspicions: the culprits didn’t even try to imitate Amazon’s official email addresses, and merely used Amazon in the sender’s name. Each message contains links that supposedly lead to the Amazon website.

The recipients have to click the links to claim their “prize”.

Analysis of the links shows that users from different countries are redirected to different web pages.

For instance, users with a European IP address are asked to fill in a form in English, and are offered the chance to enter a draw for an iPhone 6S as a reward. The winner is promised a new smartphone for just 1 euro, but first has to enter their bank card details on the video streaming site myflixhd[.]com. The website offers a 5-day trial period, but requires the user’s bank card details, and then deducts a subscription fee of 50 euros per month if the user fails to cancel the subscription on time. Naturally, Amazon has nothing to do with this “draw” or any other similar scams, and the chances of winning an iPhone 6S are very slim, to say the least.

There is a good chance, however, that the bank card details entered on this advertising web page will be used by third parties for their own ends.
The director of the Federal Bureau of Investigation has conceded it was a mistake to ask San Bernardino County to reset the password of an iCloud account that had been used by gunman Syed Farook. Changing the password to the account prevented the phone from making a backup to an iCloud account, which Apple could have accessed without bypassing the encryption and security settings on the phone.

"As I understand it from the experts, there was a mistake made in that 24 hours after the attack where the county, at the FBI’s request, took steps that made it impossible later to cause the phone to backup again to the iCloud," James Comey told the House Committee on the Judiciary in Washington, D.C., on Tuesday.

But, Comey said, the issue would still have ended where it is today because the iCloud backup would not have provided the bureau with all of the information from the smartphone.
From ransomware to adware, mobile devices are seeing more attacks, even though far fewer users are affected than on typical personal computer platforms. Security researchers have long predicted that malware will arrive on mobile platforms, threatening the owner's sensitive information and using the devices to carry out a variety of scams, from stealing bank funds to racking up premium texting charges. In some regions, where third-party application stores are numerous and not well secured, malware rates have soared.

In North America, however, where applications are usually downloaded from Google's Play store or Apple's App Store, the security checks conducted by those companies have kept mobile devices mainly free of malware. In 2014, for example, only about 0.15 percent of devices that only installed applications from Google Play had a potentially harmful app installed, according to Google. Yet, that may start to change in 2016, according to researchers. One technique, known as overlays, may allow criminals to steal information in real time and foil the use of smartphones as a second security key used to augment Website login security ranging from Gmail to bank accounts, Limor Kessem, security researcher for IBM's X-Force research group, told eWEEK.

Such techniques may result in much higher infection rates on mobile devices, she said. "Mobile malware is finally doing what everyone thought it was going to do," Kessem said. IBM is not alone in its predictions. Security firm Webroot found that 52 percent of the 20 million apps that it scanned from app stores worldwide were either potentially unwanted or outright malicious. "When we look at those environments, the stores have a lot of malicious mobile apps—in some cases, upwards of 30 percent," Grayson Milbourne, Webroot's security intelligence director, told eWEEK. And 70 percent of enterprises believe that the company had lost data because of an insecure mobile device, according to a survey conducted by the Ponemon Institute for mobile-security firm Lookout.

Fifty-four percent of companies believed that malware had infected a corporate mobile device in the

From several recently released reports, a fresh picture emerges of the current mobile malware threat. The relative danger of mobile malware infection, for the most part, continues to be overstated. PCs continue to account for the majority of malicious traffic seen on residential networks, according to data from Nokia's Application and Analytics group, which released a report on March 1 summarizing the threats the company saw on both mobile and residential networks in 2015. About 11 percent of computer systems were infected with malware or potentially unwanted software, such as adware, in the second half of 2015, down from 14 percent in the first half, the company found.

Smartphones, meanwhile, only had a 0.3 percent infection rate, the company found, which is in line with Google's data. However, the rate of PC infections is falling, while the rate of smartphone infections has begun to climb, according to Nokia.

Smartphones now account for the majority of malicious traffic seen on mobile networks, according to Nokia's Applications and Analytics group. In the past, a great deal of malware seen on mobile networks could be tracked back to Windows PCs or laptops tethered to mobile phones, but in 2015 that changed with smartphones accounting for about 60 percent of malicious traffic.
The U.S. Congress should allow an expert commission to recommend ways to resolve the contentious debate over police access to encrypted communications before passing "knee-jerk" legislation, one lawmaker said. Even as Apple and the FBI fight in court o...
Struggling smartphone vendor BlackBerry is looking to diversify its business by launching a cyber security consulting service, focusing in part on the Internet of Things, and providing related tools to customers. The Ontario smartphone vendor, an early standard bearer for multifunction mobile phones, announced Wednesday it has acquired U.K. cyber security consulting firm Encription.

The company did not disclose the terms of the deal, which was completed last week. BlackBerry's move into cyber security consulting isn't a huge leap, as the company has long positioned itself as a security-minded smartphone vendor. Late last year, the company launched the Priv, a security- and privacy-focused smartphone running a modified version of Android. The company has significant cyber security expertise in house, and the new cyber security consulting practice will build on those assets, a spokeswoman said. The company noted the global cyber security consulting industry generates US$16.5 billion in business a year, with huge growth predicted. BlackBerry posted a net loss of $89 million for its third quarter, which ended Nov. 28. Still, for the previous nine months ending on that date, it posted a net profit of $30 million, compared to a net loss of $332 million over the same period in 2014. BlackBerry's cyber security services will focus on helping customers with security strategies and providing technical assistance, the company said.

The company will specialize in automotive and Internet of Things security and in detection, testing and analysis. The growing move into cyber security is a "smart move for Blackberry, especially as security is in the headlines" with a recent fight over smartphone encryption between Apple and the FBI, said Jeff Kagan, a mobile analyst. Still, it's unclear if cyber security consulting will be a long-term winning strategy for the company, he said by email. "BlackBerry is having a tough time finding growth areas," Kagan added. "Before we get too excited, we’ll just have to see whether this moves the needle at BlackBerry."
Bipartisan legislation likely to be thorn in law enforcement's "Going Dark" side.

The ENCRYPT Act comes after New York and California moved to weaken smartphone encryption. Two members of Congress are trying to stop states from weakening encryption. Reps. Ted Lieu (D-Calif.) and Blake Farenthold (R-Tex.) introduced a bill on Wednesday that would stop states from mandating that a company intentionally weaken its smartphone encryption to facilitate law enforcement action.

The bill, known as the ENCRYPT Act, is surprisingly short, saying simply that no state or local municipality can place restrictions or rules upon device manufacturers, app developers, or product sellers. More specifically, it targets the idea of forcing companies to more easily allow those local governments to "have the ability to decrypt or otherwise render intelligible information that is encrypted or otherwise rendered unintelligible using its product or service."

The bill was presented to Congress just weeks after New York and California lawmakers introduced their own bills that would ban the sale of encrypted smartphones. Since Apple and Google encrypt their most recent operating systems by default, though, that would make it difficult to sell iPhones or Android-based devices in those two states. Neither bill has seen activity since being introduced, however.

"Different rules in different states create a myriad of issues and will actually make it more difficult for law enforcement officials. We need a unified approach to this issue that both protects security and privacy while enabling law enforcement to keep us safe," Rep. Farenthold said in a statement. "The California and New York proposals do not solve the problem. We need to keep free market and trade between the several states robust, not promote a false sense of security and require things like backdoors and golden keys that can be exploited by hackers."

"The ENCRYPT Act makes sure that this conversation happens in a place that does not disrupt interstate commerce," Rep. Lieu said.

Regardless of what happens on Capitol Hill, all these bills again bring up the issue of encryption. Law enforcement officials have criticized Apple and Google for hardening their communication platforms. Indeed, if an iMessage user were to communicate with another, it would be impossible for Apple, as well as law enforcement, to intercept that communication. Law enforcement agencies say such features put the public at risk. Apple and Google, among others, say they're protecting individual rights to privacy and security, and have no plans to alter their OSes.
Every year there are more studies revealing that the most-popular passwords are plain awful. Obvious passwords like "123456" and "password" always top the lists. Worse, many people use the same lame password everywhere. It doesn't take a hacker to break into an account that uses one of these terrible passwords, just a good guesser. The problem is, avoiding same passwords and lame passwords is hard—too hard for most people to manage without help. Fortunately, help is available in the form of password management software. For your own sanity and security, install a password manager and change all of your passwords so every single one is different, and every single one is long and hard to crack. Until our Internet culture evolves into some post-password Nirvana, everybody needs a password manager, even our own John Dvorak. There are plenty of good choices. All the commercial password managers listed here earned 3.5 stars or better. Strapped for cash? We've rounded up free password managers separately.

The Basics

The typical password manager installs as a browser plug-in to handle password capture and replay. When you log in to a secure site, it offers to save your credentials. When you return to that site, it offers to automatically fill in those credentials. And, if you've saved multiple logins for the same site, the password manager offers you multiple account login options. Most also offer a browser-toolbar menu of saved logins, so you can go straight to a saved site and log in automatically. Some products detect password-change events and offer to update the existing record. Some even record your credentials during the process of signing up for a new secure website. On the flip side, a password manager that doesn't include password capture and replay automation needs to offset that lack with significant other assets.

Getting all of your existing passwords into the password manager is a good first step. Next, you need to identify the weak and duplicate passwords and replace them with tough ones. Many password managers flag weak and duplicate passwords, and some offer help with the update process. The very best ones can automate the password-change process for you. When you create a new secure account or update a weak password, you don't want to strain your brain trying to come up with something strong and unique. Why bother? You don't have to remember it. All but one of our top-rated products include a built-in password generator. Make sure your generated passwords are at least 12 characters long; some products default to a shorter length.

Entering a password like ^@V3B.u'j@Z}c?sAE on your smartphone's tiny keyboard can be tough. Fortunately, almost all of our top password managers can sync across all of your Windows, Mac, Android, and iOS devices. A few even let you authenticate on iOS or Android with your fingerprint rather than typing the master password. Most include some form of two-factor authentication, be it biometric, SMS-based, Google Authenticator, or something else entirely.

Fill Those Forms

Since most password managers can auto-fill stored credentials, it's just a small step for them to automatically fill in personal data on Web forms—first and last name, email address, phone number, and so on. Most of the top-rated products include Web form-filling. The breadth and flexibility of their personal data collections vary, as does their accuracy when matching Web-form fields with their stored items. Even if they miss a field or two, the ones they do fill are ones you don't have to type. Think about how many sites you go to that want all the same information; this feature is a huge time-saver. Different products handle form-filling in their own ways. Some immediately fill all recognized fields, some wait for you to click in a field, some pop up and ask what you'd prefer. You'll even find products that offer your choice of credit cards using realistic images with the correct color and bank logo!

Advanced Features

Given that all these products take care of basic password management tasks, how can one product stand out from the pack? One handy advanced feature is managing passwords for applications, not just websites. Another is provision of a secure browser, designed to protect sensitive transactions and invoked automatically when you visit a financial site. And of course automating the password change process is a big plus. As noted, these top products let you sync your passwords across all of your devices. Some of them also include a built-in mechanism for securely sharing passwords with other users. Some let you share a login without making the password visible, some let you revoke sharing, and with some the sharing goes both ways—that is, if the recipient makes a change it will change the original. On a grimmer note, what happens to your secure accounts after you've died? A few products include some provision for a digital legacy, a method to transfer your logins to a trusted individual in the event of your death or incapacity.

The Very Best

Veteran password manager LastPass 3.0 Premium offers an impressively comprehensive set of features. Slick and polished Dashlane 3 also boasts a ton of features, even some that LastPass lacks. Sticky Password Premium handles essential tasks better than most, and a portion of every purchase goes to help an endangered species. But even the products not named as Editors' Choice have their merits; you may prefer one of them. Read our reviews to decide which will serve you best.