Wednesday, 25 March 2015

Android Security: A Big Concern go Unnoticed by Smartphone Users

As we all know, we are in the world of Internet. Whoever don't have access to Internet or WWW is looked up as orphan in this digitized world. With kids growing up with high-end tech, the penetration of Smartphones is inevitable. The vast majority of smartphone comes loaded with most popular Open Source Operating System, Android, owned and developed by Google. A desktop Operating System tweaked to fit hand-held device. Good and sweet to carry a PC power in pockets. But any tech will come with its own cost.

Rooting your Android Device:

Well! The huge buzz about the Android OS is level of customization. When Android raced with IOS, the Android won users with option to customize the Android experience ( I don't wish to start war of word with which is best?). Android OS customization and tweaking to adapt to users requirements has earned its market share.

One of most popular method to unlock the potential of Android OS is to Root your Device to get Admin privileges as we do in Linux system. It would help to hibernate apps, uninstall bloatwares which comes loaded with your phone, to create swap partition, and etc. Many loved to root the Android Devices. Yet it had its own disadvantage.

Once rooted, any app which request for root permission could sniff out confidential data. Even sensitive information could be compromised. Yet, advocates of Android would state that the app need permissions from the users. So it is user who must act responsibly. But the talk does not end with apps which we grant SuperUser privilege. The Apps which we download from Google Play Store might deduct rooted devices and sniff out data as most users grant permission to those apps. The situation is users can't miss a particular app from his Smartphone. So the permissions are forced upon the users by Software Vendors.

And the apps which we use to root our device might compromise our data. Who knows whats been taken out of  your device, the application got its right to work with your device! So beware, whenever you install an app that too not from Google Play Store, know that you risk your device and sensitive data.

Whatsapp Calling:

People who use popular messaging application Whatsapp would have received links from friends and unknown person to install a software to their Smartphones to enable "Whatsapp Calling feature". I wonder some tried it without realizing that such feature could be added by Facebook with an update from Play Store. It was too late. Most of them lost sensitive information from their smartphones. It stole sensitive information from users to be stored in third party server.

Remember, not only Whatsapp, all such apps are vulnerable to such hacking attempts. With Android users added exponentially, the hackers have found pasture in this field. From PC attack, the mode has be switched to mobile attacks.

Malicious App from Play Store:

The recent revelation that Facebook private pictures could be sniffed out of your Smartphone has raised alarm among Security Researcher who work on Smartphone security.  With unlimited privileges any of your favorite app could gain access to your Smartphone temple. One such example was the Facebook private picture leak.

But not all app would be stealing data. In Play Store, we found many responsible developers who explains the need of such permission when posed with a question. Some open comments could draw developers voice in to Play Store Market. Yet, few grey developers try to sniff out data from app users.

Beware of the purpose of Smartphone:

Last but not the least, make yourself sure about the purpose of your Smartphone. Limit the number of Apps. It might have a potential of PC, yet it is phone. With access to mic, sdcard storage, call information, any app could record your voice calls and upload them when ever you get connected to Internet. Judicious use would fetch more benefits. Beware of what you use and how you use. 

Sunday, 22 March 2015

Google Stops Security Support For Android 4.3 and Earlier!

Google has stopped security support for Android devices which run 4.3 or earlier version. The default internet browser vulnerability unearthed recently could bug almost more than half of the Android devices. The move signals that the Google is planning to concentrate on the current software and focus more on future products than hogging its mind on outdated issues and problems.

Google which is well known for it security as well as encryption of email has recently took cognizance of the security flaw reported in the old default web browsers of the Android which was fixed by September, 2014. Later another bug was discovered which was reported for patch to Google. But Google turned down the bug stating that "we generally do not develop patches ourselves for web browser in Android 4.3 or earlier". However, it did not rule out the possibility of patches by other developers.

Google's decision to abandon older versions of Android has left many devices at lurch. It will increase the risk for exploitation by hackers. Since most people use old devices, the reported bug will increase the security risk of smartphone users.

Android need to move for Long Term Support (LTS)

Android which has created huge buzz when it comes to mobile computing has brought wide sweep to the mobile market culture. The one who doesn't own a smartphone is considered as serious identity crisis. But these developments has brought inherit security risk which each Operating system pose to its users.

With Android release on the way, the new devices are brought down to the category of old devices in the market. With more and more new releases, it would be stuck in recursive loop of development rather than providing support to the users. 

Time has arrived for Google to reconsider the Android Strategy. Instead of short new releases, Google must provide a Long Term Support for new Android releases. Any new development will come with its own bugs and so the security risks. In order to avoid exposing users to such risk, Google might chart out a strategic plan for the next release of android with Long Term Support to patch security risk and flaw which would help in improving Android User experience and also will help to create next version Android free of bugs. The present strategy to abandon older version will make dent on Android.

Mobile Security: Hackers Steal Mobile Payment data In China

China, one of largest market in the world, home to 649 million Internet users with millions of users being added every month. With high Smartphone penetration into the life of people, the money transactions through mobile payment services are inevitable. Comparing the internet payments, mobile payments may surpass in next 2 years. It was evident from the growth of Smartphone market.

While any benefit technology brings home will not come free of its own shortcomings. The days when the computers were target by hackers to steal confidential information were the past. With advent of mobile Operating Systems (OS), most of the human internet life is spent on Smartphone than on the PC. The convenience, portability and accessibility has lured users to adapt Smartphone while neglecting the risk associated with them. Here are few ways the hackers try to steal mobile payment data from your Smartphone.

Fraudulent Wifi


The most common trick the hackers tend to employ is setting up a free Wifi network. Chinese Internet users tend to make payments and bank transfers on-the-go via public Wifi networks. The reason is obvious. The Wifi is free to use and available when ever needed. Hackers started placing Fraudulent Wifi connection in the Shopping malls, multiplex entertainment centers.

When any person connects to such fraudulent Wifi network, all personal information from the Smartphone are sniffed out. The worst is when user make any purchase, hackers can steal the account data. Any Sniffers with promiscuous mode would suit the job to extract personal information that are travelling through Wifi network.

QR Codes with Virus


It is wildly used in Chinese Internet users to find friends, make payments, exchange information, redeem coupons. Hackers have started embed a virus to QR codes so that anyone scanning them will automatically download a virus to their smartphones. Personal information from phone numbers, contacts, mailing addresses to banking details and passwords would be stolen in seconds once the virus sits on the Smartphones. Any message or email stating to scan a QR code must be done with caution. The source of such message must be known before scanning them.

Phishing Website Attack


Most popular method among hackers, employed to steal confidential information from the users. The fake website which would appear as if the original website, will be presented to the end-user either through an email or a link. The user will be lured to enter confidential information to find oneself that the hackers have tricked them to disclose sensitive data. These fraud is commonly used against Internet banking users. Though, security agencies have beefed up security measures to counter the phishing threat, it still pose a serious threat. The customer who are unaware of the internet security usually end-up with phishing websites.

Firefox, Chrome, Safari, IE exploited


Firefox, Safari, Chrome and Internet Explorer all fell within than a second

Security Vulnerabilities in every one of the four big browsers were exploited in a Hacking Contest to remotely execute arbitrary code on Windows PC.

But the vulnerabilities were never made public. It was disclosed privately to the concerned parties mostly the software makers to release patches as soon as possible. In the interest of public at large, the details were not disclosed.

South Korean Security Researcher Jung Hoon Lee, who ised the handle "lokihardt" won a hooping $225,000 who left Vancouver with huge bank balance.

The time-of-check to time-of-use (TOCTOU) vulnerability and a sandbox escape through privileged Javascript injection to get past Windows Security Software and pull of medium-integrity remote code execution with the same privileges as logged-in user. 

Further, the buffer overflow bug of stable and beta versions of Google Chrome were used to execute full system level remote code execution.

Later, the finale Apple's Safari was pawned. With use-after-free(UAF) vulnerability using a uninitialized stack pointer to perform remote code execution on OS X won him the contest.

The Mozilla Firefox was compromised with in a second. The out-of-bounds read/write vulnerability leading to medium-integrity code execution in the browser.

The contest was a win-win situation for the hackers and the software vendors. The people who cracked earned a decent cash while the software vendors gained by knowing the vulnerability so they can release patches for the end-user.

Saturday, 21 March 2015

Text that Crash Google Chrome browser in Mac

If you are using Mac, then beware that Google Chrome Web browser will crash the moment it try to render special character. Here is the link for the error, open bug ticket on the Chromium product which details the issue.

The issue rose up when Google Chrome on Mac crashed trying to render obscure language. Hence, if you open any blog post, twitter or email with those obscure characters, you end up crashing the Chrome. But this bug is limited to Chrome on Mac. The users has reported that such obscure character didn't bother when rendered through Apple Safari. Instead of those special characters, boxes ([]) were displayed for the page title and text.

The windows version of Google Chrome were fine with the obscure characters. Those who use Chrome on Mac reported the issue. Hope, it is fixed soon.

GitLab acquires Gitorious

GitLab, rival of GitHub, acquires Gitorious

GitLab has acquired Gitorious, a repository management system which would leverage GitLab to compete against other commerical and propriety repository management system. The acquisition has knocked the strong hold of GitHub which is the most popular among the collaborative code repositories.

The acquisition not only leveraged the GitLab resourced but also added the huge user base. Now, GitLab has close to one million users. Those users include open source projects such as Opensuse and AT&T and Expedia, etc.

The exact figures for which the deal was done is yet to be known. So the existing Gitorious will shut down by June and its customers can migrate to GitLab. As well the staff currently working on Gitorious won't be joining GitLab, although GitLab expects to collaborate with them.

Cyanogen Teams with Qualcomm and Alcatel

Cyanogen partners Qualcomm and Alcatel


Earlier this year, Cyanogen, developers of Cyanogen OS, a free smartphone operating system based on Android, broke up with handset maker OnePlus. While many believed that this was a blow to the Cyanogen, to our surprise, it recovered by inking a good deal with popular chip maker Qualcomm, the famous smartphone device chip maker.

The deal will pave way for select features and UI elements from Cyanogen OS to be installed on Qualcomm's upcoming reference designs powered by QualComm's Snap Dragon 200, 400 and 600 processors. The reference designs are a way for smaller companies to pick up smartphone templates and release then under their own brand.

Further, Cyanogen teamed up with handset maker Alcatel to install Cyanogen OS on Hero 2+ smartphones that will be made available in the U.S market this spring. The trend of Cyanogen OS getting moment with various handset manufacturers experimenting them at production level. If such trend continue, the prominence of Android will take a deep dent in the smartphone market. The local smartphone makers are keen on improvising smartphone user experience which lead to installation of Cyanogen OS at production level. The level of customization has attracted Android users towards Cyanogen smartphones.

Friday, 20 March 2015

4 Amazing Open Source Alternative Browsers For Linux Users

Here is the list of browsers which can be highly useful alternatives to the major ones.

For all of us, the internet world starts with Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, Apple Safari or the famous Opera. Yet there are lot of interesting alternative browsers exist in the PC world which require attention now. It would be good practice to use different browser for personal, work, social media or networking. While it comes to open source web browsers, the level of excitement would surpass next level. Here are some ideal open source web browsers.

1.Fifth:

Fifth is an open source web browser. The beauty is in its compatibility. It is exclusive to Linux operating system filled with vast features from Opera web browser. The most prominent feature is in its exclusivity when it comes to features. For people who don't need heavy tax on system memory could opt for Fifth browser. Highly customize able thus user have full control over the browser. Hat off to the privacy. It will not leak information. Only drawback is it lack native video playback feature.

2.Dooscape:
An open source web browser based on WebKit engine and Qt framework. When it comes to exclusivity it provide unique features, appearance, interface. Unique feature of high customization and simple layout make it stand out the crowd. It can also take screenshots and provide a lock mode too.

3.GNU Emacs:
It is an extensible text editor which is highly customizable and self documented. It is an advanced text editor which could be customized to act as complete development environment. The editing commands in this browser are applied as characters, words, lines & sentences, paragraphs and pages. The w3m.el interface is complete Emac web browser. It supports graphics, frames and w3 support.

4. Breach:
A web browser entirely written in Javascript and offers interchangeable modules. The internal functions are yet to be revealed. API can be added for developers which allows building modules which can be added, removed and interchanged too. The navigation is also built upon javascript and HTML5.

Facebook found leaking private photos

Creepy iOS, Android apps could gain access to the pictures.



Bug Hunter Laxman Muthiyah has reported a Facebook vulnerability that exposes private photos to potentially malicious applications.

The hacker received US $10,000 from Menlo Park for reporting the bug in Facebook Photo sync and an API that allows third party apps to gain access to private pictures.

The "user_photos" permission could gain access to your private pictures prior to the patch.

"A Malicious app which you are using can read all of your private photos in few seconds", Muthiyah says. "After few minutes of testing, I realised that vaultimages endpoint is vulnerable".

The Facebook covered up the bug in 30 minutes by whitelisting official applications. It is unknown how many non-whitelisted apps now sport broken photo synchronisation features.

It is the second vulnerability that Muthiayah has reported to Facebook this year. Last month the hacker took US $12,500 for disclosing a method to delete photo albums from the site using Facebook Graph API and a mobile token.

Thursday, 19 March 2015

LightEater Attack: Popular Bios Security flaw

The security researchers have found that most popular Bios of hardware vendors are vulnerable to attacks. Considering the stealth, privilege and persistence most attacker prefer a low level attack. The most popular of them is Basic Input output System been one of them. The LightEater attack targets world most popular bios vendors.

"Because almost no one patches their BIOSes, almost every BIOS in the wild is affected by at least one vulnerability, and can be infected, Kopvah, LegbaCore researcher stated.

"The high amount of code reuse across UEFI BIOSes means that BIOS infection can be automatic and reliable."

"The point is less about how vendors don't fix the problems and more how the vendors' fixes are going un-applied by users, corporations and governments."

The security researchers stress on the responsibility of the system administrators to apply vendor patches, something which is not being done. And further they warned about how simple to launch attack on victims whose BIOS are vulnerable to such attacks.

The security experts have conveyed the concern that most of the BIOS are insecure and provide undue advantage to the attackers. Even a person who don't possess special skill or knowledge about security and hacking would be able to launch attack against victims. All the attacker need is a few minutes of access to the victims computer to implant the bug.

The security researchers stated that they would soon release a automated script to BIOS vendors to test for vulnerability against reading and writing to all system memory. Almost 80% of the world computer is vulnerable to BIOS attack as most vendors use almost same code when it comes to BIOS except for few modifications depending upon the vendors.

The BIOS implant surfaced recently to the research community on the cue of Snowden documents which state that National Security Agency (NSA) which exploited this vector to spy on targets.

To patch up BIOS, it is recommended to install vendor patches to the respective BIOS. It would be better than to feel sorry tomorrow.

The Security experts who exposed the vulnerability are advocating for patch as early as possible. As the revelation has made the implant public which could be used against victims by anybody even they are not savvy about working of computer or how to launch an cyber attack on victims.

There is a huge buzz over the Snowden reports on how NSA spied over others. The report not only expose the vulnerability but also the extend through which NSA implanted spying bugs on targets. More to follow....

Now Google Drive support ODF (Open Document format)

It is good news to hear that Google Drive support .odt (open document file format) format. Previously, the users have to convert the documents into the most popular .docx file format that take advantages of other services comes with Google Drive. Now, the google has announced that Google Drive will support the .odt format which was in high demand among the cloud service community.

As the reach of open source get bigger day by day, Google has responded positively by adding the .odt among the supported file formats of Google Drive. Thanks for the move that dependence on the premium software get reduced to nil. With Google opening its doors to the .odt, any open source word processor such as abi word, open office, libre office user could take full advantage of the Google Drive cloud storage service.

"We've been listening to your feedback, and we're happy to say that we now offer support for importing all three major ODF file formats: .odt for documents, .ods for spreadsheets, and .odp for presentation." - Google. Google added the support since yesterday. Yet the support for mobile apps need some wait.

The reason behind such move was cited as UK Government policy to use ODF as default file format for government related works. And other European nations exhibit great zeal for the adaptation of open source document format as default file format in government related activities.

Not only the governments but also the open source community and people who prefer such tools over commercial office suites benefit at large.