Tag Archives: Samsung

Security News for the Week Ending Friday August 10, 2018

Lack of Vendor Cyber Risk Management Hurts over 750 Banks

TCM Bank, a company that helps hundreds of small banks issue credit cards, had a problem with one of its third party vendors.  From the perspective of the banks that hire TCM, that vendor is a fourth party, so this is a fourth party vendor risk problem.

The small bank wants to issue credit cards, so it hires TCM; TCM hires someone else, and that company leaked the bank’s customer data.

TCM said less than 25% of applicants had their data compromised – fewer than 10,000 consumers.  That, I gather, is supposed to make us feel better, but somehow, it doesn’t.

The small community bank, which has the least security expertise of anyone in that chain, is liable for the fourth party breach.  The regulators (the FFIEC, the OCC or the FDIC, plus the state regulators) will be asking lots of embarrassing questions.  Those banks, which likely do not have a good vendor cyber risk management program, will be left holding the bag.

Many companies have a fourth party vendor cyber risk management problem.  Most are completely unaware.  Source: Krebs on Security

It is Amazing What a Potential 20 Million Euro Fine Will Do

In the UK alone, there were about 400 breaches reported to the ICO (Information Commissioner’s Office) in March and another 400 in April.  In May, the month at the end of which GDPR came into effect (May 25), there were 750 breaches reported.  In June, the first full month that GDPR was in effect, there were 1,750 breaches reported.

It is unlikely that hackers decided to become more active in alignment with GDPR, so what is likely is that the threat of a massive fine is causing people to report breaches.  We shall have to see what the trend looks like and what happens in other countries.  Source: Bankinfo Security

The Pentagon is Creating a “Do Not Buy” List

The Pentagon’s Acquisition Chief admitted last week that the Pentagon is creating a secret Do Not Buy list of companies known to use Russian and Chinese software in their products.

The Pentagon plans to work with defense industry trade associations to effectively blacklist those companies.

The new Defense Authorization bill also requires companies to disclose whether they have let Russian or Chinese entities review their source code.  Source: Bleeping Computer.


Some Samsung Phones Sending Random Pictures To Random Contacts

Reports started surfacing last month about some Samsung phones sending one or more pictures to contacts in the user’s contact list without the user even being involved.  In one reported case the user’s entire gallery was sent.

Given that many people have at least some adult pictures on their phone, if this is really happening, the results could be dicey to say the least.

In addition, if you have any pictures with business proprietary information – say a snap of a white board from a meeting – that could be a problem too.

Samsung said they are aware of it.

T-Mobile, the carrier in at least some of the cases, in a perfect example of taking care of their customers, said “It’s not a T-Mobile issue” and told people to talk to Samsung.  Note to self: even though T-Mobile may be less expensive, a customer-focused attitude like that goes a long way toward killing that value.

Luckily it seems to be happening on new phones.  If Samsung can figure out what is happening, they may be able to develop a patch, and that patch would likely be made available to users of the new phones.  If this is happening on older phones, users may just be out of luck, since most vendors do not provide patches for phones older than about two years.  This also assumes that users bother to install the patches that are available, which is probably less than a 50/50 bet.  Source: Gizmodo.

More Problems for Huawei

While the US government tries to ban Huawei devices, the UK government only said it was “disappointed” at the lack of progress Huawei has made in improving security.  Curiously, this is the fourth such report the UK government has issued over the last 8 years, and the first three said that any risks had been mitigated.  The reason for the change of heart is unknown.

In the meantime, Australia is considering banning Huawei gear, like the U.S. is doing.

One of Britain’s concerns is that Huawei is using third party software – in this case the operating system the gear runs on – that will no longer be supported in two years.  Given the normal lifespan of telecom equipment, that is a major problem.

Huawei said that there were “some areas for improvement”.

Given the concerns over Chinese government influence and possible backdooring of Huawei equipment, it seems like it would just be a better idea to find another vendor.  Source: BBC.


Researchers Find 20 Bugs in Samsung IoT Controller

In the ongoing saga of IoT security (The score is bad guys: a whole bunch, good guys: not very many), the bad guys continue to win.

Researchers analyzed Samsung’s house management hub called SmartThings and found 20 problems.

The researchers, part of Cisco, said that the attacks are complex and require the attackers to chain different bugs together, but that doesn’t lessen the severity.

The Samsung SmartThings hub supports a variety of protocols allowing it to control a wide range of devices.  Some of the devices it can control include lightbulbs, doorbells, smart locks, smart plugs and many others.

But that ability is also the problem.

If you can hack the SmartThings hub, then you could turn off alarm sensors, unlock the door to the house or spy on the homeowner by taking over the security cameras.

Given that possibility, what could go wrong?

So what should an IoT early adopter do?

The first thing is for you to understand that as an early adopter you are blazing new paths and some of those paths will be dead ends.  Personally, I have bought and replaced many different IoT devices.

Second, you should consider the risk prior to purchasing and using any IoT device.  For example, it is far less risky to control your lightbulbs than your front door lock.  If you are risk tolerant you may be okay with the risk from the smart door lock, but if you are less risk tolerant, you may not be.

Next, ONLY purchase IoT devices from vendors that have an active cyber security program.  All IoT devices will need patches.  If the vendor doesn’t actively create patches, then the bad guys will win.  You also want devices that automatically download and install the patches when released.  Samsung says that they have already patched every device operational in the field.  That is what you want.

Finally, stay tuned to the security news in the IoT arena.  If you are going to be an early adopter, you need to be informed.  When things are stable and mature you can be less concerned.  When there is a new attack every day – you have to be proactive.

Be smart.  Be informed.  Then make decisions.

Information for this post came from Threatpost.


Smart TVs And Your Privacy


Samsung made some news last week.   As we know, some smart TVs are always listening to the talking in the room.  The way the software works is that it captures all speech and looks for the trigger words.  Samsung, in its privacy policy, said

“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”

So if you talk about your health, marital situation, a terrorist plot or anything else, that will be sent to Samsung and to the third parties that they use.

After the freak out ended, Samsung attempted to clarify what happens by saying this:

“If you enable Voice Recognition, you can interact with your Smart TV using your voice. To provide you the Voice Recognition feature, some interactive voice commands may be transmitted (along with information about your device, including device identifiers) to a third-party service provider (currently, Nuance Communications, Inc.) that converts your interactive voice commands to text and to the extent necessary to provide the Voice Recognition features to you.”

It is not clear that this “clarification” made anyone feel any better.

So who does Samsung share your information with?

  • Affiliates – Samsung owned companies
  • Business partners
  • Service Providers
  • Law Enforcement

We don’t know what other TV makers do with your voice, but it is likely similar.

In addition, that data may be kept forever.  Their policy doesn’t say how long they keep it.

If we shift the conversation to the fight between Apple and the Department of Justice, maybe we need to ask if the San Bernardino shooter had a smart TV.

Likely, as with other Patriot Act warrants, the TV makers would not be allowed to tell you that the Feds want your conversations.  In very general terms, they could tell everyone, after the fact, the approximate range of the number of warrants they have received.

There is a simple solution of course – don’t buy a smart TV or don’t enable the voice feature on it.


Information for this post came from SecureWorldExpo.


Android Security Is Improving – But Not As Good As iPhone

The Android community is slowly beginning to understand that they are going to have to step up to the plate and deal with security like Apple has done from the beginning.  The challenge is that unlike Apple, where there is one master in control, the Android community is fractured.  The only one who has any hope of pulling off a solution is Google.  They have the size (money) and the motivation to fix the problem.

Two examples popped up today.

First, Google has stepped up and is issuing monthly security updates, as Microsoft has done for a long time.  Some vendors, such as Oracle, choose to announce patches quarterly.  The advantage of that is that you only have to do four updates a year.  The disadvantage is that the patch releases are monstrous, with hundreds of patches in each one, so many companies just ignore them.  Microsoft’s monthly release typically contains a number of bulletins in the low teens, and those are often bundled so users have to deal with fewer details.  Bugs are also fixed sooner with monthly releases.  I vote for monthly.

In this month’s Google patch release, there are two patches for bugs which can be exploited remotely with specially crafted media files (argh, again).  This is a continuing effort to clean up the fright fest that is Android’s media handling, called Stagefright; you may remember that there were two earlier patches to fix problems in Stagefright, and this is number three.  Expect more, as Google is announcing them as they fix them.  There are also three other patches in this month’s collection.

Owners of Google Nexus phones will get these patches quickly.  Owners of phones from other manufacturers will need to wait until those manufacturers decide to release the patches.

I am an Android user and am seriously considering making a Nexus phone my next phone since Google seems to have gotten the security message.

The other article is about Android bloatware, or crapware.  Those are the terms for all of the garbage that phone manufacturers think you want and that they add to differentiate their phones from their competitors’.  In most cases, they are so sure that you want this garbage that they do not give you a way to remove it.  In fact, in many cases, they are being paid by the makers of the software to install it on your phone, which is why they do not let you remove it.  This is another advantage that Apple has.  They control the phones.  Since no one else makes iPhones, they control the price and don’t have to install crapware to subsidize the price of the phone.  This is one reason why Apple phones are more expensive than Android phones.

Google has a research team (Project Zero) that hunts for bugs.  Besides hunting for bugs in Windows, Mac OS X and Linux, they are now looking inside Android phones.  This month, they announced that they found 11 bugs inside the Samsung Galaxy S6 Edge crapware.  These bugs likely won’t be on a Galaxy S5 or on an LG phone, as the crapware, for the most part, is tailored to the phone.  Who did Samsung make a deal with for this particular phone?

The biggest risk is in software drivers, the software that talks to the hardware and has the most permissions.  That is where these bugs, for the most part, were found.

The good news is that Samsung has fixed these.  The bad news is that there are hundreds of phone models and Google’s researchers do not have the resources to review that many phones.

The manufacturers – like Samsung – need to realize that this is an impediment to sales and deal with it.

One more point.  The patches that Google released ONLY patch Lollipop (5.x) and Marshmallow (6.x).  According to a statistic I just found, almost no one is running 6.x, which is brand new, and less than 15% are running 5.x.  Almost 75% of Android users are running 4.x, and the patches just released DO NOT protect those users.

In their defense, Apple does the same thing.  They patch the current release and one release back typically.

For Android users, they need to understand that if they are saving money by not upgrading their phones, they are at greater risk for being attacked because these old phones are not being patched.

As Google ramps up their security efforts and releases more patches, they are giving the hackers a road map for how to attack these old phones, making them more vulnerable every month.

Just food for thought.

Information for this post came from two articles in Network World – here and here.


600 Million Samsung Phones At Risk Of Being Hacked

Well, that headline should get your attention.  The good news is that the risk is relatively low.  The bad news is that the patch process in the Android ecosystem is very broken.  So what is a researcher to do?  Announce the vulnerability at Black Hat London.  And, unfortunately, there is nothing for a user to do other than wait for the carriers to get off their rear ends and release the patch that Samsung delivered to them months ago.

Short version of the problem:  Samsung integrated a third party product called SwiftKey into the keyboard on all Galaxy phones since the S3 and all Note phones since the Note 3.  SwiftKey does predictive guessing of the words you are typing.  Samsung made two very serious security mistakes in how they implemented it that make it susceptible to hacking.  They released a fix to the carriers, but as of Black Hat London, using test phones bought last week, the vulnerability was still there.

And, you cannot disable it, uninstall it or mitigate it.

You don’t hear me say this very often, but this is one place where Apple has it right and Android has it totally wrong.  Since Apple OWNS the software and the phones, they control the updates for the software.  They have not allowed the carriers to get in the way and mess things up.  Good for Apple.  In the Android world, the carriers had to get in the middle of things, because they could, and pee on the fire hydrant, so to speak.  Since Android is at least partly open source, each carrier does this tweak and that tweak.  What that means is that when a phone manufacturer or the Android community releases a patch, it could take months before it reaches phones.  This bug was disclosed to Samsung in November 2014 and is still not fixed.

Samsung, as the 800 pound gorilla in the phone space next to Apple, could force carriers to push updates quickly, but they don’t want to risk annoying the carriers and have them push a competitor’s phone, so they sit back and let the carriers screw things up.  Maybe this will get fixed, but I am not optimistic.

Now the long version.  First, here are 4 articles on this bug (CNN, Forbes,  TechCrunch and NowSecure).

Here is the problem as best I can understand it.  The SwiftKey software that Samsung licenses is integrated into all the Galaxy and Note phones and cannot be disabled or uninstalled.  It “phones home” occasionally to look for language pack updates.  The way Samsung chose to implement it is insecure: the updates are neither encrypted in transit nor signed, so as long as an attacker can get in the middle of the data stream (say, at a public WiFi hotspot), they can replace that code with their own.

To make things worse, the keyboard runs as a highly privileged system process, so if you do compromise it, it pretty much has control of the universe.  NowSecure announced the bug after being annoyed with the carriers’ glacial pace in fixing it.  Worse yet, depending on how it is exploited, even a factory reset won’t remove the malicious code.  Only running the phone over in the parking lot will.
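The two mistakes described above, unsigned and unencrypted updates fetched by a privileged process, are easiest to see in code.  The following Go program is an added example and is not code from this post, from Samsung or from SwiftKey: the Update type, the Ed25519 signing scheme, the pinned vendor key, the payload strings and the mitm function are all constructed stand-ins, and the real SwiftKey update format and endpoints are not reproduced here.  It runs the same downloaded payload through an insecure install path that accepts whatever arrives and a hardened path that verifies a signature under a public key pinned in the device firmware, then shows what an attacker on a hostile hotspot gets from each.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Update is a constructed stand-in for a keyboard language-pack download.
// The real SwiftKey/Samsung update format is not reproduced here.
type Update struct {
	Payload   []byte // the language pack; under attack, whatever the MITM substituted
	Signature []byte // detached Ed25519 signature over Payload, made with the vendor key
}

// ErrBadSignature is returned when an update fails verification.
var ErrBadSignature = errors.New("update rejected: signature does not verify under pinned vendor key")

// signUpdate is the vendor side: the private key never leaves the build system,
// so nothing on the network path can produce a valid signature.
func signUpdate(vendorPriv ed25519.PrivateKey, payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(vendorPriv, payload)}
}

// insecureInstall models the flaw described above: no signature check and no
// transport protection, so whatever arrives over the network gets installed.
func insecureInstall(u Update) ([]byte, error) {
	return u.Payload, nil
}

// secureInstall only installs a payload whose signature verifies under a public
// key pinned in the device image. This protects integrity even over plain HTTP;
// TLS on top of it would additionally keep the contents private in transit.
func secureInstall(pinnedVendorPub ed25519.PublicKey, u Update) ([]byte, error) {
	if len(u.Signature) != ed25519.SignatureSize ||
		!ed25519.Verify(pinnedVendorPub, u.Payload, u.Signature) {
		return nil, ErrBadSignature
	}
	return u.Payload, nil
}

// mitm models an attacker on a hostile Wi-Fi hotspot swapping the body in
// transit. Without the vendor private key they cannot re-sign, so the best
// they can do is forward the old signature and hope nobody checks it.
func mitm(u Update, malicious []byte) Update {
	return Update{Payload: malicious, Signature: u.Signature}
}

// Result records what each install path did with a genuine and a tampered update.
type Result struct {
	GenuineAcceptedBySecure    bool
	TamperedRejectedBySecure   bool
	TamperedAcceptedByInsecure bool
}

// Scenario runs the whole exchange with a freshly generated (constructed) vendor key.
func Scenario() (Result, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	genuine := signUpdate(vendorPriv, []byte("en_US language pack v2 (constructed sample)"))
	tampered := mitm(genuine, []byte("attacker code that will run as the privileged keyboard process"))

	var r Result
	got, err := secureInstall(vendorPub, genuine)
	r.GenuineAcceptedBySecure = err == nil && bytes.Equal(got, genuine.Payload)

	_, err = secureInstall(vendorPub, tampered)
	r.TamperedRejectedBySecure = errors.Is(err, ErrBadSignature)

	got, err = insecureInstall(tampered)
	r.TamperedAcceptedByInsecure = err == nil && bytes.Equal(got, tampered.Payload)
	return r, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Run it with `go run`: the hardened path installs the genuine pack and rejects the swapped one, while the insecure path happily installs the attacker’s bytes.  Signing alone fixes the integrity problem even when the download goes over plain HTTP; only encrypting the transport as well would keep the contents (and the device identifiers sent with the request) private from someone watching the hotspot, which is why both mistakes matter.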

I have been doing some reading on this and there are two comments that have been made by people that are wrong and I would like to clear up.

First, people say that they do not use the default keyboard, so they are safe.  This is wrong.  The keyboard, even if it is not “active”, still checks for updates in this insecure manner.  One user said that you can force stop the keyboard if you are using another one and then, as long as the phone does not get rebooted, you are safe, assuming you have not already been attacked.  Not very practical.

Second, people say that they don’t use alternate languages (say Spanish or German), so they are safe.  This is wrong also.  The English language checks for updates.

The biggest risk is from sketchy WiFi.  This is yet another reason why you should avoid them.

However, if we look at attacks like the Duqu2 attack that I wrote about last week, it would be trivial for a nation state or other sophisticated attacker to get in the middle of your cellular communications as well, so even that is not perfect.

Another good news point: there is no way for a hacker, at least none that has been announced, to force the update check, so they would have to be in the middle when the phone is rebooted or at some other time when the keyboard is checking for updates.

SwiftKey has been careful to point out that the apps they distribute on the Apple and Google app stores do not suffer from these weaknesses; this is a problem with Samsung’s integration.

Maybe this will move the carriers a little bit towards fixing the broken update process.

Anyone got a flip phone?


Are You Watching Your TV? It May Be Listening To You!

Samsung’s Smart TV voice recognition works just like the voice recognition on your Android or iPhone, with one big difference, and CNN is reporting on this today.

On all of these devices, the device captures your voice, sends it over the internet and gets the text back the same way.

It is not clear whether any of these vendors encrypt the traffic, but if I were taking bets, I would bet that it is not.

Samsung uses a third party – whom they have not named – to do the conversion.  It is unknown whether Apple and Google outsource it or do it internally.

Here is the difference.  On your phone, you tell it when you want it to perform speech to text conversion – you press the microphone icon or ask Siri.

Because the television never knows when you are going to ask it to change the channel or find a new program, it is always listening.

So, if you are plotting to rob a bank, maybe you should not do it in front of your smart TV.

What is not clear is whether something occurred to bring this to the forefront today.

Samsung claims they neither sell the data nor keep it.  They did not answer the question as to whether the third party keeps the data.

Your first inclination after reading this is to turn off the voice recognition feature.  Go ahead.  Of course, if you do that, you can’t yell at your TV to change the channel; you will have to do it the old fashioned way and use the remote.  Even if you turn it off, the TV listens anyway, because some features work even when general voice recognition is off, and it additionally sends that data, but not your voice, to Samsung for statistical analysis.

We already know, courtesy of Edward Snowden, that the NSA looks at any data that hackers steal that it can get its hands on.  Why do all that work?  Just steal it from the thieves.

I wonder if the NSA is listening to your smart TV?  If they weren’t before, I bet they are now.

Wire cutters applied to the microphone wire will likely work, however.


Mitch
