Tuesday, July 28, 2015

A serious flaw allows the hijacking of 95% of Android phones with a simple message

It affects 950 million phones and requires no action by the victim: you do not even have to open the message that takes control of your phone. Its discoverers, Zimperium, consider it the most serious vulnerability found so far in the Android operating system, and the experts say they are right. We talk about it below, as well as about research that has managed to exfiltrate data from a completely isolated computer, the web browsing of British parliamentarians, and how to educate security-unaware people.

The scenario could be as follows: at night we go to sleep and leave the phone switched on. The attacker only needs to know our number and send us a multimedia message (MMS), which does not need to be opened. It contains malicious code that surreptitiously takes control of the device. Afterwards, the attacker simply deletes the notification of the received MMS, and the victim wakes up the next day without realising that anything happened. Zimperium will reveal more details at its upcoming Black Hat talk. Since the attack depends on the phone fetching the MMS on its own, switching off automatic MMS retrieval in the messaging app reduces exposure until a fix arrives. The big problem will be how to get the patch if our system is not stock Android, given the little interest manufacturers have shown in keeping our Androids updated.

There's no safe computer if it's on

Meanwhile, in Israel, several researchers have managed to extract data from a completely isolated computer, as many are in critical systems: no Wi-Fi, no Ethernet, nothing that lets it communicate with the outside world... except the electromagnetic waves the computer emits simply by operating. An old mobile phone, the only kind allowed in such facilities, can pick up these waves, which do not carry much information, but enough to recover passwords or encryption keys. The technique does require malicious code to be installed beforehand on the target computer.

Porn in the Chamber

Many kilometres away, in Great Britain, statistics released by the Palace of Westminster have surprised the country: they show that in 2014 parliamentarians used Parliament's computers to visit, or attempt to visit, pornographic sites an average of 200,000 times per month. Some of these visits are the result of pop-ups that appear while browsing, but it is clear that the number is still very high.

Change the slides

We finish with a fun, and at the same time accurate, decalogue created by risk management expert Kris French Jr. to help the security teams of companies and institutions inform employees about cybersecurity in a less boring way. Some of the tips include: "You don't care much about security but expect other users to pay attention", "Your presentations are ridiculous", or "You don't speak their language".

We suspect he is right: security is boring and, if we may say so, a real pain for almost everyone, expert and novice users alike. Why not accept that and redefine it from a more human point of view? We have the whole summer to think about it :)
