Vocatys - Mobile Strategy Leaders

Do This Before You Let Your Old Smartphone Go

30/7/2014

Factory reset on Android phones is not enough
Image source: Android Central
This article mainly outlines security flaws and options for Android-based smartphones. As for all you iPhone users starting to feel smug, please keep reading. It’s one of those posts where there is something for everyone.

In a blog post earlier this month, Avast published some very interesting and somewhat worrying information. According to the post, they bought 20 used Android phones from eBay and, using easily available standard forensic tools, were able to extract the personal data of previous owners. They apparently found around 40,000 stored photos including, as expected, hundreds of naked selfies of women and men. They also found emails, text messages, phone logs, contacts and even Google searches.

They claim they found all that data despite a ‘Factory Reset’ done on those phones by their previous owners. While there were no specific details as to which of those phones were reset, they did bring to light some important facts about how data is stored and deleted on most data storage devices.

So essentially, when you delete anything on your phone, what you are really deleting is the link to that piece of information on the storage drive. The information remains there until new data is written on top of it. So when you do a factory reset, you’re only deleting the index of links to all your data and not the data itself. Therefore, using basic data retrieval techniques, one can retrieve most of the information that was on the phone just before the factory reset.

Before we start worrying though, do note that the phones were all old and Android-based. When asked, Google responded by pointing out that Android version 4.0 and above, used by 85% of the users, did not have the security flaws of the previous versions.

The new versions have an option to encrypt all data on the phone with a cryptographic key that is generated based on the passcode provided by the user. But this option is not turned on by default, which leaves new users just as vulnerable.

Depending on the exact version and make of your smartphone, the steps to turn on the encryption feature will slightly vary but the following should be a good guide.

Charge Your Phone
Depending on the amount of data on your phone, the encryption process can take at least an hour. So make sure your phone is fully charged and, for complete peace of mind, leave it plugged in. Losing power midway will most likely result in catastrophic data loss.

Backup
It is the golden rule of all IT. Before you do anything, and often when you do nothing, it is imperative that you back up all your data. In this case, a backup of all your photos, messages, contacts, emails etc. will save you a lot of time and heartache if things do hit the fan.

Encrypt
This is where things could be different based on versions, makes and models. Generally speaking, on your phone:

  1. Go to Settings
  2. If there are tabs on top, go to either ‘More’ or ‘General’ and find Security
  3. If there are no tabs scroll down and find Security
  4. Tap Security
  5. Tap ‘Encrypt Phone’ or ‘Encrypt Device’
  6. From here on carefully read and follow on-screen prompts

Once the process is complete, you can rest assured all your data and photos no matter what kind are all safely encrypted.

Caveats
The preceding steps will certainly keep your data safe but encryption in Android has its own drawbacks.

  1. Slower Performance – Encryption will reduce the performance of your phone. Depending on the version, model and make this effect will vary.
  2. Irreversible – Once encrypted, the device cannot be returned to an unencrypted state. The only way back is a factory reset.
  3. Time consuming – This one’s a one-time issue. It does take a long time to encrypt, especially if you have a lot of data.

If you have the latest whiz-bang mobile, a tendency to take photos in front of your mirror, about an hour to kill or simply want everything super secure, we recommend you go ahead and encrypt your phone. On the other hand, if your phone is a bit old or performance is important, encryption is not advisable. In any case, before you discard your device for a new one, be sure to first encrypt it and then perform a full factory reset before you let that phone go.

iPhone
Apple iPhone and iPad run on iOS, which uses the AES 256 algorithm with a software key generated from the information users provide. This is a default setting that is always on and cannot be turned off. When an ‘erase all content and settings’ is done on the phone, the data index and the encryption key are deleted, and without the key all the encrypted data is effectively rendered unrecoverable.
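The difference between deleting only the index and deleting the key as well can be shown with a small model. This is an added example, not code from Avast, Google or Apple: `ToyFlash`, `keystream_xor` and `carve_jpegs` are hypothetical names, the SHA-256 keystream is a toy stand-in for real device encryption, and the "photo" and passcode are constructed.

```python
import hashlib

JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"   # JPEG start/end markers

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), a stand-in for real device encryption."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

class ToyFlash:
    """Hypothetical storage model: raw bytes plus an index of name -> (offset, length)."""
    def __init__(self, size=4096, key=None):
        self.raw, self.index = bytearray(size), {}
        self.key, self.next_free = key, 0        # key=None models an unencrypted phone
    def write(self, name, data):
        off = self.next_free
        if self.key:                              # per-offset subkey avoids keystream reuse
            data = keystream_xor(self.key + off.to_bytes(8, "big"), data)
        self.raw[off:off + len(data)] = data
        self.index[name] = (off, len(data))
        self.next_free = off + len(data)
    def factory_reset(self):
        """Forget the index and the key; the raw bytes are left exactly where they were."""
        self.index.clear()
        self.key, self.next_free = None, 0

def carve_jpegs(raw):
    """Scan raw storage for JPEG marker pairs, ignoring the (now empty) index."""
    found, pos = [], 0
    while (start := raw.find(JPEG_SOI, pos)) != -1:
        end = raw.find(JPEG_EOI, start)
        if end == -1:
            break
        found.append(bytes(raw[start:end + 2]))
        pos = end + 2
    return found

# Constructed sample "photo" and passcode-derived key, for illustration only.
PHOTO = JPEG_SOI + b"\xe0" + b"private-photo-bytes" * 4 + JPEG_EOI
KEY = hashlib.sha256(b"constructed-passcode").digest()

def leftover_photos(encrypted: bool):
    # Write one photo, factory reset, then return what scanning the raw storage finds.
    disk = ToyFlash(key=KEY if encrypted else None)
    disk.write("IMG_0001.jpg", PHOTO)
    disk.factory_reset()
    return carve_jpegs(disk.raw)
```

`leftover_photos(False)` returns the photo intact after the reset, while `leftover_photos(True)` returns nothing, which is why the order "encrypt first, then factory reset" matters.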

Now before all you Apple users start to feel smug and relax, forensic scientist Jonathan Zdziarski presented a very revealing paper at a conference earlier this month. He indicated that Apple devices ran up to 44 undisclosed services in the background which cannot be turned off. While previously denied, Apple did later acknowledge their existence and insisted they exist for diagnostic purposes alone. True as that may be, these services, which can be broadly classified as backdoors, can pose potential threats.

In conclusion, smartphones in general are amazing at what they do but there are always pitfalls. Growing use of technology does come with its own set of risks. The right way to mitigate these risks is not by shunning the technologies themselves but by better understanding the way they work.

We invite you to share with us any experience you have had relating to encrypting your Android device or your opinions on Apple security. If you liked this article please share it with your network. You can also subscribe to our monthly newsletter by emailing us at [email protected].

References:
https://blog.avast.com/2014/07/09/android-foreniscs-pt-2-how-we-recovered-erased-data/
https://source.android.com/devices/tech/security/index.html#filesystem-encryption
http://www.zdziarski.com/blog/?cat=11
http://www.theguardian.com/technology/2014/jul/11/factory-wipe-on-android-phones-left-naked-selfie-photos-and-worse-researchers-find

GameOver Zeus (GOZ) Malware: What You Need to Know and Do

5/6/2014

GOZ Infections Worldwide
Image source: FBI
So there is a new malware in town called GameOver Zeus or GOZ. On 2 June 2014, the FBI announced it had teamed up with its counterparts from around the globe, including the Australian Federal Police, to bring down a botnet that is believed to be responsible for stealing over $100 million from businesses and consumers.

What is it?
GameOver Zeus is essentially malware. It is reported to be one of the most sophisticated of its kind. Specifically designed to steal banking details, it not only takes over the computer but turns it into a zombie that becomes part of a much larger network of other infected computers, forming a botnet spread across the world that is used to harvest banking and other critical information.

During the operation they also uncovered a network of computers and servers infected with CryptoLocker, a ransomware that encrypts and locks you out of important files on your PC and demands a fee in return for unlocking them.

Both of these allow creators full access to your server or computer, often with minimal detection.

Modus Operandi
The main distribution vehicles for these have been, like most, emails and phishing.

Carefully worded emails with attachments are sent to all the contacts on the infected PC unbeknownst to the owner. Friends, family and colleagues are easily caught off guard.

What you need to do?
As of writing this, the botnet has been taken down. Having said that, GameOver Zeus is no ordinary malware. It does not have one specific control centre. It has a peer-to-peer command structure, which makes it very tricky to pin down. The authorities have issued a fortnight’s warning to businesses and users to protect their servers and PCs. Apple Macs are not affected by this malware. But here are a few urgent things all, and I mean ALL, users of any devices connected to the internet must do as best practice:

  • Always update your computers and devices with the latest available updates.
  • Especially for old Windows PCs, make sure you have antivirus software that is always up to date.
  • Use strong passwords and change them at least every 2 to 3 months.
  • Avoid visiting unknown random sites.
  • And last but most important, remain hyper vigilant with emails, even from people you know. If they seem even slightly out of the ordinary, do not open them. All attachments must be treated with some level of suspicion.

Remember, every glitch is a bug; not all are dangerous, but you never know which one is. So in the big bad world we call the Internet, be very aware!

References
  • http://www.fbi.gov/news/stories/2014/june/gameover-zeus-botnet-disrupted/gameover-zeus-botnet-disrupted
  • http://www.fbi.gov/news/stories/2014/june/gameover-zeus-botnet-disrupted/documents/gameover-zeus-and-cryptolocker-poster-pdf
  • https://www.us-cert.gov/ncas/alerts/TA14-150A
  • http://www.us-cert.gov/ncas/alerts/TA13-309A
  • http://www.news.com.au/technology/online/gameover-zeus-virus-link-to-australia-as-fbi-moves-to-shut-down-the-global-banksiphoning-operation/story-fnjwnfzw-1226941496956

Heartbleed: The Bug You Cannot Afford to Ignore

10/4/2014

Heartbleed Bug
What is it?
The Heartbleed Bug is a major, and I do mean seriously “MAJOR”, security flaw in the widely used OpenSSL cryptographic software library. This bug allows anyone on the Internet to read the memory of the systems that are protected by OpenSSL. This bug was introduced in December 2011 and has been lurking out there since the release of OpenSSL version 1.0.1 on 14th March 2012.

For the technically inclined, there’s plenty more information at www.heartbleed.com

What does that mean to me?
A vast majority of systems online, i.e. emails, websites, IMs, banking and pretty much most online services that are protected by OpenSSL, are at serious risk. So essentially anything you do online that requires you to log in, including most apps on your mobile phone, is potentially unsafe. By using any of these services you could be putting your details out in the open for anyone to see, steal and use.

Due to the nature of the access one can gain because of this bug, it is very hard if not impossible to detect the breach. If it has happened we wouldn’t really know it.

Should I panic?
Despite the scary sounding prognosis above, the short answer is, No. There are currently 2 kinds of people out there working very hard, day and night; people that are trying to fix this bug and people that are trying to exploit this bug.

  • People trying to fix it (good guys) only need to update their systems with OpenSSL 1.0.1g released on 7th April 2014. Trust me it’s far easier said than done but not as slow as it is for the bad guys.
  • People trying to exploit it (bad guys) can’t just do so in one go and steal all the information. They can only do this in chunks of 64 KB per attempt. This means they have to keep repeating the attack many thousands of times to make it worthwhile. That takes time. A lot of time!
  • Also, attackers are often not interested in the stolen data itself; they seek to sell it. They have to find buyers and that again takes time.

So while the race is on, good guys have an advantage and most importantly panicking, as we know, will not solve anything.

What do I do?
To what extent the damage has already been done we will not know, for quite a while. However, there are a few things you can do at this point in time to mitigate or at least minimise the damage.

  • While changing your passwords immediately sounds like the obvious step to take, I would recommend holding off for just a few more days. With most systems still being patched (it’s a painfully long process), changing your password on a vulnerable system will not really help. So give it a few days and then go change every password, PIN and login detail of every service you use online.
  • For now (I know this is not going to be easy) avoid as best as you can using online services especially ones that require credit card details and other banking details.
  • And finally, if they haven’t already started, get your IT department, IT support providers and/or system administrators to immediately update your networks and servers with the latest version of OpenSSL 1.0.1g.

As I mentioned earlier, there is no reason to panic but every user online right now needs to be hyper vigilant and avoid secure activities on the Internet.

For more information and/or help feel free to contact us on heartbleed @ vocatys . com. Also pass this information along to other peeps in your network that could benefit from this.

Brand New Vocatys Video

27/3/2014

"If a picture is worth a thousand words a video is worth a million."

While we can't in all honesty say this one is worth a million, it absolutely says a LOT in just over a minute.

Enjoy and feel free to share it.

Why We Think Flight MH370 Was Not ‘Mobile-Hijacked’

17/3/2014

MH370 Mobile Hijacking
In April 2013, at the Hack in the Box conference in Amsterdam, a security researcher Hugo Teso presented a worryingly simple demo. He was able to exploit flaws in the Aircraft Communications Addressing and Reporting System (ACARS) and hack into Flight Management Systems (FMS) using a mobile phone.

In an interview with the Sunday Express UK, Dr Sally Leivesley, a former scientific advisor to the UK government department Home Office, suggests that a mobile phone could have been used to hijack the missing Malaysian Airways Boeing 777. She says, “It is looking more and more likely that the control of some systems was taken over in a deceptive manner, either manually, so someone sitting in a seat overriding the autopilot, or via a remote device turning off or overwhelming the systems.

“A mobile phone could have been used to do so or a USB stick.”

Until the ill-fated flight MH370 is actually found and thorough investigations are made, everything said and suggested is mere speculation.

Dr Leivesley’s suggestion was largely based on the demo presented by Mr Teso. It is important to note that Mr Teso’s hack was conducted on a publicly available PC-simulated FMS, which is normally sold with no encryption or redundancies. When an FMS is actually installed on an aircraft, it is uniquely encrypted to the aircraft’s hardware. This does not make it hack proof but it certainly isn’t going to be a walk in the park.

Somewhere in the very near future, when almost all computing is done via mobile and wearable devices, mobile hijacking will be not just a possibility but most likely. On this particular occasion though, we do not believe that the missing flight MH370 was mobile-hijacked.

    Author

    The Vocatys Team writing on Breaking News on Emerging Technology, How-To's, Why-To's, Company News and some seriously mundane ramblings!


© 2016 Vocatys Pty Ltd  |  44 Market St Sydney Australia