3.2.18

Smart, Smarter… Dumbest…


Technological evolution: who hasn’t heard of this yet? It brings happiness into our lives, more convenience and less cumbersome usage, more and more possibilities for the user… Why make life (more) difficult when it can be made so (much more) convenient?
Just look at a communication device that you cannot ignore anymore, even if you wanted to: the smart phone. For the younger generation, it’s as if a cybernetic system is prosthetically attached to their arms; resisting it is futile! And they want their phones to become smarter and smarter, taking over more and more functions of their daily life.
Now this is, of course, heaven for manufacturers: they can all battle to find new unique money-making features to add… or to make one that already exists much better. Likewise for the developers of dedicated apps (think, for example mobile banking). Innovation to make our daily lives “easier and easier”, basically a one-click life.
With the technology evolving at an ever faster pace, and an increasing focus on being the first to have the latest selling point, thoughts of security tend to be secondary, at best. This creates more possibilities for hackers, those that want to steal information, eavesdrop, etc. As these new features are introduced more and more often, and with more and more haste, in the smarter phones, so the probability of zero-day exploits becomes higher.
It seems that with the speed of technological evolution, the “urge” of people to use new features as soon as possible – even though they may not even exist right now and while these tasks can already be done in ‘the old way’ – is unstoppable. And at the same time we complain about data leakage, data loss, lack of privacy and insecure operating systems.
Maybe it is time to press pause and make it all secure, or more secure, and dial back on the technological possibilities, making devices more controllable. There is definitely a demand for that, too. Just last week the Dutch Government announced that officials must switch to dumb(er) phones, deliberately equipped with low-tech specifications, making it harder for hackers to intercept them. The new phones can only be used for calls or SMS; they lack the ability to install apps or connect to the internet (I still remember those (brick) phones from the late 90’s!). While the prime minister and some ministers already use such a device, others will have to “abandon” their current mobile phones when travelling to specific countries or regions and will be issued with such a low-tech phone and urged to leave their regular phone at home. This should make communication secure, or at least less insecure, since the replacement mobile phone has been prepared, checked and certified by the Dutch Secret Service. A great step back, getting rid of security by obscurity, and prioritizing safety over features.
The example of the Dutch Government is not an isolated incident; it seems to be becoming a trend. Earlier this year, the White House banned personal cell phones from the West Wing, citing security concerns. Staff will be able to continue to carry out their business on government-issued devices.
But of course it is not only the device that needs to be more secure. You, the user of the device, have to be aware of security issues too, such as not taking a personal phone with you on business trips, but also making and receiving calls with your secure phone in a secure environment, making sure that there are no cameras or listening devices, and no windows conveniently nearby so that lip-readers can do their job. And then making sure you whisper, as the walls in the hotel may be thin, and… Oh wait… Remote laser vibration sensors can decode the audio! Best to go into the hotel room bathroom, close the door (they tend to have some soundproofing), turn on the shower and stand quite close to it while calling… Am I getting paranoid?
By all means, let’s not get too James Bond-ishly paranoid. For politicians, top managers of large multinationals dealing with sensitive information that could affect stock markets, those who deal with (trade) secrets and intellectual property: this may be an issue and they should take the necessary precautions. But revert completely to using only a dumb phone, even for normal calls asking for example how grandmother is doing?
Just remember that in the past, listening in on calls made on the analogue telephone system with no encryption was really easy. Technology brought us a long way ahead, but perhaps a bit too fast. A small step back, made by securing the current “standard”, is more feasible than complete eradication of what has been created and accepted as a normal part of our daily life. Such a complete reversion would not even be considered acceptable anymore if we were to disallow commonly-used devices.
Are you going to tell your teenage and pre-teenage children that a hot-off-the-press-release model smartphone with the newest features is now prohibited, and an old phone that can only call/text is all that’s available? They will be angry, feel ashamed of their old-fashioned parents, and will not go out anymore as they refuse to have their friends see them with such a simplistic, dumb phone. As they will not be able to interact with their friends anymore, because social media apps do not exist for their dumb phone (and since they won’t leave the house anymore), they will have to talk to you again.
Wait a minute??? Kids that start to talk to their parents again… But that’s a good thing! Where can I get one of these phones?!

1.2.18

Google smashed over 700,000 bad Android apps last year


Google says that it is getting better than ever at protecting Android users against bad apps and malicious developers.
In fact, in a recent post on the Android Developers blog, the company boasts that it removed a record number of malicious apps from the official Google Play store during 2017.
How many apps did Google remove from its app marketplace after finding they violated Google Play store policies? More than 700,000. That’s an impressive 2000 or so every day, and 70% more than the number of apps removed in 2016.
Furthermore, Google says it is getting better at proactively protecting Android users from the growing menace of mobile malware:
“Not only did we remove more bad apps, we were able to identify and action against them earlier. In fact, 99% of apps with abusive contents were identified and rejected before anyone could install them. This was possible through significant improvements in our ability to detect abuse – such as impersonation, inappropriate content, or malware – through new machine learning models and techniques.”
Furthermore, Google claims it banned more than 100,000 developer accounts controlled by “bad actors” who had attempted to create new accounts and publish yet more malicious apps.
The most common trick used by the malicious apps is impersonation, where they intentionally present themselves as well-known popular legitimate apps in an attempt to achieve a large number of downloads. Google says that it removed more than 250,000 impersonating apps during 2017.
Impersonating apps can’t necessarily be considered as unpleasant as malware, but they are clearly an attempt to generate money by duping users into downloading and installing bogus versions of an app – thereby potentially stealing revenue from the genuine developer, and damaging reputations.
The term that Google uses for what we would most likely call malware is “Potentially Harmful Applications”, or PHA for short.
“PHAs are a type of malware that can harm people or their devices — e.g., apps that conduct SMS fraud, act as trojans, or phishing user’s information. While small in volume, PHAs pose a threat to Android users and we invest heavily in keeping them out of the Play Store.”
Google doesn’t share in its blog post specific figures for how much malware it is preventing from entering the Play Store, and admits that detection is complex. However, the company does say that install rates of PHAs have halved in the last year:
“Finding these bad apps is non-trivial as the malicious developers go the extra mile to make their app look as legitimate as possible, but with the launch of Google Play Protect in 2017, the annual PHA installs rates on Google Play was reduced by 50 percent year over year.”
In media interviews, Google Play product manager Andrew Ahn says that “you have a lower probability of being infected by malware from Play than being hit by lightning.”
That’s a great soundbite. Curiously, Google’s Android security team seems fixated with lightning. In March 2017, Jason Woloz, senior program manager of Android security, claimed that the chances of Android users being hit by ransomware were less than the chances of being “struck by lightning twice in your lifetime.”
Of course, we all know that things aren’t perfect. And Google concludes its article acknowledging that despite its successes, it knows some malicious apps “still manage to evade and trick our layers of defense.”
That’s why I continue to recommend that users take some responsibility for their smartphone security, taking care over the apps they install, and – yes – running an anti-virus solution to reduce the risks.
Despite the reports from Google’s Android security team of impressive improvements, the truth is that bad apps have often been found on the Google Play store, and barely a week goes by without reports of malicious Android apps being discovered and sometimes downloaded thousands of times.
Google has some way to go before it can convincingly claim that it has achieved its aim, to be “the most trusted and safe app store in the world.”


31.1.18

Privacy of fitness tracking apps in the spotlight after soldiers’ exercise routes shared online


In November, fitness tracking app firm Strava released what it described as a “most beautiful” dataset – a heatmap of more than 3 trillion individual GPS data points, as their users run, cycle, and hike across the globe.
And I agree it’s very beautiful and can certainly see how it might be useful to other fitness fans, who want to see the most popular exercise routes in their city. But this weekend concerns were raised that the level of detail contained within the data visualisation app might actually have an ugly side.
The alarm was first raised by Nathan Ruser, a 20-year-old Australian student and analyst at the Institute for United Conflict Analysts, who in a series of Twitter posts demonstrated that Strava’s heatmap appeared to reveal the movement patterns of security forces at remotely-located military bases.
“It looks very pretty, but not amazing for Op-Sec. US Bases are clearly identifiable and mappable”
As Ruser pointed out, it wasn’t just US military bases which were potentially drawing attention to themselves as soldiers jogged and patrolled.
All of this data comes through Strava, an app that works with smartphones and fitness trackers to form a “social network for athletes.”
But just as soldiers would be wise about what they share on social networks, so they should take care about the information they might be sharing with the internet through their Fitbit.
One would hope that soldiers on military operations are ordered to take off fitness trackers which might be leaking their location, and disable potentially risky apps on their smartphone, but it’s easy to imagine how such things could sometimes be overlooked. And from the evidence produced by Ruser, many have not considered that their fitness tracking when off duty could also be considered a potential problem.
A separate issue to consider is whether identities are also being put at risk. As security researcher Steve Loughran explains in a blog post, although many might believe that the data has been totally anonymised, it’s not as simple as that.
Loughran describes how – after he uploaded faked data of a run around the UK’s Faslane Nuclear Submarine Base – you can get Strava to cough up details of the area’s top runners:
“Once Strava has gone through its records, you’ll be able to see the overall top 10 runners per gender/age group, when they ran, it who they ran with. And, if their profile isn’t locked down enough: which other military bases they’ve been for runs on.”
Makes you think again about the wisdom of using your real name when you registered an account with Strava, doesn’t it?
If you use Strava, take a minute to read Rosie Spinks’ article at QZ where she details the privacy options available to you (by default your workout activity, name, and photos are visible to everyone).
Strava, for its part, has said in response to the headlines that it is “committed to helping people better understand our settings to give them control over what they share.”
Meanwhile, users of fitness collecting apps like the Fitbit, Garmin, and Runkeeper would be wise to check out the tips ZDNet has shared.
And remember, fitness trackers aren’t the only devices mapping your every move. Virtually all of us are carrying a powerful computer in our pocket which has the ability to monitor our movements with staggering and unblinking accuracy if we allow it. And unless you have taken care to block apps from scooping up your location, you may be in for some shocks.
For instance, as The Guardian describes, Google Maps has over one billion users. And, if you haven’t told it not to, Google is keeping track of where you go, every single day, in a timeline that stretches back much further than your memory.
Be mindful of the information you are allowing to be shared with internet companies. You have a choice. Use it.


30.1.18

Trusted Data Solutions signs agreement with Attingo Datarecovery B.V.


Trusted Data Solutions, LLC (TDS) is strengthening its position in the Benelux market by signing a partnership agreement with ATTINGO, a specialist in data recovery. Through the collaboration with Attingo, TDS is able to offer professional tape repair and restoration services in the Benelux.

“It was the logical next step to jointly take a step towards professionalisation in this constantly evolving market of tape repair and tape restoration,” says Robbert Brans, Managing Director of Attingo Datarecovery B.V. “By joining forces we can expand our tape restoration service in the Benelux market.”

Chris Clark, President & CEO at TDS, says: “TDS is proud of our collaboration with Attingo. Robbert and his team have built up an enormous reputation for trust and technical excellence in the Netherlands. We are very pleased to integrate this collaboration into our global delivery strategy.”

TDS
TDS is a leading provider of backup tape restoration, strategic tape discovery, e-mail archive migration and audio tape recovery.

Attingo Datarecovery

Attingo Datarecovery has specialised in data recovery for more than 20 years. Attingo rescues data from complex RAID systems and servers as well as from hard drives, tapes and USB sticks. The company has three of its own state-of-the-art ISO 9001:2015 certified cleanroom laboratories.


ESET identified by Gartner as the only ‘Challenger’ in its 2018 Magic Quadrant for Endpoint Protection Platforms


ESET – a global player in the field of information security – has been identified as a Challenger in Gartner’s 2018 Magic Quadrant for Endpoint Protection Platforms*. The company is the only Challenger to have been designated as such in the Magic Quadrant. ESET was evaluated on the basis of its Ability to Execute and its Completeness of Vision. ESET believes this positioning reflects the company’s constantly improving ability to offer maximum protection to businesses.

“Endpoint protection is evolving and now covers a wider range of tasks linked to an adaptive security architecture as defined by Gartner, for example hardening, investigation, incident detection and incident response,” reads its Magic Quadrant for Endpoint Protection Platforms report. “Security and risk management leaders should ensure that their EPP (Endpoint Protection) vendor is evolving fast enough to keep up with current threats.”

“We believe that our positioning as a Challenger reflects the constant progress we are making in providing the best endpoint protection to businesses, without impacting their systems and without creating unnecessary overhead,” comments Ignacio Sbampato, Chief Business Officer at ESET. “Businesses can rely on ESET’s expertise and in-depth knowledge to protect their organisation. We see our positioning in Gartner’s Magic Quadrant for Endpoint Protection Platforms as genuine recognition of our rise as a global player in the field of information security.”

In Gartner’s vocabulary, “Magic Quadrants provide visual snapshots, in-depth analyses and actionable advice that shed light on the direction, maturity and players of a market. Magic Quadrants compare vendors on the basis of criteria and a standard methodology defined by Gartner. Each report comes with a Magic Quadrant graphic that describes a market along a two-dimensional matrix evaluating vendors on the basis of their Completeness of Vision and Ability to Execute.”**

Request your free copy of the Gartner report and view ESET’s positioning in the Magic Quadrant:
https://www.eset.com/int/business/gartner-epp-mq-2018/.

*Source: Gartner, “Magic Quadrant for Endpoint Protection Platforms,” Ian McShane, Avivah Litan, Eric Ouellet, Prateek Bhajanka, 24 January 2018.
**Source: Gartner IT Glossary, https://www.gartner.com/it-glossary/magic-quadrant

Gartner Disclaimer

Gartner does not endorse any vendor, product or service depicted in its research publications. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.