Connect with us

Tech News

Why the term “zero day” needs to be in your brand’s cybersecurity vocabulary

(TECH NEWS) What’s at risk? Identity theft, botnet spam, corporate espionage, and loss of privacy. Better get to know the term “zero day.”

Published

on

Mobile trust and security

The other day I wandered into Best Buy at the mall. Nobody’s around and I’m alone with the sales guy. “Umm, what’s the most secure device you have here?” He takes a step back.

bar
Paraphrasing our brief conversation, Apple and Samsung make up 95% of his sales and he thinks Apple is safer. “Is Apple safer because they screen apps better?” Head nods.

“I heard Blackberry is working to secure Android for business users.” Sales guy had nothing to say about that.

Why do people trust Apple?

I wouldn’t take security advice from a Best Buy sales guy, but it does seem that people trust Apple more. Maybe because Apple stood up to the FBI in a very public way. Great marketing, Apple.

Most likely, Apple does care about the slippery slope of security, in terms of unlocking devices. (The same way Google cared about user data intercepted under the ocean.) But I don’t know Tim Cook personally. Even if I did, I wouldn’t feel more or less confident using Apple products because Tim’s not omniscient – he can’t see or control everything going on within Apple.

What’s different about Android?

I think people can generally trust me, but they can trust me exactly because they know they don’t have to.” –Linus Torvalds

What does that even mean? Well, Linus created the core “kernel” of the Android operating system, a customized version of Linux.

In other words, Linus Torvalds is the core genius inside every Samsung-Android smartphone at Best Buy.

Linux is “open source” which means anyone can look at the code and point out flaws. In that sense, I’d say Linus Torvalds doesn’t have to be as omniscient as Tim Cook. Linux source code isn’t hidden behind closed doors. My understanding is, all the Linux code is out there for anyone to see, naked for anyone to scrutinize, which is why certain countries feel safer using it–there’s no hidden agenda or secret “back door” lurking in the shadows. Does that mean Android phones are safer? That’s up for debate.

How security has changed

For a long time, Apple had the “security through obscurity” thing going for it. In simple terms, that means the bad guys go for low-hanging fruit first, the easy score. Is Apple hanging lower? Windows was the low-hanging fruit. But now that Apple is more popular, it has a bigger target on its back.

As we depend more and more on smartphones, and there’s more people, more money and more at risk, consequently there’s more incentive for hackers to penetrate deep into our devices.

If you read the book “Hackers” by Steven Levy, you know the original hackers were all about the “Hacker Ethic” which boils down to “Information wants to be free.” Sounds harmless enough. For whatever reason, the original hackers found secrets offensive, or they just saw “locked doors” as a technical challenge. Maybe they were idealists, but somewhere along the way, other interests crept in.

That leads us to the zero-day Apple exploit that has people concerned about their iPhones.

The origins of “zero day”

First, what does “zero day” even mean?

Back in the early 90s, a couple of my classmates were into downloading “0 day warez” which was nerd speak for “the latest video games released today.” Games had copy protection. So you couldn’t just buy a game and copy it for your friends, you had to buy your own copy. Hackers figured out how to break the copy protection and called themselves “crackers.” Crackers were competitive, in terms of who could crack a new game first.

For bragging rights, their goal was to crack a game within 24 hours, and that was the “zero day” game, as a full day had not gone by yet.

Fast-forward 20 years. Now you can watch the “Zero Day” movie on Netflix and the original meaning has morphed to mean “software that’s still secret.” Potentially harmful code could lurk undetected in your computer for years. But if your anti-virus scanner hasn’t detected anything suspicious yet, pop culture would consider that a “zero day exploit.” As far as the actual terminology used among hackers, who knows?

Should you be concerned? Almost by definition, most people aren’t targeted by zero-day exploits. Once an exploit is released into the wild and exposed, it’s no longer as useful to attackers, because then it can be studied and whatever hole it used (to penetrate your phone) can be “patched” to block future intrusions. Then again, older unpatched phones could remain vulnerable and ordinary people could be affected.

Patches for Apple vs. Android

In Apple’s case, they’re able to patch these holes within days. For Google, it might not be as fast, depending on the problem. It might take months to get a patch pushed out to everybody, or the fix might never come. For example, it sounds like Samsung is mostly concerned about security updates for its flagship phones.

Why the difference? My understanding is, Google can fix apps and push out patches at the “app level” as fast as Apple, if the problem is specific to a certain app. The main difference is that the Android market is larger and has more devices, and each Android phone manufacturer has a slightly different, tweaked version of the core Android operating system. Different Android manufacturers will push out updates on their own timeline.

Your best bet

If you want the latest (hopefully safest) operating system straight from Google as soon as possible, you’ll want an official Google phone, probably a “Nexus” branded device. According to something I read last night, I believe Android 7 directly addresses this shortcoming to some degree with a new auto-update feature. But for now, the Android ecosystem remains fragmented.

For the average person, what’s at risk? Identity theft, botnet spam, corporate espionage, and loss of privacy.

#ZeroDay

PJ Brunet is a writer, full stack developer, and abstract artist. His first computer was a Texas Instruments TI-99. As a teen, he interned at IBM in Boca where the first PC was born. Graduating with a BFA, he gave California and New York a shot, but fell in love with Texas in 2004, the same year he started blogging about technology.

Tech News

Want to know how your passwords could get hacked?

(TECH NEWS) While we all know that passwords can be hacked, it is rare that we know how they’re hacked.

Published

on

passwords dark web Chinese hacker blackmail apple

Ever wonder how passwords get stolen? I like to imagine a team of hackers like The Lone Gunmen from The X-Files, all crowded in some hideout conducting illegal computer business based on tips from rogue FBI Agents.

Turns out there’s a little more to hacking than waiting for Fox Mulder to show up with hints.

Most of the common tactics involve guessing passwords utilizing online and offline techniques to acquire entry. One of the main methods is a dictionary attack.

This method automatically tries everything listed in a small file, the “dictionary,” which is populated with common passwords, like 123456 or qwerty. If your password is something tragically simple, you’re out of luck in a dictionary attack.

To protect yourself, use strong single-use passwords for each individual account. You can keep track of these with a password manager, because no one is expecting you to remember a string of nonsensical numbers, letters, and characters that make up a strong password.

Of course, there are still ways for hackers to figure out even complex passwords.

In a brute force attack, every possible character combination is tried. For example, if the password is required to have at least one uppercase letter and one number, a brute force attack will meet these specifications when generating potential passwords.

Brute force attacks also include the most commonly used alphanumeric combinations, like a dictionary attack. Your best bet against this type of attack is using extra symbols like & or $ if the password allows, or including a variety of variables whenever possible.

Spidering is another online method similar to a dictionary attack. Hackers may target a specific business, and try a series of passwords related to the company. This usually involves using a search “spider” to collate a series of related terms into a custom word list.

While spidering can be devastating if successful, this kind of attack is diverted with strong network security and single-use passwords that don’t tie in easily searchable personal information.

Malware opens up some more fun options for hackers, especially if it features a keylogger, which monitors and records everything you type. With a keylogger, all your accounts could potentially be hacked, leaving you SOL. There are thousands of malware variants, and they can go undetected for a while.

Fortunately, malware is relatively easy to avoid by regularly updating your antivirus and antimalware software. Oh, and don’t click on sketchy links or installation packages containing bundleware. You can also use script blocking tools.

The delightfully named (but in actuality awful) rainbow table method is typically an offline attack where hackers acquire an encrypted list of passwords. The passwords will be hashed, meaning it looks completely different from what you would type to log in.

However, attackers can run plaintext passwords through a hashtag algorithm and compare the results to their file with encrypted passwords. To save time, hackers can use or purchase a “rainbow table”, which is a set of precomputed algorithms with specific values and potential combinations.

The downside here is rainbow tables take up a lot of space, and hackers are limited to the values listed in the table. Although rainbow tables open up a nightmare storm of hacking potential, you can protect yourself by avoiding sites that limit you to very short passwords, or use SHA1 or MD5 as their password algorithms.

There’s also phishing, which isn’t technically hacking, but is one of the more common ways passwords are stolen. In a phishing attempt, a spoof email requiring immediate attention links to a fake login landing page, where users are prompted to input their login credentials.

The credentials are then stolen, sold, used for shady purposes, or an unfortunate combination of all the above. Although spam distribution has greatly increased over the past year, you can protect yourself with spam filters, link checkers, and generally not trusting anything requesting a ton of personal information tied to a threat of your account being shut down.

Last but certainly not least, there’s social engineering. This is a masterpiece of human manipulation, and involves an attacker posing as someone who needs login, or password, building access information. For example, posing as a plumbing company needing access to a secure building, or a tech support team requiring passwords.

This con is avoidable with education and awareness of security protocol company wide. And also you know, not providing sensitive information to anyone who asks. Even if they seem like a very trustworthy electrician, or promise they definitely aren’t Count Olaf.

Moral of the story? Your passwords will never be completely safe, but you can take steps to prevent some avoidable hacking methods.

Always have a single-use password for each account, use a password manager to store complex passwords, update malware, keep your eye out for phishing attempts, and don’t you dare make your password “passoword.”

Continue Reading

Tech News

Should social networks fear Jumbo, the new privacy app?

(TECHNOLOGY) Although iOS only (for now), Jumbo has launched and could put a dent in some of the nefariousness of social media networks…

Published

on

jumbo privacy app screenshot

Like virtually every other online outlet, we’ve both talked about web and app privacy and complained bitterly about the invariable fall of online rights. However, while we’ve been talking the talk, a company called Jumbo has been cyber-walking the cybersecurity walk.

Jumbo – an iPhone app focused on keeping your online trails as private as possible – has a simple premise: allowing social media users to manage their online privacy with a few taps rather than having to navigate each individual service’s infuriatingly complex labyrinth of privacy settings. Instead of having to visit each individual app you want to clean up, you can simply open Jumbo, select your preferences, and wait for the magic to happen.

Jumbo’s features range from cleaning up social media timelines and old posts to erasing entire searches or resetting privacy information; while it currently varies depending on the social media service in question, Jumbo’s one commonality is its simplicity.

The star of Jumbo’s presentation is its aptly-named Cleaning Mode—a feature which allows users to wipe anything from tweets to old Google searches. Jumbo’s developers also assure users that the ability to remove things like Facebook photos is in the works, making Jumbo’s efforts to clean up your digital life that much more ubiquitous.

It is worth noting that some users have encountered limitations on the number of tweets they can delete, so you may have to batch-remove information until this bug is resolved.

When using Jumbo, you’ll also find an encrypted back-up feature that allows you to download—or use cloud storage for—old photos and files. It isn’t as dramatic as Jumbo’s primary functions, but anyone looking to make a dent in purging their online footprints will surely benefit from being able to encrypt and save their information for a rainy day through one interface.

At the time of this writing, Jumbo is prepared to assist with privacy options related to Facebook, Twitter, Google, and Amazon Alexa, but the app’s developers intend to incorporate support for platforms such as Tinder and Instagram in the future.

While Jumbo is currently restricted to iPhones, Jumbo’s maker Pierre Valade has mentioned that an Android version is “on [their] list”. In the meantime, iPhone users should strongly consider taking Jumbo for a spin.

Continue Reading

Tech News

How to opt out of Google’s robots calling your business phone

(TECH) Google’s robots now call businesses to set appointments, but not all companies are okay with talking to an artificial intelligence tool like a person. Here’s how to opt out.

Published

on

google duplex android

You know what’s not hard? Calling a restaurant and making a reservation. You know what’s even easier? Making that reservation though OpenTable. You know what we really don’t need, but it’s here so we have to deal with it? Google Duplex.

Falling under “just because we can do it, doesn’t mean we should do it,” Duplex, Google’s eerily human-sounding AI chat agent that can arrange appointments for Pixel users via Google Assistant has rolled out in several cities including New York, Atlanta, Phoenix, and San Francisco which now means you can have a robot do menial tasks for you.

There’s even a demo video of someone using Google Duplex to find an area restaurant and make a reservation and in the time it took him to tell the robot what to do, he could’ve called and booked a reservation himself.

Aside from booking the reservation for you, Duplex can also offer you updates on your reservation or even cancel it. Big whoop. What’s difficult to understand is the need or even demand for Duplex. If you’re already asking Google Assistant to make the reservation, what’s stopping you from making it yourself? And the most unsettling thing about Duplex? It’s too human.

It’s unethical to imply human interaction. We should feel squeamish about a robo-middleman making our calls and setting our appointments when we’re perfectly capable of doing these things.

However, there is hope. Google Duplex is here, but you don’t have to get used to it.

Your company can opt out of accepting calls by changing the setting in your Google My Business accounts. If robots are already calling restaurants and businesses in your city, give your staff a heads-up. While they may receive reservations via Duplex, at least they’ll be prepared to talk to a robot.

And if you plan on not opting out, at least train your staff on what to do when the Google robots call.

Continue Reading
Advertisement

Our Great Partners

The
American Genius
news neatly in your inbox

Subscribe to our mailing list for news sent straight to your email inbox.

Emerging Stories

Get The American Genius
neatly in your inbox

Subscribe to get business and tech updates, breaking stories, and more!