TIME Security

Hackers Release Data From Cheating Website Ashley Madison Online

The published data includes names, addresses and even credit card transactions

The group of hackers that previously stole massive amounts of user data from popular cheating website Ashley Madison appears to have carried out its threat to publish that data on the Internet, releasing almost 10 gigabytes containing numerous details about the site’s customers on Tuesday.

A total of 9.7 gigabytes of data stolen from the controversial website — which boasts the slogan “Life is short. Have an affair” — was published to the dark web (an encrypted section of the Internet that requires special software to use) and is only accessible through a Tor browser, Wired magazine reported.

The data dump reportedly includes the login details of about 32 million users — all seeking extramarital or illicit affairs — and also provides a staggering amount of information such as their names, email and street addresses, how much they have spent on the site and even what they are looking for in a potential cheating partner.

The hackers, who call themselves Impact Team, had threatened in July that they would release user data from Ashley Madison and Established Men — a sister site that connects wealthy men to “young, beautiful women” — unless Avid Life Media (ALM), the Toronto-based company that owns both sites, took them down immediately. While the hackers’ main objective is to expose the site’s customers for their questionable morals, they also targeted what they say are ALM’s fraudulent business practices.

While they had earlier said that the $19 fee Ashley Madison charges customers to wipe their user data clean does not actually get rid of the information completely, the post announcing Tuesday’s dump contained additional allegations.

“Find someone you know in here? Keep in mind the site is a scam with thousands of fake female profiles,” the post — titled “Time’s Up!” — reads. “90-95% of the actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters.”

“We have explained the fraud, deceit and stupidity of ALM and their members,” an earlier paragraph of the Impact Team statement says. “Now everyone gets to see their data.”

Avid Life Media released a statement of its own late Tuesday, condemning the cyberattack and saying they are “actively monitoring and investigating this situation” while cooperating with law-enforcement authorities in the U.S. and Canada, where the company is headquartered.

“This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities,” the statement reads. “We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world.”


MONEY IRS

IRS Cyberattack Was 3 Times Worse Than Previously Revealed


Hackers stole tax return information from 334,000 taxpayers, according to a new review.

The U.S. Internal Revenue Service (IRS) said Monday a hacking attack into one of its computer databases revealed in May was much more extensive than previously thought, with nearly three times as many taxpayers hit by data theft.

The IRS said in late May the tax return information of about 114,000 U.S. taxpayers had been illegally accessed by cyber criminals over the preceding four months, with another 111,000 unsuccessful attempts made.

A new review has identified 220,000 additional incidents where data was breached, the tax collection agency said. It identified another 170,000 suspected failed attempts by third parties to gain access to taxpayer data.

The attackers sought to gain access to personal tax information through the agency’s “Get Transcript” online application, which allowed taxpayers to call up information from previous returns. The system was shut down after the May attacks.

“The IRS believes some of this information may have been gathered for potentially filing fraudulent tax returns during the upcoming 2016 filing season,” the agency said in a statement.

It added that it will begin mailing letters in the next few days to the taxpayers whose accounts may have been accessed, offering them free credit monitoring and a new personal identification number to verify the authenticity of next year’s tax returns.

In May, the agency said that as a result of the breach, some 15,000 fraudulent returns were processed in the 2015 tax filing season, likely resulting in refunds of less than $50 million.

An IRS official said the agency was reviewing whether the number of fraudulent returns had grown due to the more extensive data breaches, but that requires a manual review of the individual returns.


TIME You Asked

You Asked: What Is Ransomware?


How to avoid paying hackers to give your computer back

There you are, surfing the web — maybe you’re catching up with Facebook friends, or perhaps you’re reading the news — and seemingly out of nowhere, a window pops up, stopping your computer in its tracks. And there’s only one way to make it go away — pay up.

It’s an absurd scenario, the kind you might find in a movie, right? Tell that to the thousands of people who have been hit with these so-called “ransomware” attacks to date.

“It actually is a phenomenon,” says Candid Wueest, Symantec’s principal threat researcher. Wueest investigates all sorts of bugs that attack computers and mobile devices via the Internet. The first known cases of ransomware date back to 2005, says Wueest, but infections have increased every year since. And last year, ransomware incidents exploded 113% compared to the year before.

“At the moment we’re probably around 30,000 infections per day around the globe,” says Wueest.

There are many different ransomware viruses floating around the web. But in general, they work like Trojan horses, infecting your computer without you knowing. But in this case, the bugs aren’t corrupting your files, they’re locking them down. Ransomware can encrypt everything from your documents to your photos, and without the correct password to unlock them, you may never be able to open these files again. To get that password, you have one option: follow the ransomware’s instructions, which usually involves making a payment to hackers in the amount of — get this — $300.

Technically, the sums vary, but $300 is the average. “We’ve seen some which ask for $500 or even $700, but that seems to be over the top,” says Wueest, who notes that some ransomware even has dynamic pricing depending on the country you’re in. For instance, a virus in the U.S. might ask for $700, but that same bug in India will only require $500 for the password.

In other words, the key for the hackers behind this scheme is asking for enough money to make the hustle worthwhile, but not so much that the victim can’t afford to pay. And even though the payouts are just hundreds of dollars at a time, quick math shows ransomware is a multi-million dollar industry.

The savviest ransomware not only capitalizes on users’ precious data — like irreplaceable family photos or the only draft of an in-progress novel — but it can also prey on their deepest fears. For example, one virus displays a screen warning users the FBI is on to all those movies they’ve downloaded illegally. And sure enough, lots of people who get that fake warning pay a fine to avoid prosecution. “Many people may have something in their closet that they think maybe was illegal,” says Wueest. “A lot of them started to pay.”

What can you do if you fall victim to ransomware? Sometimes it’s not much, as hackers’ methods are getting more advanced all the time. “The newest versions [of ransomware viruses] have strong, state-of-the-art cryptography which is used all over the Internet, like online banking and e-commerce,” says Wueest. And every victimized computer has its own distinct decryption key — so there’s no secret password that will magically open these locks.

That’s not to say that computers are completely defenseless. According to the FBI, the government is taking proactive steps to shut down these viruses before they reach your computer. And authorities worldwide are working with digital security companies like Symantec to find the digital kidnappers and bring them to justice. But these hackers can be hard to catch because they work in small, anonymous groups located in far-flung countries with largely ineffectual law enforcement.

“We track a few different groups,” says Wueest. “One group made $34,000 in its first month — that’s a pretty good income for a small group.”

But there are ways to protect yourself from these schemes. First, back up your data regularly. Keep your information in a safe place offline, because under the right circumstances ransomware can infect networked storage or even cloud-connected drives. Secondly, use anti-virus software. Ransomware can infect computers in different ways, like launching through email attachments or via malicious code embedded on a website — but anti-virus software is designed to catch these bugs before they take hold. And finally, keep your software and operating system up-to-date. Many viruses exploit weaknesses in older computer programs, which is one reason software developers are constantly issuing patches and bugging you to install them.

Failing these three measures, if you’re infected, you may just have to pay up to free your data. But there’s a catch: Should you actually trust these thieves to provide the decryption key? “We have seen instances where that actually is true and people did get data back, but we don’t recommend it,” says Wueest. That’s because even if you do manage to wring your files from hackers’ grasp, the money you pay them will further fuel their nefarious efforts. And by making you admit defeat, they’ll become emboldened and continue to shake down other Internet users. In other words, the best defense is avoiding ransomware before it takes hold of your computer in the first place.

MONEY privacy

5 Ways to Keep Hackers Away From Your Money


Start by rethinking your password strategy.

JPMorgan Chase, Domino’s, Home Depot, P.F. Chang’s, eBay — the list of targets continues to grow.

Information breaches that would have been difficult to fathom years ago are now common. And people are rightfully worried. After all, if the federal government can get hacked and its employees’ data stolen, how vulnerable is a personal account held at a bank or brokerage?

My friend Jack Vonder Heide, president of Technology Briefing Centers and one of America’s leading authorities on technology-related risks, says the image of cyberattackers as hipster kids in a basement hacking into websites for fun is a dangerous misconception. Cybercriminals, he says, are highly educated operatives of well-funded overseas groups, mostly based in China and Russia.

So what actions can you take to protect yourself in what feels like an endless battle to keep your data secure? Here are five steps to consider:

1. Diversify your passwords — and change them

For convenience’s sake, people often use the same password across multiple websites. Big mistake. It’s like giving an intruder a key that opens every lock. You want to make it extremely tough for a hacker to access your sensitive information. So create a different password for every financial website — brokerage, bank, credit card, mortgage account and so on. Create unique password combinations that include letters, numbers and, if possible, symbols. Establish a biannual schedule to change them. Security must be an ongoing endeavor.

2. Use an online password manager

All those hard-to-crack passwords can be a nightmare to try to store, recall and keep secure, so use a reputable password manager. The best managers include password generators that create strong, unique choices. Most password managers allow you to sync your passwords across all electronic devices, making it easy to maintain multiple passwords. Select one that includes two-layer authentication for additional protection. Check out PC Mag’s best password manager selections for 2015. Many come with an annual fee — but they’re affordable and worthy protection against hackers.

3. Make life hard for crooks

Cross-shredding confidential documents, avoiding simplistic passwords and keeping sensitive information off of unsecured channels like email are modest but effective actions. Thoroughly checking credit statements for suspicious activity and being aware of your surroundings when using ATMs are basic security measures that remain effective. Don’t let your guard down.

4. Check your credit reports at least annually

Periodically checking your credit report is a smart way to stay ahead of the bad guys — but many people don’t because of common misconceptions, such as the belief that you have to pay a fee to see your report, or you must subscribe to a service.

The fact is, federal law entitles you to a free copy of your credit report once a year from each of the three consumer credit reporting bureaus — TransUnion, Equifax and Experian. You can get these reports at AnnualCreditReport.com. If you want to be especially vigilant, spread out your requests, so that you are looking at a different report every four months instead of all three at once every year. Increasing the frequency will help you catch suspicious inquiries earlier since credit activity customarily gets reported to all three bureaus.

The goal is to check for discrepancies, inconsistencies and inaccuracies that might suggest identity theft. It’s not difficult to correct errors. The credit bureaus have improved their service and request response times. The Federal Trade Commission provides easy-to-follow instructions to dispute errors.

5. Keep your guard up when it comes to e-mails

Be wary of any email that requires you to click on a hyperlink to update a password or confirm confidential material. Such e-mails are often “phishing” expeditions seeking to scam you. They appear to come from your bank or brokerage firm, an online retailer — even the IRS.

The best rule to follow is that regardless of how real an e-mail looks, never click on such links. Contact the alleged sender’s customer service or fraud department directly to check the legitimacy of the email. Don’t use the phone numbers provided in the suspect email. Always use the contact information provided on your monthly statement or listed on the company’s website. It’s also advisable to forward the email to an organization’s fraud department.

What about inquiries from the IRS? That’s easy. The IRS does not initiate taxpayer communication through email or other electronic channels, period.

It’s understandable to feel helpless in an age of smart criminals who conduct endless assaults on privacy. But simply putting the threat out of mind is no solution. Nor is deciding that it can’t happen to you.


TIME cybersecurity

Microsoft Is Giving More Money To Bug Hunters


The rewards for some initiatives have been doubled

With Windows 10 recently unveiled, Microsoft says it’s boosting the amount of money it gives to bug hunters.

Those that can prove the ability to bolster the tech giant’s defenses as part of a “Bounty for Defense” initiative will receive $100,000, up from $50,000 previously, according to ZDNet.

“Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of capturing one vulnerability at a time as a traditional bug bounty alone would,” the company said.

There appears to be more money to be had for other security achievements for bug hunters, too. Those who tackle authentication security issues will receive doubled rewards from Aug. 5 to Oct. 5, a bonus period, according to ZDNet.

Here’s the full list of ongoing bug-hunting programs, and the amounts they pay, taken from a Microsoft blog post:

1. Online Services Bug Bounty

Start Date: 23 September 2014
Microsoft Azure services additions: 22 April 2015
Microsoft Account services additions: 5 August 2015
Timeframe: Ongoing

The Online Services Bug Bounty program gives individuals across the globe the opportunity to submit vulnerability reports on eligible Online Services (O365 and Microsoft Azure) provided by Microsoft. Being ahead of the game by identifying the exploit techniques in our widely used services helps make our customer’s environment more secure. Qualified submissions are eligible for payment from a minimum of $500 USD up to $15,000 USD.

2. Mitigation Bypass Bounty

Start Date: 26 June 2013
Timeframe: Ongoing

Microsoft will pay up to $100,000 USD for truly novel exploitation techniques against protections built into the latest version of our operating system. Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of capturing one vulnerability at a time as a traditional bug bounty alone would.

3. Bounty for Defense

Start Date: 26 June 2013
Timeframe: Ongoing

Additionally, Microsoft will pay up to $100,000 USD for defensive ideas that accompany a qualifying Mitigation Bypass submission. Doing so highlights our continued support of defensive technologies and provides a way for the research community to help protect more than a billion computer systems worldwide (in conjunction with the Mitigation Bypass Bounty).

TIME hackers

Here’s the Scary New Target Hackers Are Going After


Hack the planet, indeed

Familiar with the refrain “Hack the Planet”? Well, security researchers have made that phrase more literal.

Colby Moore, a researcher at the hacker-for-hire startup Synack, has uncovered a way to crack the global positioning system (GPS) satellite network of Globalstar, a multibillion dollar satellite communications company based in Covington, La.

Globalstar sells devices connected to its satellite network that track the locations of shipments and other goods. Since the company’s technology does not, according to Moore, encrypt data transmitted between such devices and its satellite network, a “man-in-the-middle” attacker can easily spoof the system.

In other words, a hacker can intercept communications beamed over the company’s Simplex data network, and then modify, fake, or jam them. The vulnerability could be exploited by intelligence agents, criminals, or enemy combatants to eavesdrop, steal cargo, or follow troop and supplies movements.

Moore described such systems as “kind of fundamentally broken from the get-go” in an interview with Reuters. Worse, the flaws are not easily addressable; they are architectural in nature, he said, and software patches would not fix them.

“We rely on these systems that were architected long ago with no security in mind, and these bugs persist for years and years,” Moore told Wired. “We need to be very mindful in designing satellite systems and critical infrastructure, otherwise we’re going to be stuck with these broken systems for years to come.”

Moore added that he suspects similar satellite communications systems, beyond Globalstar’s own, could be vulnerable, too.

Though Moore said he alerted Globalstar of the problems six months ago, the company has yet to take action in the way of a solution.

Globalstar—which counts many companies in many critical industries among its customers, including oil and gas, shipping, military, and more—replied evasively to Fortune’s request for comment, sidestepping questions about a possible remediation plan and not confirming whether its data in transit are unencrypted:

Globalstar monitors the technical landscape and its systems to protect our customers. Our engineers would know quickly if any person or entity was hacking our system in a material way, and this type of situation has never been an issue to date.

Fortune recently wrote about how freight thieves are turning to cybercrime. This new research represents a chilling development in that trade. The research heralds a world in which products no longer “fall off the truck,” but rather entire trucks, planes, and cargo shipments can “fall off the map.”

Hack the planet, indeed.

TIME

Hackers Could Go After Medical Devices Next


They could break in via a hospital’s network, authorities warn

Nothing, it seems, is safe from hackers — not Yahoo’s ad network, the federal government, or even electronic skateboards. Another item to add to the list: medical devices.

The U.S. Food and Drug Administration and Department of Homeland Security have both issued advisories warning hospitals not to use the Hospira infusion system Symbiq because of cyber vulnerabilities. No known attack has occurred, but by accessing a hospital’s network, hackers could theoretically fiddle with the intravenous infusion pump.

“This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or under-infusion of critical patient therapies,” the FDA wrote in a statement.

But it’s not just the Symbiq pump that has security problems. According to a WIRED report last year, security experts who studied one Midwestern medical facility chain over the course of two years found a host of security vulnerabilities. Just a few issues they found included “Bluetooth-enabled defibrillators that can be manipulated to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring; X-rays that can be accessed by outsiders lurking on a hospital’s network; temperature settings on refrigerators storing blood and drugs that can be reset, causing spoilage; and digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care.”

The retirement of the Symbiq pump may only be the beginning of a landslide of recalls and added security features in the medical field.

TIME China

This Map Shows China’s Cyber Invasion Of The U.S. Is Well Underway


There have reportedly been more than 600 successful attacks in the past five years

The Chinese government’s ongoing cyber assault on American companies and government entities is a bit of an open secret, but the extent of the alleged campaign has been little understood because victims are reluctant to admit their computer systems have been compromised.

On Thursday, NBC News published a map, obtained by the National Security Administration, that should help further the public’s understanding of the scope of the Chinese cyber invasion of U.S. public and private entities.

The map, which was prepared by the NSA in February 2014, reportedly shows more than 600 successful attempts “to steal corporate and military secrets and data about America’s critical infrastructure, particularly the electrical power and telecommunications and internet backbone.” Each dot represents an individual attack.

According to NBC News:

The prizes that China pilfered during its “intrusions” included everything from specifications for hybrid cars to formulas for pharmaceutical products to details about U.S. military and civilian air traffic control systems, according to intelligence sources.

 


TIME cybersecurity

Hackers Can Change This Sniper Rifle’s Target

Hackers can gain access when the gun's computer is connected to Wi-Fi.

Sniper rifles have gotten pretty fancy these days, but it’s those high-end gadgets that help expertly guide shots that could also be their biggest weakness.

TrackingPoint self-aiming rifles work by using a computer connected to Wi-Fi, which helps the shooter to more accurately aim and hit the target. However, two security researchers found that the $13,000 rifle can be compromised, allowing a hacker to recalibrate the scope’s calculation so the shots land away from the intended target. A cyber attacker could even disable the gun altogether.

The researchers, married couple Runa Sandvik and Michael Auger, plan to present the results at the Black Hat hacker conference in two weeks, but gave Wired magazine a demonstration ahead of time. In the video, you can see the two dial in changes to the scope’s targeting system that send a bullet straight to their own bullseye instead of the original target.

“You can make it lie constantly to the user so they’ll always miss their shot,” Sandvik told Wired.

TrackingPoint has sold more than a thousand of its rifles since it launched in 2011. Founder John McHale said the company would release a software update to patch the vulnerability.

Read more at Wired.com.

TIME Android

Stagefright: Everything You Need To Know About Google’s Android Megabug


Here's a friendly Q&A to help you understand what happened, why it is a problem that still needs fixing, and what you can do about it.

Stagefright? What? Huh? That’s what you’ve been asking yourself ever since the Internet erupted yesterday over the announcement of a big computer bug in Google’s Android operating system.

In fact, you might still be wondering: Is my phone safe? Wait, the Internet erupted? Did it actually explode? (Is that even possible?)

Thankfully, no. I mean maybe, but as long as you’re still able to read this then I think we’re doing okay. Anyway, for those who still have questions about all the hullabaloo, Fortune has drafted a friendly Q&A to help you understand what happened, and why it is a problem that still needs fixing.

What is stage fright?

Stage fright is the nervous sensation a presenter feels before appearing publicly. (Say, for example, at a major security conference next month.)

Stagefright, on the other hand, is the nickname of a terrible Android flaw found in the open source code of Google’s Android operating system. The vulnerability, disclosed on Monday, may be the worst one to date. It puts 95% of Android devices—950 million gadgets—at risk of being hacked.

Where does the name come from?

“Stagefright” is the name of the media library—a portion of Android’s open source code—in which the bugs were found. It’s obviously a great bug name, too.

No lie. What does that media library do?

Stagefright—the library, not the bug—helps phones unpack multimedia messages. It enables Android phones to interpret MMS content (multimedia message service content), which can contain videos, photos, audio, text, as opposed to, say, SMS content (short message service content), which can contain only 160 characters. The bugs are in that library.

Wait, I thought you said Stagefright is a bug, not bugs?

Okay, okay. So Stagefright is a collection of bugs, if you want to be technical. Seven to be exact. If you want to get real technical, their designations are:

  • CVE-2015-1538,
  • CVE-2015-1539,
  • CVE-2015-3824,
  • CVE-2015-3826,
  • CVE-2015-3827,
  • CVE-2015-3828, and
  • CVE-2015-3829

But for our purposes, I’ll just refer to them collectively as Stagefright. A singular bug set; one vulnerability.

Fine, that seems easier. Why should I care about it?

Well, if you’re an Android user then your device is probably vulnerable.

Is that bad?

That means an attacker can infect your device simply by sending you a malicious MMS message. (Remember that acronym? Multimedia message service.) In fact, a victim doesn’t even have to open a booby-trapped message for the attack to spring. Once the message is received, your phone is toast.

Er…that doesn’t sound good.

Right. Once inside, an attacker can access your phone’s data, photos, camera, microphone. What’s worse is that a clever baddie can delete the booby-trapped message from your phone before you even realize that your device has been compromised. So basically, yeah it’s bad.

That does sound bad.

Yup. And it gets worse! Imagine this scenario: Someone attacks your phone, steals your contact list, automatically targets those devices—rinse, repeat. Now everyone’s infected.

That’s what we like to call a computer worm.

How long has this been the case?

About five years.

What?? You mean my phone has been open to attack this whole time???

Yes.

Surely, Google must have patched it by now!

You’re right! Google patched the bugs right away. The company learned about one set of vulnerabilities in April and another set in May. The person who discovered the problems—Joshua Drake, a researcher at the mobile security company Zimperium zLabs—says he provided patches, and Google adopted them within two days. (The company reportedly paid him $1,337 for his work.)

Woohoo! So I’m safe?

Nope. The problem isn’t fixed.

What? Huh? Why?

That’s because Google’s Android ecosystem relies on its partnering phone-makers to push out software upgrades. That means Samsung, HTC, LG, Lenovo, Motorola, Sony, among others, are responsible for delivering the patches to customers.

Have they done so yet?

CyanogenMod, Mozilla, and Silent Circle’s Blackphone have.

I don’t use those…

Then you’ll have to wait. The other companies have issued statements that basically say, “We’re working on it.” You can read them here.

Is there a way to test whether I’m vulnerable?

If you’re using a phone that runs on Android version 2.2 or above, you may as well assume you’re at risk. The most vulnerable phones predate Jelly Bean (version 4.1), and that accounts for about 11% of Android phones on the market.

(We’ll add a link to a test when one comes to our attention but, unfortunately, there’s nothing available yet—at least that we know of. Though it would be pretty cool if someone came up with one. Nudge nudge, wink wink.)

Why are post-Ice Cream Android phones better off?

As Google Android’s lead security engineer explains here, that’s about the time that Google put in place some strong exploit mitigation technologies, like one called Address Space Layout Randomization. “This technology makes it more difficult for an attacker to guess the location of code, which is required for them to build a successful exploit,” Adrian Ludwig writes. He goes on: “(For the layperson — ASLR makes writing an exploit like trying to get across a foreign city without access to Google Maps, any previous knowledge of the city, any knowledge of local landmarks, or even the local language. Depending on what city you are in and where you’re trying to go, it might be possible but it’s certainly much more difficult.)”

You can find a list of similar security technologies implemented since Ice Cream (version 4.0) here.

So I get that I should pressure my phone-maker to push out the fixes. What about my wireless carrier?

Well, if your wireless carrier was real cool, it could create a signature for Stagefright-based attacks, and block those threats on its network. Fiat Chrysler recently worked with Sprint to make its cars much less hackable that way. Your carrier could also help make sure the fix works for older versions of Android, too, rather than just making sure the latest version is protected. The security researcher Nicholas Weaver recently made this point on Twitter.

He suggested something similar for Google, too.

Can I do anything else to be safer?

First, ask your device manufacturer for an update: When will a patch be available and will you be covered? You might also consider changing the settings on your Android apps that use MMS, like Messaging and Hangouts. Un-click “automatically retrieve MMS messages.” In the meantime, consider using Snapchat or WhatsApp to swap clips, GIFs, and whatnot.

Other than that, keep your phone number private, I guess? Drake, the guy who found the flaw, plans to present more details at the Black Hat conference next month.

Okay, thanks for the tips. If I have any other questions, can I call you?

No, sorry. My phone number is private information.

Just testing you!

Ah I see what you did there, you jokester!
