TIME Android

Nearly 1 Billion Phones Can Be Hacked With 1 Text

The Latest Mobile Apps At The App World Multi-Platform Developer Show
Chris Ratcliffe—Bloomberg / Getty Images Google's Android platform is vulnerable to the attack.

"Stagefright" is one of the worst Android vulnerabilities to date.

So listen: Can I have your number?

Can I have it? Can I? Have it?

Um…maybe not. Actually, you should think twice before giving away your cell phone number—especially if you happen to own a phone that runs on Google’s Android operating system.

That’s the only thing a hacker needs to compromise a handset.

A mobile security researcher has uncovered a flaw that leaves as many as 95% of Android devices—that’s 950 million gadgets—exposed to attack. The computer bug, nicknamed “Stagefright” after a vulnerable media library in the operating system’s open source code, may be one of the worst Android security holes discovered to date. It affects Android versions 2.2 and on.

Should a hacker learn someone’s cell phone number, all it takes is for the attacker to send a malware-laced Stagefright multimedia message to the affected phone in order to steal its data and photos or to hijack its microphone and camera, among other nefarious actions. Worse yet, a user might have no idea that his or her device has been compromised.

Joshua Drake, vice president of research and exploitation at the mobile security firm Zimperium zLabs, says an attacker can delete the message before a victim has any idea.

“These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited,” he writes on his company’s blog. “Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.”

When Drake reported the severe vulnerabilities along with potential fixes to Google in April (as well as another set May), the company, he writes, “acted promptly and applied the patches to internal code branches within 48 hours.” That doesn’t mean the problem is resolved, however.

As Forbes reporter Thomas Fox-Brewster writes, device manufacturers will still need to push the updates out in order to safeguard their customers. Google’s major Android partners, which include phone-makers like LG, Lenovo, Motorola, Samsung, and Sony, were not immediately available to comment. (Fortune will update this when we hear back.)

An HTC spokesperson responded: “Google informed HTC of the issue and provided the necessary patches, which HTC began rolling into projects in early July. All projects going forward contain the required fix.”

Drake praises the security firm Silent Circle, based in Geneva, Switz., which makes the Blackphone handset, for its quick response protecting users since it released PrivatOS version 1.1.7. He also praises Mozilla, maker of the Firefox web browser, for including fixes since version 38. “We applaud these vendors for prioritizing security and releasing patches for these issues quickly.”

“This is Heartbleed for mobile,” said Chris Wysopal, chief tech and information security officer at the application security firm Veracode. These vulnerabilities “are exceedingly rare and pose a serious security issue for users since they can be impacted without having clicked on a link, opened a file or opened an SMS.”

Drake plans to present his research at the Black Hat and Def Con security conferences in Las Vegas next month.

So, um, can I have your number?

TIME Fiat Chrysler

Jeep Hack: Fiat Recalls 1.4 Million Vehicles For Software Fix

A 2005 Jeep Grand Cherokee rolls down the assembly line Wedn
John F. Martin—Bloomberg/Getty Images

Hackers had proved a vulnerability in the popular car's software

Fiat Chrysler automotive will recall roughly 1.4 million vehicles after it was discovered that hackers were able to remotely take control of a Jeep Cherokee SUV through vulnerabilities in its built-in software.

According to a report in USA Today, Fiat announced the recall under government pressure and will include a software update that will prevent hackers from controlling any of the cars’ functions remotely. Only U.S. vehicles will be affected by the recall.

The vulnerability in the Cherokee’s software was first reported in Wired magazine, which detailed how two software experts were able to manipulate many of the car’s functions from miles away. According to Wired, the hackers’ code is “an automaker’s nightmare . . . that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.”

Fiat says that there have been no injuries, as far as it is aware, as a result of the software vulnerability. The recall, according to USA Today, will affect the following models:

  • 2013-2015 Dodge Vipers
  • 2013-2015 Ram 1500, 2500 and 3500 pickups
  • 2013-2015 Ram 3500, 4500, 5500 Chassis Cabs
  • 2014-2015 Jeep Grand Cherokee and Cherokee SUVs
  • 2014-2015 Dodge Durango SUVs
  • 2015 MY Chrysler 200, Chrysler 300 and Dodge Charger sedans
  • 2015 Dodge Challenger sports coupes


TIME cybersecurity

Arrests Made in Connection With JPMorgan Hack, Report Says

JPMorgan Chase & Co. Headquarters Ahead of Earnings
Bloomberg—Bloomberg via Getty Images

Law enforcement officials have apprehended four out of five suspects tied to the bank's massive hack last summer

Law enforcement authorities have arrested four people in connection with last summer’s hacking of JPMorgan Chase, Bloomberg reports.

Law enforcement officials have apprehended four people—including two college friends who are graduates of Florida State University—involved in “a complex securities fraud scheme” that has been connected to the data breach, Bloomberg said. A fifth person remains at large.

Two Israeli men, Gery Shalon and Ziv Orenstein, as well as a U.S. citizen Joshua S. Aaron are among those charged with participating in a pump-and-dump plot, the report said. They allegedly used bulk emails and pre-planned trading to boost certain stock prices to their benefit.

The grand jury indictment, unsealed in Manhattan on Tuesday, according to Bloomberg, revealed that at least five stocks were manipulated in years past.

The JPMorgan data breach last summer compromised the personal information of 83 million individuals and small businesses. Following the breach, JPMorgan’s CEO Jamie Dimon said he would increase the bank’s investment in cybersecurity. A March New York Times story had hinted that investigators were getting close to making arrests.

For more information, read the developing story on Bloomberg.

TIME car hacking

Your Car Isn’t Safe From Hackers. Here’s Why

Jeep Cherokee Runs into Trouble
Darren McCollester—Getty Images A Jeep Cherokee.

Hacker carjackers are able to break into hundreds of thousands of vehicles on the road right now

The next time you’re buckled in behind the wheel, you may want to ask yourself: Am I really in control?

Two computer hackers have spent the past year cracking the digital defenses of Internet-connected vehicles. And what they’ve discovered is disturbing.

Charlie Miller, a security engineer at Twitter, and Chris Valasek, director of vehicle safety research at the cybersecurity firm IOActive, can take over certain vulnerable automobiles with ease. The pair recently demonstrated their abilities on a Jeep Cherokee, remotely hacking into the highway-cruising vehicle from miles away, as Wired reported.

“Their code is an automaker’s nightmare,” wrote Wired reporter Andy Greenberg, who intrepidly volunteered to serve as a crash test dummy for the hacker duo. “Software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.”

The remote attack could be used to compromise as many as 471,000 vehicles on the road today, the team estimates.

In 2013, the team similarly hacked into other cars, such as a Ford Escape and Toyota Prius. However, in those cases the two used computers that were plugged directly into the car’s dashboard.

Miller and Valasek plan to reveal more information about how they pulled off the Jeep stunt at the Black Hat conference next month. In the meantime, all they’ve said is that the trick involves using a cellular connection to break into the car’s entertainment system through a feature called UConnect. From there, they’re able to move laterally into other electronic parts of the vehicle, such as the air conditioning, transmission, and even the car’s steering controls.

Despite the security risks, automakers are more determined than ever to win the connected car race, and to turn their vehicles into computers. (And the reverse: Apple trying to turn its computers into cars.) Recently, a dozen of the top companies such as Ford and General Motors joined a coalition to share security data to protect their latest innovations from compromise.

In these early days, though, it seems the hackers have an edge. Watch the hackers’ antics in Wired’s video here.

TIME Ashley Madison

Data Breach Aside, Your Ashley Madison Affair Was Never a Secret

A flaw in the site's 'password reset' form could be the culprit

Worried you might be outed as a cheater in the data breach at Ashley Madison?

Turns out the extramarital affairs site, which bills itself as the “world’s leading married dating service for discreet encounters,” had leaky lips anyway. Information about who had an account wasn’t exactly hidden. Or rather, not hidden well.

Troy Hunt, a developer who specializes in security and who runs the site “Have I Been Pwned?”, revealed a flaw affecting the site in a blog post on Monday. The weakness, easily exploited, gave away whether an email address was contained in the site’s database or not; from there, one could infer who may have registered an account on the site.

The flaw affected Ashley Madison’s “password reset” form, a common Achilles heel in web security. Here’s how it worked: If you had submitted the email address of a registered account through that form, the request would trigger a certain message. Submit an email address not associated with an account, and that message would change.

So an invalid email address returned one screen, and a valid email address returned a different one. The difference? The invalid email address message contains a text box and a “send” button:

Ashley Madison - invalid password reset

The valid email address message excludes those details:

Ashley Madison - valid password reset

What this means is that anyone who knows your email address could easily check whether you had registered an account on the site.
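The flaw described above, as an added example that is not part of the article or of Ashley Madison’s own code: a password-reset handler whose page content differs for registered and unregistered addresses, beside a hardened one that returns the same page either way, plus the regression check a site operator would run against its own handler. The account list, addresses and messages are constructed for the demo.

```python
import secrets

# Constructed sample data for this demo (hypothetical addresses).
REGISTERED = {"alice@example.com", "bob@example.com"}

# Stand-in for a mail queue. A real deployment hands the message to an
# asynchronous worker so the request takes the same time whether or not an
# account exists; otherwise response timing becomes the next tell-tale.
OUTBOX = []


def reset_leaky(email: str) -> dict:
    """Vulnerable handler: the page content depends on whether the address is
    registered, so the form itself answers "is there an account for X?"."""
    if email in REGISTERED:
        return {"message": "Thank you for your request. Please check your inbox.",
                "show_retry_form": False}
    return {"message": "That email address is not in our system. Try again:",
            "show_retry_form": True}


def reset_hardened(email: str) -> dict:
    """Fixed handler: one response for every input. The existence check only
    decides whether a reset email is queued, which the requester cannot see."""
    if email in REGISTERED:
        OUTBOX.append({"to": email, "token": secrets.token_urlsafe(32)})
    return {"message": "If an account exists for that address, a reset link is on its way.",
            "show_retry_form": False}


def leaks_account_existence(handler, registered: str, unregistered: str) -> bool:
    """Regression check for the site operator: feed one known-registered and
    one known-unregistered address to the handler and flag any difference in
    the observable response."""
    return handler(registered) != handler(unregistered)


if __name__ == "__main__":
    for name, handler in (("leaky", reset_leaky), ("hardened", reset_hardened)):
        leak = leaks_account_existence(handler, "alice@example.com", "nobody@example.com")
        print(f"{name} handler leaks account existence: {leak}")
```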

There is, of course, an easy way to avoid detection: Create a bogus email address and use that to register an account on the site.

“[H]ere’s the lesson for anyone creating accounts on websites: always assume the presence of your account is discoverable,” said Hunt. Putting aside the morality of the site in question for a moment, Hunt writes: “If you want a presence on sites that you don’t want anyone else knowing about, use an email alias not traceable back to yourself or an entirely different account altogether.”

I would take that truism one step further: always assume anything you do on the Web is discoverable—unless you’re taking some serious operational security measures to remain hidden, such as anonymizing Internet routing services, encryption, aliases, etc.

By the time Fortune tested out the flaw to verify its authenticity, the issue appeared to have been resolved.

A spokesperson for Avid Life Media, the company that owns Ashley Madison, declined to comment.

TIME technology

Federal Agency Announces Temporary Shutdown of Hacked Database

Katherine Archuleta
Susan Walsh — AP Office of Personnel Management (OPM) Director Katherine Archuleta testifies on Capitol Hill in Washington. The federal personnel agency whose records were plundered by hackers linked to China says it has temporarily shut down a massive database used to update and store background investigation records.

Hackers linked to China are believed to have stolen records for as many as 18 million current and former employees

(WASHINGTON) — The federal personnel agency whose records were plundered by hackers linked to China announced on Monday the temporary shutdown of a massive database used to update and store background investigation records after newly discovering a flaw that left the system vulnerable to additional breaches.

There is no evidence the vulnerability has been exploited by hackers, agency spokesman Samuel Schumach said in a statement, adding that the Office of Personnel Management took the step protectively. He said the system could be shut down for four to six weeks.

Hackers suspected of working for the Chinese government are believed to have stolen records for as many as 18 million current and former federal employees and contractors last year. Detailed background investigations for security clearances of military and intelligence agency employees were among the documents taken.

The shutdown announced Monday is expected to hamper agencies’ ability to initiate investigations for new employees and contractors, as well as renewal investigations for security clearances, Schumach said.

But, he added, the federal government will still be able to hire, and in some cases grant clearances on an interim basis.

The database is known as e-QIP, short for Electronic Questionnaires for Investigations Processing.

TIME Security

Samsung Galaxy Keyboard Bug Exposes Users to Hackers

Samsung Galaxy S6 Phone Goes On Sale
Spencer Platt—Getty Images Samsung's latest flagship smartphones, the Galaxy S6 and the S6 Edge, are viewed at a Samsung store on the day of their release in New York City on April 10, 2015

Hundreds of millions of users of Samsung Galaxy smartphone models S4 through S6 are potentially vulnerable to a computer bug that researchers disclosed at the Black Hat Conference in London on Tuesday.

The flaw, discovered by Ryan Welton, a researcher at the cybersecurity firm NowSecure, lets attackers wreak havoc on Samsung mobile device models. It can give a hacker covert control over a phone’s microphone and camera, access to text messages, and the ability to download malicious apps, among other things.

The issue arises from a defect in the software updater for Samsung’s default virtual keyboard, a customized version of the word-prediction technology developed by SwiftKey. When a device downloads a language pack update, any man-in-the-middle attacker—a bad actor positioned on the same network as the user—can swap the real file for malware, thus compromising the device.

The default keyboard program checks for updates automatically, so even people who use other keyboard apps are vulnerable.

Two problems with the phones’ updater process contribute to the severity of the vulnerability. On the one hand, SwiftKey does not encrypt those keyboard update files, a weakness that hackers can exploit to install malicious files on a person’s device (as described above). On the other, Samsung grants those updates elevated permissions, allowing attackers to circumvent the phone’s security controls and meddle with all sorts of data and code running on a device.

“Because Samsung phones grant extraordinarily elevated privileges to the updates,” writes Ars Technica security editor Dan Goodin, “the malicious payload is able to bypass protections built into Google’s Android operating system that normally limit the access third-party apps have over the device.”

Andrew Hoog, the CEO of NowSecure, told the Wall Street Journal that his company alerted Samsung to the flaw in November. Two months later, Samsung requested another year to patch the problem. Three months after that, the company said it had pushed a software fix out to wireless carriers, like Sprint and Verizon, and said the firm could take its findings public in another three months, reports WSJ’s Danny Yadron.

Realizing that the phones weren’t patched, but believing too much time had elapsed already, the NowSecure team decided to go ahead and present its discovery at the hacker conference, according to WSJ.

SwiftKey pointed out in a statement that its other apps are unaffected by the exploit, and that the current vulnerability—labeled CVE-2015-2865 in the industry’s taxonomical parlance—takes a bit of skill and a lot of good timing to pull off: “a user must be connected to a compromised network (such as a spoofed public Wi-Fi network), where a hacker with the right tools has specifically intended to gain access to their device. This access is then only possible if the user’s keyboard is conducting a language update at that specific time, while connected to the compromised network.”

Samsung, too, released a statement addressing the bug: “We are aware of the recent issue reported by several media outlets and are committed to providing the latest in mobile security,” the company said. “Samsung KNOX,” the company’s mobile security solution, “has the capability to update the security policy of the phones, over-the-air, to invalidate any potential vulnerabilities caused by this issue. The security policy will begin rolling out in a few days.”

“In addition to the security policy update, we are also working with SwiftKey to address potential risks going forward.”

For now, NowSecure recommends that users of Samsung Galaxy smartphones affected by the bug (a list of the vulnerable models can be found here) should:

  • Avoid insecure Wi-Fi networks
  • Use a different mobile device
  • Contact carriers for patch information and timing

This article originally appeared on Fortune.com

TIME Security

Why Using an ATM Is More Dangerous Than Ever

Breaches have risen dramatically very recently

In a time when major data hacks are on the rise—think Target, Home Depot, Sony—it’s no surprise breaches on individuals are also up. According to FICO, debit-card compromises at ATMs rose 174% from January to April of this year, compared to the same period last year.

And that’s just breaches of ATMs located on official bank property. Successful breaches at non-bank ATMs rose 317% in that period.

In other words, withdrawing money from an ATM is more dangerous than it’s been in a long time—specifically, the worst it has been in two decades, according to the Wall Street Journal, which cites a prediction from consulting firm Tremont Capital Group that criminals will make more than 1.5 million successful ATM cash withdrawals this year.

As Fortune reported earlier this year, a majority of American corporations believe they will be hacked in 2015. The questions they are all dealing with are how to prepare for these compromises and how to deal with them when they happen, because preventing them has become increasingly difficult.

Banking institutions, as well as the payment companies that connect banks to consumers, like Visa and MasterCard, have beefed up their technology more aggressively than ever in order to both innovate and securitize. But for a private consumer who simply wants to take money from an ATM, stats like these are nonetheless sobering.

Read next: 5 Easy Ways to Avoid Getting Hacked at ATMs


TIME Innovation

Are “Micro-Schools” the Future of Education?

The Aspen Institute is an educational and policy studies organization based in Washington, D.C.

These are today's best ideas

1. Are personalized “micro-schools” the future of education?

By Anya Kamenetz at NPR

2. Millions of Americans get tests, drugs, and operations that won’t make them better.

By Atul Gawande in the New Yorker

3. Can bacteria help us fight the ravages of climate change?

By Esther Ngumbi in Scientific American

4. Here’s a drone you can fly with your phone, from the designer of the Roomba.

By Jessica Leber in Fast Co.Exist

5. What’s killing the growth of mobile banking?

By Herb Weisbaum in NBC News


TIME Ideas hosts the world's leading voices, providing commentary and expertise on the most compelling events in news, society, and culture. We welcome outside contributions. To submit a piece, email ideas@time.com.

MONEY privacy

It Took Just One Email to Compromise the Leaders of the Free World

G20 Summit Leaders
Reuters

Many of the world leaders who attended last year’s G20 summit in Brisbane had their personal data compromised. The cause? Human error.

Whether an autofill mishap or a “What in the name of God were you thinking?” move, somebody’s shrimp is on the barbie at Australia’s immigration department after an officer there emailed President Obama’s passport number and other personal information to an organizer at the Asian Cup football tournament. And before you think otherwise: Yeah, it matters.

An Australian freedom of information request recently revealed that the personally identifiable information (PII) of many of the world leaders who attended last year’s G20 summit in Brisbane — including President Obama, Russian President Vladimir Putin, German Chancellor Angela Merkel, China’s President Xi Jinping, India’s Prime Minister Narendra Modi, Japan’s Prime Minister Shinzo Abe and UK Prime Minister David Cameron — was accidentally leaked by a government employee. Worse, there was an attempt to sweep this mess under the rug.

The freedom of information request revealed that an immigration official notified Australia’s privacy commissioner about the walkabout presidential/prime ministerial PII shortly after the misdirected email was received by its startled recipient.

“The personal information which has been breached,” an email notifying the privacy commissioner stated, “is the name, date of birth, title, position nationality, passport number, visa grant number and visa subclass held relating to 31 international leaders (i.e., prime ministers, presidents and their equivalents) attending the G20 leaders summit.”

“The cause of the breach was human error. [Redacted] failed to check that the autofill function in Microsoft Outlook had entered the correct person’s details into the email ‘To’ field. This led to the email being sent to the wrong person.

“The matter was brought to my attention directly by [redacted] immediately after receiving an email from [the recipient] informing them that they had sent the email to the wrong person.

“The risk remains only to the extent of human error, but there was nothing systemic or institutional about the breach.”

The decision not to inform any of the world leaders was based on the fact that the recipient of the wayward email had deleted it from their computer and then deleted the deleted email from the “deleted items” folder.

The Inevitable Weak Link

Unlike code, with its right/wrong, open/closed approach to data, humans make a lot of mistakes. Sometimes those mistakes have catastrophic results. The Target breach is a good example of this. The retailing icon didn’t properly segment data, and someone at a heating and air conditioning company with a Target contract, and unknowing access to far more systems than anyone could have imagined, clicked on a phishing link in a fraudulent email that ultimately allowed hackers to access its point-of-sale systems — in other words, human error. Subsequently, multiple warnings from Target’s own security protocols — indicating the presence of malware — were overridden by someone(s), also human error.

In the G20 instance, the damage was most likely not great — at least to the world leaders in question. That said, Steve Wilson, a principal analyst focusing on digital identity and privacy at Constellation Research told the Guardian, “What I’d be worried about is whether that level of detail could be used to index those people in different databases to find out more things about them.”

Wilson went on to hypothesize: “If you had access to other commercial data sources you could probably start to unpack their travel details, and that would be a security risk.”

Now comes the unavoidable question: When it involves the protection of a president or prime minister, is “most likely safe” an acceptable standard? For a government employee to send out such internationally sensitive information in an email and for a privacy commissioner to decide not to notify anyone that the breach had occurred needs to get tagged as “human error” as well. (If anyone should know better, one would assume it might be the “privacy” commissioner, yes?) One of the more crucial protocols in a data compromise is transparency, at least with respect to those who have been exposed. If you’re not aware of the fact that you are in harm’s way, how can you possibly protect yourself?

You may remember the scene in the 2006 remake of the Pink Panther where Clouseau, played by Steve Martin, gets his hand stuck inside a vase. He asks the casino owner if the item is valuable, and is told that it’s a worthless imitation. Mindful of that information, Clouseau slams the vase on a desk to free his hand, breaking both in the process.

“But that desk,” the casino owner says, “was priceless.”

So now anyone wanting to get their hands on that PII knows where it isn’t, but they also have some clues as to how to piece it together, and where it might be. (Of course, no hacker has ever raised deleted files from the dead.) They also now know that Australia has porous defenses, even if their vulnerabilities exist only at the level of a human resources failure to properly train employees on data security best practices. But then there’s the question of the privacy commissioner’s handling of the situation, which none of this explains. Sigh…

The leak of PII belonging to world leaders is an extremely serious matter. For years many have warned that any system is only as secure as its weakest link … and that humans are almost always the weakest link. So the beat goes on.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.


This article originally appeared on Credit.com.
