Security

Tinder's Lack of Encryption Lets Strangers Spy on Your Swipes (wired.com) 21

Tinder's mobile apps still lack the standard encryption necessary to keep your photos, swipes, and matches hidden from snoops, a security firm reports. From Wired: On Tuesday, researchers at Tel Aviv-based app security firm Checkmarx demonstrated that Tinder still lacks basic HTTPS encryption for photos. Just by being on the same Wi-Fi network as any user of Tinder's iOS or Android app, the researchers could see any photo the user did, or even inject their own images into his or her photo stream. And while other data in Tinder's apps are HTTPS-encrypted, Checkmarx found that they still leaked enough information to tell encrypted commands apart, allowing a hacker on the same network to watch every swipe left, swipe right, or match on the target's phone nearly as easily as if they were looking over the target's shoulder. The researchers suggest that lack of protection could enable anything from simple voyeuristic nosiness to blackmail schemes.
Android

Android Can Now Tell You How Fast Wi-Fi Networks Are Before You Join Them (theverge.com) 39

Today, Google announced that Android 8.1 Oreo will now display the speed of nearby open Wi-Fi networks to help you decide whether they're even worth the effort of connecting to. The Wi-Fi settings menu will now display one of four speed labels: Very Fast, Fast, OK, or Slow. The Verge reports: The difference between Very Fast and Fast, according to Google, is that you can stream "very high-quality videos" on the former and "most videos" on the latter. Most coffee shop dwellers should be fine with the OK level, as that's enough for web browsing, social media, and Spotify streaming. Private Wi-Fi networks that require passwords don't display any speed data since it's really none of your business and Google can't randomly test them, but they do continue to indicate signal strength. Google says network administrators can also opt out of Android's Wi-Fi Assistant showing speed info by using a "canary URL."
Android

Yale Privacy Lab and Exodus Privacy's F-Droid Android App Store is a Replacement for Google Play That Features Only FOSS Apps That Don't Do Any Tracking (wired.com) 58

Google Play, the marquee Android apps store, is filled with apps that are riddled with hidden trackers that siphon a smorgasbord of data from all sensors, in all directions, unknown to the Android user. Not content with the strides Google has made to curtail the issue, Yale Privacy Lab has collaborated with Exodus Privacy to detect and expose trackers with the help of the F-Droid app store. From a report on Wired: F-Droid is the best replacement for Google Play, because it only offers FOSS apps without tracking, has a strict auditing process, and may be installed on most Android devices without any hassles or restrictions. F-Droid doesn't offer the millions of apps available in Google Play, so some people will not want to use it exclusively. It's true that Google does screen apps submitted to the Play store to filter out malware, but the process is still mostly automated and very quick -- too quick to detect Android malware before it's published, as we've seen. Installing F-Droid isn't a silver bullet, but it's the first step in protecting yourself from malware.
Electronic Frontier Foundation

EFF: Thousands of People Have Secure Messaging Clients Infected By Spyware (eff.org) 35

An anonymous reader quotes the EFF: The Electronic Frontier Foundation (EFF) and mobile security company Lookout have uncovered a new malware espionage campaign infecting thousands of people in more than 20 countries. Hundreds of gigabytes of data has been stolen, primarily through mobile devices compromised by fake secure messaging clients. The trojanized apps, including Signal and WhatsApp, function like the legitimate apps and send and receive messages normally. However, the fake apps also allow the attackers to take photos, retrieve location information, capture audio, and more.

The threat, called Dark Caracal by EFF and Lookout researchers, may be a nation-state actor and appears to employ shared infrastructure which has been linked to other nation-state actors. In a new report, EFF and Lookout trace Dark Caracal to a building belonging to the Lebanese General Security Directorate in Beirut. "People in the U.S., Canada, Germany, Lebanon, and France have been hit by Dark Caracal. Targets include military personnel, activists, journalists, and lawyers, and the types of stolen data range from call records and audio recordings to documents and photos," said EFF Director of Cybersecurity Eva Galperin. "This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying, because phones are full of so much data about a person's day-to-day life."

Dark Caracal apparently gets installed through carefully-targeted spearphishing attacks, accoridng to the EFF. "Several types of phishing emails directed people -- including military personnel, activists, journalists, and lawyers -- to go to a fake app store-like page, where fake Android apps waited. There is even evidence that, in some cases, Dark Caracal used physical access to people's phones to install the fake apps."
Wireless Networking

Google Releases Fix For Chromecast Wi-Fi Crashes (zdnet.com) 32

An anonymous reader quotes a report from ZDNet: Google on Wednesday said it will release an update Jan. 18 to fix a bug in Cast software on Android phones that dramatically slows down WiFi networks. Reports have been circulating this week that the Google Home Max speaker can knock the TP-Link Archer C7 router offline. In a support page, Google explains a bug caused the Cast software that connects with Chromecast devices to send a large amount of network traffic routers can't handle. Google said the update will roll out via a Google Play services update. Until the update is released, Google advises users to try rebooting their Android phone, and check that their WiFi router is updated with the latest firmware. Google didn't list specific routers impacted by the bug, but reports have indicated routers from Linksys and Synology are seeing network crashes as well.
Operating Systems

Google's Fuchsia OS On the Pixelbook (arstechnica.com) 72

An anonymous reader quotes a report from 9to5Google: Our early look at Fuchsia OS last May provided a glimpse into a number of new interface paradigms. Several months later, we now have an updated hands-on with Google's future operating system that can span various form factors. This look at the in-development OS eight months later comes courtesy of Ars Technica who managed to get Fuchsia installed on the Pixelbook. The Made by Google Chromebook is only the third officially supported "target device" for Fuchsia development. As our last dive into the non-Linux kernel OS was through an Android APK, we did not encounter a lockscreen. The Ars hands-on shows a basic one that displays the time at center and Fuchsia logo in the top-left corner to switch between phone and desktop/tablet mode, while a FAB (of sorts) in the opposite corner lets users bring up WiFi controls, Login, and Guest.

Only Guest is fully functioning at this stage -- at least for non-Google employees. Once in this mode, we encounter an interface similar to the one we spotted last year. The big difference is how Google has filled in demo information and tweaked some elements. On phones and tablets, Fuchsia essentially has three zones. Recent apps are above, at center are controls, and below is a mixture of the Google Feed and Search. The controls swap out the always-displayed profile icon for a Fuchsia button. Tapping still surfaces Quick Settings which actually reflect current device battery levels and IP address. Impressively, Ars found a working web browser that can actually surf the internet. Google.com is the default homepage, with users able to visit other sites through that search bar. Other examples of applications, which are just static images, include a (non-working) phone dialer, video player, and Google Docs. The Google Calendar is notable for having subtle differences to any known version, including the tablet or web app.

Wine

Wine 3.0 Released (softpedia.com) 151

prisoninmate shares a report from Softpedia: The Wine (Wine Is Not an Emulator) project has been updated today to version 3.0, a major release that ends 2017 in style for the open-source compatibility layer capable of running Windows apps and games on Linux-based and UNIX-like operating systems. Almost a year in the works, Wine 3.0 comes with amazing new features like an Android driver that lets users run Windows apps and games on Android-powered machines, Direct3D 11 support enabled by default for AMD Radeon and Intel GPUs, AES encryption support on macOS, Progman DDE support, and a task scheduler. In addition, Wine 3.0 introduces the ability to export registry entries with the reg.exe tool, adds various enhancements to the relay debugging and OLE data cache, as well as an extra layer of event support in MSHTML, Microsoft's proprietary HTML layout engine for the Windows version of the Internet Explorer web browser. You can read the full list of features and download Wine 3.0 from WineHQ's website.
Security

Researchers Uncover Android Malware With Never-Before-Seen Spying Capabilities (arstechnica.com) 102

An anonymous reader quotes a report from Ars Technica: According to a report published Tuesday by antivirus provider Kaspersky Lab, "Skygofree" is most likely an offensive security product sold by an Italy-based IT company that markets various surveillance wares. With 48 different commands in its latest version, the malware has undergone continuous development since its creation in late 2014. It relies on five separate exploits to gain privileged root access that allows it to bypass key Android security measures. Skygofree is capable of taking pictures, capturing video, and seizing call records, text messages, gelocation data, calendar events, and business-related information stored in device memory. Skygofree also includes the ability to automatically record conversations and noise when an infected device enters a location specified by the person operating the malware. Another never-before-seen feature is the ability to steal WhatsApp messages by abusing the Android Accessibility Service that's designed to help users who have disabilities or who may temporarily be unable to fully interact with a device. A third new feature: the ability to connect infected devices to Wi-Fi networks controlled by attackers. Skygofree also includes other advanced features, including a reverse shell that gives malware operators better remote control of infected devices. The malware also comes with a variety of Windows components that provide among other things a reverse shell, a keylogger, and a mechanism for recording Skype conversations.
Google

Google's Museum App Finds Your Fine Art Doppelganger (engadget.com) 66

The latest update to the Google Arts & Culture app now lets you take a selfie, and using image recognition, finds someone in its vast art collection that most resembles you. It will then present you and your fine art twin side-by-side, along with a percentage match, and let you share the results on social media. Engadget reports: The app, which appears to be unfortunately geo-restricted to the United States, is like an automated version of an article that circulated recently showing folks standing in front of portraits at museums. In many cases, the old-timey people in the paintings resemble them uncannily, but, other than in rare cases, that's not the case at all with Google's app. Google matched me with someone who doesn't look like me in the slightest, a certain Sir Peter Francois Bourgeois, based on a painting hanging in Dulwich Picture Gallery. Taking a buzz around the internet, other folks were satisfied with their matches, some took them as a personal insult, and many were just plain baffled, in that order.
The Almighty Buck

OnePlus Customers Report Credit Card Fraud After Buying From the Company's Website (androidpolice.com) 63

If you purchased a OnePlus smartphone recently from the official OnePlus website, you might want to check your transactions to make sure there aren't any you don't recognize. "A poll was posted on the OnePlus forum on Thursday asking users if they had noticed fraudulent charges on their credit cards since purchasing items on the OnePlus site," reports Android Police. "More than 70 respondents confirmed that they had been affected, with the majority saying they had bought from the site within the past 2 months." From the report: A number of FAQs and answers follow, in which OnePlus confirms that only customers who made credit card payments are affected, not those who used PayPal. Apparently, card info isn't stored on the site but is instead sent directly to a "PCI-DSS-compliant payment processing partner" over an encrypted connection. [...] OnePlus goes on to say that intercepting information should be extremely difficult as the site is HTTPS encrypted, but that it is nevertheless carrying out a complete audit. In the meantime, affected customers are advised to contact their credit card companies immediately to get the payments canceled/reversed (called a chargeback). OnePlus will continue to investigate alongside its third-party service providers, and promises to update with its findings as soon as possible.

According to infosec firm Fidus, there is actually a brief window in which data could be intercepted. Between entering your card details into the form and hitting 'submit,' the details are apparently hosted on-site, which could give attackers all the time they need to steal those precious digits and head off on a spending spree. Fidus also notes that the company doesn't appear to be PCI-compliant, but that directly contradicts OnePlus' own statement. We'll have to wait until more details emerge before we pass judgment.
Here's OnePlus' official statement on the matter: "At OnePlus, we take information privacy extremely seriously. Over the weekend, members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net. We immediately began to investigate as a matter of urgency, and will keep you updated. This FAQ document will be updated to address questions raised."
Google

Why Uber Can Find You but 911 Can't (wsj.com) 199

Accurate location data is on smartphones, so why don't more wireless carriers use it to locate emergency callers? From a report, shared by a reader: Software on Apple's iPhones and Google's Android smartphones help mobile apps like Uber and Facebook to pinpoint a user's location, making it possible to order a car, check in at a local restaurant or receive targeted advertising. But 911, with a far more pressing purpose, is stuck in the past. U.S. regulators estimate as many as 10,000 lives could be saved each year if the 911 emergency dispatching system were able to get to callers one minute faster. Better technology would be especially helpful, regulators say, when a caller can't speak or identify his or her location. After years of pressure, wireless carriers and Silicon Valley companies are finally starting to work together to solve the problem. But progress has been slow. Roughly 80% of the 240 million calls to 911 each year are made using cellphones, according to a trade group that represents first responders. For landlines, the system shows a telephone's exact address. But it can register only an estimated location, sometimes hundreds of yards wide, from a cellphone call. That frustration is now a frequent source of tension during 911 calls, said Colleen Eyman, who oversees 911 services in Arvada, Colo., just outside Denver.
Android

Google Pulls 60 Apps From Play Store After Malware Exposes Kids To Porn (gizmodo.com) 49

Cyberthreat intelligence firm Check Point on Friday disclosed the existence of malicious code buried inside dozens of apps that displays pornographic images to users. Many of the apps are games reportedly geared toward young children. As a result, Google quickly removed the roughly 60 apps said to be affected from its Play Store. Gizmodo reports: While they appeared as such, the pornographic images displayed were not actually Google ads. Google supposedly maintains tight controls on all ads that appear in what it calls "Designed for Family" apps. The company also maintains a white-list of advertisers deemed safe for children under the ages of 13. None of the affected apps were part of Google's "Family Link" program, which is the category of recognized kid-friendly apps available across Google's platforms. The malware, dubbed AdultSwine, is said to have displayed the highly inappropriate images while also attempting to trick users into installing a fake-security app, or "scareware." After the fake "ads" were delivered, users would've received a "Remove Virus Now" notification, or something similar, designed to provoke users into downloading the scareware. The affected gaming apps included at least one which may have had up to 5,000,000 downloads -- Five Nights Survival Craft -- as well as many others which had between 50,000 and 500,000 downloads.
Cellphones

Future Samsung Phones Will Have a Working FM Radio Chip (androidpolice.com) 215

A few months ago, LG announced a partnership with NextRadio to unlock the FM chip in its smartphones. Now, Samsung is doing the same. Android Police reports: NextRadio made the announcement, rightly explaining that FM radio is essential in areas with low connectivity and in emergency and disaster situations where a connection might be difficult to obtain or maintain and where access to information could be a matter of life and death. With the chip unlocked, users will be able to listen to local radio on their phone using the NextRadio Android app. The press release mentions that "upcoming [Samsung] smartphone models in the U.S. and Canada" will have the FM chip unlocked, however I did find several existing Samsung devices with their FM chip enabled on NextRadio's site.
Cellphones

Samsung Will Unveil the Galaxy S9 Next Month At Mobile World Congress (theverge.com) 55

Samsung will unveil its next flagship handset, the Galaxy S9, next month at Mobile World Congress (MWC). DJ Koh, the company's smartphone chief, confirmed the launch to ZDNet at CES yesterday without offering a specific date. The Verge reports: The S9 (and, presumably, an S9 Plus) will be the successors to the S8 and S8 Plus, which launched at a Samsung event in New York last March before going on sale in April. The S8 and its bigger brother were a hit with critics, who praised the phones' gorgeous design and brilliant cameras. The phones were even good enough to make consumers forget about the disaster of the Galaxy Note 7 and its exploding batteries. Not much is known about the Galaxy S9 at this point, though we're not expecting any radical departures from the S8. A handful of leaked renders suggest it will look near-identical to its predecessor, with a slight tweak moving the rear fingerprint sensor to below the camera (rather than its current, awkward position of off to one side).
Cellphones

'I Tried the First Phone With An In-Display Fingerprint Sensor' (theverge.com) 70

Vlad Savov from The Verge reports of his experience using the first smartphone with a fingerprint scanner built into the display: After an entire year of speculation about whether Apple or Samsung might integrate the fingerprint sensor under the display of their flagship phones, it is actually China's Vivo that has gotten there first. At CES 2018, I got to grips with the first smartphone to have this futuristic tech built in, and I was left a little bewildered by the experience. The mechanics of setting up your fingerprint on the phone and then using it to unlock the device and do things like authenticate payments are the same as with a traditional fingerprint sensor. The only difference I experienced was that the Vivo handset was slower -- both to learn the contours of my fingerprint and to unlock once I put my thumb on the on-screen fingerprint prompt -- but not so much as to be problematic. Basically, every other fingerprint sensor these days is ridiculously fast and accurate, so with this being newer tech, its slight lag feels more palpable. Vivo is using a Synaptics optical sensor called Clear ID that works by peering through the gaps between the pixels in an OLED display (LCDs wouldn't work because of their need for a backlight) and scanning your uniquely patterned epidermis. The sensor is already in mass production and should be incorporated in several flagship devices later this year.
Software

Dell's Mobile Connect Application Will Allow Users To Easily Mirror Their Smartphone on PC; To Come Pre-installed On Company's Future PCs (venturebeat.com) 60

From a report on VentureBeat: Smartphones and computers were designed in different eras, and they don't really work well together, forcing us to split our time between them. But Dell is trying to change that with Dell Mobile Connect software, which makes the two devices more interoperable. [...] You can now make and receive phone calls directly from your computer, and you can also send and receive text messages on your PC screen. This allows you to stay connected on your PC without worrying that you're missing phone notifications or calls. And you can use any Android app on your PC. That allows you to bring your small-screen apps like games to a bigger screen. If your computer doesn't have a touchscreen, you can control the mirrored phone game with a keyboard and mouse. [...] Dell will preload the software on new Dell consumer and business PCs, and it has a free smartphone app that works on either Android or iOS. Dell Mobile Connect will be available on all new Dell Inspiron, XPS, Vostro, or Alienware purchased worldwide in January 2018 or later.
Google

Google Rebrands All Its Payment Solutions As 'Google Pay' (arstechnica.com) 69

An anonymous reader quotes a report from Ars Technica: Google just announced that it is merging all of its various payment programs into a single brand, called "Google Pay." Google Pay will be a one-stop shop for all your Google Payment needs: NFC smartphone payments, P2P transfers, and Web payments. Google's payment solution site has already clicked over to the new branding, and we'd guess a rebrand of the Android Pay app won't be far behind. The branding should start popping up on store credit card machines, too. So "Google Pay" is the new brand for every kind of payment Google offers -- all without the platform-specific branding problems of Android Pay. Google says this is "just the first step for Google Pay" and it "can't wait to share more."
Google

Google Says Almost All CPUs Since 1995 Vulnerable To 'Meltdown' And 'Spectre' Flaws (bleepingcomputer.com) 269

Catalin Cimpanu, reporting for BleepingComputer: Google has just published details on two vulnerabilities named Meltdown and Spectre that in the company's assessment affect "every processor [released] since 1995." Google says the two bugs can be exploited to "to steal data which is currently processed on the computer," which includes "your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents." Furthermore, Google says that tests on virtual machines used in cloud computing environments extracted data from other customers using the same server. The bugs were discovered by Jann Horn, a security researcher with Google Project Zero, Google's elite security team. These are the same bugs that have been reported earlier this week as affecting Intel CPUs. Google was planning to release details about Meltdown and Spectre next week but decided to publish the reports today "because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation."
Desktops (Apple)

The 'App' You Can't Trash: How SIP is Broken in Apple's High Sierra OS (eclecticlight.co) 164

A reader shares a blog post that talks about why Mac running High Sierra 10.13.2 (and other versions near it) refuses to let users uninstall some third-party applications easily. For instance, when users attempt to uninstall BlueStacks, an Android emulator, the Finder shows this warning: "The operation can't be completed because you don't have the necessary permission." The blog post looks into the subject: The moment that we see the word permission, all becomes clear: it's a permissions problem. So the next step is to select the offending item in the Finder, press Command-I to bring up the Get Info dialog, and change the permissions. It does, though, leave the slight puzzle as to why the Finder didn't simply prompt for authentication instead of cussedly refusing. Sure enough, after trying that, the app still won't go and the error message is unchanged. Another strange thing about this 'app' is that it's not an app at all. Tucked away in a mysterious folder, new to High Sierra, in /Library/StagedExtensions/Applications, its icon is defaced to indicate that the user can't even run it. Neither did the user install it there. Trying to remove it using a conventional Terminal command sudo rm -rf /Library/StagedExtensions/Applications/BlueStacks.app also fails, with the report Operation not permitted.


Google

Google's Mysterious Fuchsia OS Can Now Run On the Pixelbook (theverge.com) 60

Google's mysterious operating system, dubbed Fuchsia, has been in the works for more than a year now with very few details about the OS made public. According to a new report from Chrome Unboxed, we have learned that Google has released documentation to allow developers to load Fuchsia onto the company's Pixelbook. The Verge reports: This isn't your typical developer operating system, and you'll need two machines to host and target a Pixelbook to load the OS. It's very much a work in progress, with early hints at a user interface and functions. It's still interesting that Google has chosen its own Pixelbook to experiment with, though. Fuchsia has mostly been linked to embedded systems like wearables and Internet of Things devices in the past, but testing was expanded to Intel's NUC and Acer's Switch Alpha 12 Chromebooks. Fuchsia has been created from the Google-built Zircon microkernel, and not the typical Linux kernels that hold Android and Chrome OS together. It's not immediately clear exactly why Google is building a new operating system, nor what devices it will run on. As testing spreads to more Chromebooks, some are now speculating this could be a successor to the "Andromeda" project that never materialized.

Slashdot Top Deals