’s Friday Security Roundup – May 29, 2015


SSL_com_logoHappy birthday Peter Higgs and the Rite of Spring! This weeks’ Friday Security Roundup salutes the theoretical physicist who won the Nobel prize for working out a well-regarded mechanism for how the universe works (and lent his name to “the most sought-after particle in modern physics”) and also Igor Stravinsky’s ballet, which famously caused quite the brouhaha upon its first performance 112 years ago today. is happy to support the arts and the sciences with secure digital certificates and world class support – and pleased to present this rundown of security issues we’ve been following this week.

Comment Intéressant!

Reported, by Canadian publication La Presse: Remote access and encryption of laptops, smart phones and tablets during a raid on the offices of Uber Montreal. (Links in French, because Quebec – link to a Google translation to English here.) Québecois tax authorities visiting two separate locations on May 14 of this year found that the devices they were attempting to access and copy were being remotely rebooted even as the raid took place, and rendered unreadable though encryption. As the article notes, “Technically, data that have been encrypted are not altered, but modified to make it unreadable without a password.” So there, Monsieur Taxman!

Status: What’s Canadian for chutzpah? Uber arouses strong feelings both for and against (their upcoming plans to have their app track riders by default are raising eyebrows) but you have to admit they took advantage of available technology in a rapidly unfolding environment – disruptive indeed!

Android Issues, Part One: Fun With Your Accelerometer Data

Tracked, by researchers from Nanjing University: Travellers on commuter trains, using only motion sensor data swiped from their Android phones. Since Android doesn’t protect accelerometer data, this allowed the team to uniquely identify and trace the movements of up to 92 percent of the test subjects, and could be used as a malware attack vector which would be especially efficient in cities like New York and Tokyo where most of the population uses mass transit. (We also like the forthright title of their research paper: We Can Track You If You Take the Metro.)

Status: Interested, but not as worried as some might be (we’re in Houston, which is to mass transit what Nanjing is to air quality). However, as Privacy International points out in their pithy video, metadata of this sort is ripe for exploitation no matter where you live or how it’s collected – we would hope Google will take steps as suggested in this study to lock down and limit access this information and its potential for misuse.

Android Issues, Part Two: Reset…Doesn’t.

Tested and found wanting, by scientists at the University of Cambridge: the default data-wiping system built into Android devices. Access to theoretically-deleted content – including Google and Facebook tokens and data like text messages, videos and photos – can be gained due to a flawed factory reset procedure that leaves an estimated half a billion devices open to exploitation. (Note that tests were performed on Android releases from 4.3 back through 2.1 – current versions, however, are presumed to be similarly vulnerable.)

Status: Look, we like Android, and truly look forward to having it running our TVs, cars and refrigerators real soon now. However, we’d feel a lot better if, in between working on the self-driving hoverboards and broadband by blimp, Google would take steps as suggested in this…study…to – are we repeating ourselves here?

NON-Android Issue, Just to Switch Things Up

Discovered, by reddit user aus10_t8um: A text message which crashes iPhones upon receipt. The issue is discussed in detail over at the Register – the short version is that Apple’s CoreText display library and Unicode occasionally get athwart each other’s hawse. In this instance, this has been finessed to create a text message of doom. Entirely doable, since Unicode is kind of insane. (Great, but insane.)

Status: Less surprised than you might think –  OS X users may remember a similar Unicode-related bug back in 2013. The present problem appears to be confined to iOS’s iMessage service, and Apple has issued a workaround (spoiler alert: ask Siri) but it is an ongoing issue which we will follow with interest.

Ironic Certificate Expiration Issues, Number 1,247 in a Series

This week’s object lesson: The website of the UK’s Courts and Tribunals Judiciary, which threw visitors a “This Connection Is Untrusted” message as of May 27th due to an expired SSL certificate. Although corrected pretty quickly, any visitors just wanting to catch up on the swearing-in of the new Lord Chancellor might be nonplussed to read “this error could mean that someone is tampering with your connection.”

Status: Did you know that any customer can customize their account to schedule up to five expiration notices on whatever dates work best for them? Now you do!

Once again, we find there’s so much more than we can fit into one week’s roundup – nothing about this week’s crop of router exploits, no mention of how easy it is to tease data out of your FitBit, – but we’ll be back next Friday with more. As always, please let us know your take on these issues, and remember what truly believes – a safer internet is a better internet.