
Data Privacy: A Guide to Privacy in the Cloud

By James Green ~ February 13th, 2014 12:33 PM MST


The cloud can be utterly convenient, allowing us to seamlessly access all of our music, photos, and work files from anywhere in the world, even while on vacation (if you’re into that sort of thing). But, there are those who scrutinize the cloud for lack of privacy. Cloud skeptics criticize the security of cloud servers, question the fail-safes in place to prevent unauthorized access to data, and condemn companies who collect and trade customer data like currency.

So, can data stored on the cloud ever be truly private? I asked that very question to a champion of data privacy and the CEO of cloud service SpiderOak, Ethan Oberman. His response was a resounding “Yes, and there are a lot of reasons why!” Then again you would expect the CEO of a cloud company to say the cloud can be private, so what’s the catch? Truthfully, after my own independent research and my conversation with Mr. Oberman, who speaks objectively and in-depth about cloud and data privacy, the only catch is that some cloud services only consider privacy as an afterthought. Since you don’t want to be caught with your data exposed we’re here to help you understand how to find privacy in the cloud. 

Algorithm! Algorhyme! Get on up, it’s Cryptography time!

Online data privacy relies on the complex math of cryptography. The following is an elementary version of the cryptographic process. We will encrypt the input “topsecretmessage” and receive a ciphertext output. For the sake of brevity our example completes the process only once; real cryptography cycles through this process numerous times.

  • A plaintext input (your data) is taken and divided into two-dimensional data blocks (imagine a spreadsheet with rows and columns).

[Figure: the plaintext arranged as a block]

  • Each data character is then replaced with a corresponding crypto character according to a lookup table.

[Figure: each character translated through the lookup table]

  • The data is then shifted vertically by row, and then horizontally by column.

[Figure: rows and columns shuffled]

As you can see, our input of “topsecretmessage” was encrypted and the ciphertext output we received, “#@&j@wr$##fu@w%#”, is unrecognizable. This is a simplistic example of an encryption process. The standard encryption processes used today contain longer and more complex transformation methods. Encrypting data is a complex process, and the art of cryptography relies on a community to test and audit cryptographic code.
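As an added illustration (not code from the article or from SpiderOak), here is the three-step toy cipher described above implemented in Python: cut into blocks, substitute through a lookup table, then shift rows and columns, together with the inverse steps so the ciphertext can be decrypted again. The symbol set, the lookup table and the seed used to build it are constructed for this demo, so its output differs from the “#@&j@wr$##fu@w%#” in the figures; a `rounds` parameter repeats the process, as the article notes real ciphers do. It is a teaching toy and provides no real security.

```python
"""Toy block cipher mirroring the three steps described in the article:
1. cut the plaintext into 4x4 blocks, 2. replace every character through a
lookup table, 3. rotate the rows and then the columns.  Added teaching
example, not code from the article or from SpiderOak; the lookup table is a
constructed permutation, so the ciphertext differs from the article's."""

import random
import string

SIDE = 4                                    # 4 x 4 block = 16 characters
SYMBOLS = "#@&$%^*()+=~?<>/|{}:;!-_[],"     # constructed "crypto characters"
ALPHABET = string.ascii_lowercase + " " + SYMBOLS   # 54 distinct symbols
assert len(set(ALPHABET)) == len(ALPHABET)

# Constructed lookup table: a fixed pseudo-random permutation of ALPHABET.
# The seed only makes the demo reproducible; it is not a key in any real sense.
_perm = list(ALPHABET)
random.Random(2014).shuffle(_perm)
SUB = dict(zip(ALPHABET, _perm))            # plaintext char -> cipher char
INV = {v: k for k, v in SUB.items()}        # cipher char -> plaintext char


def to_blocks(text):
    """Step 1: pad with spaces to a multiple of 16 and cut into row-major 4x4 grids."""
    size = SIDE * SIDE
    text = text + " " * (-len(text) % size)
    return [[list(text[i + r * SIDE:i + (r + 1) * SIDE]) for r in range(SIDE)]
            for i in range(0, len(text), size)]


def substitute(block, table):
    """Step 2: replace each character using the lookup table."""
    return [[table[c] for c in row] for row in block]


def rotate(seq, k):
    """Rotate a list left by k positions (negative k rotates right)."""
    k %= len(seq)
    return seq[k:] + seq[:k]


def shift_rows(block, direction):
    """Step 3a: rotate row r by r positions (direction -1 undoes +1)."""
    return [rotate(block[r], r * direction) for r in range(SIDE)]


def shift_cols(block, direction):
    """Step 3b: rotate column c by c positions, then re-assemble the rows."""
    cols = [rotate([block[r][c] for r in range(SIDE)], c * direction)
            for c in range(SIDE)]
    return [[cols[c][r] for c in range(SIDE)] for r in range(SIDE)]


def encrypt(plaintext, rounds=1):
    """Apply substitute -> shift rows -> shift columns, `rounds` times per block."""
    if any(c not in SUB for c in plaintext):
        raise ValueError("plaintext must only use characters from ALPHABET")
    out = []
    for block in to_blocks(plaintext):
        for _ in range(rounds):
            block = shift_cols(shift_rows(substitute(block, SUB), 1), 1)
        out.append("".join("".join(row) for row in block))
    return "".join(out)


def decrypt(ciphertext, rounds=1):
    """Undo the steps in reverse order: columns, rows, then the lookup table."""
    out = []
    for block in to_blocks(ciphertext):
        for _ in range(rounds):
            block = substitute(shift_rows(shift_cols(block, -1), -1), INV)
        out.append("".join("".join(row) for row in block))
    return "".join(out).rstrip(" ")         # drop the padding added in to_blocks


def show(block):
    """Render a block as a grid, like the figures in the article."""
    return "\n".join(" ".join(row) for row in block)


if __name__ == "__main__":
    msg = "topsecretmessage"
    ct = encrypt(msg)
    print(show(to_blocks(msg)[0]) + "\n->\n" + show(to_blocks(ct)[0]))
    print("ciphertext:", ct, "| recovered:", decrypt(ct))
    print("3 rounds:", encrypt(msg, rounds=3))
```

Because every step is a bijection, decryption is just the same steps run backwards with the inverse table and opposite rotation direction; that reversibility, not the unreadable look of the output, is what makes it a cipher rather than a hash.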

According to Oberman, the reason cryptography isn’t standard practice is that “cryptography is really hard math”; it’s not something that every developer has in their toolbox. There are currently no out-of-the-box tools for developers to create cryptographically sound applications. Each developer must work out for themselves how to use and implement data encryption, which is no small feat.

Oberman and the boffins at SpiderOak are working on one of the first open-source, cryptographic application frameworks called Crypton. The goal for Crypton, or another crypto application framework like it, is to become a standardized tool for developers. Oberman envisions privacy as the platform on which all cloud services are built, and cloud companies competing to provide the most innovative services such as the SpiderOak private chat application rumored to be in the works.

Privacy > Data Encryption

Two algorithms, DES (Data Encryption Standard) and SHA (Secure Hashing Algorithm), are dinosaurs in terms of technology and have not been suitable for security purposes for some time. All too often following a data breach we have seen companies using these algorithms to store consumer data. Or worse yet, we find that companies have been storing data in plaintext. Before committing your data to any cloud service find out if stored data is encrypted and using which encryption algorithm.

Encrypt Data at Rest with AES –  Using the world’s most powerful supercomputer it would take 319 quadrillion years to crack data encrypted with AES-128. Data encrypted using AES will be secure beyond the end of time as we know it. 

Cybercriminals prefer to monitor insecure internet connections and steal unencrypted data in transit rather than spend time hacking individual devices and servers only to steal unusable, encrypted data. Data being transferred between your device and cloud servers requires its own type of encryption.

Data in Transit Requires an SSL – An SSL certificate encrypts data transferred between your computer and the cloud server. HTTPS in the address bar indicates a secure SSL connection.

Data encrypted with SSL is decrypted once it arrives at the cloud server and exists briefly in plaintext before it is encrypted for storage. Client-side encryption prevents rogue employees from accessing your cloud data, prevents a cloud service provider (such as Microsoft) from scanning the content of your data, and secures your data from government spy programs and overreach.

Client-Side Encryption – Client-side encryption means that data is encrypted locally on your device. This style of data encryption ensures the utmost privacy; no one can access your data without your password, not even the cloud service provider.

Your Password Is Key

Cracking encrypted data is like trying to break into a lead vault with a plastic fork; it would be much easier to steal the key and open the door. Passwords are often the weakest link. A strong password does not contain real words, uses both upper and lower case letters, and contains both symbols and numbers. Create an acronym from an easy-to-remember phrase (example: “we’re gonna need a bigger boat”), then give it some pizzazz with special characters (example: WgNaBb_/\_\0/_).

The Illusion of Free: Data Collection & Data Sharing

It is said that “there is no such thing as a free lunch;” even those offering free services need to eat. An increasingly popular business model to monetize free services is to collect and sell user data to advertisers to “serve personalized advertising to you.”  Exactly what data is collected and how it is used must be disclosed in the service’s Terms of Service or Privacy Policy.

Among the most commonly collected data is browser cookies which are used to track web activity. To prevent advertisers from monitoring your web activity you can:

  1. Disable cookies in your browser. Keep in mind that some services rely heavily on browser cookies and “(i)f you do not accept cookies… you may not be able to use all aspects of the service.”
  2. Install a browser add-on such as DoNotTrackMe to monitor and block tracking cookies for individual websites.
  3. Opt-out of cookie advertising from nearly 100 companies by following this link: NetworkAdvertising.org.

Data Privacy Laws

In the US the Electronic Communications Privacy Act is the most recent federal regulation regarding the privacy of electronic consumer data. The ECPA was passed in 1986, before the internet had even been invented. Over 27 years later, the ECPA is still the only federal legislation protecting consumer privacy online.

Under the ECPA a warrant is required to access electronic communications (emails, text messages, shared data, etc.) that are less than 180 days old. However, a warrant is not required for electronic communications more than 181 days old. This information is considered to be in “storage” and can be obtained with a subpoena. The ECPA protects electronic communications only and does not protect the privacy of data stored online such as “photos or Google docs.”

In November of 2013 the UN passed a resolution entitled “The right to privacy in the digital age.” In this resolution the UN “(a)ffirms that the same rights that people have offline must also be protected online, including the right to privacy.” As pioneers of the digital age we have the unique opportunity to shape the kind of legislation that will protect the public for generations to come. The ACLU and many other organizations are fighting for our digital rights, take a moment and join the movement for digital privacy. If you feel strongly about your digital privacy (and I hope you do) send an email in support of digital privacy legislation to your state Congressman or Senator. ♦


James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email: James@ArmorforAndroid.com; Twitter: @James_AfA


The 25 Most Common Passwords of 2013

By James Green ~ January 20th, 2014 10:41 PM MST


Rumor has it that the inspiration for the painting popularly known as “The Scream” by Edvard Munch was the incredibly widespread use of terrible passwords. Obviously that’s a slight fabrication of the truth, but the 25 most commonly used passwords of 2013 are certainly worthy of a good long scream. In 2013 the password “123456” reclaimed the throne as the #1 most commonly used password for the first time since 2010; overall the top five offending passwords may have found a new order but otherwise remain unchanged.

The list of 25 most commonly used passwords in 2013 is produced annually by SplashData. This year’s list has been strongly influenced by the immense number of passwords leaked in the highly publicized Adobe data breach, which exposed roughly 150 million usernames and passwords. This large new data set of passwords has exposed a trend where many consumers have started to create passwords specific to each service, such as “adobe123”. Security professionals have long encouraged consumers to use a different password for each account, so that a single password lost in a data breach does not compromise all other password-protected accounts. However, the service-specific passwords listed below are not exactly what security professionals had in mind; always avoid using the name of the company or product in your password. If there is nothing else positive to take away from this list, at least it is encouraging to see a trend where people are using different passwords for different accounts.

In 2013 there were fifteen frustratingly awful passwords that maintained a spot from last year’s list; thirteen of these have danced up and down the list to find new rankings and two remain completely unchanged. Finally, there are ten newcomers who have been unceremoniously added to the list of 25 most common passwords of 2013. Without further ado:

The 25 Most Common Passwords of 2013

  1. 123456 (Up 1)
  2. password (Down 1)
  3. 12345678 (Unchanged)
  4. qwerty (Up 1)
  5. abc123 (Down 1)
  6. 123456789 (New)
  7. 111111 (Up 2)
  8. 1234567 (Up 5)
  9. iloveyou (Up 2)
  10. adobe123 (New)
  11. 123123 (Up 5)
  12. Admin (New)
  13. 1234567890 (New)
  14. letmein (Down 7)
  15. photoshop (New)
  16. 1234 (New)
  17. monkey (Down 11)
  18. shadow (Unchanged)
  19. sunshine (Down 5)
  20. 12345 (New)
  21. password1 (Up 4)
  22. princess (New)
  23. azerty (New)
  24. trustno1 (Down 12)
  25. 000000 (New)

Using a password from the above list to protect any online account is a huge security risk. Identity theft has become a prominent threat making it important to protect all of your personal information in every account. Creating a strong password is much easier than recovering from a stolen identity.

Strong passwords should not contain any real words, as these make them more susceptible to dictionary-based attacks. Serious hackers include common alternate spellings in their cracking dictionaries, so using a number to replace a letter in a real word, such as “pa55w0rd”, is also discouraged.

Create an acronym of a memorable phrase, such as lyrics from your favorite song: “I wanna rock and roll all night.” Use both upper and lower case letters in your acronym, “IwRaRaN”, then add special characters to your password. Even special characters can be memorable; all you need to do is make them fun: IwRaRaN\,,/(*-*)\,,/

Make sure your accounts and sensitive information are secure and don’t use any passwords from the above list. Create a strong, memorable password and protect your identity! For more information about the SplashData password list for 2013 follow this link. ♦


Android Malware Outlook for 2014

By James Green ~ January 17th, 2014 12:32 AM MST


In 2013 cybercriminals took to the Android platform and accomplished some startling feats: Android threats surpassed the 1 million mark, ransomware made the jump from desktop to Android, and Android represented 99% of all mobile malware. Android malware has become the Justin Bieber of mobile malware: both are hugely popular and we wish they would just go away. In the coming year cybercriminals will be keen to exploit the Android platform further and we expect to see the malware trends from 2013 continue.

The exact number of Android threats discovered prior to 2013 varies between reports but on average the number of threats for the Android platform was about 300K. By the end of 2013 the number of threats had more than tripled and surpassed 1 million. This growth rate of approximately 300% in 2013 is down from the 600% in 2012 but the total number of threats discovered has drastically increased. We expect that the growth rate trend will continue and the number of total Android threats will increase by approximately 150% resulting in 2.5 million Android threats by the end of 2014. 

[Figure: Android OS Distribution as of 1/16/2014]

New Android security vulnerabilities are being discovered by the hacker community due to growing attention to the platform. In 2013 the highly publicized MasterKey Exploit left a reported 900 million devices vulnerable to attack. This exploit allowed malware authors to hijack legitimate applications and insert Trojan code that could steal an incredible amount of user data. The exploit was patched in an Android OS update but the OS update system is inherently flawed and nearly 8 months later only 9.2% of Android devices have received and installed the necessary update.

I predict that the Android OS update model will one day result in a massive data breach but it seems until that day the system will remain flawed. Android devices manufactured by Google receive OS updates immediately upon release but other manufacturers and carriers withhold the updates to customize the operating system and install their own proprietary software and applications. The additional steps in the manufacturer and carrier update process can lead to months and months of delay before the update is finally published, all the while the customers are left exposed to any security vulnerabilities that remain un-patched. We can only hope that it does not take a data breach the size of the recent Target data breach to bring actual change to the Android OS update structure.

As the Android platform grows in popularity and our lives become increasingly intertwined with our mobile devices, we will see more sophisticated cyber criminals targeting Android and producing some very dangerous threats. Discovered in 2013, the Obad Trojan exploited previously unknown security vulnerabilities and was the culmination of all the most sophisticated Android malware techniques. One such previously unknown vulnerability prevented victims from being able to uninstall the threat from their device; this is the first example of this type of behavior on the Android platform. Obad is the most complex Android threat to date, but because of the growing popularity of Android it won’t be long until Obad is surpassed by another threat.

Ransomware has been growing on the desktop platform for about two years; this form of malware locks victims’ computers, encrypts the data, and demands payment to regain access. In the 2nd quarter of 2013 ransomware made the jump from desktop to Android. Android ransomware threats cannot yet lock a device or encrypt the data, but in 2014 we expect that Android ransomware will become increasingly sophisticated and will likely develop these characteristics.

Common Sense Security Steps

Smartphones no longer just contain contact phone numbers; they also provide access to personal photos, emails, business documents, and your bank and social media accounts. Through the course of 2014 and beyond it will become increasingly important to know how to recognize and avoid Android security threats. Armor for Android strongly recommends using an antivirus application but also encourages education about Android threats so that you can use your Android device responsibly. This year make it a priority to be safe and secure when using your Android device.

  • Always check application permissions prior to downloading and installing an app
  • Use a PIN or Password Lock Screen to protect your information from unauthorized access
  • Setup a remote location/wipe application on your device
  • Backup your Android to protect yourself from data loss
  • Always think before sharing your location on social media, sometimes less is more
  • Stay up-to-date with updates as these often patch security vulnerabilities
  • Download and USE an antivirus application to protect your device and your information ♦


Mobile Security Checklist

By James Green ~ November 11th, 2013 7:09 PM MST

These days everyone has a smartphone or tablet; mobile devices are so integrated into our daily life we hardly even think of their inherent security or privacy risks… that is, until our device is lost, stolen, or broken. Suddenly, our lives come to a full stop. The precious information that we forgot to back up is gone forever, or our sensitive information is at the fingertips of a stranger. To make sure that you don’t experience the debilitating side effects of Lost-Phone Syndrome, or any other mobile device related syndromes, we have created the Mobile Security Checklist.

The idea is simple: if you take steps to back up and secure your mobile data you can prevent the panic if something ever happens to your device. The Mobile Security Checklist is a series of quick and easy changes that you can make to ensure that the information contained on your device is safe and secure in all situations.

Item #1: Secure Your Device with a Mobile Lock Screen

This is non-negotiable. Using a lock screen on your mobile device is the most basic form of mobile security and should be priority number one on all devices. You may not be James Bond but thieves and spies still want your device and the potentially valuable information it contains. Stop them in their tracks by preventing access to your mobile device to anyone who doesn’t know your secret mobile PIN number, pattern, or password.

Item #2: Don’t Download Apps You Don’t Know

Mobile malware has risen substantially in the past few years. Mobile malware uses social engineering to trick users so it is incredibly important to research all applications prior to download. To spot mobile malware always review permissions, research the developer, read user reviews and consider the download source prior to confirming the download.

Item #3: Back Up Your Data

In addition to the threat of a lost or stolen device there is the threat of a puddle, or a sink, or any body of water large enough to swallow your mobile device. Mobile devices and water go together like Chinese food and chocolate pudding. By backing up the information from your mobile device to a computer or online backup service you ensure that all of your photos, phone numbers, addresses, applications, etc. are safe even if you turn your mobile device into an expensive paperweight.

Item #4: Think Before Posting Your Location on Social Media

Don’t recklessly flaunt your location on social media; doing so allows other individuals to track your movement and broadcasts to the world that “you are not home,” thus advertising that your house and its contents may be ripe for the picking. Many mobile devices have the option to disable geo-location entirely, but doing so has its own drawbacks. Emergency services use geo-location to locate your device should you ever require assistance. The best way to be safe using geo-location is to think twice before you post your location on the internet: does the world really need to know your every movement?

Item #5: Set Up a Remote Wipe/Locate Application on Your Device

Should you ever find a sneaky thief has separated you from your device or that it has been lost, it is important to be able to locate the device and in extreme cases clear it of all of the information that it contains. There are a variety of free and paid applications available for all platforms that allow you to track the GPS location of your device via a web interface and, if necessary, wipe it clean of all the data it contains.

Item #6: Enable Automatic Updates

Updates to applications and your device operating system are often designed to patch newly discovered security vulnerabilities. Enabling the automatic update feature is an easy way to ensure that your mobile device will stay up-to-date with updates.

Item #7: Turn off Wi-Fi/BlueTooth When Not in Use

Free public Wi-Fi is a bad place to perform sensitive online tasks like online banking. There is a trove of applications that allow the least tech savvy users to sniff out login credentials over public Wi-Fi networks. There are other applications (often referred to as “Hack-Tools”) that allow individuals to access your mobile device via Wi-Fi or Bluetooth connections. It is good practice to turn off Wi-Fi and Bluetooth when not in use and to disable the auto-connect feature.

Item #8: Readily Display Alternate Contact Information

To assist good Samaritans who have found your lost mobile device you should readily display alternate contact information. Some mobile platforms actually have a setting that allows you to display contact information on the device lock screen. You can also take a picture of your contact information and set it as your lock screen wallpaper, or use the lo-tech option of a sticker on the back of the device.

Item #9: Download and Use an Anti-Virus Application

This isn’t available on all mobile platforms but it is important to use where available. Just like computers, mobile devices can become infected with malware. Using an Antivirus product will help you maintain a clean, malware free device.


Mobile Security Starts with a Lock Screen

By James Green ~ November 8th, 2013 11:38 PM MST

Have you ever come back from the bathroom to discover a friend posting an embarrassing status to your Facebook account from your phone? It happens… a lot! This is a lighthearted example of why everyone should protect their mobile device with a lock screen. These days mobile devices contain an incredible amount of sensitive data such as text messages, photos, emails and potentially credit card information. Using a secure form of screen lock is essential to protecting your sensitive information from unauthorized access, and to thwarting your prankster friends.

There are several kinds of lock screen features available for mobile devices and they offer varying levels of protection. It is important to know the difference between a secure lock screen and a weak lock screen. Along with protecting your information from unauthorized access, a secure lock screen makes your device less desirable to thieves. A mobile device that can’t be unlocked is of no use to anyone but the individual who knows the secret to unlocking it.

To begin with let’s take a look at the types of lock screen features that are the most secure. Then we will discuss the other lock screen styles that do not provide any real level of protection and thus should be avoided.

SECURE STYLES OF LOCK SCREEN

[Figure: finger grease revealing a lock screen pattern]

Pattern Style Lock Screen – A Pattern style lock screen requires the user to play connect the dots to create a pattern previously set by the device owner. This form of lock screen is very common and can offer a high level of protection. Be sure to use a complex pattern; don’t use an easy to guess pattern like an ‘X’ or a ‘C’. An important note about pattern style lock screens is that finger grease on the device screen can give away your pattern. In the picture above you can see that finger grease can remain on the screen and allow others to easily pick up the device and guess the lock screen pattern. It is good practice to wipe your screen clean to prevent your pattern being cracked.

PIN Style Lock Screen – In the same way you use a PIN number to protect your bank account you can use a PIN number to protect your mobile device, but they should absolutely be different PIN numbers. This lock screen feature is fully capable of protecting your mobile device from unauthorized access. Choosing a strong PIN number is essential; in a study done by DataGenetics.com using a sample size of 3.4 million four digit PIN numbers (digits 0-9) it was discovered that 1.7 million PIN numbers use only 4% of the 10,000 possible combinations. The best PIN numbers to use are random and contain no numeric patterns, keypad patterns, and no references to years or dates.

Password Style Lock Screen – Using a strong password to protect your device is one of the best ways you can prevent unauthorized access to your sensitive information and personal accounts. A strong password should include all of these features:

  • Is at least 10 characters long
  • Contains numbers, symbols, and upper and lower case letters
  • Does NOT contain words found in any dictionary, in any language (including names and slang words)
  • Is not a word spelled backwards
  • Is different from your other passwords

For tips on how to create a nuclear strength password that you will always remember see our other blog post about creating strong passwords.
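The password rules above, the 25-most-common list and the acronym method from the “25 Most Common Passwords of 2013” post, and the phrase example from the cloud privacy post, as an added Python example (not code from Armor for Android): `make_acronym` builds the alternating-case acronym the posts use, and `audit` reports which rules a candidate breaks, folding leetspeak back to letters so that “pa55w0rd” is caught as a dictionary word. The small `DICTIONARY` set is a constructed stand-in for a real cracking word list.

```python
"""Password audit against the rules in this post and the 25-most-common list
from the 2013 passwords post.  Added example, not code from Armor for Android;
DICTIONARY is a constructed stand-in for a real cracking word list."""

import string

# The 25 passwords SplashData reported for 2013, as listed in the earlier post.
COMMON_2013 = {
    "123456", "password", "12345678", "qwerty", "abc123", "123456789", "111111",
    "1234567", "iloveyou", "adobe123", "123123", "admin", "1234567890", "letmein",
    "photoshop", "1234", "monkey", "shadow", "sunshine", "12345", "password1",
    "princess", "azerty", "trustno1", "000000",
}
# Constructed stand-in for a cracking dictionary (real ones hold millions of entries).
DICTIONARY = {"password", "monkey", "shadow", "sunshine", "princess", "letmein",
              "admin", "photoshop", "adobe", "love", "rock", "night", "boat", "bigger"}
# Letter-for-digit/symbol swaps that crackers fold back before matching.
LEET = str.maketrans("4301$5@7!", "aeoissati")
MIN_LENGTH = 10


def normalize(password):
    """Lowercase and undo leetspeak so "pa55w0rd" compares equal to "password"."""
    return password.lower().translate(LEET)


def make_acronym(phrase):
    """First letter of each word, alternating upper/lower case as in the posts:
    "I wanna rock and roll all night" -> "IwRaRaN"."""
    initials = [word[0] for word in phrase.split()]
    return "".join(ch.upper() if i % 2 == 0 else ch.lower()
                   for i, ch in enumerate(initials))


def audit(password):
    """Return the list of rules the password breaks (an empty list means it passes)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    # One character of each class is required.
    checks = [
        ("no_upper", str.isupper),
        ("no_lower", str.islower),
        ("no_digit", str.isdigit),
        ("no_symbol", lambda c: c in string.punctuation),
    ]
    for name, test in checks:
        if not any(test(c) for c in password):
            findings.append(name)
    if password.lower() in COMMON_2013:
        findings.append("common_password")
    norm = normalize(password)
    if any(word in norm for word in DICTIONARY):
        findings.append("dictionary_word")
    if any(word in norm[::-1] for word in DICTIONARY):
        findings.append("reversed_word")
    return findings


if __name__ == "__main__":
    candidates = ["123456", "pa55w0rd", "drowssap",
                  make_acronym("we're gonna need a bigger boat") + r"_/\_\0/_"]
    for candidate in candidates:
        print(f"{candidate!r}: {audit(candidate) or 'passes all checks'}")
```

Run against the posts’ own examples, WgNaBb_/\_\0/_ passes every check, while IwRaRaN\,,/(*-*)\,,/ is flagged with `no_digit` because it contains no number; a checker applies the rules literally, so the phrase-plus-symbols method still needs a digit somewhere to satisfy the list above.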

WHAT NOT TO USE:

These forms of lock screen (or lack thereof) do not protect your device and potentially allow unauthorized access to your device, sensitive information, and linked accounts. Armor for Android recommends that you do not use these forms of lock screen on your mobile device.

No Lock Screen – Obviously this provides no protection.

Slide Style Lock Screen – This only requires someone to slide their finger across the screen; no real protection is offered by this feature. We’re fairly confident some well-trained animals may be able to crack this style of screen lock.

Face Unlock – This is actually a really interesting kind of lock screen, but it is not available on all devices and is unreliable. Face Unlock uses facial recognition software to match the user’s face to a predefined photo. The problem is that facial hair, glasses, makeup, lighting, etc. can all cause this feature to malfunction. If the face unlock feature is set up poorly it will even recognize the wrong person. If the face unlock fails to recognize the user it will default to another style of screen lock. This screen lock feature just isn’t worth using long term, but is certainly fun to play with. ♦


Android Malware Distributed by World’s Most Popular BitTorrent Client

By James Green ~ October 21st, 2013 11:46 PM MST

The world’s most popular BitTorrent client, Xunlei, recently discovered that employees had injected malicious code into the company’s software. It was found that Xunlei software was automatically downloading Windows and Android malware to devices. The employees responsible have since been exposed and released from their employment with the Chinese company. Reportedly, prior to the malicious code being discovered thousands of devices were infected.

The malware distributed by the Xunlei BitTorrent client was brought to light by security company ESET. Xunlei’s own legitimate security certificates were used to sign the Windows malware, which was automatically installed on devices as a plug-in to Microsoft Office software. The malware was invisible to the user and required no interaction during the installation.

If an Android device was attached to the infected Windows machine via USB, the BitTorrent malware would then attempt to install Android applications. The BitTorrent malware was observed installing three different Chinese Android market applications and an application that advertises phone calls at a discounted rate.

[Figure: the Android APKs installed by the malware. Photo Credit: ESET]

ESET security researcher Calvet said that “Overall, the motivation behind the installation of these particular mobile applications remains unknown.” While the applications installed did not appear to be inherently malicious, it is a significant concern that other Windows malware may be able to exploit a similar installation process to distribute other Android malware. Additionally, Calvet made a point to note “that [the applications] code is heavily obfuscated.”

To install these rogue applications, the attached Android device needed to have USB debugging enabled. This allowed the BitTorrent malware to use the Android Debug Bridge (a feature included in the Android software development kit) to silently install these applications without the user’s knowledge or consent. The USB debugging setting is used for development purposes but is also commonly used for other applications (e.g. screenshot applications, as noted by Calvet) and rooted devices running custom ROMs. Individuals with rooted devices find that their devices are at higher risk of malware infection through this avenue as well as many others.

Armor for Android detects these threats as Armor.Riskware.XunleiBit; the Windows malware is detected as W32/Kankan. If any of these threats are detected on your Android or Windows device it is recommended to uninstall them immediately. The full analysis by ESET Security Researcher Joan Calvet can be found here. ♦


The 2013 Most Dangerous Celebrity Search Term Awards!

By James Green ~ October 11th, 2013 8:13 PM MST

In 2013, there were 10 celebrities who were more likely than any others to return links to malicious websites in online search results. When these celebrities’ names were included with search terms such as “free downloads,” “free app downloads,” “nude pictures,” or other search terms the results frequently included links to websites containing spyware, phishing scams, and even Trojans. More than any other stars this year these 10 celebrities are the riskiest to search online.

[Photo: Lily Collins, by Gage Skidmore]

Riskiest celebrity to search for online: Lily Collins

Here are the runners-up for the Riskiest Celebrity to Search Online (for lack of a better term) Award:

  1. Emma Roberts
  2. Adriana Lima
  3. Jon Hamm
  4. Britney Spears
  5. Katy Perry
  6. Zoe Saldana
  7. Kathy Griffin
  8. Sandra Bullock
  9. Avril Lavigne

And the Winner of the 2013 Riskiest Celebrity to Search Online (for lack of a better term) Award is…

  1. Lily Collins

The Riskiest Celebrity to Search Online (for lack of a better term) Award is obviously not real, but it is a fun way to address a very real threat. Security firm McAfee conducts an annual survey on which celebrities are used by cyber criminals to lure unsuspecting victims to malicious websites. The results were recently released and there were many interesting things to take away from the research.

By far, women dominate the risky celebrity search results. The only male in the Top 10 was Jon Hamm, who crept in at #8. According to McAfee only two other men (Justin Timberlake #12, Patrick Dempsey #13) made it into the top 20.

Also interesting to note is that none of the top 10 celebrities from last year’s study returned to the Top 10 in 2013. This means cyber criminals are working to stay current with popular trends, including celebrity trends, to ensure that their malicious websites continue to have popular content that users are searching for.

The best way to prevent a malware infection is to avoid these celebrity search terms and other dangerous online activity (adult content, pirated TV shows, pirated movies, etc.). But, if you must know about these celebrities' lives, relationships, and break-ups, keep these tips in mind to avoid malicious websites.

Avoid downloads – Free downloads are the most prolific way to distribute malware. Avoid downloading content (songs, videos, apps) from untrustworthy websites.

Be cautious when searching trending topics – Cyber criminals will exploit popular topics that people are searching for to drive more traffic to malicious websites.

Never provide login credentials to access “exclusive” content – This is a common phishing scam designed to harvest your email address and a password. Cybercriminals prey on users who share passwords across several accounts; providing this information opens you up to identity theft.

Keep software and apps up-to-date – Updates are designed to patch security vulnerabilities. Staying current with updates will lower your risk of malware infection.

Stick to trusted sources – For news, downloads, and anything else your heart desires try to stick with websites that have a positive online reputation. Keep in mind, no reputation can be as dangerous as a bad reputation.

Use an Anti-Virus application – There are so many threats in the Android landscape; use an Anti-Virus application to ensure that you do not fall victim to Android malware. ♦



PSA: Be Safe When Using Public Wi-Fi

By James Green ~ September 23rd, 2013 11:06 PM MST

Public Wi-Fi is a great shared resource that allows numerous individuals to connect to the beloved World Wide Web. While sitting and sipping on coffee we can happily log in and check our emails or peruse our favorite online store and make a quick impulse buy. Public Wi-Fi provides entertainment while we are out and about in our daily lives.

From a different perspective, cyber-criminals see public Wi-Fi as a potential gold mine. Public Wi-Fi hotspots rarely have any security features, and traffic sent over these insecure network connections can be easily monitored. Sensitive information, such as usernames and passwords, sent over public Wi-Fi networks is at risk of being stolen and used without authorization. It is important to know how to use public Wi-Fi safely to protect yourself and your sensitive information.

If at all possible, forgo public Wi-Fi connections and use your mobile data plan. This is a more secure internet connection that cannot be easily monitored. However, if you need to use public Wi-Fi because you are approaching your mobile data plan limit or for another reason, be sure to keep these things in mind.

  1. Always verify the Wi-Fi network before connecting. If you are at a business that advertises free Wi-Fi ask an employee the name of their Wi-Fi network. It is becoming increasingly common for cyber-criminals to create free Wi-Fi hotspots in public areas in an attempt to lure unsuspecting victims into connecting. These victims are directly connecting to a malicious server that will monitor their activity and steal any information possible.
  2. Practice responsible web surfing while using public Wi-Fi. Limit your web surfing over public Wi-Fi to informational websites. Avoid using websites that request sensitive information such as login credentials and credit card information. While the website itself may be secure and trusted, the Wi-Fi connection is not secure. Any sensitive information sent over the Wi-Fi network can be intercepted and used to gain unauthorized access to your social media, email, or financial accounts.
  3. Use different passwords for each of your accounts. It may seem overbearing, but doing so prevents a widespread loss on multiple accounts if a single password is compromised. At Armor for Android we created a step-by-step tutorial on how to create a strong, unique password that is easy to remember by using a password formula.
  4. Use a secure connection. When surfing the internet via public Wi-Fi make sure you are using an HTTPS connection, not standard HTTP. Better yet, many devices have the ability to use a VPN (Virtual Private Network), which encrypts all information sent out over the network.
  5. Turn off Wi-Fi when not in use. This goes double for turning off the Wi-Fi auto connect feature of your device. This prevents your device from connecting to an insecure or even malicious Wi-Fi network without your knowledge.

Cyber-crime is becoming increasingly rampant; taking simple steps when using public Wi-Fi will help keep your sensitive information safe and secure. Being safe and responsible when using public Wi-Fi will help you avoid becoming a victim of cyber-crime. ♦



Create a Strong, Memorable Password Using a Password Formula

By James Green ~ September 12th, 2013 5:23 PM MST

Dear reader, this is never an easy subject to broach, and receiving criticism can be tough so we will deliver it as gently as possible with a revolutionary management tool called the “Compliment Sandwich”. We will say something good about you, talk about where you need improvement, and end with something good. Here it goes… You’re a fantastic reader, your password is terrible, and you look really great in that shirt. Phew, I think that went well.

Joking aside, the likelihood that your password is about as strong as a soggy noodle is quite high. It is equally likely that you are using one or two passwords across numerous accounts or still using the same password you created five years ago. These are what you call “bad password habits”. We are going to show you how to create a strong, unique password for each of your online accounts and give you the tools to easily remember all of your passwords.

Over the past several years many popular websites have been hacked and tens of millions of users’ passwords have been leaked. Using a single password across several accounts increases the risk of personal or financial loss should your login credentials be compromised in a data breach. At Armor for Android we conducted a companywide survey of who had been affected by data breaches. Participants were asked to visit PwnedList.com or ShouldIChangeMyPassword.com and enter all of their email addresses to see if any had ever been part of a data breach. We found that over 10% of participants had been victims of a data breach. For the individuals affected this was important knowledge that required immediate action. We encourage you to visit either website and check all of your own email addresses to see if your information has ever been part of a data breach. Let us know the results and participate in our Data Breach Survey.


If none of your email addresses have been affected by a data breach, that’s great news! Let’s take steps to create a strong, unique password for all of your online accounts so that in the future you are unlikely to experience personal or financial loss due to a data breach. If you do find that one of your email addresses has been compromised, it is incredibly important to go to the compromised email account and change your password. Do this immediately; we will show you how to create a strong, unique password for your accounts.

HOW TO CREATE A STRONG PASSWORD

Creating a strong, unique password is quick and easy with our password formula. It may appear complicated, but don’t fear: we have broken the password formula down step by step and will walk you through how to create your own. This is the password formula we will use to create our password.

PASSWORDBASE + COMPLEXCOMPONENT + UNIQUEID = STRONG PASSWORD

The PASSWORDBASE and the COMPLEXCOMPONENT will always remain the same to make your password easier to remember. The UNIQUEID is the only component of this formula that will change to create a unique password for each of your accounts. Feel free to change the order of these password components when creating your own password.

CREATING THE PASSWORD BASE:

The PASSWORDBASE is an acronym created from a group of memorable information. This acronym should be at least six characters long and contain an uppercase letter, a lowercase letter, a symbol and a number.

You can choose any group of information that is easy to remember, such as the first name of each of your immediate family members, the lyrics to your favorite song, or the cast of your favorite movie. We will create an example password using family members from the TV show Family Guy; we encourage you to follow along and create your own password with your own information.

  • Peter
  • Lois
  • Chris
  • Meg
  • Stewie

We have ordered the family members by age and created an acronym using the first letter of each name to create “PLCMS”. To increase complexity we include the number of children and create “PL#3CMS”. And finally, to incorporate both upper and lower case letters we have only capitalized the parents’ initials and the children’s initials will be lowercase, giving us “PL#3cms”. Very quickly we have created an easy to remember, strong PASSWORDBASE.

ADDING A COMPLEX COMPONENT:

Since the PASSWORDBASE will frequently contain mostly letters, the COMPLEXCOMPONENT should be numbers and symbols. Use information that you can remember easily to create a COMPLEXCOMPONENT at least three characters long. Here are a few examples:

  • Favorite player on your favorite sports team: #12
  • How old you were when you married: @30
  • A reminder to start your savings account: ^$!
  • Love: <3!
  • Heartbreak: </3
  • High five: 0/\0
  • Shark attack: _/\_\0/_
  • Shark attacking a cheerleader: _/\_*\0/*_

It’s surprisingly easy to create a COMPLEXCOMPONENT with three (or more) numbers and symbols that is easy to remember. Because we love Family Guy we used ‘<3!’ in our password, but it was hard to pass on the shark attacking a cheerleader.

CREATING A UNIQUE ID:

The UNIQUEID is the only component of the password that will change, and it should also be at least three characters. This component is a set of two rules that you can apply to the name of the website (i.e. Google, Facebook, Twitter, etc.) to quickly determine your UNIQUEID.

1.) SELECTION RULE – this is used to determine which letters will be included from the website name.

Example: “the first and last pair of letters of the website name”

  • Google = gole
  • Facebook = faok
  • Twitter = twer

2.) ENCRYPTION RULE – this rule is used to encrypt these letters so that the pattern is not obvious in the event an individual password is ever compromised.

Example: “move up one letter in the alphabet for each letter”

  • gole = hpmf
  • faok = gbpl
  • twer = uxfs

GO CHANGE YOUR PASSWORDS!

Using our password formula we have created the following complex password, which is easy to remember and can be customized for each online account.

PASSWORDBASE + COMPLEXCOMPONENT + UNIQUEID = STRONG PASSWORD

PL#3cms + <3! + hpmf = PL#3cms<3!hpmf
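The three components and the two UNIQUEID rules above, implemented as an added example (this is not code from the post or from Armor for Android). The selection rule (first and last pair of letters) and the one-letter alphabet shift are taken from the post; the handling of site names shorter than four letters and of z wrapping around to a, and the requirement check on the PASSWORDBASE, are my own assumptions.

```python
import string


def select_letters(site_name, head=2, tail=2):
    """SELECTION RULE from the post: keep the first `head` and the last `tail`
    letters of the website name (lowercased, non-letters dropped).
    Assumption: a name with head+tail letters or fewer is used whole,
    so no letter is counted twice."""
    letters = [c for c in site_name.lower() if c.isalpha()]
    if len(letters) <= head + tail:
        return "".join(letters)
    return "".join(letters[:head] + letters[-tail:])


def shift_letters(text, shift=1):
    """ENCRYPTION RULE from the post: move each letter `shift` places up the
    alphabet. Assumption: z wraps around to a; non-letters pass through."""
    out = []
    for c in text:
        if c.isalpha():
            alphabet = string.ascii_lowercase if c.islower() else string.ascii_uppercase
            out.append(alphabet[(alphabet.index(c) + shift) % 26])
        else:
            out.append(c)
    return "".join(out)


def unique_id(site_name, shift=1):
    """Apply the selection rule, then the encryption rule."""
    return shift_letters(select_letters(site_name), shift)


def base_meets_requirements(base, min_len=6):
    """The post's rule for the PASSWORDBASE: at least six characters with an
    uppercase letter, a lowercase letter, a number and a symbol."""
    return (len(base) >= min_len
            and any(c.isupper() for c in base)
            and any(c.islower() for c in base)
            and any(c.isdigit() for c in base)
            and any(c in string.punctuation for c in base))


def build_password(base, complex_component, site_name, shift=1):
    """PASSWORDBASE + COMPLEXCOMPONENT + UNIQUEID, in the post's order."""
    if not base_meets_requirements(base):
        raise ValueError("PASSWORDBASE does not meet the post's requirements")
    return base + complex_component + unique_id(site_name, shift)


if __name__ == "__main__":
    for site in ("Google", "Facebook", "Twitter"):
        print(site, "->", select_letters(site), "->", unique_id(site))
    print(build_password("PL#3cms", "<3!", "Google"))  # PL#3cms<3!hpmf
```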

The time has come to employ the techniques you have learned and go change your passwords! Dream up your own password base and find a complex component to include. Then develop your own super secret unique id rules. Using this password formula you will be able to create AND remember strong, unique passwords and protect your sensitive information online. ♦



Armor for Android Teams up with STOP.THINK.CONNECT

By James Green ~ September 4th, 2013 10:49 PM MST

(Infographic: Armor for Android mobile malware)

Armor for Android has joined the STOP.THINK.CONNECT initiative! The STOP.THINK.CONNECT initiative is designed to increase awareness of cybersecurity, promote online safety strategies, and engage the nation in a cybersecurity conversation. The initiative has been pioneered by StaySafeOnline.org, whose mission is to educate and empower users to be safe and responsible online.

Through close collaboration, Armor for Android and the STOP.THINK.CONNECT initiative have produced an info-graphic detailing the threat of Android malware in 2013. It was determined that the Android platform has been the favorite target of mobile malware authors for several years. In addition to malware targeting the most popular mobile operating system, malware also targets the most popular versions of the Android OS. To avoid being the target of Android malware users are encouraged to stay up-to-date with the most current versions of the Android OS.

Together, Armor for Android and STOP.THINK.CONNECT determined that the most prominent threats to Android users in 2013 are premium service fraud Trojans. This form of malware is designed to defraud and steal money by sending unauthorized SMS messages to premium rate SMS services or by connecting to premium rate telephone numbers without the device owner’s knowledge. The charges for these illicit activities are reflected in the user’s mobile phone bill and often go unnoticed until it is too late and the unauthorized charges have been paid in full.

To read more about the results of the collaboration info-graphic, visit the STOP.THINK.CONNECT blog article at StaySafeOnline.org! To stay up to date on the Android malware landscape, follow us on Twitter at @ArmorForAndroid and follow StaySafeOnline.org at @StaySafeOnline! ♦
