Thursday, February 4, 2016

Serious Security Problem With Chinese Phones

Your Chinese Smartphone Might Have A Serious Security Problem

The allure of a cheap smartphone can be hard to resist, especially as they’re now almost as capable as more expensive models. This is why formerly unknown Chinese manufacturers like Huawei and Xiaomi are rapidly overtaking more established, premium manufacturers like Samsung, Sony, and even Apple.
But, as in all things, you get what you pay for. A recently discovered vulnerability in many budget Chinese handsets, which could allow an attacker to gain root access, proves that adage. Here’s what you need to know.

Understanding The Attack

Many phones run SoCs (System on Chip) built by Taiwan-based MediaTek, one of the largest semiconductor manufacturers in the world. In 2013, it produced a phenomenal 220 million smartphone chips. One of its biggest sellers is the MT6582, which is used in a number of low-end smartphones, many of them produced by Chinese manufacturers like Lenovo and Huawei.
The MT6582 came with a debug setting enabled, which, according to the manufacturer, was used to test “telecommunications interoperability” in China.
While this was necessary for MediaTek to actually design the chip, and to ensure it works properly, leaving it on a consumer device represents an incredible security risk to consumers. Why? Because it allows an attacker, or a malicious piece of software, to gain root access to the phone.
From this, they would be able to modify and delete important system files and settings, spy on the user, and install yet more malware without the user’s consent. If an attacker wanted, they could even brick the phone, rendering it permanently unusable.
According to The Register, this vulnerability can only be executed on phones running version 4.4 KitKat of the Android Operating system.
The discovery of this vulnerability follows a similar flaw found in the OS keychain of version 3.8 of the Linux Kernel, which was disclosed by researchers in January. When exploited, this vulnerability would have allowed an attacker to gain root access of the machine.
This vulnerability affected virtually every distribution of Linux, as well as a plurality of Android phones. Thankfully, a fix was swiftly issued.

Put Down Your Pitchforks

Although phones from the likes of Lenovo and Huawei are especially affected, you shouldn’t blame them, even though it might seem appealing given that some of these manufacturers have a history of security-related improprieties.
Lenovo is especially guilty of this. In 2014, they broke SSL for all of their users with SuperFish. Then they burdened their laptops with unremovable, BIOS-based malware. Then they installed a creepy, Big Brother-esque analytics program on their high-end ThinkPad and ThinkCentre desktops.
But here, their hands are clean. For once. The blame lies squarely at the door of MediaTek, who shipped these chips to manufacturers with this setting enabled.

Am I Affected?

It’s worth pointing out that this vulnerability won’t have the same reach as the aforementioned Linux vulnerability. The vulnerability is only found on phones running on a chipset which didn’t ship on any phones released in 2015 and 2016.
It can also only be executed on phones running a very specific version of Android, which despite running on around one-third of Android phones, is by no means ubiquitous.
Despite that, it’s probably a good idea to check whether your phone is vulnerable. As it so happens, I own a budget Chinese phone – a Huawei Honor 3C, which was my main device until I jumped ship to Windows Phone in August.
First things first, I looked up the device on GSMArena. This is essentially the Encyclopedia Britannica of phones. If a major manufacturer released it, this website will provide thorough statistics about it. Information about the chipset used can be found underneath Platform. Sure enough, my Huawei phone contains it.
So, then I need to see whether I am running the affected version of Android. I opened Settings, and then tapped About Phone. This might be a bit different for your phone though. Manufacturers are known for customizing the settings menu.
Fortunately, my phone is running Android 4.2 Jellybean, which despite being long in the tooth, isn’t affected by this vulnerability.
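The same two-part check can be run against a saved `adb shell getprop` dump instead of GSMArena and the Settings menu. This is an added example, not part of the original article; the property names used to find the chipset (`ro.mediatek.platform`, `ro.board.platform`, `ro.hardware`) are assumptions about where a MediaTek build exposes it, and a "match" only means both of the article's conditions hold, not that the debug setting has been confirmed.

```shell
#!/bin/sh
# Added example: triage a getprop dump against the article's two conditions,
# MT6582 chipset AND Android 4.4 (KitKat).
# Usage (with a device attached): adb shell getprop | classify_dump

# Print one property's value from a getprop dump on stdin.
# Dump lines look like: [ro.build.version.release]: [4.4.2]
prop_value() (
    key=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/^\[$key]: \[\(.*\)]\$/\1/p" | head -n 1
)

# Read a dump on stdin and print: match, no-match, or unknown.
classify_dump() (
    dump=$(tr -d '\r')    # adb on older devices emits CRLF line endings
    release=$(printf '%s\n' "$dump" | prop_value ro.build.version.release)

    seen_chipset=no
    is_mt6582=no
    # Assumed chipset properties; any one naming the MT6582 counts.
    for key in ro.mediatek.platform ro.board.platform ro.hardware; do
        value=$(printf '%s\n' "$dump" | prop_value "$key" |
                tr '[:upper:]' '[:lower:]')
        if [ -n "$value" ]; then seen_chipset=yes; fi
        if [ "$value" = "mt6582" ]; then is_mt6582=yes; fi
    done

    if [ "$seen_chipset" = no ] || [ -z "$release" ]; then
        echo unknown          # dump is missing what we need; check by hand
    elif [ "$is_mt6582" = no ]; then
        echo no-match         # different chipset
    else
        case "$release" in
            4.4|4.4.*) echo match ;;      # MT6582 running KitKat
            *)         echo no-match ;;   # MT6582, but another Android version
        esac
    fi
)
```
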

If You Are Affected

While I was rather lucky, it’s safe to assume millions of phones will be affected by this. If you are, you’d be wise to purchase a new phone.
The Motorola Moto G is a great budget phone, produced by a manufacturer you can trust. You can get one on Amazon for just $110. As an added bonus, Motorola are rather speedy when it comes to issuing software updates, which Huawei is definitely not.
If you can’t afford to upgrade, you’d be wise to take some simple security precautions. First, try to avoid downloading software from disreputable sources. Avoid downloading pirated apps and warez like the plague. Stick to the Google Play store.
It’s likely that many of the affected users will be based in China, where the Google Play store isn’t available. Chinese consumers have to make do with other alternative app stores, many of which aren’t as vigilant at filtering malware out as Google is. Those consumers would be advised to be extra careful.

In Short: Be Afraid, But Don’t

This vulnerability is scary. It’s scary because it’s born from how a particular piece of hardware is configured. It’s scary because there are no steps a consumer can take in order to stay secure.
But it’s worth emphasizing that the majority of consumers won’t be affected. It only affects a limited number of devices, which were released by a handful of manufacturers around 2013 and 2014. Most people should be fine.
Were you impacted? If so, will you get a new phone? Or are you not all that concerned? Let me know in the comments below.

The Best Third-Party Password Managers for iPhone & iPad

Passwords can be one of the most frustrating parts of using modern technology. Assuming you follow basic online security principles and have unique passwords for every account, it’s nearly impossible to keep track of them all.
The easiest solution to this problem is to use a password manager on your phone or tablet. These apps store all of your passwords and sensitive information behind a master password, keeping them easily accessible but secure at the same time.
Unfortunately, iOS devices don’t come pre-loaded with a password management system that plays nicely with all platforms. If iCloud Keychain isn’t what you are looking for, then one of the other apps in this list might be a better option!
If you’re still a little foggy on why passwords need to be secure, what different types of encryption mean, or other password essentials, I highly recommend starting with Chris’ article on everything you need to know about passwords and our password management guide.

iCloud Keychain

Before you start downloading apps, it’s important to know the capabilities that your iPad or iPhone already has. The iCloud Keychain can (with permission) automatically store all of your Safari usernames and passwords, credit card information, and WiFi network information and share them between authorized devices. Supported devices are of course Apple devices (including Macs running OS X 10.10 Yosemite or later), and iCloud Keychain doesn’t extend to Windows or Linux operating systems.
For many users, this kind of password storage will be enough – it’s easy, it uses industry standard encryption, and it does everything automatically. If you want to change your iCloud keychain settings, they can be accessed under Settings > iCloud. Read more about what iCloud Keychain is, why you might want it and how to use it.
With that being said, if you’re looking for a password management strategy that goes beyond these features then one of these seven apps might be a better choice for you.

LastPass

Cost: Free, $12/year for LastPass Premium, or $24/User/Year for LastPass Enterprise (intended for team use)
Best Features: All of your passwords are securely contained behind a single master password, and can be auto-filled into your online accounts across browsers. Passwords are easy to save, search, and can be organized into folders. You can also use LastPass Free to create secure notes and generate new, secure passwords.
Security: AES 256-bit encryption and salted hashing.
Cons: A premium subscription is required to access syncing across devices, a family folder, and priority tech support. So while LastPass is technically “free” on iOS, it’s not really worth it unless you pay.


1Password

Cost: Free, or $13.99 for Pro Features
Best Features: The basic 1Password app is one of the only free password management options that allows you to sync your vault across devices and share your information across a team of authorized people using end-to-end encryption. You can also store usernames, passwords, credit card information, and notes in plain text, mark items as favorites, and generate new secure passwords.
Security: AES 256-bit encryption, a Touch ID option, and automatic locking to protect your information even if your device is stolen.
Cons: A Pro subscription is required to access other categories (including bank accounts and passports), multiple vaults, Apple Watch compatibility, and organization options like folders and tags.


RoboForm

Cost: Free for mobile app, pro license required on desktop or laptop if you store over 10 passwords ($9.95 for the first year, $19.95/year afterwards)
Best Features: RoboForm has been a trusted password management system for many years. The free version can be used across devices and synced with your desktop or laptop, fill web forms with a single click, generate secure passwords, and automatically log in to your web accounts. Your Master Password can be input with either a PIN or through touch authentication.
Security: AES encryption, BlowFish, RC6, or 3DES algorithms with an encryption key generated from your master password.
Cons: No secure password sharing, form fill doesn’t work with smartphone apps


oneSafe

Cost: $4.99
Best Features: oneSafe makes it easy to sort, edit, browse, and sync your categories across devices. Information can be synced via iCloud, Dropbox, or manually, and can be backed up via email, iTunes or Wi-Fi. Secure sharing is available, and oneSafe can also be used for documents, bank account details, and private photos and/or videos. This app is also more user-friendly and visually appealing than many of the other options available.
Security: AES-256 encryption algorithms. The master password can be a PIN, alphanumeric, pattern, combination lock, or TRI-PIN (combining numbers, colors, and symbols for increased security).
Cons: There are currently no browser extensions available and oneSafe is one of the “new kids on the block” when it comes to password managers.


MiniKeePass

Cost: Free
Best Features: If you aren’t familiar with KeePass, this article by Justin will help you understand the ins and outs of how it works. MiniKeePass is a third-party app developed to help you easily access your KeePass information from your mobile devices. Much like the original KeePass program, the source code for MiniKeePass is readily available so that you can check on the encryption algorithms yourself. MiniKeePass is a no-frills program that offers you a password generator, an integrated web browser experience, and Dropbox compatibility.
Security: AES and Twofish algorithms used for data, Touch ID lock option.
Cons: While this app’s no-nonsense approach to password management is part of what attracts many of its users, it also means that it may not have all the features you are looking for. There’s no syncing included, which means you’ll have to import a KeePass file from a cloud storage service each time you update your passwords. That also means you can’t make changes from within the iOS app and sync them with your main machine. In addition, the app tends to be updated less frequently than many other password managers available.


Keeper

Cost: The app itself, and storage on your device, is Free. For an Unlimited Sync and Backup subscription the cost is $29.99/year.
Best Features: Keeper is one of the most popular apps in this list because of its large array of features (including a password generator, one-click login, and private file, photo and video storage). The app has an auto logout timer for theft prevention, self-destruct protection, an integrated Apple Watch app, and Touch ID login.
Security: Everything in your vault is encrypted using AES-256 encryption, and the app is TRUSTe and SOC-2 Certified.
Cons: Keeper’s cost is higher than many other apps with similar features, there is no password strength report, and form fills often require multiple steps instead of a single click.


Dashlane

Cost: Free, Premium is $39.99 (in-app purchase)
Best Features: Stores passwords, notes, credit card information, ID details, and itemized receipts in one safe place. Auto-login and strong password generation features are included, you can receive notifications for potential security breaches, and you can instantly change your passwords to make your accounts safer with the “Password Changer” feature. Data can be stored locally or backed up in the cloud, and Dashlane is compatible with Apple Watch.
Security: AES-256 encryption, a Touch-ID lock option, and auto-lock after inactivity.
Cons: Premium is required for instant sync across devices, a secure cloud backup of your passwords, and web app access. Unfortunately, the Dashlane Premium subscription is also one of the more expensive options available.

What is the Best Password Manager for You?

It might seem counter-intuitive to trust your passwords to an app or a browser add-on, but password managers are a safer choice than writing your passwords on scraps of paper or using the same alphanumeric combination for all of your accounts.
When it comes to choosing the password manager app you want to use it will definitely be a matter of personal preference! Explore the apps above and look for the option that best fits your needs with regards to price, security, aesthetics, and function.
Have you used any of the password managers above? What has your experience been? I’d love to hear about it in the comments!

Is It Time To Replace Your Mac?

4 Signs It’s Time To Replace Your Mac

It’s no secret that Apple hardware lasts a long time. Eventually, however, the time comes when your Mac may outlast its usefulness, becoming obsolete.
It’s generally pretty obvious when it’s time to replace your computer, but just in case you’re unsure, here are four signs that it might be time for a trip to the Apple Store.

Your Applications Are Getting Slower

We say: Software applications tend to get bigger and more demanding with time. Eventually, your Mac won’t be able to keep up with those demands. In the short-term, you can slide back to an earlier software version to help with performance. Unfortunately, even this option becomes prohibitive at some point — especially if you want new features and functionality.
There are a few things you can do to speed up your Mac. For one, you can free up space on your hard drive by removing unwanted files. There are plenty of ways to do this, from emptying your trash can to removing entire libraries.
The number of Startup applications on your Mac can also slow it down. You can take a look at your login items and remove those that aren’t needed. You can find these in System Preferences > Users & Groups, and then by clicking on your username. Next, click on Login Items and the name of an application you don’t need to launch during startup. Finally, click the “-” symbol located below the list to the left, thereby removing the application.
To make your Mac run faster, you can also see which applications are running in the background using Activity Monitor. Some of these applications can take up a lot of processing power. To access Activity Monitor, open up your Applications folder and then your Utilities folder. From here, open Activity Monitor and take a look at the list of apps and processes that are running on your Mac in real-time.
From here, click on the Memory tab at the top and then the Memory filter at the top of the list. Under this view, programs are sorted by the amount of available RAM they are using. To stop an application, click on it and then select the gray “x” icon located at the top-left corner of the window. When in doubt, don’t stop an application or process.
You can also reinstall OS X for a squeaky-clean Mac. Eventually you will get tired of juggling your Mac’s processes, and that’s when you might want to consider an upgrade.

Your Computer Won’t Run The Latest OS X

We say: Apple wants us to be using the latest version of OS X on our Macs, providing it for free. When a Mac can’t run the latest version, it’s only a matter of time before a new purchase becomes a necessity.
Apple releases a new version of OS X each fall. The current version, OS X 10.11 El Capitan, is compatible with most Macs manufactured since 2007, including:
  • MacBook (Early 2015)
  • MacBook (Late 2008 Aluminum, or Early 2009 or newer)
  • MacBook Pro (Mid/Late 2007 or newer)
  • MacBook Air (Late 2008 or newer)
  • Mac mini (Early 2009 or newer)
  • iMac (Mid 2007 or newer)
  • Mac Pro (Early 2008 or newer)
  • Xserve (Early 2009)
If your Mac isn’t on this list, the time has come to consider making a new purchase. The reason for this is two-fold. First, along with not being able to run El Capitan, your Mac has probably been downgraded by Apple to “vintage” or “obsolete” status. Vintage products are those manufactured more than five and less than seven years ago.
Apple discontinues hardware service for vintage products, which means they won’t be able to get your Mac fixed for cheap if things go wrong. You may be able to get work done from non-Apple service points though.
Obsolete products are those discontinued for being more than seven years old. At this point, service providers can no longer order parts.

Components Don’t Work, Are Too Expensive

We say: Parts for Macs are expensive. Luckily, they typically last a long time. When a part needs replacing, you need to decide whether it’s worth the cost. Much of the time a better solution may be purchasing a new Mac.
You can certainly continue to use your MacBook when the battery dies by plugging it into a wall for power. However, this isn’t a great long-term solution, as a faulty battery could indicate that other system components are about to break. Although Apple offers a battery replacement program, this can be expensive.
In recent years, Apple has made it nearly impossible for end users to replace Mac parts, including batteries (which are now glued to the logic board), hard drives, and memory. In doing so, the prices for these components have steadily increased because of the added labor costs. Ultimately, the choice comes down to whether you’re willing to pay the price.
When faced with an eye-watering bill for a new logic board or laptop display, ask yourself: would I be better off putting that money toward a new Mac that’s likely to have a greater life span in the long term?

The Timing is Right

We say: Sometimes it’s worth waiting to make a new Mac purchase.
Most Macs receive an update on a yearly basis. When eying a purchase, it’s best to buy the most-current model available. It’s also a good idea not to buy a new Mac right before a new model is announced — for the same money you could have a faster machine, with better features and a potentially longer life span in terms of support.
The MacRumors Buyer’s Guide is an excellent resource for making sure you don’t fall foul of Apple’s update cycle. It provides some insight about when an update is likely arriving for each Mac model, based on historical trends and industry news.
If your Mac is already dead and you can’t wait, it’s a good idea to always buy the latest model available. Saving some money on an earlier model may sound tempting, but it could cost you in the long-run. The older the model, the closer it becomes to being vintage or obsolete, regardless of when you purchased it.
That said, we acknowledge that not everyone can afford to buy the latest model. For those of you who find yourself on a tight budget, there are a few things you can do to buy a Mac on the cheap.

Enjoy the Process

Buying a new Mac can be an enjoyable and frustrating process, all rolled into one. Because Apple’s hardware is generally of a high quality, however, we don’t have to replace our Macs all that often.
How often do you replace your Mac and why?
Image Credit: Kaspars Grinvalds via Source:
