Lookout for Android Can Now Find your Phone Even When the Battery is Dead

Last week I told you that Lookout, the popular security app for Android, was teasing a big announcement for this week.  Today their new update began rolling out to users and it came with several new features, but the one getting the most attention is called “Signal Flare”, which allows users to locate lost phones, even when the battery has died.

Signal Flare works by frequently flagging the location of your device so that if the battery dies, or is removed by a thief, you stand a better chance of still being able to locate it.  The company claims to locate thousands of phones every day for their users, but that when the service fails a battery is to blame in 30 percent of the cases.

While Signal Flare is the hot item in version 3.0 of the app, it’s not the only improvement.  Lookout also rolled out a new user interface, an “Activity Feed” that lets you see what’s going on in a single glance at the app dashboard and a “Safe Dialer” protection which protects against dialer-based attacks, such as the one recently seen hitting the Galaxy S3.

For all of these improvements, Lookout remains a free app (there is a premium version as well).  Version 3.0 is now live in the Google Play Store.  If you already have the service installed then you likely have received the update pushed to your device automatically.

NOTE: I should also, in fairness, note that Avast also produces a very good, and free, mobile security app.  Thanks to Milos over at Avast for pointing it out to me following my post last week.

Lookout for Android Has Something Big Planned

While the vast majority of Android users will probably never need to worry about malware contaminating their smartphone, it never really hurts to play it safe by installing something like Lookout.  If you install non-Google Play Store apps then this can be especially important to you and Lookout is perhaps the best option in this genre of mobile software.  If you are already a Lookout user then you may have received a teaser in your email inbox today.

There wasn’t much, well actually any, information about what is coming.  It was a simple announcement that stated “Only 7 more days.  GET FIRED UP!  We’re taking mobile security to the next level. Stay tuned!”  Lookout already works as an anti-virus, lets you back up your data, scans each download, scans new files on your SD card and provides a phone locator service.

So, what could they possibly have in store?  A couple of things come to mind, such as scanning the sites you visit in your mobile browser or perhaps scanning shortened URLs received in email and texts.  While both of those things would be handy, they don’t seem big enough to warrant a teaser such as this.  We’ll know for sure next week.  In the meantime, if you would like to check out the app then head over to the Google Play Store where it’s available for free.

Create a One Time Email Using Gli.ph

There is a good chance that you have read about the problem of Matt Honan, who was hacked by individuals who used social engineering to do it. One of the things that Matt admitted was that he used the same email address for everything, and in terms of security that might not have been a good idea. Are there times when you are purchasing something from someone, maybe on Craigslist or through a site you are not familiar with, and they ask for your email address? You are reluctant to give it to them, so perhaps you give them what I call a junk email address, an email address that you specifically set up to give to online merchants. That is what I do. This works until you forget that is the email you gave them, and you are wondering why you didn’t get that package you ordered while there is an email sitting in your alternative folder saying the item is out of stock. Wouldn’t it be nice to be able to give out a fake email so you could get the information you need and then delete that email address and never worry about hearing from them again? That is one of the ideas behind Gli.ph.

The first thing that you will need to do is sign up on the Gli.ph service and download the app on your iPhone. If you are using an Android phone you will have to use the mobile web app for creating the cloaked email address. At the upper left hand corner of the app or mobile Web site you will see a figure that looks like a wizard; click on it. If you haven’t already done so, you will need to confirm your email address. At that point you will be given a cloaked email address. When you are ready to send someone an email, just click on send cloaked email. There is space for recipient, subject and message. To start off with there is no way to add an attachment; you earn that right by getting five of your friends to join Gli.ph. Once you are done, hit the send button. The receiver will see your cloaked email address. Their reply will first go to the cloaked email address and then be forwarded to your real email address. This is where the real magic comes in: now you can reply to their email through your actual email client and address, and the recipient will only see your cloaked email address. Gli.ph will strip out all information that gives away your real email address from the header. Once you are finished communicating with the person or site, simply delete the cloaked email address. Now when they try to send you an email through that address, it simply disappears into space. Gli.ph uses HMAC-SHA1 hashes, and stores cloaked email addresses encrypted using AES-256 encryption. They do not store or see the email when it goes through them; it lives only in memory during the time it is passing through.
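To make the forwarding and header-stripping behaviour concrete, here is an added illustration (not Gli.ph’s own code) of a minimal cloaked-address relay built on Python’s standard email package. The relay domain cloak.example, the alias names and the sample messages are all constructed for the demo.

```python
import email
from email import policy
from email.message import EmailMessage

RELAY_DOMAIN = "cloak.example"   # constructed stand-in for the relay's domain

# Headers that can reveal the real mailbox or its mail path. They are not
# copied onto outbound replies; From/To/Reply-To are rewritten instead.
DROP_ON_REPLY = {"received", "return-path", "sender", "x-originating-ip",
                 "x-mailer", "message-id", "dkim-signature",
                 "from", "to", "reply-to"}


class CloakRelay:
    """Maps cloaked addresses to real ones and rewrites mail both ways."""

    def __init__(self):
        self._aliases = {}   # cloaked address -> real address

    def create_alias(self, real_addr, label):
        cloaked = f"{label}@{RELAY_DOMAIN}"
        self._aliases[cloaked] = real_addr
        return cloaked

    def delete_alias(self, cloaked):
        self._aliases.pop(cloaked, None)

    def inbound(self, raw):
        """Third-party mail sent to a cloaked address. Returns the message to
        deliver to the real mailbox, or None once the alias has been deleted."""
        msg = email.message_from_string(raw, policy=policy.default)
        cloaked = msg["To"].addresses[0].addr_spec
        real = self._aliases.get(cloaked)
        if real is None:
            return None              # deleted alias: mail simply disappears
        fwd = EmailMessage()
        fwd["From"] = msg["From"]
        fwd["To"] = real
        fwd["Subject"] = msg.get("Subject", "")
        fwd["Reply-To"] = cloaked    # replies from the real client return here
        fwd.set_content(msg.get_content())
        return fwd

    def outbound(self, raw, cloaked):
        """Reply from the real mailbox, routed through the relay. Returns what
        the third party receives: cloaked From, leaky headers removed."""
        msg = email.message_from_string(raw, policy=policy.default)
        sender = msg["From"].addresses[0].addr_spec
        if self._aliases.get(cloaked) != sender:
            return None              # only the alias owner may send as it
        out = EmailMessage()
        for name, value in msg.items():
            if name.lower() not in DROP_ON_REPLY:
                out[name] = value
        out["From"] = cloaked
        out["To"] = msg["To"]
        out.set_content(msg.get_content())  # body is passed through unchanged
        return out


# Constructed sample messages for the demo below.
SAMPLE_INBOUND = ("From: seller@shop.example\nTo: buyer7f3a@cloak.example\n"
                  "Subject: Order\n\nStill available?\n")
SAMPLE_REPLY = ("From: me@real.example\nTo: seller@shop.example\n"
                "Subject: Re: Order\nMessage-ID: <x@mail.real.example>\n"
                "Received: from laptop.real.example\n\nYes, it is.\n")


def demo():
    """Returns (forwarded inbound, rewritten reply, inbound after deletion)."""
    relay = CloakRelay()
    cloaked = relay.create_alias("me@real.example", "buyer7f3a")
    fwd = relay.inbound(SAMPLE_INBOUND)
    reply = relay.outbound(SAMPLE_REPLY, cloaked)
    relay.delete_alias(cloaked)
    return fwd, reply, relay.inbound(SAMPLE_INBOUND)
```

Note that only headers are scrubbed: anything you type into the body (a signature with your real address, for instance) still reaches the recipient.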

Right now the biggest complaint I have against Gli.ph is that on Android you have to use the mobile Web site to create a cloaked email address. On iOS you can do it directly in the application. Other than that I really like Gli.ph; there have been several times when I have been reluctant to give someone my real email address, and now I don’t have to.

Protecting Your Digital Assets

Mat Honan’s story (as covered by Todd in the latest podcast) showed me that the strongest password in the world is worth nothing if it can be reset by a straightforward social engineering-based attack. I’m sure Apple and Amazon will be looking hard at their policies and procedures, but for the individual there’s also much to learn from the episode.

i) Two-factor authentication. There’s no doubt that this is a good thing and I enabled it on my Gmail account last night. Turning it on is easy, but it’s a pain in the ass for the first few hours as you re-login to all your Google-based services. With several regularly used PCs, email clients and umpteen mobile devices, it takes a bit of time to get them all set up correctly. Touch wood, now that I’ve been through the re-login process, things are largely back to normal.

ii) Backup, backup, backup. For at least part of the story, Mat is entirely to blame. If there’s only one copy of any piece of data, it might as well not exist. Never mind hackers; theft, damage and accidental deletion make it all too easy to lose data, especially with mobile devices. Disk space is cheap, so even if you have just one PC, have a working set of folders, a backup set of folders and also make copies on a regular basis to a USB drive, which you disconnect from your PC when not in use and preferably store somewhere else.

iii) It’s your data. Convenient as “the cloud” is, remember it’s your data and your responsibility to keep it safe. If you push information directly to the cloud, don’t forget to include this information in your backup routine. Google has tools to download data from its services. Or don’t bother with someone else’s cloud and build your own, using a PogoPlug or similar.

iv) Download email using POP3. I use web-based Gmail and IMAP-enabled apps to manage my email and if email is deleted from Gmail…poof, it’s all gone. By using a POP3 email client like Thunderbird, you can have a copy on your PC as well.

v) Spread the load. Convenient as it might be to have all your eggs in one basket, either with Apple or Google, consider spreading your digital assets across different services, e.g. email on Gmail, work files on Dropbox, personal files on Box, photos on Flickr. If someone does compromise one of your accounts, all is not lost in one go. But don’t use the same password across all the systems.

vi) Remote kill-switch. The ability to kill mobile devices remotely is very handy if they are stolen but there’s a risk that the kill-switch can get into the wrong hands as in this case. However, the benefits probably outweigh the risks in that you are far more likely to lose your device than be hacked, so it’s perhaps better to focus on minimising the fall-out from both physical loss and a remote wipe.

There’s certainly plenty of food for thought there and even if you only take on one or two of the suggestions above, you’ll make yourself much harder to attack while lessening the impact.

Picture courtesy of Brian Ronald.

Nothing to Hide, Nothing to Fear?

“If you’ve nothing to hide then you’ve nothing to fear” is often trotted out in the debate around privacy and secrecy. Superficially it seems reasonable, but even with a modicum of critical thinking the adage becomes trite and flawed. However, even if you did believe that “nothing to hide, nothing to fear” was reasonable, then the latest report from the British 2011 Annual Report of the Interception of Communications Commissioner (.pdf) ought to give food for thought.

The report covers the Regulation of Investigatory Powers Act (RIPA) which includes the postal service, telephony and electronic forms of communication, and can be carried out for both law enforcement and national security purposes. There are two distinct areas, the first being the interception of communications and the second being the acquisition of communications data. Simplistically, the first area is about directly listening in on a communication and the second is about who, when and where a communication took place.

In 2011, the total number of lawful interception warrants for the UK was 2911, and this all seems quite reasonable, given the population of the UK (60-odd million). However, in amongst the successful security operations, we also find that the security and associated agencies made 42 mistakes (1.4%), usually through typographic errors. In all instances, the error was discovered before the intercept took place or else all the material associated with intercept was destroyed.

Communication data requests cover information about communications, mainly subscriber data, service use data and traffic data, rather than the content of the communication itself. There were 494 078 communication data requests in 2011, an 11% decrease on the previous year. As you might guess, there were a few errors there too, with 895 mistakes being reported. Although this represents an error rate of only 0.18%, I’m sure it will be of little comfort to the two wholly innocent individuals who were arrested by the police because of these mistakes. Again typographic errors in the transcriptions of phone numbers or IP addresses were largely to blame but of additional concern was that nearly 100 of the errors were identified by auditors and weren’t recognised at the time of the requests.

If you think that because you’ve nothing to hide then you’ve nothing to fear, think again. You’ve everything to fear from the transposed digit, the wrong post code look-up and the minimum-wage flunky copying and pasting from the wrong records.

Probably not what you were worried about at all.

Formspring Had a Security Breach

Those of you who have a Formspring account might want to take a minute to go and check on it. Formspring announced today, July 10, 2012, that it has had a security breach and that some user passwords may have been accessed.

As a precautionary measure they are asking all Formspring members to change their passwords now. The same blog post that announces the security breach also offers guidelines that they recommend you use to create a strong password.

I found out about this just a few minutes ago when Formspring sent me an ominous sounding email.

At first, I wasn’t sure if this email was legitimate, or if it was some sort of phishing scheme. So, I opened up a new window in my browser and attempted to log in to my Formspring account. The result wasn’t good.

Since I was getting nowhere, I decided to click the word “resend”, in the hopes that this would help me to recover my Formspring account. I rarely use it, but even so, I didn’t like the idea of it potentially being accessible by someone other than myself. It took a few tries, but I was, eventually, sent an email that gave me a link to click on so that I could reset my Formspring password.

I was able to click on the new link that I was sent. However, this did not enable me to achieve a desirable result.

Uh-oh! I ended up having Formspring resend another email, with a new link inside it. That one worked, and I was able to successfully access my Formspring account, and change the password to something completely different than what it was before the security breach. I figured it was worth it to send out this little “heads up” to other people out there who are using Formspring. Hopefully, after reading this, you won’t panic if Formspring sends you an email like the one it sent me.

Has DNSChanger Infected Your Computer

Back in November 2011 a group of Estonian and Russian hackers were arrested for creating and running a botnet called DNSChanger. DNSChanger was true to its name: it changed the DNS server address of the computers it controlled and directed them to rogue DNS servers. These rogue DNS servers were shut down by the FBI, and the Internet Systems Consortium, a nonprofit, was assigned to run the replacement DNS servers so that those who had affected machines wouldn’t lose their connection to the Internet. That was over eight months ago, and the time that the court assigned the Internet Systems Consortium to run the replacement DNS servers has run out. So on Monday, July 9, these replacement DNS servers will be shut down. The computers that are still connected to these DNS servers will no longer be able to connect to the Internet. There are an estimated 300,000 computers that are still affected. These are not only personal computers, but also computers run by Fortune 500 companies.

The FBI has set up a site where you can check to see if your system has been affected and what to do if it has been. Most likely, if you have kept your computer updated and have run your anti-malware and antivirus programs, you will be OK. However, we all know someone who never updates their system, either because they are too lazy or because for some reason they believe they are invulnerable. If you know someone like that, suggest they go to the site the FBI set up. If they decide not to, you may get a call Monday morning, if you are the computer “expert” of the family, with them screaming that they can’t connect to Google.
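For anyone who would rather check a machine’s resolver settings directly, here is an added example (not the FBI’s checker) that parses a Unix /etc/resolv.conf or Windows “ipconfig /all” output and flags resolvers inside a known-rogue range or outside an allowlist. The network ranges, the expected resolvers and the sample configurations are constructed placeholders; the real rogue ranges would come from the FBI’s check site.

```python
import ipaddress
import re

# CONSTRUCTED placeholders, not the real DNSChanger ranges: replace these with
# the rogue resolver ranges listed on the FBI's check site (assumed to exist).
ROGUE_NETWORKS = [ipaddress.ip_network(n)
                  for n in ("203.0.113.0/24", "198.51.100.0/25")]
# Resolvers this machine is expected to use (constructed for the demo).
EXPECTED_RESOLVERS = {ipaddress.ip_address(a)
                      for a in ("192.168.1.1", "8.8.8.8")}

_IP = r"[0-9]{1,3}(?:\.[0-9]{1,3}){3}"


def parse_resolv_conf(text):
    """Nameserver addresses from a Unix/macOS /etc/resolv.conf."""
    return [ipaddress.ip_address(m.group(1))
            for m in re.finditer(rf"^\s*nameserver\s+({_IP})", text, re.M)]


def parse_ipconfig(text):
    """DNS server addresses from Windows 'ipconfig /all' output, including
    the indented continuation lines under 'DNS Servers'."""
    found, in_block = [], False
    for line in text.splitlines():
        m = re.match(rf"\s*DNS Servers[ .]*:\s*({_IP})", line)
        if m:
            found.append(m.group(1))
            in_block = True
            continue
        m = re.match(rf"\s+({_IP})\s*$", line) if in_block else None
        if m:
            found.append(m.group(1))
        else:
            in_block = False
    return [ipaddress.ip_address(a) for a in found]


def classify(resolvers):
    """Label each resolver 'rogue' (inside a known-bad range), 'unexpected'
    (not on the allowlist, so worth a look) or 'ok'."""
    verdict = {}
    for r in resolvers:
        if any(r in net for net in ROGUE_NETWORKS):
            verdict[str(r)] = "rogue"
        elif r not in EXPECTED_RESOLVERS:
            verdict[str(r)] = "unexpected"
        else:
            verdict[str(r)] = "ok"
    return verdict


# Constructed sample configurations for the demo.
SAMPLE_RESOLV_CONF = ("# constructed sample\nnameserver 192.168.1.1\n"
                      "nameserver 203.0.113.77\n")
SAMPLE_IPCONFIG = ("   DNS Servers . . . . . . . . . . . : 8.8.8.8\n"
                   "                                       198.51.100.9\n"
                   "   NetBIOS over Tcpip. . . . . . . . : Enabled\n")
```

On a live system, feed it the contents of /etc/resolv.conf or the captured output of ipconfig /all; a "rogue" verdict means the machine is still pointed at the servers being switched off.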

The most interesting part of this story, of course, was not the DNSChanger bot itself, but how the FBI and the court handled it. They could have shut it down immediately and the results would have been the same for those 300,000 plus 270,000 more. By delaying the shutdown they did allow those 270,000 to recover. However, it seems to me they dropped the ball in getting the word out. This didn’t become big news until the past week. I am not sure if the court and the FBI are to be blamed for this, or if it is the media’s fault for not getting the word out. Whoever’s fault it is, communication was lacking.

Hijacking a Drone

Drones are unmanned flying vehicles which are controlled by operators from thousands of miles away. They are used extensively in Afghanistan to track the Taliban’s activities. There has been increased talk among law enforcement in the United States that using drones might be useful in fighting crime. There is a Federal mandate that would permit drones to be used in US airspace. There are many questions involving the use of drones, including privacy rights, lack of search warrants …. There are also technical questions. Right now the biggest problem that the DHS and the FAA are facing involving drones is jammers, which don’t control the drones but simply jam the signal. This is the way the Iranians insist they were able to bring down a drone in 2011, although that is still disputed by the US, who insist it was operator error and not Iranian jamming that caused the drone to land off course.

However, solving the jamming problem may be easy compared to the problem of spoofing. Spoofing is where the drone is actually controlled by a third party. In order for spoofing to be successful the drone’s GPS system must be hacked. That is what the University of Texas, Cockrell School of Engineering did under Assistant Professor Todd Humphreys when it hijacked a drone using $1,000 worth of equipment and custom software. These drones were using unencrypted software that the University of Texas team was able to hack. Their signal was more powerful than the GPS signal that the drone was receiving from the satellite that was originally controlling it. They were able to override that GPS signal, sending the drone where they wanted to. As you can imagine, this is a huge potential problem. Imagine what would happen if a terrorist group was able to hack a drone and send it wherever they wanted. They could control it from anywhere and send it crashing into buildings with no risk to themselves.
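The overpowering described above is also the attacker’s weak spot from a receiver’s point of view: genuine GPS signals are very weak, so a sudden, uniform rise in carrier-to-noise ratio (C/N0) across every tracked satellite is out of character. The following is an added illustration, not the University of Texas team’s code, of a receiver-side check built on that idea; the thresholds and the sample epochs are constructed assumptions rather than calibrated values.

```python
from statistics import mean

# Thresholds are constructed assumptions for the demo, not calibrated values.
CN0_CEILING_DBHZ = 52.0   # assumed: genuine signals rarely track above this
JUMP_DBHZ = 8.0           # assumed: a rise this large on every channel is odd
MIN_COMMON_SATS = 4       # need this many satellites in both epochs to judge


def spoof_indicators(prev, cur):
    """prev, cur: {satellite id: C/N0 in dB-Hz} for two consecutive epochs.
    Returns the reasons the current epoch looks spoofed (empty if none)."""
    reasons = []
    common = [sv for sv in cur if sv in prev]
    if len(common) < MIN_COMMON_SATS:
        return reasons            # too little overlap to judge
    too_strong = sorted(sv for sv in cur if cur[sv] > CN0_CEILING_DBHZ)
    if too_strong:
        reasons.append(f"C/N0 above {CN0_CEILING_DBHZ} dB-Hz on {too_strong}")
    deltas = [cur[sv] - prev[sv] for sv in common]
    if min(deltas) >= JUMP_DBHZ:
        reasons.append(f"all {len(common)} tracked satellites rose "
                       f">= {JUMP_DBHZ} dB-Hz at once")
    # Heuristic (assumption): real satellites sit at different elevations and
    # their levels drift unevenly; one transmitter lifts every channel by
    # about the same amount, so a tight spread of deltas is itself suspicious.
    if max(deltas) - min(deltas) < 1.0 and mean(deltas) > JUMP_DBHZ / 2:
        reasons.append("near-identical rise on every satellite")
    return reasons


def monitor(epochs):
    """Run the check over consecutive epochs; returns {epoch index: reasons}."""
    alerts = {}
    for i in range(1, len(epochs)):
        reasons = spoof_indicators(epochs[i - 1], epochs[i])
        if reasons:
            alerts[i] = reasons
    return alerts


# Constructed sample: two quiet epochs, then every channel jumps together.
SAMPLE_EPOCHS = [
    {"G01": 42.0, "G05": 40.5, "G12": 44.0, "G17": 39.0},
    {"G01": 42.5, "G05": 40.0, "G12": 43.5, "G17": 39.5},
    {"G01": 55.0, "G05": 54.8, "G12": 55.1, "G17": 54.9},
]
```

A flag from this check is a reason to stop trusting the position solution and fall back to inertial navigation, not proof of an attack on its own; leaving a tunnel or a parking garage also raises levels, though rarely this uniformly.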

Right now the DHS is still working on the jamming problem through the Patriot Watch and the Patriot Shield programs but the programs are underfunded and haven’t even started looking into the spoofing problem. Before we allow drones to fly above US cities we might want to find a solution to both jamming and spoofing first.

Arq and Backup Solution for the Mac

Having a good backup system, both locally and offsite, is important for anyone with a computer. Once you have decided to use a cloud backup, the first problem you face is the overwhelming number of options. There are two broad categories of backups, manual and automatic. Services like Dropbox or Google Drive are what I call manual backups, in that they require you to physically drop a file or folder into them. An automatic backup system is just that: you choose the files/folders you want to back up and the system you choose backs up those files automatically, either at a specific time or interval. There are a couple of things I look for in a backup system: first, is it easy to use; second, when I recover a file do I get back what I put in; third, the cost; and finally, is it trust no one (TNO) compliant. The idea behind TNO is that you and only you have access to your content, including your password and keys.

The solution I have found is called Arq, after trying Backblaze, Carbonite, and Jungle Disk. Arq falls into the second category of backups in that the backup happens automatically once you have set it up. I first heard about Arq on Security Now Episode #351: Back To The Cloud. Arq is a Mac only backup solution, although there is an app available to view the files on iOS. Arq runs on Amazon S3 and does require you to sign up for Amazon Web Services. Once you sign up it will give you an access key ID and a secret access key, and you also have to provide a password. Make sure you keep a copy of all of these; neither Arq nor Amazon can recover them for you (I use 1Password for this purpose). Although this can be inconvenient, it makes Arq TNO compliant. There is a 30 day trial, during which you pay only for the Amazon S3 fees. After 30 days, if you decide to continue to use it, there is a $29.00 one time licensing fee. Amazon S3 fees are 12.5 cents/GB (corrected from $1.25) or 9.3 cents/GB (corrected from $.93) for reduced redundancy storage. They also bill you for outgoing transfers. Outgoing transfers are free up to 1GB/month; from 1GB/month to 10GB/month it is $0.120 per GB, and so on. The price per GB goes down the more GBs you use. This is one of the things I like about Arq: you are only paying for what you are using instead of a flat fee. As part of the sign up process Arq will ask how much you want to budget for backup, starting in $5.00 increments. You put in the dollar amount you want to spend and it will tell you how much that will back up. If you are about to go over your budgeted amount, Arq will automatically delete the oldest files. Arq does versioned backups similar to Time Machine, so it will always keep at least two versions of a backup.

You can choose which files/folders you want to back up and you can exclude specific files by name. You can back up from a network attached storage drive. It doesn’t delete backups from network storage devices even if you remove those devices from your network. If you can see it in the Finder menu it will back it up. In fact, when I first started the backup process I noticed it was backing up my Dropbox folder, which I quickly unchecked. It does not care what type of file you are backing up. Arq allows you to back up automatically every hour at a specific time during that hour, you can schedule a backup once a day, or you can do a manual backup and have it only back up when you tell it to. You can control the transfer rate: either maximum, automatic (which will throttle the speed if you are transferring something else over the Internet) or a fixed transfer rate at a specific KB per second. If you want, you can get a Growl notification when a backup is completed. Plus you can have Arq start up on login, show on the menu bar and prevent your computer from sleeping when backing up.

To restore a file or folder you simply highlight it and then either click restore, which restores it to a folder labeled Arq folder or you can drag and drop the folder/file on to the Finder Window. I did a test restore on an image and it worked great, the image and all the metadata restored perfectly.

I have only been using Arq for a day now but so far I really like it. It was easy to set up, I like the fact it is TNO compliant and I like the cost. If you want to share the files with someone this is not the solution you are looking for. However if you are on a Mac and are looking for a good, secure backup solution I do recommend trying Arq.

Correction: made on Amazon fees 18:55 May 4

GNC-2012-05-01 #761 Listener Appreciation Month

May will be the month of giveaways; listen to win. I also go into some of the things that I have been doing, which you are probably already aware of, to ensure the stability of the show for the long haul. Extended dialogue time on this show, but with a hard hitting tech show as well.

Support our Show Sponsor:
30% off your new order @ GoDaddy: gnc30
1.49 .com New or Renewal geek149
$1.00 / mo WordPress Hosting with a free domain! Promo Code: press4
$1.00 / mo Economy Hosting with a free domain! Promo Code: geeks12
GoDaddy Promo Codes always save you money, check out my Promo Codes Today

Download the Audio Show File

Show Notes:
Wind Generators and Global Warming?
Can’t trust the Tech Blogs!
Copyright is broke really bad.
Copyfraud and Trolls.
More Copyright Stupidity.
Harvard Battles Journal Costs.
Facebook likes not Protected Free Speech.
McCarthy is back at FBI!
Dotcom gets a bunch of his Money back.
Pirate Bay censored in U.K.
Hulu to require cable?
Backdoors Everywhere.
SETI to help Air Force?
Soyuz lands!
100 days to Mars Landing.
Time running out for Moores Law?
SiriusXM App Update not so good!
Microsoft dumps 300 million into Nook.
Fair Use is dead.
Digg to Washington Post?
Harley makes it from Japan.
Mirrorcase Kickstarter.
Paul Miller leaves the Net!
SpaceX test fire on pad?
Dish Hopper up to 6 channel record DVR.
Internet Speed down overall.
Bluetooth everywhere.
Skype Update on iOS.
www Turns 19.
Cloud Storage chart.