While Google's mobile operating system, Android, may be popular, it has one glaring problem: security. More often than not in a week, we hear about some problem that leaves Android users vulnerable to attack. Sometimes it comes from downloading apps outside of the Google Play Store and sometimes it comes from within. This week, we have one of each.
Gooligan, named by the security firm Check Point, is malware that closely resembles another recent issue: HummingBad. Found in apps downloaded through third-party stores, this malware roots your device, giving the software direct access to all of your data. The important data that this software is looking for is your Google security token. This is a small piece of text that allows applications on your phone, including malicious apps, to connect to the Google Play Store and download new apps in your name. It also gives the software the ability to write reviews about those apps, also in your name.
While it may seem odd to write software to download other software, there's a lot of financial gain to be had. Some apps offer affiliate programs, paying the referrer to encourage new downloads. If the apps that are downloaded through Gooligan participate in the affiliate program, then the creator can get paid for every device that they infect.
As of right now nearly 1,000,000 accounts have been breached using this process. If each device generated only a single dollar in revenue, that's a million dollars in revenue for very little work. The real potential for harm, however, comes in the future. The security token gives access to more than just your Google Play account. In fact, it gives the developer access to anything Google related. This means that they could theoretically read your email, get your credit card information and anything else you store in Google. If the affiliate programs can generate this kind of revenue, imagine what they could make on your contact list or search history. Your Google account is a veritable treasure trove of information.
It's difficult to recover an infected device, but it's even more difficult to recover a compromised account. Luckily, Google is prepared for such an eventuality, having a dedicated page for fixing this type of problem. If you believe that your account has been compromised, change your password, remove the device from your authorized devices and enable Verified Boot on the device.
Another problem that persists on Android and other operating systems is insecure communication. This happens when the application developer sends important information over insecure channels. Normally, this kind of mistake results in the compromise of an account. In the case of the popular Android app AirDroid, it can result in the compromise of your device.
Here's what they're doing: After you log in securely, the same information is then sent to a statistics server over insecure communication. This means that another device on the same network could get in between your phone and the router and steal the information as it's being sent. Since the data is not encrypted, anybody could read it and get your username and password. Under normal circumstances this would allow them to just log into your account, but because of the nature of AirDroid, it gives the hacker the ability to take over your device and install malicious code without your knowledge. Once that code is on there, it could act similarly to Gooligan.
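As an added illustration (not code from Zimperium or AirDroid), the following Python check looks for the pattern described above in a capture of an app's outbound requests: values first sent to the encrypted login that reappear in a plain http:// request. The capture, hostnames and field names are constructed for the example.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Constructed capture of an app's outbound requests (hosts and fields are made up).
CAPTURE = [
    {"url": "https://login.example.invalid/signin",
     "body": "user=alice%40example.invalid&pass=S3cret-Pa55"},
    {"url": "http://stats.example.invalid/collect?ev=login",
     "body": '{"device": "pixel", "account": "alice@example.invalid", "pw": "S3cret-Pa55"}'},
    {"url": "http://cdn.example.invalid/banner.png", "body": ""},
    {"url": "https://api.example.invalid/sync", "body": '{"pw": "S3cret-Pa55"}'},
]

def fields(request):
    """Return {name: value} from the query string and a form or JSON body."""
    out = dict(parse_qsl(urlsplit(request["url"]).query))
    body = request.get("body") or ""
    try:
        parsed = json.loads(body)
        if isinstance(parsed, dict):
            out.update({k: str(v) for k, v in parsed.items()})
    except ValueError:
        # Not JSON: treat the body as form-encoded (empty body yields nothing).
        out.update(parse_qsl(body))
    return out

def cleartext_credential_leaks(capture, login_url, min_len=6):
    """Flag http:// requests that repeat a value first sent to the TLS login."""
    secrets = set()
    for req in capture:
        if req["url"] == login_url:
            secrets |= {v for v in fields(req).values() if len(v) >= min_len}
    leaks = []
    for req in capture:
        if urlsplit(req["url"]).scheme != "http":
            continue  # only unencrypted requests are exposed on the local network
        hit = sorted(k for k, v in fields(req).items() if v in secrets)
        if hit:
            leaks.append((urlsplit(req["url"]).hostname, hit))
    return leaks

if __name__ == "__main__":
    for host, names in cleartext_credential_leaks(CAPTURE, CAPTURE[0]["url"]):
        print(f"{host}: credential values in cleartext fields {names}")
```

Matching on the values rather than on field names catches a credential that is re-sent under a different key, as in the constructed statistics request.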
The researchers that discovered this problem, Zimperium, have been in communication with the developers, Sand Studio, since May, but they have not acted upon the information until now. Sand Studio's Chief Marketing Officer Betty Chen claims that the problem should be solved within the next 2 weeks.
As more advanced methods of security are developed, these types of problems should become more rare. Unfortunately, in the past couple of years, these types of problems have become more common. The idea that anybody can code and the hiring of untrained and untested developers for high-level positions often leads to these types of mistakes. Not everybody is able to code and even fewer are capable of architecting a full solution. These types of violations of trust should bring attention to the problem, but somehow they continue to persist.
In July of this year, we tested 1080p Netflix streaming in-browser, confirming that only Microsoft browsers were capable of doing it. Both Microsoft Edge and Internet Explorer were capable of streaming from the service in 1080p, while Google Chrome, Mozilla Firefox and Opera all were limited to 720p. As it turns out, that is not the only limitation that those browsers will face.
Starting this week, Windows 10 PCs will get the ability to stream full UHD, or 4K, video. There are some limitations, however. First, you must be using Microsoft Edge - none of the other browsers, including Internet Explorer, will be able to support UHD streaming. Second, you must have an uber-modern computer. In fact, you must be using an Intel Kaby Lake processor, known to the world as 7th Generation Core CPUs, which have only recently been made available. You will also need a UHD-compatible screen.
Obviously, just like when HD came to market, most content is not currently UHD-compatible. For content that is still in HD, that content will continue to stream normally (as mentioned earlier). However, for newer content, like Daredevil, Jessica Jones and Fuller House, Intel and Edge are ready to bring you the ultra high-resolution picture quality now.
Check out Microsoft's list of compatible devices in the store.
If you are anything like me, Reddit is a bit of a mystery to you. The online community is known for both their open exchange of ideas and their complete hatred of those who disagree with them, and no one on the site seems to see the irony in that. One thing that you can be sure of, though, is that everyone will band together when the upper management makes any moves, positive or negative. You can also be sure that management's response to their actions will be glib and dismissive.
This week proved to be no different, with CEO Steve Huffman making a bad move and dismissing his own actions. Here's what happened: In the pro-Trump community, /r/The_Donald, comments were made that mentioned Huffman's community handle, /u/spez, and these comments were not flattering. As someone who has run several online communities, I know that comments can sometimes be negative, but all you can do is either wear them as a badge of honor, as does Avram Piltch, or fold into a heap and cry in the corner. Huffman chose the latter.
Rather than accepting the negative comments gracefully, or addressing any concerns that the community might have with him, his performance or him personally, the CEO of the online community decided to deflect the criticism to others. In fact, he manually edited the posts in the subreddit, changing his own handle to those of the moderators of the /r/The_Donald instead. When called out for the actions, he addressed the accusations saying,
Yep. I messed with the "f**k u/spez" comments, replacing "spez" with r/the_donald mods for about an hour. It's been a long week here trying to unwind the r/pizzagate stuff. As much as we try to maintain a good relationship with you all, it does get old getting called a pedophile constantly. As the CEO, I shouldn't play such games, and it's all fixed now. Our community team is pretty pissed at me, so I most assuredly won't do this again. F**k u/spez.
He had a hard week, and it made him sad, so he made it look like people were mad at a group that had nothing to do with anything instead of him. While members of the community were discussing the possibility that administrators were editing user posts without any notification or marking, the CEO of the company was editing user posts without any warning or marking. At least it validated some of the concerns of the now-banned /r/pizzagate community, so glass half full, right?
It is going to take some time for the admins to get any form of credibility back after this, if it is possible at all. The good news for members of the community is that there are alternatives, so if you decide to jump ship, finding a new home should be fairly easy. It seems like the new platform of choice is Voat, a similar platform that is having trouble staying afloat with all of the new user load.
One of the most exciting additions to Windows 10 was the ability to stream games and content from an Xbox One to your PC. When this feature was announced, most of the industry had hoped that this would be a sign of things to come, and Microsoft has not disappointed. Expanding on their partnership with Facebook's Oculus VR division, in December, Microsoft will bring this feature to the Oculus Rift.
Just like on Windows 10 PCs and compatible mobiles, the game streaming is made possible courtesy of a connector app. The new app, Xbox One Streaming to Oculus Rift, will be available in the Oculus Store starting December 12th. Using the same technology, the console's output is routed over your home network to the Oculus hardware instead of your traditional television. From there, it is projected onto a virtual screen within the Oculus environment.
This will be yet another great reason why Oculus has been including an Xbox Wireless Controller with their headsets. Using the play-and-charge cable, an Xbox Wireless Adapter or one of the preconfigured PCs, you can play your Xbox One games on the Rift with a native Xbox controller, in most cases wirelessly.
It might initially seem counter-intuitive for Microsoft to be working with Oculus to make Xbox One streaming available while the company is working with their own partners to build Windows-powered VR hardware, but you would be mistaken to think so. What they have done is ensured that, almost no matter what VR hardware you decide to purchase, the best accessory you can have to play games is an Xbox One.
In a deal valued at $2.3 billion, Symantec has agreed to purchase personal identity protection service LifeLock, Inc. The service rose to fame when, in 2007, they began traveling the country with a large vehicle on which was printed the social security number of co-founder, Todd Davis. The stunt was done to demonstrate Davis's confidence in his company's service, which promises to protect people from identity theft, even if all of the information is made public. As a result of the campaign, Davis was the victim of 13 cases of identity theft.
In 2010, the company was fined $12 million by the US Federal Trade Commission for false advertising. Chief among their complaints was the 100% protection promised by the television ad featuring the SSN truck. In fact, then FTC Chairman Jon Leibowitz had one of the greatest quotes in all of federal law history, stating,
The protection they provided left such a large hole... that you could drive that truck through it.
Since settling that case, the company was cited to be in contempt of the agreement in 2015. A new $100 million fine was assessed, with much of the money being earmarked for a class action settlement against the company.
If this seems like a strange company for Symantec to acquire, you're right - in the midst of such a lack of consumer confidence, why would Symantec possibly be interested in purchasing them? It is likely that Symantec wants to add the technology and assurance behind LifeLock, without actually maintaining the brand. A new name will almost certainly be on the horizon for the service under its new owners, potentially even under their already well-known and respected Norton brand. Without the drag of the LifeLock name, and a boost from the Norton name, it is possible that Symantec could revive this once promising consumer protection service.