Another Big Ol’ Android Vulnerability — Certifi-Gate

Another day, another Android vulnerability. Maybe it is as bad as Flash. “Dubbed Certifi-gate, the researchers say that vulnerabilities in the OEM (manufacturers of Android devices like Samsung, LG and Sony) implementation of Remote Support allow a third party app’s plugins to access a device’s screens and actions using an OEM’s own signed certificates. That means a nefarious individual could see what you’re doing and control your phone or tablet. And according to the researchers, there’s no reasonable way to revoke the certificates as an end user.”

Nasty Firefox Exploit Found In the Wild

A nasty Firefox exploit has been found. Update! “Yesterday morning, August 5, a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine. This morning Mozilla released security updates that fix the vulnerability. All Firefox users are urged to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1.”

Google, Samsung to do Monthly Android Security Updates

Samsung and Google will release Android security patches every month. “Alongside the new frequent security updates, Google has finally released a patch for Stagefright for its own Nexus line of phones, which it sells directly to customers. The company argues that the majority of users weren’t at risk, however, with application sandboxing limiting the amount of damage an attacker could do.”

San Francisco PD Has An “Instagram Officer”

The San Francisco Police Department has an Instagram officer. And it’s apparently useful. “The Instagram photos showed the minor, who was already on probation and prohibited from possessing any type of firearm, with a gun tucked into the waistband of his pants. Based on the Instagram photographs that showed the two suspects brandishing firearms, the officers decided to perform a probation search, where the suspects were detained — still wearing the same clothes they had been wearing in the Instagram photographs that Ochoa had seen earlier that evening.”

Google’s Retail Beacons May Have Some Security Issues

Google’s new retail beacons have some potential security issues. “Being able to push unauthorized updates to beacons in the field means that a physical version of the classic email ‘phishing’ scam is possible. And while we may be used to ignoring scam emails, scam notifications on phones are something new; apps and people who receive the notifications may be more easily taken in.”

Facebook, Now with Really Icky Patent

Facebook has gotten a really icky patent. “On Tuesday, the social network was granted a patent for authorizing and authenticating a user based on their social network on Facebook, as first spotted by SmartUp Legal. Though the document details multiple applications for the patent, including filtering out SPAM and helping with search queries, it also explicitly states that it could be used to approve a loan based on a user’s social connections…”

Yahoo Ads Used to Distribute Malware

A vulnerability in Flash has been used to distribute malvertising. “According to a recent discovery, it seems that hackers have actually been taking advantage of another Flash vulnerability and for the past seven days, they have actually used Yahoo’s ad network to distribute malicious bits of code. The malware was hidden inside Yahoo’s ads which rely on Flash, meaning that anyone who visited a website with Yahoo ads could potentially have been infected.”

Windows 10 Mentions + Phishing = Ransomware

Heads up official and unofficial tech support people: ransomware and Windows 10 mentions have intersected in a phishing scam. “Microsoft released Windows 10 earlier this week (July 29) and it will be available as a free upgrade to users who are currently using Windows 7 or Windows 8. This threat actor is impersonating Microsoft in an attempt to exploit their user base for monetary gain. The fact that users have to virtually wait in line to receive this update, makes them even more likely to fall victim to this campaign.”

EFF Announces New Standard for “Do Not Track” Web Browsing

The EFF has announced a new standard for “Do Not Track” Web browsing. “The Electronic Frontier Foundation (EFF), privacy company Disconnect and a coalition of Internet companies have announced a stronger “Do Not Track” (DNT) setting for Web browsing—a new policy standard that, coupled with privacy software, will better protect users from sites that try to secretly follow and record their Internet activity, and incentivize advertisers and data collection companies to respect a user’s choice not to be tracked online.”

Spanish Citizens Can be Fined for Criticizing Police

Apparently the Spanish government can fine citizens who refer to its police as “slackers”. “On July 1st, the Spanish government enacted a set of laws designed to keep disruption within its borders to a minimum. In addition to making dissent illegal (criminal acts now include ‘public disruption’ and ‘unauthorized protests’), Spanish legislators decided the nation’s law enforcement officers should be above reproach. This doesn’t mean Spanish cops will be behaving better. It just means the public will no longer be able to criticize them.”

Interpol Trains Police to Fight Crime on the “Darknet”

Interpol is training police to fight crime on the “Darknet”. “Interpol has just completed its first training course designed to help police officers to use and understand the Darknet. The five-day course was held in Singapore, and attended by officers from Australia, Finland, France, Ghana, Hong Kong, Indonesia, Japan, Netherlands, Singapore, Sri Lanka and Sweden. According to Interpol, the next course will be held in Brussels. The students did not, it seems, explore the Darknet itself.”

Using Fake Data to Protect Real Privacy

A fascinating article from The Atlantic on using fake data to protect real privacy. “There are basically two ways to reduce the risk of a confidentiality breach, [John] Abowd explained. The familiar approach is to perform an analysis on confidential data and then add random error to the output of the analysis. Introducing random error in the output is necessary to reduce the chance that information about any individual will be revealed. But sometimes the random error precisely masks the features that researchers are interested in. Another way, that gets around this problem, is to implement privacy protections on the input of an analysis, by modifying the dataset itself.”

“Android is the new Flash”

If I were Google these would be fightin’ words: “Android is the new Flash”. “Several years ago, Steve Jobs called out Adobe Flash as a trainwreck of security and performance problems, garnering him contempt from industry players deeply invested in the software platform. Today, Google’s Android platform is getting the same brutal appraisal, but it’s coming from Android’s own fans.”

Mississippi AG Tried to Censor Google Search Results

The Mississippi Attorney General tried to get Google to censor its search results. “Mississippi’s top law enforcement official suspended the campaign against Google last December, after U.S. District Court Judge Henry Wingate in Jacksonville issued a restraining order prohibiting Hood from attempting to enforce a subpoena for ‘millions’ of documents from Google. That subpoena apparently sought information relating to copyright infringement by sites returned in Google’s search results, and infringement by YouTube uploaders.”

Google Refusing to Comply With French “Right to Be Forgotten” Order

Google is refusing a French order to apply “Right to be forgotten” globally. “Google is refusing to bow to an order from the French privacy watchdog to scrub search results worldwide when users invoke their ‘right to be forgotten’ online, it said on Thursday, exposing itself to possible fines. The French data protection authority, the CNIL, in June ordered the search giant to delist on request search results appearing under a person’s name from all its websites, including”