The UpStream

A Week of Android Vulnerabilities

posted Saturday Dec 3, 2016 by Scott Ertz


While Google's mobile operating system, Android, may be popular, it has one glaring problem: security. More often than not in a week, we hear about some problem that leaves Android users vulnerable to attack. Sometimes it comes from downloading apps outside of the Google Play Store and sometimes it comes from within. This week, we have one of each.


Gooligan, named by the security firm Check Point, is malware that closely resembles another recent issue: HummingBad. Found in apps downloaded through third-party stores, this malware roots your device, giving the software direct access to all of your data. The important data that this software is looking for is your Google security token. This is a small piece of text that allows applications on your phone, including malicious apps, to connect to the Google Play Store and download new apps in your name. It also gives the software the ability to write reviews about those apps, also in your name.

While it may seem odd to write software to download other software, there's a lot of financial gain to be had. Some apps offer affiliate programs, paying the referrer to encourage new downloads. If the apps that are downloaded through Gooligan participate in the affiliate program, then the creator can get paid for every device that they infect.

As of right now nearly 1,000,000 accounts have been breached using this process. If each device generated only a single dollar in revenue, that's a million dollars in revenue for very little work. The real potential for harm, however, comes in the future. The security token gives access to more than just your Google Play account. In fact, it gives the developer access to anything Google related. This means that they could theoretically read your email, get your credit card information and anything else you store in Google. If the affiliate programs can generate this kind of revenue, imagine what they could make on your contact list or search history. Your Google account is a veritable treasure trove of information.

It's difficult to recover an infected device, but it's even more difficult to recover a compromised account. Luckily, Google is prepared for such an eventuality, having a dedicated page for fixing this type of problem. If you believe that your account has been compromised, change your password, remove the device from your authorized devices and enable Verified Boot on the device.


Another problem that persists on Android and other operating systems is insecure communication. This happens when the application developer sends important information over insecure channels. Normally, this kind of mistake results in the compromise of an account. In the case of the popular Android app AirDroid, it can result in the compromise of your device.

Here's what they're doing: After you log in securely, the same information is then sent to a statistics server over an insecure connection. This means that another device on the same network could get in between your phone and the router and steal the information as it's being sent. Since the data is not encrypted, anybody could read it and get your username and password. Under normal circumstances this would only allow them to log into your account, but because of the nature of AirDroid, it gives the attacker the ability to take over your device and install malicious code without your knowledge. Once that code is on there, it could act similarly to Gooligan.
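The pattern described above, a secure login followed by the same data being copied to a statistics endpoint in the clear, is something an app's own outbound traffic can be checked for before release. The script below is an added example written for this article, not code from AirDroid, Sand Studio or Zimperium; the request records, host names and field names it uses are constructed for illustration.

```python
"""Flag login-style data that an app re-sends over cleartext HTTP.

Added example (not from the article or any product it names): given a small,
constructed set of outbound requests, report any that carry credential-like
fields to a host over plain http://, regardless of whether the same fields
were sent safely over https:// moments earlier.
"""
import json
from urllib.parse import urlsplit, parse_qs

# Field names that usually hold secrets; extend this set for your own app.
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "token", "auth_token", "email", "username"}


def _body_fields(content_type, body):
    """Return the top-level field names of a form-encoded or JSON body."""
    if body is None:
        return set()
    if "json" in content_type:
        try:
            data = json.loads(body)
        except ValueError:
            return set()
        return set(data.keys()) if isinstance(data, dict) else set()
    return set(parse_qs(body, keep_blank_values=True).keys())


def find_cleartext_credentials(requests):
    """Return (host, path, fields) for each request sending sensitive fields over http."""
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        if parts.scheme.lower() != "http":
            continue  # encrypted transport: not the failure mode under discussion
        fields = set(parse_qs(parts.query).keys())  # query string can leak too
        content_type = req.get("headers", {}).get("Content-Type", "").lower()
        fields |= _body_fields(content_type, req.get("body"))
        leaked = sorted(fields & SENSITIVE_FIELDS)
        if leaked:
            findings.append((parts.hostname, parts.path, leaked))
    return findings


# Constructed sample traffic, in the shape the article describes.
SAMPLE_REQUESTS = [
    {"url": "https://login.example.test/api/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "username=alice&password=hunter2"},
    {"url": "http://stats.example.test/collect",
     "headers": {"Content-Type": "application/json"},
     "body": json.dumps({"username": "alice", "password": "hunter2", "device": "phone"})},
    {"url": "http://stats.example.test/ping?build=42", "headers": {}, "body": None},
]

if __name__ == "__main__":
    for host, path, fields in find_cleartext_credentials(SAMPLE_REQUESTS):
        print(f"cleartext credential fields sent to {host}{path}: {', '.join(fields)}")
```

Only the statistics call is reported; the https login and the harmless http ping are left alone, which is the distinction a release check needs to make.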

The researchers that discovered this problem, Zimperium, have been in communication with the developers, Sand Studio, since May, but they have not acted upon the information until now. Sand Studio's Chief Marketing Officer Betty Chen claims that the problem should be solved within the next 2 weeks.

As more advanced methods of security are developed, these types of problems should become more rare. Unfortunately, in the past couple of years, these types of problems have become more common. The idea that anybody can code and the hiring of untrained and untested developers for high-level positions often leads to these types of mistakes. Not everybody is able to code and even fewer are capable of architecting a full solution. These types of violations of trust should bring attention to the problem, but somehow they continue to persist.

Select Windows 10 PCs Get 4K Netflix

posted Sunday Nov 27, 2016 by Scott Ertz


In July of this year, we tested 1080p Netflix streaming in-browser, confirming that only Microsoft browsers were capable of doing it. Both Microsoft Edge and Internet Explorer were capable of streaming from the service in 1080p, while Google Chrome, Mozilla Firefox and Opera all were limited to 720p. As it turns out, that is not the only limitation that those browsers will face.

Starting this week, Windows 10 PCs will get the ability to stream full UHD, or 4K, video. There are some limitations, however. First, you must be using Microsoft Edge - none of the other browsers, including Internet Explorer, will be able to support UHD streaming. Second, you must have an uber-modern computer. In fact, you must be using an Intel Kaby Lake processor, known to the world as 7th Generation Core CPUs, which have only recently been made available. You will also need a UHD-compatible screen.

Obviously, just like when HD came to market, most content is not currently UHD-compatible. For content that is still in HD, that content will continue to stream normally (as mentioned earlier). However, for newer content, like Daredevil, Jessica Jones and Fuller House, Intel and Edge are ready to bring you the ultra high-resolution picture quality now.

Check out Microsoft's list of compatible devices in the store.

Reddit CEO Admits to Editing Unflattering Posts, Community Freaks

posted Sunday Nov 27, 2016 by Scott Ertz


If you are anything like me, Reddit is a bit of a mystery to you. The online community is known for both their open exchange of ideas and their complete hatred of those who disagree with them, and no one on the site seems to see the irony in that. One thing that you can be sure of, though, is that everyone will band together when the upper management makes any moves, positive or negative. You can also be sure that management's response to their actions will be glib and dismissive.

This week proved to be no different, with CEO Steve Huffman making a bad move and dismissing his own actions. Here's what happened: In the pro-Trump community, /r/The_Donald, comments were made that mentioned Huffman's community handle, /u/spez, and these comments were not flattering. As someone who has run several online communities, sometimes comments can be negative, but all you can do is either wear them as a badge of honor, as does Avram Piltch, or you can fold into a heap and cry in the corner. Huffman chose the latter.

Rather than accepting the negative comments gracefully, or addressing any concerns that the community might have with him, his performance or him personally, the CEO of the online community decided to deflect the criticism to others. In fact, he manually edited the posts in the subreddit, changing his own handle to those of the moderators of /r/The_Donald instead. When called out for the actions, he addressed the accusations saying,

Hey Everyone,

Yep. I messed with the "f**k u/spez" comments, replacing "spez" with r/the_donald mods for about an hour. It's been a long week here trying to unwind the r/pizzagate stuff. As much as we try to maintain a good relationship with you all, it does get old getting called a pedophile constantly. As the CEO, I shouldn't play such games, and it's all fixed now. Our community team is pretty pissed at me, so I most assuredly won't do this again. F**k u/spez.

He had a hard week, and it made him sad, so he made it look like people were mad at a group that had nothing to do with anything instead of him. While members of the community were discussing the possibility that administrators were editing user posts without any notification or marking, the CEO of the company was editing user posts without any warning or marking. At least it validated some of the concerns of the now-banned /r/pizzagate community, so glass half full, right?

It is going to take some time for the admins to get any form of credibility back after this, if it is possible at all. The good news for members of the community is that there are alternatives, so if you decide to jump ship, finding a new home should be fairly easy. It seems like the new platform of choice is Voat, a similar platform that is having trouble staying afloat with all of the new user load.

Xbox One Streaming Coming Soon to Oculus Rift

posted Sunday Nov 27, 2016 by Scott Ertz


One of the most exciting additions to Windows 10 was the ability to stream games and content from an Xbox One to your PC. When this feature was announced, most of the industry had hoped that this would be a sign of things to come, and Microsoft has not disappointed. Expanding on their partnership with Facebook's Oculus VR division, in December, Microsoft will bring this feature to the Oculus Rift.

Just like on Windows 10 PCs and compatible mobiles, the game streaming is made possible care of a connector app. The new app, Xbox One Streaming to Oculus Rift, will be available in the Oculus Store starting December 12th. Using the same technology, the console's output is routed over your home network to the Oculus hardware instead of your traditional television. From there, it is projected onto a virtual screen within the Oculus environment.

This will be yet another great reason why Oculus has been including an Xbox Wireless Controller with their headsets. Using the play-and-charge cable, an Xbox Wireless Adapter or one of the preconfigured PCs, you can play your Xbox One games on the Rift with a native Xbox controller, in most cases wirelessly.

While it might initially seem counter-intuitive for Microsoft to be working with Oculus to make Xbox One streaming available, while the company is working with their own partners to build Windows-powered VR hardware, you would be mistaken. What they have done is ensured that, almost no matter what VR hardware you decide to purchase, the best accessory you can have to play games is an Xbox One.

Symantec to Add LifeLock to Security Offerings

posted Sunday Nov 27, 2016 by Scott Ertz


In a deal valued at $2.3 billion, Symantec has agreed to purchase personal identity protection service LifeLock, Inc. The service rose to fame when, in 2007, they began traveling the country with a large vehicle on which was printed the social security number of co-founder, Todd Davis. The stunt was done to demonstrate Davis's confidence in his company's service, which promises to protect people from identity theft, even if all of the information is made public. As a result of the campaign, Davis was the victim of 13 cases of identity theft.

In 2010, the company was fined $12 million by the US Federal Trade Commission for false advertising. Chief among the complaints was the 100% protection promised by the television ad featuring the SSN truck. In fact, then FTC Chairman Jon Leibowitz had one of the greatest quotes in all of federal law history, stating,

The protection they provided left such a large hole... that you could drive that truck through it.

Since settling that case, the company was found to be in contempt of the agreement in 2015. A new $100 million fine was assessed, with much of the money being earmarked for a class action settlement against the company.

If this seems like a strange company for Symantec to acquire, you're right - in the midst of such a lack of consumer confidence, why would Symantec possibly be interested in purchasing them? It is likely that Symantec wants to add the technology and assurance behind LifeLock, without actually maintaining the brand. A new name will almost certainly be on the horizon for the service under its new owners, potentially even under their already well-known and respected Norton brand. Without the drag of the LifeLock name, and a boost from the Norton name, it is possible that Symantec could revive this once promising consumer protection service.

Why China's new cybersecurity law is a threat to international businesses and innovation

posted Friday Nov 25, 2016 by Guest Blogger

Georges Haour on China and cybersecurity

China has the world's largest market for digital shopping, mobile payments, and Internet-enabled financial services. Close to 400 million people in China do most of their payments using their smartphones. China's overall business in information technology is a market of well above USD $300 billion, and it is estimated that more than 700 million Chinese have access to the Internet. So any law impacting the online space, cybersecurity included, will make ripples in the way China does business.

That's why its new cybersecurity law, due to take effect in June of next year, is particularly alarming. It is part of an ongoing government program to reinforce China's cybersecurity, and arguably targets non-Chinese hackers. But it comes amidst continuous tensions between the U.S. and China, not just in terms of cybersecurity (each country has accused the other of hacking), but with trade, the economy, and, of course, the U.S. election, which will inevitably change how business is done between the two nations. The law appears to be counterproductive in several ways.

First, as the law sets forward, important network equipment and software will have to receive government certifications. This means that specific pieces of intellectual property or technical features will have to be divulged, which could easily be passed on to Chinese companies by the regulators behind cybersecurity. It shouldn't be forgotten that the state in China has tremendous power and plays a critical role in economic plans. Government interference is much more prevalent than in Western nations. And under the veil of cybersecurity, regulators will have access to proprietary information that could benefit Chinese firms at the expense of foreign business.

The type of businesses most at risk will be those with special hardware and systems for network management. But it could even include data from and for ATMs. New generation ATMs have a much higher level of connectivity, with mobile integration and face recognition. This makes them more vulnerable to hacking and means confidential devices and information will have to be used for protection. And under this law, that creates a big entry point for government snooping.

This law is also counterproductive because companies gathering data in so-called "critical areas" will have to store that data inside China. At this stage, the definition of "critical" is worryingly broad. Complying with this requirement will force international firms to make expensive investments to build duplicate facilities within China. This is in total contradiction with the free flow of data, expected to swell in 2020 after the introduction of 5G.

International companies will have to weigh this risk against the opportunity to do business in China. China has had a long reputation for 'copying' without getting insider access, and this law can only make it easier for China's business sector to review the competition. For international companies there is no easy way forward, as the choice is black or white. Either foreign companies will comply, knowing China has a way to peek into what previously was private, or they will choose to stand by principles of privacy at the risk of being excluded from the Chinese market. Despite the challenging dilemma, companies are likely to comply and give in to China's demands. The market is too huge and far too ripe for future growth, especially when compared to more stagnant outlooks in Europe and the U.S.

In addition to creating barriers for international business in China, this kind of legislative move goes completely against innovation. It could well be considered to be part of what is called "indigenous innovation" in China. This consists of favoring Chinese firms by establishing non-tariff barriers, such as specific standards or regulations on products, in order to deny non-Chinese firms access to China's large and dynamic market. And the impact would be wide-ranging, from consumer electronics to products such as equipment to produce renewable energy, including windmills and solar panels.

Innovation involves a complex process, but it requires a society to be as open as possible and to allow vibrant exchanges between people. While cybersecurity is important, this law will wrap around the free market as it grips security. Within China, entrepreneurs are, by and large, not bothered by their government's management of the Internet, called the "great firewall". However, this new law is a new step to tighten the government's grip on the Internet. Furthermore, far from favoring China's champions in this very dynamic area, such as Huawei, Lenovo, or Tencent, this law will handicap them in the long term. Maybe the hope is that these companies themselves will fight to alter the law and mitigate the negative implications for China's Internet landscape.

U.S. companies have already begun to strongly lobby against the law, as well as China's position that the Internet must be managed by authorities. But despite the efforts of any company, Chinese or other, the cybersecurity law is just a piece in a larger ongoing political puzzle that companies will have to deal with. Trump's stance on trade is equally, if not more, alarming for business. In the end, agility will be key for companies to succeed in the tense political environment.

IMD Professor Georges Haour is a Professor of Technology and Innovation Management at IMD business school and co-author of the new book - Created in China: How China is Becoming a Global Innovator (Bloomsbury, London, 2016).
