What Mobile Users Should Know About Heartbleed: Free McAfee Android App

By now, you have probably heard about the Heartbleed bug, estimated to affect up to two-thirds of all websites using the OpenSSL encryption protocol to protect usernames, passwords, credit and debit card numbers, and other sensitive information. Whether hackers have previously been taking advantage of this bug is still unknown, but now is the time to take precautions to avoid a security breach.

This now infamous bug might reach beyond your favorite websites—it could also affect your Android mobile devices. Attention around Heartbleed has focused on the most obvious scenario: a malicious client attacking a server to steal sensitive data online. However, the reverse is also possible, where a malicious server could exploit this weakness to siphon data from a mobile device’s browser and apps. Below is some additional information you can use to protect your device, data and identity in the wake of this incident.

What is Heartbleed?

It is important to understand that Heartbleed is not a virus, but rather a mistake written into an older version of OpenSSL—which is a security standard encrypting communications between you, the user, and the back-end servers provided by a majority of online services. The mistake makes it possible for hackers to extract data from databases containing user names, passwords and other sensitive information.

How are mobile users affected?

At this time, mobile devices running Android 4.1.1 (Jelly Bean) use the OpenSSL version with the Heartbleed bug. A Google spokesperson confirmed to Bloomberg that millions of devices in use today still run 4.1.1 Jelly Bean.

Is this issue limited to just Android 4.1.1?

Not exactly: your apps may also be affected. App developers may have bundled the unsafe version of OpenSSL, so even if the OS version on your device is not vulnerable, your installed apps may still be affected.

What do Android users need to do?

  1. Download the free McAfee Heartbleed Detector app to determine if your device is vulnerable and to check your apps’ risk level.
  2. Check Android Settings -> About Phone section to determine which version of Android is running on the device. If it is Android 4.1.1, check for a system update and update immediately.
  3. Even after updating the OS, users should still avoid sensitive transactions on mobile devices, such as banking, mobile payments, etc. While Google is currently working to fix the OpenSSL problem in Android 4.1.1, it is best to take extra steps to prevent your personal information from getting into the wrong hands in the meantime.

Our free McAfee Heartbleed Detector app can help users determine if a mobile device or any installed apps are affected by checking two data points:

  • Determines which version of OpenSSL the Android device is using and then checks to see if the Heartbleed bug is present. If the device is running the vulnerable version of OpenSSL, the user will be notified so that they can be sure to upgrade to the latest version of Android OS available for the device.
  • Checks the OpenSSL version of every app installed on the device to determine if it is Heartbleed vulnerable. If the app is affected, you will be notified and can then make the decision to uninstall or update the app to a newer, safer version, if one is available from the developer.

While this app will tell you if your devices or apps need to be updated, it should be noted that the Heartbleed bug can only be fixed with a software update from the device manufacturer or app vendor.
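As an added example (not the McAfee detector's own code), the Python below mirrors the two checks described above: classify the OS library's OpenSSL version banner, then each installed app's bundled library. It assumes the banners have already been collected from the device; the sample banners and app names are constructed.

```python
import re

# Known facts about CVE-2014-0160: OpenSSL 1.0.1 through 1.0.1f are affected
# (fixed in 1.0.1g), 1.0.2-beta1 is affected, and the 0.9.8 / 1.0.0 branches
# never contained the heartbeat bug.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(banner):
    """Turn a banner such as 'OpenSSL 1.0.1e 11 Feb 2013' into
    (major, minor, fix, letter, beta) for comparison."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("no OpenSSL version found in: %r" % banner)
    major, minor, fix, letter, beta = m.groups()
    return (int(major), int(minor), int(fix), letter, int(beta) if beta else None)


def is_heartbleed_version(banner):
    """Version-based heuristic: True when the banner falls in the affected range.
    Builds compiled without the heartbeat extension are not exploitable even
    in this range, so treat a hit as 'needs an update', not proof of exposure."""
    major, minor, fix, letter, beta = parse_openssl_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        return letter < "g"          # plain 1.0.1 and 1.0.1a..1.0.1f
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1             # only 1.0.2-beta1 shipped the bug
    return False


def assess_device(os_banner, app_banners):
    """Apply the OS check, then the per-app check; apps that do not bundle
    their own OpenSSL (banner None) rely on the OS library and are skipped."""
    report = {"os_vulnerable": is_heartbleed_version(os_banner),
              "vulnerable_apps": []}
    for app, banner in app_banners.items():
        if banner and is_heartbleed_version(banner):
            report["vulnerable_apps"].append(app)
    return report


if __name__ == "__main__":
    # Constructed sample: an updated OS with one app still shipping 1.0.1e.
    sample_apps = {"com.example.bank": "OpenSSL 1.0.1e 11 Feb 2013",
                   "com.example.news": "OpenSSL 1.0.1g 7 Apr 2014",
                   "com.example.notes": None}
    print(assess_device("OpenSSL 1.0.1g 7 Apr 2014", sample_apps))
```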



The post What Mobile Users Should Know About Heartbleed: Free McAfee Android App appeared first on McAfee Blogs.

What is Social Engineering?

No, it’s not some new engineering field to develop social media sites. Social engineering has been around as long as the con artist has. The term stems from the social science world, where social engineering is defined as an act of psychological manipulation.

In our tech-laden world of today, social engineering still involves deceit but it’s used to deceive you into giving up personal or sensitive information for the bad guys’ financial gain. Social engineering can take many forms from an email, phone call, social networking site, text messages, etc., but they all have the same intent—to get you to part with valuable information.

Any one of us can be a target. And social engineering continues to be a tool that cybercriminals use because it works. They play on our emotions and our innate inclination to trust others and be helpful. They also rely on the fact that many of us are not aware of the value of the information we possess and are careless about protecting it.

For instance, after major natural disasters or major news topics, like a hurricane or earthquake, cybercriminals sent out scores of bogus emails, calling for sympathy and donations for the victims, just so they could line their pockets.

In addition to sympathy, the bad guys also barter in fear, curiosity and greed. From emails offering fake lottery winnings (greed), to dangerous download sites advertising a preview of the latest Lady Gaga song (curiosity), to devious popup messages that warn you that your computer is at risk (fear), today’s cybercriminals are masters at manipulating our emotions.

And because their tricks often look legitimate, it can be hard for you to identify them. You could wind up accidentally infecting your machine, or sharing personal and financial information, potentially leading to monetary loss and even identity theft.

How can you protect yourself?

  • Never respond to a message from someone you don’t know, and never click on a link in an unsolicited message, including instant messages. If the phone rings and the caller asks for personal information, consider it a scam.
  • Be suspicious of any offer that seems too good to be true, such as the lure of receiving thousands of dollars just for doing a wire transfer for someone else.
  • If you are unsure whether a request is legitimate, check for telltale signs that it could be a fake, such as typos and incorrect grammar. If you are still unsure, contact the company or organization directly. Financial institutions, and most sites, don’t send emails or text messages asking for your user name and password information.
  • When using social networking sites, don’t accept friend requests from people you don’t know, and limit the amount of personal information you post to your profile.
  • Consider using a safe browsing tool such as McAfee® SiteAdvisor® software, which tells you whether a website is safe right in your search results, helping you navigate away from phony sites.
  • Make sure all your devices are protected with comprehensive security, like McAfee LiveSafe™ service, which protects all your PCs, Macs, smartphones and tablets.


So remember to ask yourself if this is really legit, the next time you get a message that plays on your emotions. Stay safe online!


Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

The post What is Social Engineering? appeared first on McAfee Blogs.

Protect your business from data loss and cyber threats – infographic


Now that tens of millions of devices worldwide are in danger of being affected by the Heartbleed security flaw, keeping data protected has become a major priority. But it’s not only individuals who should be worrying about valuable information being accessed; many businesses are also under threat of data breaches every day. As the infographic above shows (statistics are from various sites and reports; see the “sources” section for details), a significant number of businesses are not implementing simple security measures such as backing up data or protecting against malware, leaving them vulnerable to data breaches.

The effects of data loss can be catastrophic. A staggering 72% of businesses that experience a major data breach shut down within 24 months, which suggests that the most effective strategy will be to focus on preventing breaches from occurring in the first place. As well as the financial consequences of data loss, the impact on a company’s reputation can contribute heavily to a loss of customers, which can also cause it to shut down.

There are simple steps that every business, no matter what its size or sector, can take to ensure that data is protected. One of these is to make sure that all employees are informed of the causes and consequences of data loss and that they are dedicated to guarding against it.

According to a report by Trend Micro (pdf), 77% of employees admit to leaving their computers unattended. Employers can substantially reduce the risk of a data breach by reminding their staff to lock their computers and change their passwords on a regular basis. Approximately one-third of cases of external data loss involve employee data, so it is in the best interests of employers to be vigilant about computer security.

In addition to educating staff about data breaches, employers can improve their malware solutions to guard against attacks. The most common cause of external data loss is malware attacks, which highlights the importance of installing and updating effective programs to protect computers. This may seem obvious, but a startling number of business owners are not taking these basic IT steps to avoid data loss. Among small to medium-sized businesses, our research revealed that 60% state that they do not routinely back up the data on their computer systems.

Torgny Gunnarsson is CEO of Imprima


All Guardian Media Network content is editorially independent except for pieces labelled ‘Advertisement feature’. Find out more here.

What steps should you take to protect your SME from an online attack?

While many small business owners are aware of the threat of cybercrime, the day-to-day demands of running a company mean it can fall down the to-do list. Taking steps to minimise the risk of an online attack is clearly important, but it can appear a complex task.

There are straightforward measures a business can take, such as raising awareness of the issue among staff and installing anti-virus software. But after the basics have been implemented, what next? Should SMEs deal with all aspects of cyber security in-house, or outsource parts of it? Does it depend on the sector? How do you find a qualified security professional? And crucially, how much does a small business need to spend on making sure it is safe?

Join us on Wednesday 23 April between 1pm and 2.30pm when we will discuss these questions and more with a panel of experts. Feel free to post your questions now or put them to the panel during the live Q&A.

Our panel:

Emma Philpott is CEO of The IASME Consortium Ltd (Information Assurance for SMEs). IASME has developed, and now maintains, the information assurance management standard for SMEs, based on international best practice. It also licenses the assessors and issues certificates of compliance to the client.

James Lyne is from cyber company Sophos, a developer and vendor of security software and hardware, providing endpoint, encryption, email, web, mobile and network security.

Zain Javed is head of penetration testing services at Xyone Cyber Security, which helps businesses to minimise the risk of becoming a victim to hackers.

Elliott Atkins works at Nominet, an internet registry company which is about to launch a pilot called Cyber Assist that aims to help smaller companies arm themselves with the knowledge, tools and expertise needed to fight against cybercrime.

Rob Hadfield is head of content at Get Safe Online, a website about online safety. He delivers regular educational presentations and speaks at UK and international events.

Tor Macleod is director at Via Resource, a provider of information security consultancy services and recruitment. Via Resource specialises in providing interim, contract, permanent and managed services.

Suzanne Fribbins is BSI’s EMEA product marketing manager for the risk portfolio. Her role is to position and drive demand for the assessment and certification product range including the International Standard for Information Security (ISO 27001), IT service management (ISO 20000), and the new CSA STAR Certification Scheme (cloud computing).

Sponsored content

This content has been sponsored by BIS, whose brand it displays. All content is editorially independent.


Appearances Can Be Deceiving: Fake Anti-Virus App Dupes Users

If the laws of nature are capable of teaching us one thing it’s this: if it seems too good to be true, it usually is. One of the most popular apps in the Google Play Store was recently found to be just that – a fantasy. The app titled Virus Shield purported to “improve the speed” of Android devices, prevent dangerous apps from being installed, and protect your information without annoying advertisements. In reality, the app was proven to be a fake and scammed buyers out of $3.99.

While it was devoid of any actual security benefit, the app managed to jump to the top of Google Play’s “top paid” chart within one week after its release. Despite the false claims, it was able to rack up more than 10,000 downloads before removal, meaning that the creators got away with nearly $40,000 from unsuspecting users.

However, this type of scam isn’t exclusive to any one app store. Even Apple’s App Store has had its fair share of fraudulent games that were pushing in-app purchases.

So, how are these fraudulent apps ensnaring consumers? Well, it has to do with each app store’s vetting process. Both companies have their own way of filtering out the good from bad, and both have their weaknesses.

Google Play has an open philosophy when it comes to its Android platform and the apps created for it. This means that nearly anyone can develop an Android app or contribute to a new version of Android’s operating system, provided they have the programming skills needed. The upside to this philosophy is the active, open community constantly monitoring the Google Play Store and contributing to the success of Android. The downside is that it’s easier for opportunistic scammers to get users to download malware instead by flooding the store with malicious apps.

Apple’s App Store, on the other hand, is frequently compared to a walled garden — an environment that is tightly regulated and vetted, but at the cost of providing increased functionality and aesthetic changes. The positive side to this philosophy is that it’s much more difficult for malware to spread on iOS. But a walled garden still isn’t enough to keep out some of the riffraff, and many scammers try, with varying degrees of success, to bypass Apple’s vetting process by leaning heavily on in-app purchases and advertisements to spread their misdeeds instead.

So how can users protect themselves from cleverly disguised app scams? It starts with awareness, and here are a few tips to help you stay safe when downloading and using apps on your mobile devices:

  • Always stay up to date with the latest software. Because crafting software can be difficult, it usually takes time for hackers to create malicious apps. Software updates typically include patches for bugs and vulnerabilities that malware relies on, which helps reduce the harm a fraudulent app can do if you download one.
  • Install Anti-Virus software on your device. No operating system is completely free from the threat of malware. That means you need to be wary of any potentially dangerous app or unsecured Wi-Fi network. The best way to protect yourself is with a comprehensive security solution like McAfee® Mobile Security for iOS and Android. These solutions can help you keep track of your device, secure your connections, and scan Android apps that may leak personal data.
  • Read the description and check the reviews. One telltale sign of a potentially fraudulent app is poor grammar and spelling mistakes. If you’re seeing frequent misspellings and awkward syntax, consider passing the app over. Scammers have been known to inflate their app’s score with fraudulent reviews. If you feel that’s the case for an app, check the reviews for anything suspicious.



The post Appearances Can Be Deceiving: Fake Anti-Virus App Dupes Users appeared first on McAfee Blogs.