The days are short and the nights are long in our Novembers here in the Northern hemisphere (but shout out to my pals south of the equator!) and that means that bad guys have more time in the dark. This issue of the SKY ECC newsletter looks at bad guys controlling a SKY ECC competitor and how they were shut down, how bad guys can exploit biometrics and why Sky doesn’t use them, how Alexa can be used by bad guys to spy on you, and how SMS data is being targeted by state-sponsored bad guys.
November Industry News and Trends
Flaw in PDF encryption standards found
Businesses the world over use encryption on their PDF files to add a layer of protection to them. Researchers have discovered a flaw, which they are dubbing “PDFex”, that can allow attackers to extract plaintext data without having the encryption key.
A number of ways have been found to exfiltrate the encrypted PDF data, but they all center around the attacker being able to manipulate the ciphertext and the victim taking an action which leads to the document being decrypted.
Google Pixel 4 Face Unlock problems
In yet another example of how biometrics are not yet up to snuff as secure methods of unlocking a phone, Google’s Pixel 4 has been found to unlock even when a user’s eyes are closed.
All SKY ECC devices have had their biometrics stripped out of them for exactly this reason. We are not yet at the point where biometrics are foolproof, and our phones will not have these features until they are proven to be secure. Here’s the proof:
Why is it a big deal though? Because someone else can unlock your phone when your eyes are closed. You know, like you do for 7-8 hours per day when you’re asleep.
Google gathers health data without your consent
In a recent reveal which makes me wonder whether HIPAA ever mattered, Google’s “Project Nightingale” has been gathering:
- Lab results
- Hospital records
- Health histories
- Dates of birth
This has been gathered with direct links to patient names, all thanks to the country’s second-largest health care provider, Ascension. Not only is this repulsive from the perspective of Google having intimate information about your body, but they also do it without your consent. This is information which is supposed to be between you and your doctor being shared with a data collection corporation.
Google’s Cloud president, Tariq Shaukat, said:
“To be clear: under this arrangement, Ascension’s data cannot be used for any other purpose than for providing these services we’re offering under the agreement, and patient data cannot and will not be combined with any Google consumer data.”
Ya, sure. Just like how big tech’s data harvesting firms would never, ever, ever combine your 2FA data with their ad targeting. No. Wait. Facebook did that last year.
I also have a really bad feeling about Google buying Fitbit and having all this health data. Left unchecked, this would likely turn out well for Google and terribly for you. There is good news below though…
Alexa vulnerabilities give hackers another exploit
That dirty girl Alexa, and her pal Google Home, are both giving away more of your secrets through an easy exploit demonstrated by SRLabs. With both machines, a skill was uploaded which activated recording of anything said within ‘earshot’ of these smart speakers, even after the command to stop had been said.
The researchers also created an exploit where Google would ask for your Google account password which would be recorded for use whenever the hackers felt like it. People should know better than to say their password out loud like this, but they do it anyway.
Yes, this is why we disable the internal microphone on all SKY ECC devices outside of the app using UEM. With it off, the phone is incapable of ever listening to you should someone, in the extremely unlikely event of this happening, install an exploit in the container outside of SKY ECC.
The last word…
Chinese hackers–or government employees? Who can tell–have found a way to collect SMS data, concentrating on keyword lists based on possible political agitation. These keywords then trigger the conversations to be recorded and later analyzed.
In a totally fake interview with me at SKY ECC, I asked China’s President Xi Jinping how he reacted to the above allegations, and to the charge that he’s running an authoritarian regime with extreme privacy invasions via spying on every aspect of citizens’ lives. I imagined that his reaction went something like this…
Links to stories mentioned:
- MPC Secure Phone Reseller and Organized Crime
- Issues with Biometrics as Security Tools
- SRLabs reveals Smart Speaker Vulnerabilities
- Chinese SMS spying Practices Revealed
Read recent posts from SKY ECC
As always, visit the SKY ECC blog for more posts on security, privacy, and SKY ECC product updates. On the blog last month we have a very important deep-dive on how SKY ECC secures contact lists, a comparison between Threema and SKY ECC, a look at phone security and online message protection, and a quick one on how to delete Signal (and what to replace it with).
How SKY ECC Secures your Contact List
With a heavy focus on how contact lists are commonly built–on a searchable directory server using phone numbers–this post will help your clients understand why SKY ECC built contact lists the way we did, and show them that this is the truly secure way to build and manage them.
Threema vs. SKY ECC Comparison
Read about how SKY ECC compares with the paid secure messaging app Threema. While the review is fair, and includes the strong features of Threema, there is no denying the fact that it doesn’t measure up to SKY ECC.
Phone Security: How to Protect Your Messages Online
In this post created for Cyber Security Awareness Month, we look at the hardware, software, and passcode tactics needed to keep a phone secure. Each one is looked at on its own with a concluding look at how SKY ECC handles these aspects of phone security.
How to Delete Signal
If your clients are looking to upgrade their secure messaging from the not-so-secure Signal to SKY ECC, here’s a little nudge to help them along the funnel. There are steps and screenshots for every platform so that account deregistration and app uninstallation are done properly.