Bluefield Daily Telegraph, Bluefield, WV

Latest Updates

April 12, 2014

Millions of Android phones, tablets vulnerable to Heartbleed bug

SAN FRANCISCO — Millions of smartphones and tablets running Google's Android operating system have the Heartbleed software bug, in a sign of how broadly the flaw extends beyond the Web and into consumer devices.

While Google said in a blog post on April 9 that all versions of Android are immune to the flaw, it added that the "limited exception" was one version dubbed 4.1.1, which was released in 2012.

Security researchers said that version of Android is still in use in millions of smartphones and tablets, including in popular models made by Samsung, HTC and other manufacturers. Google statistics show that 34 percent of Android devices use variations of the 4.1 software and the company has said more than 900 million Android devices have been activated worldwide.

The Heartbleed vulnerability was made public earlier this week and can expose people to hacking of their passwords and other sensitive information. While a fix was simultaneously made available and quickly implemented by the majority of Internet properties that were vulnerable to the bug, there is no easy solution for Android gadgets that carry the flaw, security experts said. Even though Google has provided a patch, the company said it is up to handset makers and wireless carriers to update the devices.

"One of the major issues with Android is the update cycle is really long," said Michael Shaulov, chief executive officer and co-founder of Lacoon Security, a cyber-security company focused on advanced mobile threats. "The device manufacturers and the carriers need to do something with the patch, and that's usually a really long process."

Christopher Katsaros, a spokesman for Mountain View, Calif.-based Google, confirmed there are millions of Android 4.1.1 devices. He pointed to an earlier statement by the company, in which it said it has "assessed the SSL vulnerability and applied patches to key Google services."

It's unclear whether other mobile devices are vulnerable. Apple Inc. and Microsoft Corp. didn't respond to messages for comment.

The Heartbleed bug, which was discovered by researchers from Google and a Finnish company called Codenomicon, affects OpenSSL, a type of open-source encryption used by as many as 66 percent of all active Internet sites. The bug, which lets hackers silently extract data from computers' memory, and a fix for it were announced simultaneously on April 7.

The reach of the vulnerability continues to widen as Cisco Systems Inc. and Juniper Networks Inc. said yesterday that some of their networking-gear products are affected and will be patched. The Canadian government has ordered websites operated by the federal government that use the vulnerable version of OpenSSL to be taken offline until they can be fixed.

The vast majority of large companies protected their systems immediately and the push is now on to make smaller companies do the same, said Robert Hansen, a specialist in Web application security and vice president of the advanced technologies group of WhiteHat Security Inc.

Hackers have been detected scanning the Internet looking for vulnerable servers, especially in traffic coming from China, though it's difficult to know how many have been successful, said Jaime Blasco, director of AlienVault Labs, part of AlienVault. Many attempts have hit dead ends, Blasco said.

More than 80 percent of people running Android 4.1.1 who have shared data with mobile security firm Lookout Inc. are affected, said Marc Rogers, principal security researcher at the San Francisco-based company. Users in Germany are nearly five times as likely as those in the U.S. to be affected, probably because there is a device that uses that version of Android that is popular there, Rogers wrote in an email.

Still, there are no signs that hackers are trying to attack Android devices through the vulnerability as it would be complicated to set up and the success rate would be low, Rogers said. Individual devices are less attractive to go after because they need to be targeted one by one, he said.

 "Given that the server attack affects such a larger number of devices and is so much easier to carry out, we don't expect to see any attacks against devices until after the server attacks have been completely exhausted," Rogers wrote in an email.

 

1
Text Only
Latest Updates
  • new water treatment facility Officials break ground on new waste water facility

    Rain didn’t dampen enthusiasm Thursday when ground was broken for a wastewater plant that will double both the treatment capacity and opportunities for economic development in the Claypool Hill and Wardell communities.

    July 25, 2014 1 Photo

  • Absentee voting lagging

    Absentee balloting is off to a slow start in a closely-watched Southwest Virginia Senate race that will determine which political party controls the General Assembly.  
    Three candidates are vying to succeed former lawmaker Phillip Puckett, who resigned in June. A special election is set for Aug. 19. The candidates are Republican A. Benton “Ben” Chafin Jr. Democrat D.M. “Mike” Hymes and independent Rick A. Mullins.

    July 25, 2014

  • Civil complaint filed against GM alleging defects caused local woman’s death

    The estate of a young Mercer County woman and her unborn child have filed a civil complaint in Mercer County Circuit Court alleging that a defective ignition switch in the woman’s 2005 Chevy Cobalt led to her death as well as the death of her unborn child.
    Keisha Dawn Vest, 26, of Princeton, the wife of Jason Vest, and mother of a (then) 3-year-old son, was driving to Mt. Airy, N.C., on May 2, 2006, when the brakes on her vehicle failed. Mrs. Vest was working in Mt. Airy as an MRI technician. Without brakes, Mrs. Vest lost control of her vehicle and entered an intersection into the path of a tractor-trailer. She died as a result of the injuries she received in the wreck.

    July 25, 2014

  • ‘Overwhelming:’ Area fans supporting Saints trip to West Virginia

    The community response to the New Orleans Saints’ three-week visit to The Greenbrier for training camp can be described best in one word that Greenbrier owner Jim Justice, Saints general manager Mickey Loomis and Saints head coach Sean Payton all used Thursday when discussing the team’s first 24-plus hours in the Mountain State.
    “Overwhelming,” they all agreed.

    July 25, 2014

  • Va. to join higher education distance learning agreement

    Virginia higher education officials are working to make it easier for students to take online classes and for universities to offer them.

    July 24, 2014

  • Police Brutality screen shot. Technology plays key part in battling police brutality (VIDEO)

    Allegations of police brutality are nothing new -- as long as there has been law enforcement, citizens have registered claims that some officers cross the line. But in the last few years, the claims of excessive force are being corroborated with new technology from cell phone cameras, police dash-cams and surveillance videos. 

    July 24, 2014 1 Photo

  • Lindley, Tom.jpg Better police needed for college teams enticed to cheat

    The NCAA once cracked down on colleges that went too far luring top prospects, then it targeted teams that lathered players with special treatment. That was until the NCAA's get-tough approach backfired, rendering it ineffective and creating an opportunity for those who want to play dirty.

    July 24, 2014 1 Photo

  • Has the ipad lost its swag?

    July 24, 2014

  • Facebook continues moneymaking trend

    Facebook seems to have figured out - for now at least - the holy grail for all media right now: how to make money selling mobile ads.

    July 24, 2014

  • McAuliffe heads West to fundraiser

    July 24, 2014