Monthly Archives: August 2015

Android Lock Patterns Laughably Easy To Guess

A researcher shows that people rely on weak Android lock patterns just as they do weak.

When Google launched Android in 2008, it also introduced lock patterns — a way to unlock Android devices by tracing a pattern on the screen rather than using a traditional password or PIN. A new study suggests people aren’t very creative when it comes to forging hard-to-guess patterns.

By now we all know that using “password” or “123456” as your password is about as dumb and lazy as it gets. Those are easily guessed and are hardly a speed bump to hackers. Pattern locks have the potential to be very secure, but people are lazy with patterns, too.

Marte Løge, a graduate of the Norwegian University of Science and Technology, analyzed nearly 4,000 Android lock patterns and found incredible similarities throughout. “Humans are predictable,” Løge told Ars Technica. “We’re seeing the same aspects used when creating a pattern lock [as used in] PIN codes and alphanumeric passwords.”

Android lock patterns require users to connect at least four of nine nodes, which are arranged in a three-by-three grid.

Though users have to use a minimum of four nodes, they can use up to all nine if they wish. Løge says the average number of nodes used is five, which allows for slightly under 9,000 total pattern combinations. Using only four nodes limits the total number of patterns to 1,624. The total number of all possible patterns reaches 389,112 when a combination of four through nine nodes is used.

Løge’s test subjects mostly chose to use only four nodes. Though the number of nodes used limits the total number of combinations, so too does the pattern complexity. For example, patterns that change direction can dramatically increase the level of complexity.

The data reveals that 44% of all patterns start in the top-left node and a whopping 77% start in one of the four corners. Most patterns start in the top left and move to bottom right.
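The pattern counts quoted above (1,624 four-node patterns, 389,112 in total) can be reproduced by brute force, and the same enumeration shows how far the observed 77% corner-start rate is from what uniformly random patterns would give. This is an added example, not part of the original article; the function names are ours, and it assumes the standard Android rules that a node is used once and a stroke cannot skip over an unused node.

```python
from functools import lru_cache

# Nodes are numbered row-major: 0 1 2 / 3 4 5 / 6 7 8.
# Assumption (standard Android rule, not stated in the article): each node is
# used once, and a stroke may cross the node exactly between two others only
# if that node is already part of the pattern.
CORNERS = (0, 2, 6, 8)

def midpoint(a, b):
    """Node exactly halfway between a and b on a straight line, else None."""
    (ra, ca), (rb, cb) = divmod(a, 3), divmod(b, 3)
    if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return ((ra + rb) // 2) * 3 + (ca + cb) // 2
    return None

MID = [[midpoint(a, b) for b in range(9)] for a in range(9)]

@lru_cache(maxsize=None)
def tally():
    """counts[start][length] for every start node and every length 1..9."""
    counts = [[0] * 10 for _ in range(9)]
    def extend(start, current, visited, length):
        counts[start][length] += 1  # every valid prefix is itself a pattern
        for nxt in range(9):
            if (visited >> nxt) & 1:
                continue  # node already used
            mid = MID[current][nxt]
            if mid is not None and not (visited >> mid) & 1:
                continue  # would jump over an unused node
            extend(start, nxt, visited | (1 << nxt), length + 1)
    for s in range(9):
        extend(s, s, 1 << s, 1)
    return counts

def counts_by_length(min_len=4, max_len=9):
    """Map pattern length -> number of valid patterns of that length."""
    t = tally()
    return {n: sum(t[s][n] for s in range(9)) for n in range(min_len, max_len + 1)}

def corner_start_share(min_len=4, max_len=9):
    """Fraction of patterns starting in a corner if all were equally likely."""
    t = tally()
    corner = sum(t[s][n] for s in CORNERS for n in range(min_len, max_len + 1))
    return corner / sum(counts_by_length(min_len, max_len).values())

if __name__ == "__main__":
    print(counts_by_length(), sum(counts_by_length().values()))
    print(f"uniform corner-start share: {corner_start_share():.1%} (observed: 77%)")
```

The enumeration gives 7,152 patterns of exactly five nodes and 8,776 for four and five nodes combined, which is the "slightly under 9,000" figure.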

Worse, a significant number of patterns correspond to a letter in the alphabet, which often matched the first letter of the name of the pattern-creator or that person’s spouse or child. This leads to a 1-in-10 chance of attackers guessing the pattern in no more than 100 guesses, according to Ars.

The odds go down if the attacker knows the target or the names of those close to the target.

“It was a really fun thing to see that people use the same type of strategy for remembering a pattern as a password,” said Løge. “You see the same type of behavior.”

Want to improve the security of your Android smartphone? Use more nodes, said Løge.

Incorporating cross-overs (passing over the same node twice) makes it harder for shoulder surfers to figure out the pattern, too. Android users can also turn off the “make pattern visible” option, which turns off the lines that appear between nodes as they are connected by the user.

Enterprise IT should be requiring Android device users to have a higher number of nodes in their patterns. The safest bet, according to Løge’s data, is eight nodes.

Eric Zeman “Android Lock Patterns Laughably Easy To Guess” 8/24/2015 12:05 PM

Wireless network performance

It has been a successful start to the semester as far as the wireless network is concerned. We’ve been connecting almost 9,000 unique devices on our wireless network each day and at peak times are serving more than 3,000 concurrent devices across both campuses. We’re very excited about the performance of the system this semester and we’ll continue to do everything we can to improve. As always, if you have trouble or have questions, come by or call the UITS help desk in CCT on main campus or the Dilligham building on our Riverpark campus. The phone number for the help desk is 706-507-8199.

What you need to know about the new Android vulnerability, “Stagefright”

What is Stagefright?
Recently a security researcher revealed a series of high-severity vulnerabilities related to Stagefright, a native Android media player, that affect nearly all Android devices in the world. The Stagefright vulnerabilities carry serious security implications: an attacker could exploit them to remotely control and steal data from a device by sending a victim a multimedia message (MMS) packaged with an exploit.

Any number of applications can process MMS content and thereby receive exploits, but devices using Google Hangouts for this purpose may be most at risk since a victim may not even need to open the message in Hangouts for an attacker to take control of their device. In all other hypothetical attacks it appears a victim needs to open their default SMS messaging app and the message thread itself for the exploit to work (although the media file does not necessarily need to be played within the app).

Based on Lookout’s own Stagefright research over the last 24 hours it also appears that multimedia viewed in a browser (e.g. a web video) could be used to deliver a Stagefright attack.

The Stagefright vulnerabilities affect all Android devices running Froyo 2.2 to Lollipop 5.1.1, which covers approximately 95% of all Android devices today. The security researcher who discovered these vulnerabilities first alerted Google to this issue in April and included security patches. Google has accepted the patches and sent security updates to its partners to be distributed to vulnerable devices.

Lookout’s Protection

Lookout protects devices from malware delivered using Stagefright exploits. Keep in mind that a device will remain vulnerable until it receives Google’s patches for these vulnerabilities. Android devices other than Nexus devices will ultimately need to get these patches through a Google partner (either a device manufacturer or wireless carrier). Nexus devices, however, will receive a direct security update from Google next week, according to a Google spokesperson.

Unfortunately, security patches delivered by Google’s partners can take weeks and even months to fully deploy. To check if a patch is available for most Android devices, go to Settings and click System Updates. In the meantime, Android users waiting on Stagefright security patches can take additional steps on their device to protect themselves.

Additional Protection

As an added protection measure, Lookout recommends disabling auto-fetching of MMS messages on a device’s default SMS app.

When an Android device receives a video message via SMS, by default it will automatically download the file. Therefore, disabling auto-fetching prevents an attacker from getting a device to automatically download a malicious video containing Stagefright exploits, which allows the user to delete the message and avoid device exploitation.

A device’s default SMS app may be “Hangouts”, or it may be a version of a native Android app variously named “Messages”, “Messaging”, or “Messenger”, depending on the device model and Android version. To determine your device’s default SMS app, go to Settings > Default applications > Messages.

We’ve included walk-through instructions below that show how to disable MMS auto-fetching for the four messaging apps listed above. If a device uses a different default SMS app, Lookout recommends disabling MMS auto-fetching within that app or switching to an app such as Hangouts that allows this feature to be disabled. Lookout users can contact Lookout support if they need help disabling MMS auto-fetching.

While these instructions will make it harder for a device to be exploited via MMS, Lookout encourages Android users to exercise caution when viewing videos displayed on untrusted websites or included in messages from unknown senders.

Instructions for Hangouts
Instructions for Messages
Instructions for Messaging
Instructions for Messenger

Lookout “What you need to know about the new Android vulnerability, ‘Stagefright’” July 28, 2015

Ten Steps to Smartphone Security

Smartphones continue to grow in popularity and are now as powerful and functional as many computers. It is important to protect your smartphone just like you protect your computer as mobile cybersecurity threats are growing. These mobile security tips can help you reduce the risk of exposure to mobile security threats:
1. Set PINs and passwords. To prevent unauthorized access to your phone, set a password or Personal Identification Number (PIN) on your phone’s home screen as a first line of defense in case your phone is lost or stolen. When possible, use a different password for each of your important log-ins (email, banking, personal sites, etc.). You should configure your phone to automatically lock after five minutes or less when your phone is idle, as well as use the SIM password capability available on most smartphones.
2. Do not modify your smartphone’s security settings. Do not alter security settings for convenience. Tampering with your phone’s factory settings, jailbreaking, or rooting your phone undermines the built-in security features offered by your wireless service and smartphone, while making it more susceptible to an attack.
3. Back up and secure your data. You should back up all of the data stored on your phone – such as your contacts, documents, and photos. These files can be stored on your computer, on a removable storage card, or in the cloud. This will allow you to conveniently restore the information to your phone should it be lost, stolen, or otherwise erased.
4. Only install apps from trusted sources. Before downloading an app, conduct research to ensure the app is legitimate. Checking the legitimacy of an app may include such things as checking reviews, confirming the legitimacy of the app store, and comparing the app sponsor’s official website with the app store link to confirm consistency. Many apps from untrusted sources contain malware that once installed can steal information, install viruses, and cause harm to your phone’s contents. There are also apps that warn you if any security risks exist on your phone.
5. Understand app permissions before accepting them. You should be cautious about granting applications access to personal information on your phone or otherwise letting the application have access to perform functions on your phone. Make sure to also check the privacy settings for each app before installing.
6. Install security apps that enable remote location and wiping. An important security feature widely available on smartphones, either by default or as an app, is the ability to remotely locate and erase all of the data stored on your phone, even if the phone’s GPS is off. In the case that you misplace your phone, some applications can activate a loud alarm, even if your phone is on silent. These apps can also help you locate and recover your phone when lost. Visit CTIA for a full list of anti-theft protection apps.
7. Accept updates and patches to your smartphone’s software. You should keep your phone’s operating system software up-to-date by enabling automatic updates or accepting updates when prompted from your service provider, operating system provider, device manufacturer, or application provider. By keeping your operating system current, you reduce the risk of exposure to cyber threats.
8. Be smart on open Wi-Fi networks. When you access a Wi-Fi network that is open to the public, your phone can be an easy target of cybercriminals. You should limit your use of public hotspots and instead use protected Wi-Fi from a network operator you trust or mobile wireless connection to reduce your risk of exposure, especially when accessing personal or sensitive information. Always be aware when clicking web links and be particularly cautious if you are asked to enter account or log-in information.
9. Wipe data on your old phone before you donate, resell, or recycle it. Your smartphone contains personal data you want to keep private when you dispose of your old phone. To protect your privacy, completely erase data off of your phone and reset the phone to its initial factory settings. Then, donate, resell, recycle, or otherwise properly dispose of your phone.
10. Report a stolen smartphone. The major wireless service providers, in coordination with the FCC, have established a stolen phone database. If your phone is stolen, you should report the theft to your local law enforcement authorities and then register the stolen phone with your wireless provider. This will provide notice to all the major wireless service providers that the phone has been stolen and will allow for remote “bricking” of the phone so that it cannot be activated on any wireless network without your permission.

FCC “Ten Steps to Smartphone Security”

Welcome Back!



Your UITS team is here to help!

We can assist with:

  • Microsoft Office 365 FREE download
  • Atomic Learning- Software Tutorials/Training
  • FREE Antivirus Software
  • Open Computer Labs
  • CSU Computer Repair Shop
  • WebPrint
  • Mobile Apps
  • Connecting to Wireless Network
  • CougarNet & CougarView
  • Collaborating with Google Drive