Carphone Warehouse Breached

Carphone Warehouse, one of the UK’s biggest mobile phone companies, has suffered a major breach. It’s reported that over two million customer records have been compromised, including 90,000 encrypted sets of credit card details.

If you had an account on a Carphone Warehouse website (including Talk Talk), and you used the same password anywhere else, you need to change it now. And keep an eye on your credit card statements and report anything suspicious.


Update Firefox Now

If you use Firefox, you need to update it right now. There’s a zero-day vulnerability being actively exploited. The particular exploit that has been discovered affects Windows and Linux but not OS X; however, OS X users should still upgrade.

And after you’ve upgraded, install an ad blocker. Ads are a frequent vector for this kind of exploit. You can whitelist sites you trust if you want to support them.

Active Mac OS X Exploit

Sometimes keeping your operating system fully patched is not enough. Malwarebytes have discovered active use of a Mac exploit that Apple have not yet patched (except in the OS X 10.11 beta).

To protect yourself, be cautious when downloading and running software on your Mac. The exploit can only work if you run a downloaded program, which can then exploit the vulnerability to gain full privileges on your system. And of course keep an eye out for a fix from Apple, and install it as soon as it is available.

Bad Security Can Be Fatal

If you want to know just how bad it can be when software suppliers get their security wrong, look no further than this advisory from the FDA.

There appears to be a remote exploit against medical drug infusion pumps, potentially allowing an attacker to change the drug dosage. While there are no reports of any actual attacks using this exploit, it could obviously have extremely serious consequences. It’s the Hospira Symbiq Infusion System, so you don’t need to worry (this time) unless you or your hospital use one of those devices.

It seems to be the result of schoolboy security errors. The advisory recommends closing the FTP and Telnet ports. Networked medical devices should under no circumstances be programmed to accept FTP or Telnet connections. They also advise changing the default passwords — the device should not function until the default password has been changed. Such mistakes may be forgivable on some networked devices, but not on medical devices.
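As an added example (not from the FDA advisory, Hospira, or this post), here are the two rules above expressed as a boot-time configuration gate in Python: it flags FTP and Telnet listeners and refuses to let the device enter service while a factory default credential is still configured. The forbidden-port list, the placeholder default credentials and the two sample configurations are constructed for illustration and are not the vendor's values.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Cleartext management services the advisory says should be closed. A device
# that still listens on these ports fails the policy regardless of credentials.
FORBIDDEN_PORTS = {21: "ftp", 23: "telnet"}


def _digest(username: str, password: str) -> bytes:
    # The firmware only needs a digest of the factory credentials, so the
    # cleartext defaults never have to be present at runtime.
    return hashlib.sha256(f"{username}\0{password}".encode()).digest()


# Constructed placeholder defaults for illustration; a real device would embed
# digests of its own factory credentials here.
DEFAULT_CREDENTIAL_DIGESTS = [
    _digest("admin", "admin"),
    _digest("admin", "password"),
    _digest("service", "service"),
]


@dataclass
class DeviceConfig:
    listeners: dict      # tcp port -> service name, as configured on the device
    username: str        # currently configured management credential
    password: str


def is_default_credential(username: str, password: str) -> bool:
    """True if the configured credential matches any known factory default."""
    candidate = _digest(username, password)
    # Constant-time comparison against each stored digest.
    return any(hmac.compare_digest(candidate, d) for d in DEFAULT_CREDENTIAL_DIGESTS)


def check_config(cfg: DeviceConfig) -> list:
    """Return every policy violation found; an empty list means the config passes."""
    violations = []
    for port in sorted(cfg.listeners):
        if port in FORBIDDEN_PORTS:
            violations.append(f"{FORBIDDEN_PORTS[port]} listener enabled on tcp/{port}")
    if is_default_credential(cfg.username, cfg.password):
        violations.append("factory default credential still in place")
    return violations


def may_enter_service(cfg: DeviceConfig) -> bool:
    """Boot-time gate: the device refuses to operate while any violation remains."""
    return not check_config(cfg)


# Constructed sample configurations: the weak one mirrors the advisory's findings,
# the hardened one has the cleartext services removed and the password changed.
WEAK = DeviceConfig({21: "ftp", 23: "telnet", 443: "https"}, "admin", "admin")
HARDENED = DeviceConfig({443: "https"}, "admin", "correct-horse-battery-staple")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: may enter service = {may_enter_service(cfg)}; {check_config(cfg)}")
```

The check runs against the stored configuration rather than a live port scan, so it can sit in the device's own start-up path: a pump that still has FTP or Telnet enabled, or that still carries a factory credential, simply does not reach an operational state until someone corrects the configuration.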

Stagefright Android Vulnerability

This looks like a bad one. An attacker can execute their own code on many Android phones simply by sending an MMS message, and in some cases you don’t even have to view the message to be infected. And the whole Android software update ecosystem is a complete mess, so very many phones will never get patched for it. At the time of writing it seems like there are almost no fixes available from handset suppliers, although the vulnerability was discovered and reported (by Joshua Drake at Zimperium zLabs) in April.

There’s not much you can do about it other than waiting for your supplier to release a fix. It’s worth changing the settings in apps like Messenger and Hangouts that can receive MMS messages to not “automatically receive MMS messages”. If your Android version uses Messenger for SMS messages, you can block messages from people you don’t know, but of course that could block messages that you want to receive.

If you’re on an old handset — and that may mean only a few months old — you may never get a fix. I would certainly avoid opening messages that you’re not expecting from anyone you don’t know, but it seems that may not be enough on at least some phones — the bug is much harder to exploit on iOS versions 4.1 and later, so they’re potentially less affected. If your Android version is so old that it’s 2.1 or earlier, then you’re not affected at all.

It’s this kind of thing that frankly makes me question whether anyone should be buying an Android phone, except for a Nexus or another phone made by Google themselves. The manufacturers don’t regard themselves as software companies, and so don’t pay enough attention to software issues and getting updates out to users, especially users on handsets that aren’t being manufactured any more.

More later, when we have clearer details of exactly who is affected and how bad it is.

Edited to add: Here is the original blog post announcing the vulnerability.