June 19

Tough week for security across the board

Oy vey. As fast as we create technology that changes our lives, we discover holes in the systems that threaten our online and mobile safety. Here are two things that happened this week that you need to know.

Samsung Vulnerability

According to a recent report, 52% of U.S. mobile device owners choose Android operating systems, vs. 43.1% for iOS. Microsoft has 3% of us, and Blackberry folks comprise 1.5%. Further, 43.1% own Apple phones, and just less than 30% carry a Samsung brand.

This week researchers discovered a security flaw that leaves 600 million Samsung phone users at risk. It’s kind of a strange thing. As I understand it, a flawed Samsung Swift keyboard (the cool one that lets you drag your finger across a keyboard rather than type) lets bad guys pretty much take over your device if you’re using a compromised open wifi system (such as a random system you might find in a coffee shop). They have an open window if you’re updating your language pack. You might say, “Well, I have never updated my language pack, so no big deal.” But how many times have you pushed the button to update your app when a notice comes up? Yes, you might be vulnerable, but for the most part, most of us aren’t going to be at risk.

The fixes are coming. In the newer phones, just make sure your security policy updates are set to download automatically. In the meantime, stay off public wifi (which is a good rule almost always).

Update: To clarify, this is the keyboard that came pre-installed with your phone. If you bought a SwiftKey app, you’re just fine.

Apple Vulnerability

Yeah, Apple didn’t have a very good week, either. Two days ago researchers discovered a huge hole in the iOS security system that protects the passwords you save in Keychain. No word on a fix yet, but it’s scary. I’ve always been wary of built-in password savers, which is why I choose LastPass, but… see below! Yeah. Tough week. Another note: a second password manager, 1Password, is also affected by the Apple vulnerability.

LastPass Breach

I’ve long espoused the benefits of using a password manager, but when people ask me if the system is 1000% safe, I emphatically say no. Nothing is safe. Nothing. If you’re online, you’re not safe.

So it is worrisome but not surprising that LastPass “noticed suspicious activity” that led to a discovery of a major security breach. The good news is that they are pretty darn sure that the bad guys didn’t/couldn’t hack into your vault of user names and passwords. The bad news is that if your master password is weak, you’re vulnerable. If you use LastPass, change your master password. Now.

So How Do We Stay Safe?

There are vulnerabilities you can’t do anything about, and some that you can. Your best defense is a superb offense: complicated, unique passwords; smart password reminder questions/answers; conservative use of public wifi; conscientious awareness of security breach news. Another huge key is to enable two-factor authentication every time it’s even remotely possible. Should you switch back to a Filofax full of handwritten passwords and skip password managers? Others have pondered this question this week, and my answer is no. LastPass and 1Password and other major services are still much better at staving off attacks and handling problems than you would be, BUT you have to do your part.


  • Hi I’m Megan and I work for AgileBits, makers of 1Password.

    I just wanted to take a moment to thank you for writing such an informative article. You’re right, it has been a rough week for security! Attacks on our security, including ones thus far contained only in research, are always unsettling.

    These recent events are a reminder that we must continue to be mindful of the software we install on our devices. Being an informed citizen of the internet is key, and this article goes a long way to keeping us all informed. Thanks for sharing!

  • I’m curious as to your thoughts/opinions on the Dashlane password app? Good? Bad? Safe, or not so safe?

