
    Author Archive - Jonathan Leopando (Technical Communications)




    Since its initial release in February 2012, the Raspberry Pi – a very inexpensive, palm-sized computer meant to help teach computer science in schools – has become a favorite of hobbyists, makers, and tech enthusiasts everywhere. Why wouldn’t it be? The Raspberry Pi offers tinkerers a very low-cost (both to buy and to run) computer in an extremely compact platform. In addition, because of its origins as an educational tool, it’s easy to use and versatile. Accordingly, it can be used in all sorts of creative ways.

    However, its apparent simplicity and low cost come with a downside. The Raspberry Pi is not a simple “device” with limited capabilities; it is a fully capable computer. The same pitfalls that befall normal desktop computing can hit the Raspberry Pi if it is not properly secured.

    Some uses of the Raspberry Pi actually turn it into a server, and that is something that users may not really know how to secure. For example, some people have made the Raspberry Pi into a server that controls their home automation system, or allows users to watch videos served by the Pi remotely.

    For many uses of the Raspberry Pi, security isn’t much of a concern – it will never be online or even exposed to external input that could be used as an infection vector. The trouble comes when it’s used in situations where it is online – particularly as a server – where it’s at potential risk. For example, some automated scanners are already trying to log in with the pi user.

    In short, the Raspberry Pi is only as secure as the uses you put it to. Good server security is not always easy; consider that even IT professionals make mistakes. Look into known server best practices if you do use a Raspberry Pi for these purposes. Considering its origin as an educational tool, learning how to secure a server would be an appropriate use for a Raspberry Pi.

    We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.

     
    Posted in Targeted Attacks



    A few weeks ago, we noted that we believed it was likely that Bitcoin miners using GPUs might become part of the threat landscape. It appears that that has happened, in a somewhat roundabout way.

    The e-sports league ESEA was recently forced to admit that an employee had, without authorization, pushed a Bitcoin miner to users and forced the client machines to mine coins – for his own gain. They claim that the code to do so was born out of internal tests to see if this could be added as a feature to their software clients. ESEA themselves described the affair as a “fiasco”.

    By itself, this would be interesting enough. A legitimate software service was used to push unauthorized software to the machines of end users, much like what happened in Korea recently. However, the payload itself was unusual too: it was a Bitcoin miner, specifically one that was capable of harnessing the GPUs of users.

    This incident may well have been the first that did use GPUs, but we doubt it will be the last. The losses to users may not have been that large, but they were real nonetheless: increased energy usage and wear and tear on their computers. In addition, affected users will see increased bandwidth usage, as effective miners use a noticeable stream of bandwidth.

    Gamers may want to pay particular attention to signs of heavy GPU load on their system in the absence of any gaming activity. These can include excessive levels of heat or noise from their system, as well as poor performance in games. The control panels provided by AMD and NVIDIA can also be used to check the load on GPUs – under normal, non-gaming circumstances, GPUs should not be heavily loaded.


     



    Last week, a rather interesting complaint was filed before the Federal Trade Commission. In a 16-page complaint, the American Civil Liberties Union described the lack of updates for many Android devices as “unfair and deceptive business practices”. The complaint went on to ask the respondents (the top four wireless carriers in the United States) to let customers with unpatched (and vulnerable) devices out of their contracts early.

    We will note that the FTC settled with HTC just two months ago over the Carrier IQ controversy. Unpatched vulnerabilities were a key part of the settlement; HTC agreed to patch the vulnerabilities within 30 days. While the action of ordering the vulnerabilities fixed was laudable, it wasn’t exactly timely: Carrier IQ came into the limelight in late 2011.

    What the lawsuit does do is bring the Android update problem beyond just tech industry circles and into the hands of regulators. Two years ago, at Google I/O, the Android Update Alliance was unveiled. Google promised to work with both carriers and device manufacturers to keep devices updated for 18 months after they were released. Unfortunately, almost nothing has been heard from the alliance since then.

    Let’s consider Google’s own statistics. The most common version of Android in use is… Android 2.3 (Gingerbread), which was last updated in September 2011. The percentage of users on the latest version, Android 4.2 (Jelly Bean), is… 2%. It is rumored that the next version of Android, codenamed Key Lime Pie, will be released as soon as this May. It’s quite possible that 4.2 will not even hit double-digit percentages by the time its successor is released.


     
    Posted in Mobile



    Bitcoin is still in the news, even if it’s not exactly for the right reasons. From its peak value of $263.798 per bitcoin on April 10, it has since fallen to just over $100. That actually represents a recovery from its post-peak low value of just over $50. Clearly, the market for Bitcoins is… volatile.

    For those not in the know, Bitcoin is a new digital currency which is generated, or “mined”, by software solving computationally difficult problems. Cybercriminals have latched onto Bitcoin as well, as it represents another way to earn money (Bitcoins are exchangeable for real-world currencies like US dollars via various exchanges.)

    Since 2011, we have found various malware threats that try to use victim machines as Bitcoin miners, or steal users’ Bitcoins. One even tried to pass itself off as a Trend Micro component. Just this past week, malware exploiting the Boston Marathon bombing to spread turned out to be stealing Bitcoin wallets as well. Bitcoin exchanges have also been hit with frequent denial-of-service attacks, with the largest exchange (Mt. Gox) suffering from three DDoS attacks in April alone.

    For criminals, using infected systems as miners makes perfect sense, as using infected machines offloads the costs associated with Bitcoin mining, which can be significant. They would no longer need to purchase expensive graphics cards and/or application-specific integrated circuit (ASIC) chips. (Either one is necessary to mine Bitcoins with any reasonable expectation of profit.)


     



    Facebook Home is now available for (some) Android devices, aside from its launch device, the HTC First. It is easy to understand this direction that Facebook has chosen to take. There are many users who would find something like Facebook Home useful and would like it: people who use their mobile devices primarily to connect with their Friends and share likes, updates, photos, and other such social activities.

    However, people are becoming genuinely concerned about how much of our data is ending up in the hands of Internet companies. Facebook Home doesn’t collect any types of information that existing apps don’t already collect, as their officials went to some length to explain. The concern, though, is that they said nothing about the quantity of data that will be gathered. This in and of itself is of great value to Facebook; increasing the amount of data to correlate can only “improve” what Facebook knows about its users.

    What we would suggest is for people to be genuinely mindful and thoughtful about what they do share online. Do you really have to share that photo? Do you really want to send this status update out into the public, where future friends, partners, and employers will be able to find it down the road? A good way to moderate the sharing of information is through privacy scanners (which we offer for free in Google Play, and which are a built-in feature in Trend Micro™ Titanium™ Security), but of course the users’ mindset would play a crucial part.

    One more thing to consider is how companies will treat our data if it’s no longer in use. Google recently released the Inactive Account Manager, which lets Google know what to do with your data if you’re no longer accessing Google. While the advertised use is for someone’s death, it could easily be used for less morbid uses. In this case, if you want Google to forget about you, just stay away for at least three months. Google deserves kudos for steps like these, and other companies would be well encouraged to follow suit.

    In the end, users should remember one thing: nothing ever goes away on the Internet.


     
    Posted in Data, Mobile, Social Media


     

    © Copyright 2013 Trend Micro Inc. All rights reserved.