Dangerous Android security apps in the Google Play store, advice for email and WordPress administrators and more on unsafe credit card readers
Welcome to Cyber Security Today. It’s Friday March 15th I’m Howard Solomon, contributing writer on cyber security and privacy for ITWorldCanda.com. To hear the podcast click on the arrow below:
So you want a security app for your Android smart phone or tablet. Think you can pick just anything from the Google Play store? No, says an antivirus testing firm called AV-Comparatives. It analyzed 250 security applications in the Google store and found almost half of them are ineffective. Either they detected less than 30 per cent of malware in tests, or they had a relatively high rate of false positives when scanning clean apps. In some cases the apps were just buggy because of the way they were written. Others were just unreliable, still others were apparently designed to pass minimal tests so they would be accepted by app stores and make money. Worst of all, some actually included malware.
Just because an app has the word “security” or “antivirus” in its name doesn’t mean it’s safe or effective at what it’s supposed to do. Just because a security app is in the Google Store doesn’t mean its effective.
What should you do when looking for a security app? Check lists from companies like AV-Comparatives or AV-Test. Some sites test software for Android, iOS, Mac and Windows. Look for apps that have at least a 90 per cent detection rate. Usually the safest apps come from well-known brand names.
Can you trust user reviews in app stores? Well, many will give a rating based solely on their experience in using the app, not whether its effective. And some reviews in app stores are fakes.
Attention corporate email administrators: If you use a cloud application like Office 365 or G Suite, make sure you turn off the IMAP protocol. According to security vendor Proofpoint, criminals are increasingly exploiting IAMP in using brute force login attacks. IMAP helps organizations enroll lots of people, but it also bypasses multifactor authentication. Multifactor authentication is when users get an extra code sent to their smartphones to enter in addition to a username or password. So, IT teams, turn off IMAP on cloud applications and enable multifactor authentication. It may make things a little more complicated, but it’s safer.
WordPress administrators should be aware there is a new security patch now available. Version 5.1.1 includes 14 fixes. One of them patches a problem that could lead to a cross-site scripting corruption of your site if the comments capability is enabled. This affects all versions of WordPress. This latest update also includes things needed for the upcoming major version 5.2.
In my last podcast I mention how disappointed I was at finding stores in San Francisco that insisted I swipe my chip-enabled credit card along the side of the card reader. It’s much safer to either tap a card or insert from the bottom and enter a PIN number. Taping or inserting in the bottom allows the reader to use the security chip on the front of the card. Security vendor Flashpoint this week said it has found another version of data-stealing malware aimed at these store readers that may have been used for several years in the restaurant and entertainment business. If you’re a store owner, it’s important you pay up for modern credit and debit card readers that can use card with security chips. If you’re a consumer, stop using cards that don’t have the safety chip on the front. And refuse to swipe your card.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cyber security professionals. Cyber Security Today can be heard Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon