Headaches for older Android phones are coming, encryption debate rises again and beware of a fake Microsoft Teams update.
Welcome to Cyber Security Today. It’s Wednesday November 11th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Some people keep their smartphones or tablets as long as possible. That can be dangerous if the manufacturer has stopped issuing security patches or upgrades to the latest operating system. I mention this because the ZDNet news service pointed out this week that Android phones may have trouble connecting to some websites in January if they run Android 7.1 or earlier. That’s because those websites use a security certificate issued by a free service called Let’s Encrypt.
A little technical stuff here: Some website addresses start with “https”. The “s” means their traffic is encrypted. That protects users from passwords or payment card details being intercepted. The encryption is verified through the use of what’s called a security certificate, a piece of hidden code. Let’s Encrypt offers a free certificate service. The problem for Android users is the original Let’s Encrypt certificate expires on Sept. 1, 2021. If a site they want to go to has one of those certificates, they may get an error message asking if they still want to go to the site, which is inconvenient. But it may be they can’t get to the site at all. One solution is switching to the Firefox Mobile browser. That’s the situation for users.
For website operators who use or are about to start using Let’s Encrypt certificates the problem comes earlier. Starting January 11th — which is only two months away — Let’s Encrypt is changing to a different certificate management system. That, too, will give headaches to users of older Android devices.
This is a lot of words about one specific problem facing owners of older Android devices. The point is if you want to connect to the internet for email and websites you’ve got to have a safe device. And regardless of whether you go to a site that has certificates from Let’s Encrypt or not, if your phone no longer gets security updates or is using a version of Android that’s older than version 7.1 you’re on risky ground. Just a reminder the current version of Android is 10. So go into your Settings, look under Security and see when the last security update was issued. If it hasn’t been in a while either you haven’t checked for updates or the manufacturer no longer supports the phone. Then look under the About Phone section. If the version of Android is 7.1 or older, think seriously of getting a new phone.
It’s important to regularly update the applications on any device you use as well. But hackers also use that as a way to install malware by tricking you into downloading fake updates. The Bleeping Computer news service has spotted one of the latest scams aimed at organizations: A malicious ad on search engines or web pages with links to a fake update for the Microsoft Teams collaboration application. Fall for this and you get hit with ransomware. Software update notices should only be trusted if they come from inside an application.
Privacy experts are calming down after an initial news report suggested a European Council draft paper proposed forbidding providers of email, text and social media services from using end to end encryption. End to end encryption helps ensure criminals can’t hack your messages. But it also makes it almost impossible for police and intelligence agencies to intercept communications of criminals and terrorists. The first news report from Austria worried a lot of people on Twitter. However, others read the full text of the proposed draft and saw it only urged the tech industry and law enforcement to find some way to allow the use of strong encryption in products but let police access data in a lawful and targeted way. This has been talked about for years. The United States has been pressing its allies on this. In fact last month a number of countries including Canada, the United Kingdom, Australia, New Zealand, India and Japan joined the U.S. in calling for technology companies to allow some way for police to legally access encrypted mail and texts. But experts say you can’t have encryption protection and have some way for police and intelligence agencies to access those messages. This debate will go on for a while.
That’s it for Cyber Security Today. Links to details about these stories are in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals.
Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.