Android Malware Steals Data from Social Media Apps

A newly discovered backdoor that has managed to infect over one thousand Android devices was designed to steal sensitive data from popular social media applications, Google reveals.

Dubbed Tizi, the malware comes with rooting capabilities and has already been used in a series of targeted attacks against victims in African countries such as Kenya, Nigeria, and Tanzania. Discovered by the Google Play Protect team in September 2017, the backdoor appears to have been in use since October 2015.

A fully featured backdoor, Tizi installs spyware that allows it to steal sensitive data from the targeted applications, Google says. The malware family attempts to exploit old vulnerabilities to gain root access on the infected Android devices, and its developer also uses a website and social media to lure users into installing more apps from Google Play and third-party websites.

To date, Google has identified over 1,300 devices affected by the malware. According to the company, newer Tizi variants include rooting capabilities that attempt to exploit a series of local vulnerabilities, including CVE-2012-4220, CVE-2013-2596, CVE-2013-2597, CVE-2013-2595, CVE-2013-2094, CVE-2013-6282, CVE-2014-3153, CVE-2015-3636, and CVE-2015-1805.

Since most of these vulnerabilities target older chipsets, devices, and Android versions, users running a security patch level of April 2016 or later are far less exposed to Tizi's capabilities. If none of the exploits work, a Tizi app attempting to gain root falls back to performing its actions through the high level of permissions it requests from the user.

Once it has gained root on the compromised device, the threat can proceed to steal sensitive data from popular social media apps such as Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.

After infection, the malware usually contacts its command and control (C&C) by sending an SMS with the device's GPS coordinates to a specific number. Subsequent communication with the C&C is performed over HTTPS, although some versions of the malware also use the MQTT messaging protocol to connect to a custom server.

“The backdoor contains various capabilities common to commercial spyware, such as recording calls from WhatsApp, Viber, and Skype; sending and receiving SMS messages; and accessing calendar events, call log, contacts, photos, Wi-Fi encryption keys, and a list of all installed apps,” Google says.

On top of that, however, the malware can also record ambient audio and take pictures without displaying the image on the device's screen.

To stay safe, users are advised to pay close attention to the permissions they grant to newly installed applications; to enable a secure lock screen, such as PIN, pattern, or password; to keep their devices up-to-date at all times, given that the threat exploits old, known vulnerabilities; and to ensure Google Play Protect is enabled.

Serious MacOS Vulnerability Exposes the Root User

Apple has now released a fix for the bug described here. That fix is part of Security Update 2017-001, which is available from the Mac App Store, in the Updates tab, with the label “Install this update as soon as possible.” (Somewhat confusingly, there have already been previous Security Update 2017-001 releases, for unrelated issues, for Sierra, El Capitan and Yosemite.) This update should be installed as soon as possible, and does not require a restart.

It turns out that the issue in question works with any authentication dialog in High Sierra. For example, in any pane in System Preferences, click the padlock icon to unlock it and an authentication dialog will appear. Similarly, if you try to move a file into a folder you don’t have access to, you’ll be asked to authenticate.

Enter “root” as the username, and leave the password field blank. It may work on the first try, but more likely you’ll have to try two or more times.

When the authentication window disappears, whatever action you were attempting will be done, without any password required.

Let’s take a step back for just a moment and consider what this means. On a Unix system, such as macOS, there is one user to rule them all. (One user to find them. One user to bring them all and in the darkness bind them. </end obligatory nerdy Lord of the Rings reference>)

That user is the “root” user. The root user is given the power to change anything on the system. There are some exceptions to that on recent versions of macOS, but even so, the root user is the single most powerful user with more control over the system than any other.

Being able to authenticate as the root user without a password is serious, but unfortunately, the problem gets worse. After this bug has been triggered, it turns out you can do anything as root on the first try, without a password.

The root user, which has no password by default, is normally disabled. While the root user is disabled, it should not be possible for anyone to log in as root. This is how macOS has worked since day one, and it has never been an issue before, but this vulnerability causes the root user to become enabled… with no password.

Unfortunately, this means that anyone will be able to log into your Mac using user “root” and no password!

Note that this does not require that the login window be set to always ask for a username and password. If you have it set to display a list of user icons instead, after triggering this vulnerability, there will be an “Other…” icon that will be present on the login screen. Clicking that will allow you to manually enter “root” with no password.

Remote access

This bug does not appear to be exploitable through some of the remote access services that can be enabled in the Sharing pane of System Preferences. Remote Login, which enables access via SSH, does not appear to be exploitable in our testing, nor does File Sharing. Even after triggering the bug and, thus, enabling the root user with no password, we were not able to connect to the vulnerable Mac through these methods.

Unfortunately, it looks like Screen Sharing, which allows you to view and remotely control the screen of your Mac, is vulnerable to this bug. In fact, it can actually be used to trigger this bug, without needing to rely on the root user already having been enabled!

In the screen sharing authentication window on a remote Mac, the same technique can be used. We were able to connect via screen sharing, using “root” as the username and no password, on the second attempt. At that point, the root user was enabled on the remote Mac, and we were able to log in to the root account via screen sharing without any blatant indication that we were doing so appearing on the screen shown to the logged in user on the target Mac. (An icon does appear in the menu bar on the target Mac, but it is not immediately obvious what that icon means. The average user will likely never notice the new icon.)

Unforeseen consequences

Once someone is logged into your Mac as root, they can do whatever they want, including accessing your files, installing spyware, you name it. So, in other words, if you were to leave your Mac unattended for 30 seconds, someone could backdoor it and have a very powerful way in later.

Suppose that you are Suzy, an average office worker in a cubicle farm. You step away from your desk for a moment to grab a cup of coffee. You’ll only be gone for about a minute, and don’t bother locking your screen. While you’re gone, Bob from the next cubicle comes over and “roots” your computer.

Later, you go to lunch. You’re gone for an hour, and Bob knows this because he’s familiar with your routine. He uses the root user to log into your Mac and install spyware—perhaps something to peep through the webcam, hoping to catch you in a compromising position later on when you’ve taken your MacBook Pro home with you.

Of course, all that’s even easier if you have screen sharing turned on, and he can install the spyware remotely, without ever touching your Mac.

Creeped out yet?

Fortunately, if you have your Mac’s hard drive encrypted with FileVault, this will prevent the attacker from having a persistent backdoor. In order to log in, the attacker would have to know the password that will unlock FileVault. Not even the all-powerful root user can access an encrypted FileVault drive without the password.

It’s also worth pointing out that a well-prepared attacker with access to your unlocked Mac could install spyware in less than a minute without relying on this vulnerability and without needing an admin password of any kind (depending on what the spyware does). Some spyware can be installed with normal user privileges.

Further, with a longer interval of unsupervised physical access to any Mac that doesn’t have FileVault turned on, an attacker can install spyware of any kind without needing an admin password.

Avoiding an attack using this vulnerability is actually fairly trivial. Just turn on FileVault, and always lock your Mac’s screen or log out when you’re away from it. While you’re at it, set a firmware password. And, to prevent remote access, turn off all services in System Preferences -> Sharing as a precaution.

Still, this is a very serious vulnerability, which Apple needs to address as quickly as possible. We contacted Apple for comment, but by the time of this writing, had not heard back.

Undoing the damage

If you, like many, have tried this out on your own Mac, you’ve opened up a potential backdoor. Fortunately, closing that door isn’t particularly hard, if you know the door is there and that it’s open.

First, open the Directory Utility application. It’s buried deep in the system where it’s hard to find, but there’s an easy way to open it. Just use Spotlight. Click the magnifying glass icon at the right side of the menu bar, or press command-space, to invoke Spotlight. Then start typing Directory Utility in the search window. Once the application is found, simply double-click it in the list to open it. (Or, even easier, press return once it’s selected in the search results.)

Once Directory Utility opens, click the lock icon in the bottom left corner of the window to unlock it. Then, pull down the Edit menu.

If you see an item reading Enable Root User, as shown in the screenshot above, you’re good. Whatever you did, the root user wasn’t enabled. Quit Directory Utility, and go about your business.

If, instead, you see an item reading Disable Root User, choose that. The root user will be disabled again, as it should be, and it will no longer be possible to log in as the root user from the login screen. Just be aware that this does nothing to protect against the vulnerability, so the root user could easily be enabled again.

Be sure to take the other measures described above to secure your system against unauthorized physical access. Namely, turn on FileVault, always lock your Mac’s screen or log out when you’re away from it, set a firmware password, and turn off all services in System Preferences -> Sharing.
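
The Directory Utility check described above can also be made from Terminal. The script below is an added example, not part of the original article: it classifies the output of dscl . -read /Users/root Password AuthenticationAuthority, on the assumption that a disabled root account shows "Password: *" and no AuthenticationAuthority attribute. The function names and the two sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): report whether the macOS
# root account is enabled, using its local directory record.
# Assumption: a disabled root account has Password "*" and no
# AuthenticationAuthority attribute; an enabled one has the attribute set.

# Constructed sample records, in the shape dscl prints them.
SAMPLE_DISABLED='Password: *
No such key: AuthenticationAuthority'
SAMPLE_ENABLED='Password: ********
AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>'

# Classify the text printed by:
#   dscl . -read /Users/root Password AuthenticationAuthority
# Prints one of: enabled, disabled, review, unknown.
classify_root_record() {
    local record="$1" password
    # Value of the Password attribute ("*" means no usable password).
    password=$(printf '%s\n' "$record" |
        sed -n 's/^Password:[[:space:]]*//p' | head -n 1)

    if printf '%s\n' "$record" | grep -q '^AuthenticationAuthority:'; then
        echo enabled        # root has an authentication method attached
    elif printf '%s\n' "$record" |
            grep -q 'No such key: AuthenticationAuthority'; then
        if [ "$password" = "*" ]; then
            echo disabled   # same state as seeing "Enable Root User"
        else
            echo review     # no authority, but an unexpected password value
        fi
    else
        echo unknown        # input did not look like a dscl record
    fi
}

# Query the local machine (macOS only) and print what to do next.
audit_local_root() {
    local record state
    record=$(dscl . -read /Users/root Password AuthenticationAuthority 2>&1)
    state=$(classify_root_record "$record")
    echo "root account: $state"
    case "$state" in
        enabled)
            echo "Disable it: Directory Utility > Edit > Disable Root User,"
            echo "then install Security Update 2017-001." ;;
        review|unknown)
            echo "Inspect the record by hand:"
            printf '%s\n' "$record" ;;
    esac
    [ "$state" = "disabled" ]
}

if command -v dscl >/dev/null 2>&1; then
    audit_local_root
else
    # Not on macOS: run the classifier over the constructed samples instead.
    echo "disabled sample -> $(classify_root_record "$SAMPLE_DISABLED")"
    echo "enabled sample  -> $(classify_root_record "$SAMPLE_ENABLED")"
fi
```

On a Mac the script exits with status 0 only when root is disabled, so it can be run again after installing the update to confirm the account has not been re-enabled.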

Will the End of Net Neutrality Crush the Internet of Things?

The FCC announced its plans to do away with net neutrality rules. What effect will that have on IoT? It was hardly a surprise, but this week Federal Communications Commission Chairman Ajit Pai made it all but official: He announced a plan to scrap Obama-era net neutrality rules.

Since Republicans hold a 3-2 edge at the FCC, Pai’s plan is virtually certain to pass — despite lobbying efforts and court challenges from just about every internet constituency apart from big internet service providers (ISPs). "The Restoring Internet Freedom Order," as it’s cynically called, will very likely upend the current rules classifying internet service as a public utility and prohibiting carriers from slowing or blocking certain types of traffic.

Most of the commentary so far has centered on possible blockages of fast access to consumer services such as Netflix, or higher ISP prices to ensure unfettered access to popular online content. But the looming end of net neutrality is likely to have far more pervasive effects than a jittery picture when streaming old episodes of Breaking Bad.

The IoT thrived under net neutrality

One of the biggest questions, in fact, is what effect the sunset of net neutrality provisions will have on the Internet of Things (IoT). My initial analysis suggests that the effects could be significant, but will take time to shake out.

We’ve never really lived in a world with no net neutrality rules, so ISPs and enterprises will be feeling their way around the new landscape. But there are already concerns about how the end of net neutrality could affect the IoT.

Blocking and throttling internet traffic

First of all, if carriers can block, throttle, or delay traffic at their discretion, they could very easily decide to impede IoT traffic in a variety of ways, for a variety of reasons. Unless, perhaps, users paid a premium for fast, timely delivery of their IoT data or agreed to buy IoT devices only from the carrier or its approved partners. In areas where a carrier held a monopoly on internet access, it could pretty much dictate terms.

I haven’t yet heard of any plans to do such noxious things, but it’s hard to put anything past these companies. They’re some of the most disliked companies in America, and they’re under pressure to justify their huge network investments. What do you really expect them to do … let a potential gold mine just sit there?

Effects on enterprise users and small businesses

Attempts to leverage the new rules might not have to be so blatant, though. A carrier might simply tell a company like GE that if it wants guaranteed prompt delivery of the data from its industrial IoT devices, it will have to upgrade to a higher — read, more expensive — tier of service to ensure the required service levels.

Given the high stakes, a company the size of GE might be willing to go along. But smaller businesses — especially those upstart IoT startups with the cool new ideas — might not be able to afford to pay the freight for premium net access. So, the data from their IoT devices might not be delivered for analysis in a timely fashion … or at all. For enterprise IoT users, the initial effect is likely to be higher costs to ensure access and greater uncertainty about the best ways to connect IoT devices.

The IoT, like the net as a whole, runs on the free exchange of data. That freedom might not disappear immediately upon the death of net neutrality, but this week’s FCC actions certainly make it more likely to erode over time.

Hack-Proof Your Life: 5 Key Steps to Boost Your Safety Online

At this moment, someone wants your information. Hackers covet your email account, your home address and your Social Security number. They want to commandeer your webcam and break into your bank account. They are just waiting for you to slip up and give them a chance. Everywhere you look, malevolent coders are finding backdoors and vulnerabilities. There are simple ways to protect yourself. But where do you start? Follow these five steps to boost your safety online instantly.

1. Passwords

Relying on a weak password is asking to be hacked. Your passwords are either your first line of defense against hackers, or they’re an open window that lets them slip through. In cybersecurity, there is no middle ground.

How dangerous is it? A lowercase, six-character password takes a hacker around 10 minutes to figure out. Add four more characters, and you extend the time of that heist by 45,000 years.

Create a long, complex password that isn’t hard to remember. One trick is making your password a sentence – focus on positive sentences that are easy for you to remember and unique to you, such as “My son was born on Aug. 12.” On many sites, you can even use spaces!

Additionally, if one of the apps or websites you use is involved in a data breach, you’ll want to update your password for that account immediately. And don’t reuse passwords across different accounts!

2. Set Up Two-Factor Authentication

You’ve probably seen this before, even if you didn’t know what it was called. Two-factor authentication – a type of strong authentication – is a fancy name for adding another step to the login process. A login page may ask for your first car or your favorite food. The website might even send a text message with a special code to make sure you are who you claim to be or ask you to verify your identity with touch ID or a physical security key.

Two-factor authentication adds an important layer of protection to your account. For hackers, the coup de grace is setting up instant alerts when your account is accessed from an unfamiliar device or location. Usually, this is because you’re logging in to your email account from an internet café in London, or you’re checking your bank balance on a trusted friend’s phone. Other times, it’s a hacker who is trying to figure out your credentials. You will receive a notification by email or text message saying that there was a login from an unrecognized machine or someone asked to reset your password. The login will not be authorized or the password reset without having the special code included in the email or text.

If you do nothing else on this list, click here for the steps to turn on two-factor authentication on Google, Facebook and other sites you use.

3. Delete Accounts You’ve Abandoned

You’ve probably encountered this before. Some spammy message shows up in your inbox, allegedly sent from your beloved Aunt Joan. Why does Aunt Joan want you to click on this strange-looking link? Why is she suddenly interested in giving you a limited-time discount on a Rolex watch? These messages are sure signs of a hacked account.

The rule of thumb is this: An old account contains more personal data than you realize, no matter how short-lived it is and no matter how long it’s been abandoned.

Have too many online accounts to remember them all? Click here for a site that provides you with the steps you need to close down the accounts you’re no longer using.

Research new apps and/or websites before using them to make sure others have had positive experiences from a security and privacy perspective. Sometimes, you may even want to delete accounts simply because you’ve lost trust in the company that’s storing your private information. The Federal Trade Commission’s identitytheft.gov shares steps to take if your information has been lost in a breach.

4. Check If Your Information Has Been Stolen

Now you’re on a mission to boost your security. But what about data that’s already been stolen? How do you find out whether an account has already been broken into?

At least one trusted site is dedicated to precisely that: HaveIBeenPwned sifts through your accounts in search of security breaches. Just run your email address and username through the search field, and it will tell you if your login information has been linked to any past breaches.

5. Encrypt All of Your Messages

“Encryption” used to be a word reserved for international superspies, but not anymore. What you’re looking for is “end-to-end encryption.” This method scrambles your messages so that they can’t be read if someone other than the intended recipient gets them. There are a variety of services you can use that provide end-to-end encryption; here’s the free one I recommend.

Best 'Cyber Monday' 2017 Ad Deals: Amazon, Apple, Best Buy, Target And Walmart

All the deals are in, so it’s time to run them head-to-head to pick out the best deals! This is a breakdown of Cyber Monday 2017’s biggest winners.

Best deals

  • Amazon - Amazon Echo Plus for $119.99 (save $30) - product link - A great deal on a very popular product that is making its debut this holiday season.
  • Amazon - Amazon All-New Echo for $79.99 (save $20) - product link - I rated this a star buy for Black Friday and at the same price for Cyber Monday, it remains one. For comparison, the original Echo sold on Prime Day 2017 for $10 more.
  • Amazon - Amazon Echo Dot for $29.99 (save $20) - product link - This is the lowest price ever for the Amazon Echo Dot and is the same price the device was for Black Friday 2017. An easy Star Buy for Amazon’s Cyber Monday.
  • Amazon - Amazon Fire TV Stick with Alexa Voice Remote for $24.99 (save $15) - product link - This matches the lowest price ever for this bundle which occurred on Black Friday.
  • Amazon - Free Amazon Prime Membership Trial - sign-up link - Amazon’s fast free shipping at any price requires you to have an Amazon Prime Day membership. The good news is it comes with a 30-day free trial so you can do all your shopping then cancel it without a penalty. Given it unlocks so much and costs nothing, Amazon Prime membership is not only a Star Buy but an essential one for holiday sales shopping.
  • Best Buy - Save $300 or $350 on Galaxy Note 8, Galaxy S8 or Galaxy S8 Plus when you buy and activate with a monthly installment plan for select plans - product link - I say “or” because Best Buy keeps changing this deal. Both Cyber Monday and Black Friday ads said $300, but the Best Buy website states $350. Even at $300 this is a Star Buy because rivals are only offering a similar amount in vouchers. Note: right now the deal is limited to Verizon but may well open up to other carriers on Cyber Monday.
  • Microsoft Store - Xbox One S 500GB Console + Free Game and 1-Month Game Pass for $189 (save $60) - product link - The top confirmed Xbox One S deal for Cyber Monday. While other stores are selling the Xbox One S 500GB Console for $189, Microsoft Store is including a Free Game and 1-Month Game Pass.
  • Sam’s Club - Samsung 43-inch 4K UHD TV with Xbox One S 500GB Console Bundle for $499 (save $250) - product link - A highly rated Samsung 43-inch 4K TV with an Xbox One S 500GB Console Bundle for $499 is a great deal; there’s nothing not to love here.
  • Samsung.com - Save up to $400 with an eligible smartphone trade-in when you buy a Galaxy S8 or Galaxy Note 8 - product link - This was the best Black Friday 2017 trade-in offer and it remains so for Cyber Monday continuing Samsung.com’s superb holiday sales discounts.
  • Target - 15% off sitewide beginning early morning November 27th - shop link - The top Cyber Monday 2017 deal of the year because this is site wide and electronics are included. Note you do not need to apply any coupon code to get this offer.
  • Target - Save an additional 5% with the Target REDcard - sign-up link - Yes, you can combine this offer with the 15% off deal (and apply it to many of the already discounted products) to result in massive savings. It is so straightforward (not a voucher in sight) that this makes it my favorite Cyber Monday store card offer.
  • Walmart - Google Home Mini + $25 Shopping Offer for $29 (save $20) - product link - This was easily the best Black Friday sale on the Google Home Mini. With the deal coming back for Cyber Monday 2017, it has to be a Star Buy.
  • Walmart - Straight Talk Samsung Galaxy S7 for $299 (save $200) - product link - With most smartphone deals only offering gift card kick backs, this is an incredible price on what remains an extremely good smartphone.
  • Walmart - RCA 55-inch 4K Roku Smart HDR LED TV for $379 (save $420) - product link - The model number is not specifically listed in Walmart’s press release but I believe the price point for this TV was $429.99 on Black Friday so the Cyber Monday price is even better.

Great deals

  • Amazon - Amazon Fire HD 8 for $49.99 (save $30) - product link - A price match with Amazon Prime Day 2017 and Black Friday 2017, it’s nothing new but it’s still a strong price on a popular product.
  • Amazon - Amazon Fire 7 Kids Edition for $69.99 (save $30) - product link - As above, a familiar price but a further $5 less than the cheapest holiday sales price last year.
  • Amazon - Amazon Kindle Paperwhite for $89.99 (save $30) - product link - Another price match, but $10 cheaper than at any point last year.
  • Amazon - Amazon Kindle for $49.99 (save $30) - product link - Amazon’s most consistent deal, it has been this price on every sales day back to and including Black Friday 2016 but it keeps being repeated for a reason. This is a solid deal.
  • Amazon - Amazon Tap for $79.99 (save $50) - product link - This has been Amazon’s go-to sales price for the Tap in 2017, but it remains popular and is a $10 reduction on the holiday sales period last year.
  • Best Buy - Sharp 43-inch Class LED 2160p Smart 4K Ultra HD TV Roku TV for $299.99 (save $130) - product link - Not the cheapest 43-inch 4K TV, but the quality is much higher than most other models in this price range.
  • Best Buy - Sony Handycam CX405 Flash Memory Camcorder +$20 Gift Card for $179.99 (save $50) - product link - Not the newest product but I really like the combination of brand, price, and free gift card.
  • Kohl’s - Google Home for $79.99 (save $50) - product link - Other stores had this deal with an included gift card on Black Friday, but there seem to be fewer offers for Cyber Monday. Either way, this is a nice deal. Unfortunately, no Kohl’s coupons apply to this offer.
  • Target - Samsung 50MU6300 Smart UHD TV for $479.99 (save $370) - product link - A well reviewed TV with a very solid discount.
  • Sam’s Club - HP Pavilion X360 2-in-1 Touchscreen Convertible Full HD IPS 15.6-inch Notebook for $679 (save $320) - product link - Solid laptop for a decent price. Cheaper options do exist, but I like this model and its flexibility.
  • Walmart - Sony PlayStation 4 1TB Slim Gaming System for $199 (save $100) - product link - This was the average price on Black Friday but it sold out everywhere. With Walmart promising new stock tomorrow for Cyber Monday, this becomes a solid deal for what is clearly an in-demand offer.
  • Walmart - Sony PlayStation 4 Pro 1TB Gaming Console in Black for $349 (save $50) - product link - Once again this is a familiar sales price over the holiday season, but Walmart is $1 cheaper than the competition so why not save a dollar.
  • Walmart - Microsoft Xbox One S for $189 (save $90) - product link - This is Walmart’s Black Friday 2017 pricing but it is a sought after item and expect additional stock for Cyber Monday.
  • Walmart - Samsung 58-inch 4K Smart LED HDTV for $598 (save $200) - product link - This is the same price Walmart had on Black Friday and I expect the model to once again be the UN58MU6070. Solid deal.
  • Walmart - Bose QuietComfort Noise-cancelling Headphones for $179 (save $100) - product link - Very popular and well reviewed headphones which retain their Black Friday price and make for a solid Cyber Monday deal.