SAN FRANCISCO – Did you know your smartphone’s accelerometer can be used to steal keystrokes from a nearby keyboard?

Using an iPhone 4 and some pirate software they wrote, a team of researchers at Georgia Tech has managed to capture complete sentences from a nearby keyboard with up to 80 percent accuracy.

The team initially tried to use an iPhone 3GS in their experiments, but the results were too difficult to read.

“But then we tried an iPhone 4,” says Georgia Tech School of Computer Science Assistant Professor Patrick Traynor, who is a member of the team along with Carter, Georgia Tech grad student Arunabh Verma, and MIT Lincoln Laboratory’s Philip Marquardt.

“[The iPhone 4] has an added gyroscope to clean up the accelerometer noise [and] the results were much better. We believe that most smartphones made in the past two years are sophisticated enough to launch this attack.”
Other researchers have attempted to steal keystrokes using a phone’s microphone, but there are drawbacks to that method. For example, microphones have a sampling frequency of 44,000 vibrations per second. This is much more difficult to analyze than an accelerometer, which samples at just 100 times per second.

Also, handset makers typically restrict app access to phone microphones. When an app tries to grab hold of the mic, your phone will usually ask you if you want that to happen. Such protections aren’t placed around accelerometers.

How it Works

The malware creates a model based on probability and keyboard pairs. It determines if a pair is on the left or right side of the keyboard, and then it determines the distance between the keys in the pair–are they far apart or close together? After analyzing that data for a series of pairs, it compares what it’s hearing to a pre-loaded dictionary that classifies words based on left-right, near-far characteristics.

For example, the word “canoe” would consist of four pairs: C-A, A-N, N-O and O-E. The malware would interpret those strokes into Left-Left-Near, or LLN, LRF, RRF and RLF. When that data is compared to the entries in pre-loaded dictionary, a statistically probable result would be produced. In this case, “canoe.”

For the technique to work reliably, words must be three letters or more. Working with a 58,000 word dictionary, the researchers found their word recovery rate was as high as 80 percent.

Should you start being paranoid when a colleague places their cell phone by your keyboard? Not really. “The likelihood of someone falling victim to an attack like this right now is pretty low,”Traynor says. “This was really hard to do. But could people do it if they really wanted to? We think yes.”

SAN FRANCISCO – Since more and more malware is emerging for the Android platform every day, you must pay strict attention to what is happening on your phone or tablet. Smartphones are essentially computers–and all computers are vulnerable to viruses, phishing, and other attacks from malicious software.

Here are five quick tips to help you keep your Android phone or tablet free of malware.

Always research the publisher of an app: What other apps does it offer? Does the publisher have its own website? Do any of the other apps look a bit shady? If so, you should probably stay away. Read online reviews, but remember that Android Market reviews may not always be truthful. Check around to see what reputable websites such as PCWorld, AppBrain, or AppLib are saying about the app before you press the download button.

Always check app permissions: Whenever you download or update an app, you see a list of permissions for it. An alarm clock app, for instance, probably shouldn’t need to look through your contacts. The general rule of thumb: If an app is asking for more than what it needs to do its job, you should skip it.

Avoid directly installing Android Package files (APKs): When Angry Birds first came to Android, you could get it only through a third-party app store and “sideloading” it, installing the app by using an APK file. Although Angry Birds wasn’t malware, in general it is highly advisable not to download and install APK files from third-party websites or app stores. Most of the time you won’t know what the file contains until you install the file–and by then it’s too late.

Put a malware and antivirus scanner on your phone: Several different big-name security companies already offer mobile-security options, many of them free. Antivirus apps such as Lookout Mobile Security can scan your phone and make sure that no malware is installed. On top of that, most of the utilities include features that allow you to track your phone–and perhaps even remotely lock it and wipe your personal data–if you lose the handset.

Watch out for scams: Believe it or not, your smartphone is prone to phishing scams, malicious sites, and drive-by downloads, just as your PC is. Malicious sites often try to trick people into entering personal information about themselves; even more annoying, however, is some sites’ ability to automatically download malware to your phone. Because of a phone’s smaller screen, users are three times more likely to click a suspicious link on a phone than when they are using a PC. Again, though, Lookout Mobile Security has your back: Its Safe Browsing feature is currently available in the Premium version of its app.

If you follow these steps and keep a watchful eye on your device, you should be able to enjoy your phone malware-free.

That’s where Linux can be a life-saver. Without ever having to install the free alternative, you can still use it temporarily on a PC to get rid of any infection. Here’s how.

1. Get a LiveCD or Live USB

LiveCDs and USBs are a wonderful thing in the Linux world because they let you boot a machine directly from the CD or USB stick without ever having to access the computer’s boot records. Not only are they a great way to take Linux for a test-drive, but they can also be put to work when Windows can’t.

By far the fastest way to get a LiveCD or USB is to download the .iso file of the Linux distribution you’d like to use and then burn it onto a CD or USB stick. Since Ubuntu is the most popular distribution out there, I’ll go with Maverick Meerkat–the latest version of the software–for this example.

Ubuntu can be downloaded from the project’s Website for use on a LiveCD or USB; download links for other distributions can be found listed on FrozenTech. UNetbootin is another nice option if you want to go the USB route, which tends to run much faster.

Of course, to take either of these options you’ll have to have a working, Internet-connected computer. If you don’t, or if your Internet connection is slow, you may want to order a LiveCD or USB via snail mail. OSDisc and LinuxCD both offer a variety of options; pricing is about $2.

2. Boot into Linux

Once you’re equipped with a Linux LiveCD or USB, you’ll need to make sure the infected computer is turned off, and then turn it on again with the CD or USB installed. This will boot the computer into Linux, completely bypassing Windows and its infection. Again, nothing has been installed — you’re simply using Linux to get the machine running reliably again.

3. Get Antivirus Software

Next it’s time to get the Linux-based ammunition you’ll need to wipe out the malware: antivirus software. I’m going to use ClamAV, my favorite, via ClamTK, which provides a nice graphical front end.

From the main Ubuntu desktop, then, go to “Applications” and then “Ubuntu Software Center.” Choose “Edit” and then “Software Sources.” You’ll be presented with a box entitled, “Downloadable from the Internet,” and you should be sure all four boxes are checked before you click on “Close.”

Next, from the main Ubuntu Software Center page, click on the “Accessories” icon and type ClamTK into the search box. It will be shown as “Virus Scanner,” but if you click on “More Info” you can verify it’s the right package. Click “Install” and wait for it to download.

Once installation is finished, you should launch ClamTK by going to “Applications” in Ubuntu’s main menu, then “Accessories” and “Virus Scanner,” which is how the software will still be shown.

4. Run a Scan

When the ClamTK window opens, click on the “Scan” tab and select the option for a Recursive Scan. Next, you’ll need to tell the software which drive you want to check for viruses, which in this case is the one that includes Windows. Scanning may take some time, but once the infection is found you’ll get the usual options for what to do with it, including quarantine and removal.

5. Return to Normal

Assuming the infection has now been removed, your computer should be clean once again, making it safe to remove the LiveCD or USB and boot back into Windows as usual. As you enjoy your malware-free machine once again, remember that it’s all thanks to Linux. It’s also not a bad idea to keep your LiveCD or USB handy so you’ll be ready for the next time.

The start of a new school or university term is the perfect time to invest in a home PC so the kids have a machine on which to do their homework. Students setting off for university or beginning post-GCSE education will almost certainly need a laptop on which to write essays and keep in touch with friends back home, too.

But the new term is also a good time for hackers and malware vendors. With all those new PCs and laptops in circulation, there are virgin terminals ripe for infection and inexperienced users busy getting to grips with their shiny new toys, rather than paying attention to what’s lurking with intent in the ether.

We don’t want to deter you from sending the kids off to university or setting up younger offspring with new PCs and laptops for homework. But you’ll want to ensure their machines will run infection-free and won’t leave your little dears with egg on their faces.

If you’ve just bought a new computer with this in mind, you’re no doubt enamoured of the slickness of the Windows 7 operating system. Although it’s no radical update to Vista, it’s a more immediately likable version of Windows to use. It offers improvements to home networking and introduces a more logical way of storing and accessing files. There’s also a more refined Security Center that allows you to manage many aspects of your new computer’s setup and to see, at a glance, the status of its various tools.

Even so, many of us are likely to skip spending time on such mundane aspects in favour of getting to know the more exciting capabilities of our new computers. This is human nature, but it could leave you exposed to a number of threats.

Here, we look at some of the most important security issues when setting up a new PC or laptop, and what you can do to ensure a safe computing experience.

Avoid common security issues

Create a protected Administrator account: The first thing to do when setting up a new machine is create the main user account and give it a name and icon. Your next step should be to add a password that will be required whenever you leave the computer unattended for more than, say, 15 minutes.

Add a Standard user account: You should use the primary account only when altering settings and installing/uninstalling programs. Set up a second account for other tasks. In Control Panel, User Accounts lets you add users, while ‘Change Account type’ lets you specify whether it’s a Standard or an Administrator account.

Get our free Security Advisor newsletter Security Advisor Security reviews Security news Internet security suites Antispyware software Antivirus software Free security downloads

Restrict access: Password-protect your second user account and assign it limited access privileges. You’ll still be able to perform most tasks using this account but, crucially, if a virus worms its way on to your PC, it won’t be able to make any changes to the Registry or install diallers or keylogging tools.

Secure your web connection: The web itself poses the biggest threat to your PC. Going online with no security software in place is foolhardy at the very least; doing so at an insecure location, such as an open wireless network, is asking for trouble. Crank up the privacy, security and content settings in your browser.

Get free antivirus protection: If nothing else, install free antivirus and firewall software. Microsoft’s Security Essentials is free. Other free options include Avast and AVG. Keep up to date by allowing the software to search for new malware definitions when prompted.
Perform regular scans: Previously renowned for hogging system resources, today’s antivirus programs shouldn’t impact your day-to-day PC use. It’s prudent to perform a full scan of your PC every once in a while. This is best scheduled to run overnight or when you aren’t using the PC.

Get our free Security Advisor newsletter Security Advisor Security reviews Security news Internet security suites Antispyware software Antivirus software Free security downloads
Use an effective firewall

A firewall forms a barrier between your PC and the outside world. It’s a bit like the membrane at the bottom of a pond, designed to prevent all the water from seeping out. You probably wouldn’t have noticed the slow leak of water – or data – which is why such a barrier is so valuable. Keylogging programs that get in via a back door such as an unsecured port or a less-than-robust email sentinel are often identified and hung out to dry by firewalls.

Windows has its own firewall in the form of Windows Defender, but you may prefer to use another. If so, deactivate the Windows one so they don’t have a showdown.

Time-limited trials

Although it can be useful to have a free trial of 30 days or longer for a well-known security suite preinstalled on your new PC, you’d do best to make a snap decision about whether it’s the security program you are going to depend on from now on.

If it is, buy the full version immediately. If it isn’t for you, choose another program and buy that instead (or use a free one such as AVG or Security Essentials). This way, you won’t fall into the common trap of thinking your computer is secure, only to find the trial has ended and your PC is infected.

Unencrypted wireless access

Wi-Fi networks and hotspots pose particular problems. Cheeky neighbours may piggyback your web connection, but an unencrypted router also leaves your PC vulnerable to attack and to being recruited as part of a botnet – a zombie army of infected PCs that could eventually form part of a distributed denial-of-service attack.

Older routers often come with a default blank or easy-to-guess password, such as ’1234′ or ‘password’. Newer routers tend to have more rigorous security settings and use Wi-Fi protected access (WPA) rather than the older, easier-to-crack wired equivalent privacy (WEP) encryption. A new router will also let you distance your connection from the spectrum your neighbour uses.

Safe surfing

Logging on to the free Wi-Fi at a hotspot makes perfect sense if you’re a student watching the pennies. It’s also very convenient to be able to check your email
or Facebook to see what friends are up to over a frothy cappuccino. It’s just as convenient for web snoops. For them, Wi-Fi hotspots are fertile hunting grounds.

Bluetooth can also leave you open to data interception, so turn off this powerful short-range transmission service except when you actively require it. This is just as applicable to your mobile phone as to your laptop. If you’re a BlackBerry owner and need to send sensitive information, the end-to-end encryption of the BlackBerry Email Server is your safest bet.

In any case, we strongly suggest you don’t use a wireless hotspot for web transactions such as buying an item on eBay or checking your bank balance. A well-timed glance over your shoulder or the surreptitious snap of a cameraphone could be enough to compromise the privacy of your bank login details.

Download dangers

It takes time to familiarise yourself with a new PC or laptop, particularly if the operating system on which it runs is also new to you. Spend some time getting to know the security setup for routine tasks such as downloading programs. Are these automatically scanned, or is there an assumption that a download you initiate must be safe? Many of us blithely click the Ok or Continue button when prompted to check whether Windows should install a downloaded program. A decent web browser will actively check for the presence of malware, but you should also routinely check for rogue software using your installed security suite’s scanner.

As per our previous advice, you may need to log out of your everyday account and into the one you’ve set up with full Administrator rights to install anything. Don’t forget to switch back to the other account afterwards.

Plug it in

It’s all too easy to bypass your own security setup: simply plugging in a USB flash memory drive can do the trick. USB drives are incredibly useful, but they ought to come with a warning. Tales are rife of viruses being spread around the office after an employee plugged in a drive they brought into the office with them from home, where it wasn’t virus-scanned.

Once a virus finds its way on to a networked device, it can quickly infect anything with which it comes into contact or that is connected to anything that’s also plugged in or accessible. It’s little wonder that educational institutions often don’t allow students to plug in their own memory sticks and have stringent security software in place to prevent infections being transmitted this way.

And malware isn’t the only risk to worry about – USB drives also make you vulnerable to data theft. Get a security-enabled USB drive that you can access only with a password or a fingerprint, and your data will be safer. At least if you lose the device in the bar or leave it in the library, no one can steal your notes, even if you don’t end up getting the drive itself back. Secure memory drives such as an Ironkey or a Victorinox Swiss Army USB key provide reassurance and, in the case of the latter, double as useful tools for other tasks.

Beware of strangers

Our final two security tips are particularly relevant to younger PC users, but ‘stranger danger’ is also pertinent for adults.

Once you’ve set up your new PC or laptop you’ll want to start reaching out to friends. ‘Friending’ people on Facebook and chatting online can be fun, but be cautious about what you divulge – particularly if you have never met somebody in person.

It’s all too easy to give away information about where you live, when you were born and when you’re going away. Thieves and data miners thrive on such fodder, while luring kids into adult conversations is a well-documented danger.

Parental responsibilities

Monitor your child’s web use by being present when they go online and use the parental controls in Windows and in Internet Explorer’s Internet Properties, Parental Controls settings menu to prevent them using instant-messaging clients when you’re not there.

As we outlined at the start of this guide, setting up separate user accounts for different family members can pay dividends here. A child’s user account that imposes time-of-day and content-suitability limitations, depending on their age and what you deem suitable, can lead to less anxious times and fewer arguments.