Category: Aside

Self-Mutating Trojans Come to Android

Post author By Christopher Parsons
Post date February 12, 2012

Symantec is warning that the next generation of smartphone viruses has come:

Researchers from security vendor Symantec Corp. have identified a new premium-rate SMS Android Trojan horse that modifies its code every time it gets downloaded in order to bypass antivirus detection.

This technique is known as server-side polymorphism and has already existed in the world of desktop malware for many years, but mobile malware creators have only now begun to adopt it.

A special mechanism that runs on the distribution server modifies certain parts of the Trojan in order to ensure that every malicious app that gets downloaded is unique. This is different from local polymorphism where the malware modifies its own code every time it gets executed.

This is a clever means to avoid the rudimentary analysis systems that the major vendors use to ID malware. It’s also (another) indication of how important antivirus is going to become for the mobile marketplaces. I suspect that, by the end of the year, a lot of users (on iOS, Android, and the rest) are going to wish that the post-Steve Jobs smartphones on the market today met Jobs’ initial thoughts regarding smartphones when Apple released the iPhone. Specifically, he held that:

He didn’t want outsiders to create applications for the iPhone that could mess it up, infect it with viruses, or pollute its integrity

While our pocket computers are better now that apps are available, I can’t help but think that Jobs’ earliest worries are now looming at today’s potential nightmares.

Tags Android, Apple, iOS, iPhone, Malware, Mobiles, Virus

Aside Links

iOS is a Security Vampire

Post author By Christopher Parsons
Post date February 8, 2012

I’m sorry, but what Path did is (in some jurisdictions, such as my own) arguably a criminal offence. Want to know what they’ve been up to?

When developer Arun Thampi started looking for a way to port photo and journaling software Path to Mac OS X, he noticed some curious data being sent from the Path iPhone app to the company’s servers. Looking closer, he realized that the app was actually collecting his entire address book — including full names, email addresses, and phone numbers — and uploading it to the central Path service. What’s more, the app hadn’t notified him that it would be collecting the information.

Path CEO Dave Morin responded quickly with an apology, saying that “we upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more.” He also said that the lack of opt-in was an iOS-specific problem that would be fixed by the end of the week. [emphasis added]

No: this isn’t an ‘iOS-specific problem’ it’s an ‘iOS lacks an appropriate security model and so we chose to abuse it problem’. I cannot, for the life of me, believe that Apple is willing to let developers access the contact book – with all of its attendant private data – without ever notifying the end user. Path should be tarred, feathered, and legally punished. This wasn’t an ‘accident’ but a deliberate decision, and there should be severe consequences for it.

Also: while the Verge author writes:

Thampi doesn’t think Path is doing anything untoward with the data, and many users don’t have a problem with Path keeping some record of address book contacts.

I think that this misses a broader point. You should not be able to disclose mass amounts of other people’s personal information without their consent. When I provide key contact information it is for an individual’s usage, not for them to share my information with a series of corporate actors to do whatever those actors want with it. The notion that a corporation would be so bold as to steal this personal information to use for their own purposes is absolutely, inexcusably, wrong.

Tags Apple, iOS, Privacy, Security, Surveillance

Aside Links

Practical Quantum Computing?

Post author By Christopher Parsons
Post date February 3, 2012

From the article:

So-called quantum key distribution is unconditionally secure–it offers perfect secrecy guaranteed by the laws of physics.

Or at least that’s what everyone thought. More recently, various groups have begun to focus on a fly in the ointment: the practical implementation of this process. While quantum key distribution offers perfect security in practice, the devices used to send quantum messages are inevitably imperfect.

It will be interesting to see how quantum computing practically differs from the theoretics of quantum physics; I suspect that efforts will be made to find ‘kludges’ that will ultimately be the source of practical problems to quantum-based security and computing efficiency. Of course, this is a similar issue that currently besets security and computing: dealing with real-world materials and accommodating imperfections (and variable modes of breaking security models that extend beyond the system being imagined) are amongst the most pressing of today’s issues.

Tags Encryption, Physics, Quantum Computing

Aside

Useful Warnings

Post author By Christopher Parsons
Post date February 2, 2012

THIS is the kind of actionable, helpful, warning information that should be presented to end-users. It gives them the relevant information they need to choose ‘Cancel’ or ‘Add Anyway’ without scaring them one way or the other. If the jailbreak community can do this, then why the hell can’t the big players like Apple, RIM, Google, Microsoft and the rest?

Tags Android, Apple, Blackberry, Google, iOS, Playbook, Security, UI

Aside Links

American Internet Imperialism

Post author By Christopher Parsons
Post date January 30, 2012

Think about this for a second: you are a good, law abiding citizen, and thus break no local laws. Your state has no reason to bring criminal charges against you. Your actions, however, are provisionally criminal in another jurisdiction. As a result, despite your actions being perfectly legal in your home nation you are threatened with extradition. This is not a theoretical concern:

TVShack was a site that collected links to TV shows. Certainly, many of those shows were likely to be infringing – but TVShack did not host the content at all, it merely linked to it. Richard O’Dwyer, the guy who ran the site, was a student building an interesting project over in the UK. However, the US Department of Justice decided that he was not only a hardened criminal, but one who needed to be tried on US soil. Thus, it began extradition procedures. Even worse, nearly identical sites in the UK had already been found legal multiple times – with the court noting that having links to some infringing content was certainly not criminal copyright infringement. That makes things even more ridiculous, because extradition is only supposed to be allowed for activities that are criminal in both the US and the UK. [Emphasis added]

The implications for extradition would be significant: UK citizens could be extradited to certain countries for actions that are legal within their own nations, on the basis that they violate the laws of other countries. It is precisely this kind of process that can stifle innovation, speech, and association online. It narrows the range of speech actions whilst demanding that – prior to speaking or acting or creating – individuals consult with counsel as the first part of any serious online behaviour.

Such an approach – lawyers, then speech – is directly contradictory with basic rights that form the bedrock of our Western democracies.