Tag: Security

Categories
Links Writing

Fragmentation leaves Android phones vulnerable to hackers

Via the Washington Post:

“You have potentially millions of Androids making their way into the work space, accessing confidential documents,” said Christopher Soghoian, a former Federal Trade Commission technology expert who now works for the ACLU. “It’s like a really dry forest, and it’s just waiting for a match.”

The high degrees of fragmentation in the Android ecosystem are incredibly problematic; fragmentation combined with delays in providing updates effectively externalizes the security-related problems stemming from mobile OS vulnerabilities on individual owners of phones. Those owners are (typically) the least able parties in the owner/carrier/manufacturer/OS creator relationship to remedy the flaws. At the moment, Google tends to promptly (try) to respond to flaws. The manufacturers and vendors then have to certify and process any updates, which can take months. It’s inexcusable that these parties can not only sit on OS updates, but they can continue to knowingly sell vulnerable phones.

Imagine if, after a car line was reported to have some problem that required the line’s recall and refurbishment, dealers continued to sell the car. They didn’t even notify the person buying the car that there was a problem, just that ‘enhancements’ (i.e. the seat didn’t eject when you hit something at 60Km/hr, plus a cool new clock display on the dashboard) were coming. The dealers would be subject to some kind of legal action or, failing that, consumers could choose to work with dealers who sold safe cars. Why, exactly, aren’t phone carriers being subjected to the same scrutiny and held to the same safety standards?

Categories
Quotations

On Choosing a Maiden Name

Credit card company: What’s your mother’s maiden name? Me: Donkey Kong Bumper Boat. Them: Uh, yes. What? Me: I’m in security.

Steve Werby (@stevewerby) February 7, 2013
Categories
Links Writing

Banking Trojan Ships With Its Own Certificate

This is all kinds of badness, and speaks to malware vendors becoming increasingly sophisticated in how they are targeting low hanging fruit (i.e. random users). In essence, the attack involved getting a certificate issued and then using it to create valid digital signatures for .pdf invoice documents. Once individuals opened the invoices the malware associated with the .pdf would burrow into the OS and act as a key logger that targeted banking information.

Unfortunately, I’ve not yet seen a media article discuss the mediocre effectiveness of revoking the certificate used to sign the .pdf. The OCSP protocol is incredibly susceptible to being defeated, especially if malware already resides on the target’s computer or a point in between the target and the revocation server is controlled by the attacker (possible by setting a compromised computer to proxy traffic to a host controlled by the attacker). So, while while the cert has been revoked, this actions does not necessarily stop the malware from functioning, but just reduces the prospective attack surface. Moreover, if browser/operating system CA stores are not updated – again, possible if the attacker already controls the host – then the same attacker can convince the browser or OS to continue trusting an expired certificate.

Categories
Aside Humour

chartier:

Genius.

OK…this is incredibly amusing. It also speaks volumes about the relative accuracy of biometric analysis technologies that are incorporated into contemporary consumer electronics.

Categories
Quotations

2013.2.5

I treat the Internet like a fucking asp, like a dangerous reptile – my comfort sole squashed down hard on the snakeneck … Your security is only as trustworthy as the worst person on Earth.

Security advice from ‘Tycho’, “A Teachable Moment
Categories
Links Writing

EU citizen warned not to use US cloud services over spying fears

shonelikethesun:

What the title says, basically. I had missed this.

The warning should be heard by non-EU citizen too, with the Cloud, privacy is fucking dead. And what’s sadder is that 90% of people simply don’t care.
Unless it makes more probable for your significant other to see your transsexual porn browser history…

The EU Report is well worth a full read (available here in .pdf). Things to keep in mind that aren’t all that being well discussed:

  • you know about this report – media is covering it – because of the tireless efforts of Caspar Bowden, one of the authors and a noted global privacy advocate. It was out for months before it hit the media.
  • everyone is focused on US intelligence (good) but missing the significance of the FISAAA amendments: it’s not just that you can be spied on. It’s that the spying does not have to happen for national security reasons. No, it’s sufficient to conduct surveillance for political (read: espionage) reasons.
  • a huge aspect of the report – which isn’t touched on, even in the European media that much – is its call for the European Parliament to given EUROPOL and ENISA a direct mandate.

The second point is particularly important for non-Europeans. While it’s a lesser spoken about part of the intelligence world, spooks are routinely engaged in industrial espionage on the grounds that such acts assist the nation-state’s finances. This can include the theft of foreign corporations’ information, or (in extreme cases) the deletion of the same information. It seems that FISAAA’s amendments would only permit the former, and not the latter. However, as a result of these amendments corporations should be more wary of outsourcing their document storage to US-based cloud services, content creation to US hosts and online services, or communications systems to (you guessed it!) American firms. Placing such data in the hands of the Americans is rife with potential economic harms and, no matter how much you like Dropbox, Google, or other cloud provider, they’re all likely to turn on you if the NSA comes knocking.

Source: EU citizen warned not to use US cloud services over spying fears

Categories
Quotations

2013.2.4

Privacy is not simply an individual right or civil liberty; it is a vital component of the social contract between Canadians and their government. Without privacy, without protective boundaries between government and citizens, trust begins to erode. Good governance requires mutual trust between state and citizen. Otherwise, alienation and a sense of inequality begin to spread, circumstances under which no program for public scrutiny can be tenable or effective in the long term. Where citizen trust hits a low point, in fact, such security measures may be undermined, ignored, circumvented – or in the most egregious cases – passively or actively resisted.

Office of the Privacy Commissioner of Canada, “A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century
Categories
Aside Humour

Bell and Internet-Based Security

A dated, but poignant, bit of information from Bell Canada concerning Internet-based computer security threats in Canada

Categories
Aside

NYT and TLS/SSL

Those moments when big sites seem to seriously screw up their SSL certs

Categories
Quotations

2013.1.17

The same vulnerabilities that enable crime in the first place also give law enforcement a way to wiretap — when they have a narrowly targeted warrant and can’t get what they’re after some other way. The very reasons why we have Patch Tuesday followed by Exploit Wednesday, why opening e-mail attachments feels like Russian roulette, and why anti-virus software and firewalls aren’t enough to keep us safe online provide the very backdoors the FBI wants.

Matt Blaze and Susan Landau, “The FBI Needs Hackers, Not Backdoors