Tag: Security

Categories
Links

Security Bugs In Google Chrome Extensions

A piece that was authored last September, enumerating some of the security issues with Google Chrome Extensions. The authors:

reviewed 100 Chrome extensions and found that 27 of the 100 extensions leak all of their privileges to a web or WiFi attacker. Bugs in extensions put users at risk by leaking private information (like passwords and history) to web and WiFi attackers. Web sites may be evil or contain malicious content from users or advertisers.  Attackers on public WiFi networks (like in coffee shops and airports) can change all HTTP content.  We’ll show you how you can prevent attacks on your extension using Content Security Policy.

In a followup, the authors have published a full report (here) that outlines their methodology and identifies the extensions that, as of February 2012, remain unpatched.

Check out the article, and some of the other great pieces that they’ve published on security.

Categories
Links

Internet Voting is a Bad, Bad Idea

Last year The Star ran an article detailing the merits of online voting. You get the usual benefits: increased turnout, happier constituents, and enhanced convenience. What the article entirely misses, of course, are the security and associated legitimacy issues linked with voting online. An academic blogger, writing before the article, notes that:

‘securing’ the Internet is a Herculean task. It absolutely cannot be regarded as a ‘secure’ development environment, especially when dealing with matters that are highly sensitive to political, technical, and social fault conditions. Such conditions may be worse that a fail condition, on the basis that faults generate fear and concern without a clear indication that something has gone wrong. In the case of an election, a perceived exploitable fault condition threatens to undermine political legitimacy and politically-generated solidarity on grounds that electoral results might be questionable. Thinking back our bridge example, a ‘fail’ might be a bridge collapsing. A ‘fault’ might include cracks spanning the support columns that cause motorists to avoid using the bridge out of fear, even though the cracks do not endanger the bridge’s stability. If ‘faults’ cannot be corrected, then there may be general fear about the validity of an election even if the election is not manipulated. If a ‘fail’ condition occurs but is not detected, then there may be a perception of electoral legitimacy without the election actually being legitimate.

Elections are not something to be trivially tampered with. Heightened conveniences should not trump electoral security and legitimacy. While paper voting is annoying it is a far more ‘secure’ method than online voting mechanisms. It really isn’t too much to ask/expect of people to mail in a vote, go to a polling station, or (quite reasonably) abstain from the process for their own reasons. We should not undermine a foundation of democracy just to make things a little bit more convenient.

Categories
Humour

Door Code

mnancy:

Oh really?

I’m really tempted to do something similar for the door in my office.

Categories
Links

Papers on Android Mobile Malware

Android often receives high levels of criticism when hostile programs are found in its respective app stores. While anger is high, how prevalent is malware in Android markets? A series of papers, curated by Security Research Computer Laboratory at the University of Cambridge, examine just those questions. Go read them!

Categories
Links

Let’s Say It Together: Apple Is Not A Security Company!

I sympathize with people’s concern and anger when they learn more about Apple’s atrocious APIs that let developers run off with consumer data. In the most recent revelation

Accepting an iOS prompt that asks permission to access location data can also allow copying of private photo and video libraries, the Times said yesterday. Because these devices often save coordinate information along with photos, it might also be possible to put together a user’s location history, as well as recording current location.

Apparently in an attempt to make photo apps more efficient, access to private photos has been available since the fourth version was released in 2010.

All of this, however disturbing it might be, make a lot of sense. Apple is a consumer company that aims to engineer products so that users can best enjoy them. This means they don’t want to throw a whole lot of security warnings in front of you, for two reasons: First, you’ll just ignore them anyways; second, they’ll annoy you and thus could reduce your iDevice usage.

Very few mobile companies ‘do’ security. The much-maligned Research In Motion is actually about the only mobile company that sells its products on security grounds, though the need to have secured code reduces the rate that they can bring new, highly innovative, product to market. Consumers, businesses, governments, and the market point to their slower rates of innovation as indicative of RIM’s forthcoming doom, but in so doing miss that the ‘cost’ of RIM’s death would be a near-absolute dearth of secured mobile platforms.

If you’re interested in reading about the economics of ignorance and mobile security, check out a piece that was written last year on this very subject.

Categories
Links

Good, Brief, Interview on Trust and Security

An excellent piece from Bruce Schneier, in interview, concerning the relationship between trust and security. It’s short, so just go read it. For a taste:

My primary concerns are threats from the powerful. I’m not worried about criminals, even organised crime. Or terrorists, even organised terrorists. Those groups have always existed, always will, and they’ll always operate on the fringes of society. Societal pressures have done a good job of keeping them that way. It’s much more dangerous when those in power use that power to subvert trust. Specifically, I am thinking of governments and corporations.

Categories
Aside Links

The Big Threats to Internet Security

Dan Goodin has a good piece on one of Bruce Schneier’s recent talks. From the top of the article:

Unlike the security risks posed by criminals, the threat from government regulation and data hoarders such as Apple and Google are more insidious because they threaten to alter the fabric of the Internet itself. They’re also different from traditional Internet threats because the perpetrators are shielded in a cloak of legitimacy. As a result, many people don’t recognize that their personal information or fortunes are more susceptible to these new forces than they ever were to the Russian Business Network or other Internet gangsters.

The notion that government – largely composed of security novices – large corporations, and a feudal security environment (where were trust Apple, Google, etc instead of having a generalizable good surveillance footprint) are key threats of security is not terribly new. This said, Bruce (as always) does a terrific job in explaining the issues in technically accurate ways that are simultaneously accessible to the layperson. Read the article; it’s well worth your time and will quickly demonstrate some of the ‘big’ threats to online security, privacy, and liberty.

Categories
Links Writing

User vs Corporate Understandings of ‘Security’

A really interesting paper on social authentication has just been released that looks at how facial identification ‘works’ to secure social networks from unauthorized access to profiles/records. The authors note that users of social networks are most concerned in keeping their interactions private from those who know the users. Specifically, from the abstract:

Most people want privacy only from those close to them; if you’re having an affair then you want your partner to not find out but you don’t care if someone in Mongolia learns about it. And if your partner finds out and becomes your ex, then you don’t want them to be able to cause havoc on your account. Celebrities are similar, except that everyone is their friend (and potentially their enemy).

Moreover, a targeted effort to identify a users’ friends on a social network – and examine their photos – will let an attacker penetrate the social authentication mechanisms. While many users would consider this a design flaw Facebook, which uses this system, doesn’t necessarily agree because:

[Facebook] told us that the social captcha mechanism was used to solve the problem of large-scale phishing attacks. They knew it was not very effective against friends, and especially not against a jilted former lover. For that, they maintain that the local police and courts are an effective solution. They also claim that although small-scale face recognition is doable, their scraping protection prevents it being used at large scales.

What Facebook is doing isn’t wrong: they simply has a particular attacker-type in mind with regards to social authentication and have deployed a defence mechanism to combat that attacker. Most users, however, are unlikely to consider that the company has a different attack scenario in mind than its end-users, leading to anger and concern when the defence for wide-scale attacks fails to protect against targeted attackers. While I don’t see this as a security or policy failure, it is suggestive that companies would be well advised to explain to their users how different security inconveniences actually interact with different hack/attack scenarios. Beyond educating users as to what they can expect from the various defence mechanisms, it might serve to raise some awareness about the different kinds of attackers that companies have to defend against. In an ideal world, this might serve as a beginning point in educating users to become more critical of the security models that are imposed upon them by corporations, governments, and other parties they deal with.

Categories
Aside Links

Terrific Set of Short Privacy Papers

The folks at the University of Cambridge’s Security Research and Computer Laboratory have pulled together a terrific set of short (and accessible) papers on security and privacy. I’d highly recommend taking a look.

Categories
Links

Sony’s Smartgrid Micropayment System

Sony is promoting a product concept: smart electric outlets that enable micro payments and authentication for energy usage at the device level. As described by The Verge:

Sony is developing power outlet technology that uses IC chips to determine a user’s identity or permissions. Possible use case scenarios include managing energy usage in large buildings, device theft prevention, and — yes — the potential for paid access to power. Sony says it expects the technology to be employed in cafes, restaurants, airport waiting lounges, and other public places. The outlets have an IC chip built-in, and send authentication information down the power line itself — this can come from an IC chip built into the plug, or potentially inside an NFC-equipped device or payment card.

This isn’t a surprising new concept – contemporary ‘smart systems’ are largely sold on these kinds of logic – but it’s telling that we would be moving payment and identity authentication into integrated ICs on the devices that we use in daily life. I’ll be incredibly curious to see the threat models and risk assessments associated with these next-generation smart systems: if they are deployed as imagined, payment security and electrical privacy issues would be incredibly serious, and challenging, issues to adequately address.