Entries Tagged "Google"

NSA's Secure Android Spec

The NSA has released its specification for a secure Android.

One of the interesting things it’s requiring is that all data be tunneled through a secure VPN:

Inter-relationship to Other Elements of the Secure VoIP System

The phone must be a commercial device that supports the ability to pass data over a commercial cellular network. Standard voice phone calls, with the exception of emergency 911 calls, shall not be allowed. The phone must function on US CDMA & GSM networks and OCONUS on GSM networks with the same functionality.

All data communications to/from the mobile device must go through the VPN tunnel to the VPN gateway in the infrastructure; no other communications in or out of the mobile device are permitted.

Applications on the phone additionally encrypt their communications to servers in infrastructure, or to other phones; all those communications must be tunneled through the VPN.

The more I look at mobile security, the more I think a secure tunnel is essential.

Posted on March 7, 2012 at 1:35 PM

Android Malware

The Android platform is where the malware action is:

What happens when anyone can develop and publish an application to the Android Market? A 472% increase in Android malware samples since July 2011. These days, it seems all you need is a developer account, that is relatively easy to anonymize, pay $25 and you can post your applications.

[…]

In addition to an increase in the volume, the attackers continue to become more sophisticated in the malware they write. For instance, in the early spring, we began seeing Android malware that was capable of leveraging one of several platform vulnerabilities that allowed malware to gain root access on the device, in the background, and then install additional packages to the device to extend the functionality of the malware. Today, just about every piece of malware that is released contains this capability, simply because the vulnerabilities remain prevalent in nearly 90% of Android devices being carried around today.

I believe that smart phones are going to become the primary platform of attack for cybercriminals in the coming years. As the phones become more integrated into people’s lives—smart phone banking, electronic wallets—they’re simply going to become the most valuable device for criminals to go after. And I don’t believe the iPhone will be more secure because of Apple’s rigid policies for the app store.

EDITED TO ADD (11/26): This article is a good debunking of the data I quoted above. And also this:

“A virus of the traditional kind is possible, but not probable. The barriers to spreading such a program from phone to phone are large and difficult enough to traverse when you have legitimate access to the phone, but this isn’t Independence Day, a virus that might work on one device won’t magically spread to the other.”

DiBona is right. While some malware and viruses have tried to make use of Bluetooth and Wi-Fi radios to hop from device to device, it simply doesn’t happen the way security companies want you to think it does.

Of course he’s right. Malware on portable devices isn’t going to look or act the same way as malware on traditional computers. It isn’t going to spread from phone to phone. I’m more worried about Trojans, either on legitimate or illegitimate apps, malware embedded in webpages, fake updates, and so on. A lot of this will involve social engineering the user, but I don’t see that as much of a problem.

But I do see mobile devices as the new target of choice. And I worry much more about privacy violations. Your phone knows your location. Your phone knows who you talk to and—with a recorder—what you say. And when your phone becomes your digital wallet, your phone is going to know a lot more intimate things about you. All of this will be useful to both criminals and marketers, and we’re going to see all sorts of illegal and quasi-legal ways both of those groups will go after that information.

And securing those devices is going to be hard, because we don’t have the same low-level access to these devices we have with computers.

Anti-virus companies are using FUD to sell their products, but there are real risks here. And the time to start figuring out how to solve them is now.

Posted on November 25, 2011 at 6:06 AM

Demands from Law Enforcement for Google Data

Google releases statistics:

Google received more than 15,600 requests in the January-June period, 10 percent more than the final six months of last year. The requests in the latest period spanned more than 25,400 individual accounts worldwide – a tiny fraction of Google’s more than a billion users.

[…]

The highest volume of government demands for user data came from the U.S. (5,950 requests, a 29 percent increase from the previous six-month stretch); India (1,739 requests, up 2 percent); France (1,300 requests, up 27 percent); Britain (1,273 requests, up 10 percent); and Germany (1,060 requests, up 38 percent).

[…]

The company usually complies with at least a portion of most government demands. Google has said that it often has little choice because it must obey laws in the countries where it operates. The alternative is to leave, as it did last year when it shifted its search engine to Hong Kong so it wouldn’t have to follow mainland China’s censorship requirements.

In the U.S., Google gave federal, state and other agencies what they wanted 93 percent of the time. The nearly 6,000 requests affected more than 11,000 user accounts during the January-June period.

In India, Google honored 70 percent of the 1,739 requests, which targeted more than 2,400 users, the second highest totals.

Google, which is based in Mountain View, Calif., rejected the most government demands for user information in Argentina, where 68 percent of the requests were denied. Less than 50 percent of the government requests for user data were complied with in Canada, Chile, France, Hong Kong, Mexico, the Netherlands, Russia, Turkey and South Korea.

I’m sure they have an office full of attorneys versed in the laws of various countries.

Another article.

Posted on October 26, 2011 at 5:54 AM

New Attacks on CAPTCHAs

Nice research:

Abstract: We report a novel attack on two CAPTCHAs that have been widely deployed on the Internet, one being Google’s home design and the other acquired by Google (i.e. reCAPTCHA). With a minor change, our attack program also works well on the latest ReCAPTCHA version, which uses a new defence mechanism that was unknown to us when we designed our attack. This suggests that our attack works at a fundamental level. Our attack appears to be applicable to a whole family of text CAPTCHAs that build on top of the popular segmentation-resistant mechanism of “crowding characters together” for security. Next, we propose a novel framework that guides the application of our well-tested security engineering methodology for evaluating CAPTCHA robustness, and we propose a new general principle for CAPTCHA design.

Posted on October 12, 2011 at 6:57 AM
