A Shark Net for the Insecure

You couldn’t help but read Andrew Auernheimer’s Statement Of Responsibility for his crime of breaking into unsecured APIs on the AT&T website - the iPad Hack - and wonder in what world we think it is okay for someone to go to jail for potentially many years because they exposed such shoddy security on a public Internet site.

Because the article indicates he instead contacted a news publisher, I wondered why Auernheimer didn’t contact AT&T first to show them the flaw. Until he responds, I can only assume he was simply concerned the security team there would threaten exactly what has since happened to him, as happened recently in Australia to security researcher Patrick Webster, for example.

It’s possible the CFAA law, which was used both against Auernheimer and Aaron Swartz, formed part of his consideration. For those unfamiliar with what appears to be nothing more than hastily strung barbed wire around badly dug moats, here are a couple of articles describing what it tries to cover and what it doesn’t.

It seems to me that what we have here is a law being used like a shark net on a beach: it fosters a false sense of security and lets businesses avoid taking responsibility for their own failures when it becomes clear they have not invested adequately in securing critical and personal data.

Just as the shark net does, instead of simply preventing the threat from breaking through, it catches everything that falls into it, threat or not. But unlike the shark net, the collateral damage of having someone else to blame when the shortcomings are found out is sometimes not acceptable to the public.

Link

RSA, the manufacturer of ‘Security, Compliance and Risk-Management solutions’, has discovered a new method of delivering what’s known as an Advanced Persistent Threat:

“…methodology relies on “trojanizing” legitimate websites specific to a geographic area which the attacker believes will be visited by end users who belong to the organization they wish to penetrate.”

In effect, the attacker assumes that a number of compromised computers or devices will be carried into the targeted corporate network, lying in wait like lions at a watering hole for the opportunity to attack.

Link

When you visit a website, you are allowing that site to access a lot of information about your computer’s configuration. Combined, this information can create a kind of fingerprint — a signature that could be used to identify you and your computer. Some companies are already using technology to try to identify individual computers. But how effective would this kind of online tracking be?

EFF is running an experiment to find out. Panopticlick will anonymously log the configuration and version information from your operating system, your browser, and your plug-ins, and compare it to our database of many other Internet users’ configurations.

I guess I can trust Panopticlick from the Electronic Frontier Foundation to track me to see how much I can be tracked, right?

Link

Excellent article from Glenn Fleishman at TidBITS Safe Computing on how Elcomsoft Criticism of iOS Password Apps is Overblown.

The core point I took from the article is that there is a four-factor authentication process before you can get to individual passwords:

  • Get the Device (or the data file)
  • Get the Security code on the Device
  • Get the Security code or password for the app
  • Get the Master Password

Which doesn’t preclude a user of an application like 1Password from;

Disclaimer: I use 1Password on my Mac and on iOS and have done since I originally got a free install about 3 years ago. I have since then purchased both the Mac software (currently 3.8.17) and 1Password Pro for the iPhone, both of which I use daily on both devices.

Link

The summary of AV Test’s March 2012 Malware Protection for Android Tests includes the following:

“Close to two thirds of these scanners are not yet suitable for use as reliable products and identify less than 65% of the 618 types of malware tested”

Though I think the most damning quote was about one of the large number of “free” (mainly ad-supported) services:

“…showed no detections in our tests and crashed several times. The advertisements worked properly”

Disclaimer: In my current role I promote Lookout Mobile Security, which was in the top 7 tested applications.

Ducking out of Google Search


When Google were just a search company, they made the web one of the most usable things ever. Life was great and everything was a Google away.

Today, as they face the challenges of Facebook, Apple and potentially Microsoft in the turf they made their own, they’ve changed their search algorithms so much that finding a good result can be a challenge at the best of times in a desktop browser. Surprisingly, in the Safari browser on iOS their results are more like the “good old days”.

So, like many other companies who either fail to disrupt themselves or whose attempts at disruption are less successful than expected, they’ll do whatever it takes to maintain their lead. From next week they will make your Google Web History available to its other products. A bit like when Microsoft integrated Office into Windows, perhaps?

Because they still have a lot of soul, they at least make it very easy to prevent them from gathering said web history.

Well before the recent discovery that Google were compromising, without permission, the privacy setting I had chosen in my browser, I’d already mostly stopped using them for search over the last 6 months. There will still be the odd time when what is still the best search engine on the planet has to be used. But, for now, I prefer the growing ability of DuckDuckGo and other services to answer my queries.

DuckDuckGo sounds like they don’t want to be evil after all.