A Shark Net for the Insecure

You couldn’t help but read Andrew Auernheimer’s Statement Of Responsibility for his crime of breaking into unsecured APIs on the AT&T website - the iPad Hack - and wonder in what world we think it is okay for someone to go to jail for potentially many years because they exposed such shoddy security on a public Internet site.

Because the article indicates he instead contacted a news publisher, I wondered why Auernheimer didn’t contact AT&T first to show them the flaw, but until he responds I can only assume he was simply concerned the security team there would threaten exactly what has since happened to him. Something seen recently in Australia with security researcher Patrick Webster, for example.

It’s possible the CFAA law, which was used both against Auernheimer and Aaron Swartz, formed part of his consideration. For those unfamiliar with what appears to be nothing more than hastily strung barbed wire around badly dug moats, here are a couple of articles describing what it tries to cover and what it doesn’t.

It seems to me that what we have here is a law which is being used like a shark net on a beach: it fosters a false sense of security and allows businesses to avoid taking responsibility for their own failures when it becomes clear they have failed to invest adequately in securing critical and personal data.

Just as the shark net does, instead of simply preventing the threat from breaking through, it catches everything which falls into it, threat or not. But unlike the shark net, the collateral damage of having someone else to blame when the shortcomings are found out is not always acceptable to the public.

Link

RSA, the manufacturer of ‘Security, Compliance and Risk-Management solutions’, has discovered a new method of delivering what’s known as an Advanced Persistent Threat:

methodology relies on “trojanizing” legitimate websites specific to a geographic area which the attacker believes will be visited by end users who belong to the organization they wish to penetrate.

In effect, the attacker assumes that a number of compromised computers or devices will be carried into the targeted corporate network, lying in wait like lions at a watering hole for the opportunity to attack.

Link

Excellent article from Glenn Fleishman at TidBITS Safe Computing on how Elcomsoft Criticism of iOS Password Apps is Overblown.

The core point I took from the article is that there is a four-factor authentication process before you can get to individual passwords:

  • Get the Device (or the data file)
  • Get the Security code on the Device
  • Get the Security code or password for the app
  • Get the Master Password

Which doesn’t preclude a user of an application like 1Password from;

Disclaimer: I use 1Password on my Mac and on iOS and have done since I originally got a free install about 3 years ago. I have since then purchased both the Mac software (currently 3.8.17) and 1Password Pro for the iPhone, both of which I use daily.

Link

The summary of AV Test’s March 2012 Malware Protection for Android Tests includes the following:

“Close to two thirds of these scanners are not yet suitable for use as reliable products and identify less than 65% of the 618 types of malware tested”

Though I think the most damning quote was about one of the large number of “free” (mainly ad-supported) services:

“…showed no detections in our tests and crashed several times. The advertisements worked properly”

Disclaimer: In my current role I promote Lookout Mobile Security, which was in the top 7 tested applications.

Ducking out of Google Search

Aside

When Google were just a search company, they made the web one of the most usable things ever. Life was great and everything was a Google away.

Today, as they face the challenges of Facebook, Apple and potentially Microsoft in the turf they made their own, they’ve changed their search algorithms so much that finding a good result can be a challenge at the best of times in a desktop browser. Though surprisingly, in the Safari browser on iOS their results are more like the “good old days”.

So, like many other companies who either fail to disrupt themselves or whose attempts at disruption are less successful than expected, they’ll do whatever it takes to maintain their lead. From next week they will make your Google Web History available to its other products. A bit like when Microsoft integrated Office into Windows, perhaps?

Because they still have a lot of soul, they at least make it very easy to prevent them from gathering said web history.

Well before the recent discovery that Google were compromising, without permission, the privacy setting I had chosen in my browser, I’d already mostly stopped using them for search in the last 6 months. There will still be the odd time when what is still the best search engine on the planet has to be used. But, for now, I prefer the growing ability of DuckDuckGo and other services to answer my queries.

DuckDuckGo sounds like they don’t want to be evil after all.

Netbank: taking no risks with your security on the iPhone

Aside

Which Bank’s iPhone application is, according to their own PR, a very popular way for their customers to access their financials online.

And they’ve generally done a great job, retaining security – the key focus in any online banking service – without sacrificing usability throughout the app.

Except in one simple case.

The close button.

At first glance it seems they’ve done the right thing with both the position and the behaviour of the button. In almost every app I use on the iPhone a button in that location signifies going to account settings or going back.

Until you realise any habitual, yet accidental, press will log out the banking session.

The challenge with habitualising yourself NOT to press it is a toss-up between wasting a truckload of time in Facebook figuring out an alternative way to find the kinky photos your friends share or repeatedly logging back in to your banking.

Perhaps they could remove the close button and just let us use the “Log off” link they’ve helpfully provided instead. Or maybe it’s an undocumented security feature to protect us from ourselves and the HTML session embedded inside the application wrapper.

Apple and Charlie Miller, peas missing a security pod

Forbes are reporting that security researcher Charlie Miller has had his iOS developer program licence terminated following his decision to submit an application to the AppStore which hid a proof of concept for exploiting a JavaScript security bug.

Leaving aside the fact Miller deliberately broke his agreement with Apple, and potentially put other AppStore users at risk, you’d like to think that Apple should instead just take the app down, admit the flaw and work with him to help resolve the issue in a future update.

Security researchers seem to like to publicly embarrass companies who don’t admit to, or schedule a fix for, flaws they have found. And while there is good reason for that happening – keeping the developer on their toes, as it were – there are converse reasons why a software company would refuse to admit the flaw and refuse to advise of a fix. Apple particularly, for real or flawed reasons, have traditionally been ostrich-like when it comes to admitting they have a ghost in the machine.

Perhaps a bit less of the head-on and a little more conversation between both sides of the equation might help resolve this fundamental dichotomy. In other words: get into bed, guys; as a user I know I’d appreciate it.