Psst, hey buddy I got some nice Android apps for you cheap! They just fell off the back of a truck ya know.

Subject: General Tech | March 25, 2015 - 12:25 PM |
Tagged: Android, security

If you are running a device with Android 4.3 or earlier you should avoid third-party app stores; arguably all users should, but there are times when Google Play does not offer what you need. A security problem with the way APK files are authenticated during install can allow a seemingly harmless app to be modified, either at the source or while being transmitted, leading to the installation of an app that may not be entirely honest about what it does. Palo Alto Networks' testing shows versions 4.4+ do not suffer from this particular problem, nor do the vetted apps at the Google Play store. It is unlikely you will encounter this problem unless you usually install things from places like Creepy Ice Cream Van Discount Apps and Malware, but you should be aware of the existence of this issue. More at The Inquirer.
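As an added illustration that is not from the article or from Palo Alto Networks' research, the Python below models the class of flaw described here under the assumption that it is a check-then-use race: the package that gets verified is not the package that gets installed. The "APK" bytes are constructed stand-ins, and the demo assumes POSIX file semantics (a rename over an open file leaves the open descriptor pointing at the old contents).

```python
import hashlib
import os
import tempfile

# Constructed stand-in package contents; not real APKs.
BENIGN_APK = b"PK\x03\x04 benign-app-contents"
TAMPERED_APK = b"PK\x03\x04 tampered-app-contents"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def install_by_path(path, expected_hash, swap_after_check):
    """Vulnerable pattern: verify the file at PATH, then reopen PATH to install.
    Anything able to replace the file inside that window wins the race."""
    with open(path, "rb") as f:
        if sha256(f.read()) != expected_hash:
            return None                 # rejected at check time
    swap_after_check()                  # the check-to-use window
    with open(path, "rb") as f:         # path is resolved again: may be a new file
        return f.read()                 # bytes that actually get "installed"


def install_by_fd(path, expected_hash, swap_after_check):
    """Hardened pattern: verify and install from one open descriptor, so the
    bytes checked are the bytes used even if the path is replaced meanwhile."""
    with open(path, "rb") as f:
        if sha256(f.read()) != expected_hash:
            return None
        swap_after_check()
        f.seek(0)                       # same inode, unaffected by a rename over PATH
        return f.read()


def demo():
    """Run both installers with a swap that lands inside the check-to-use window."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.apk")

        def write(data):
            tmp = path + ".tmp"
            with open(tmp, "wb") as f:
                f.write(data)
            os.replace(tmp, path)       # atomic rename over the verified file

        results = {}
        for name, installer in (("by_path", install_by_path), ("by_fd", install_by_fd)):
            write(BENIGN_APK)
            results[name] = installer(path, sha256(BENIGN_APK), lambda: write(TAMPERED_APK))
        return results
```

The by_path run installs the tampered bytes even though the check passed; the by_fd run installs exactly what was verified.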


"A FRESH VULNERABILITY CALLED Android Installer Hijacking is making itself known as a threat to almost half of all Android users."


Source: The Inquirer

Since TLS connections mostly ignore OCSP, Firefox is creating yet another solution

Subject: General Tech | March 5, 2015 - 01:46 PM |
Tagged: security, OneCRL, irony, firefox, CRLSet, chrome

It seems somehow strange that the vast majority of 'secure' connections still completely ignore what were developed as industry standards to ensure security, in favour of creating their own solutions, but that is the world a security professional lives in. The basic design of OCSP carries a lot of extra bandwidth usage; serving a time-limited cached copy of the OCSP response, referred to as stapling, would ameliorate this, but your TLS connection is not likely to support that solution. Instead of fixing the root cause and utilizing existing standards, it would seem that Firefox 37 will start a brand new solution, maintaining a list of revoked certificates ironically called OneCRL which will be pushed out to Firefox users, duplicating the CRLSet which Chrome has already developed and maintains.

This is good for the end user in that it does add security to their browsing session, but for those truly worried about making the net a safer place it offers yet another list to keep track of, and for attackers yet another vector of attack. At some point we will have to stop referring to standards when referencing networking technology. Pore through the links on the Slashdot post and read through the comments to share in the frustration, or to familiarize yourself with these concepts if the acronyms are unfamiliar.


"The next version of Firefox will roll out a 'pushed' blocklist of revoked intermediate security certificates, in an effort to avoid using 'live' Online Certificate Status Protocol (OCSP) checks. The 'OneCRL' feature is similar to Google Chrome's CRLSet, but like that older offering, is limited to intermediate certificates, due to size restrictions in the browser."


Source: Slashdot

SIM card maker Gemalto apparently now holds the world's record for fastest security audit?

Subject: General Tech | February 26, 2015 - 01:02 PM |
Tagged: Gemalto, SIM, encryption, fud, security

In just under a week SIM card maker Gemalto claims to have done a complete security audit of its systems in 85 different countries and reports that while "its office networks were compromised, the servers holding the SIM card encryption keys weren't." This is a record worthy of Guinness, as most security audits take months or years to complete and the findings tend to discuss probabilities, not absolute certainties. As you might expect, The Register and security experts everywhere are doubtful of the claim, from a company that did not even know it was compromised less than a week ago, that the UK-based GCHQ and US-based NSA are unable to compromise your SIM cards' encryption when they have the keys in hand. It has not been a good week for anyone who thinks about security.


"Six days ago Gemalto, the world's largest SIM card manufacturer, was told that back in 2010 it had been ransacked by NSA and GCHQ hackers. Today the company gave itself the all-clear: no encryption keys, used to secure phone calls from eavesdroppers, were stolen, it claims."


Source: The Inquirer

Roll over Superfish, PrivDog is just as bad but doesn't come directly from Comodo

Subject: General Tech | February 25, 2015 - 12:36 PM |
Tagged: SSL, security, PrivDog, idiots, fud, Comodo

This has been a bad week for the secure socket layer and the news just keeps getting worse. Comodo provides around one out of every three SSL certs currently in use, as they have, until now, had a sterling reputation and were a trusted provider. It turns out that this reputation may not be deserved, seeing as their Internet Security 2014 product ships with an application called Adtrustmedia PrivDog, which is enabled by default. Not only does this app install a custom root CA certificate which intercepts connections to websites in order to insert customized ads, as SuperFish does, it can also turn invalid HTTPS certificates into valid ones. That means that an attacker can use PrivDog to spoof your bank's SSL cert, redirect you to a fake page and grab your credentials, while all the time your browser reports a valid and secure connection to the site.

The only good news from The Register's article is that this specific vulnerability is only present in PrivDog versions 3.0.96.0 and 3.0.97.0 and so has limited distribution. The fact that this indicates the entire SSL certificate model is broken, and that even those who create the certs to assure your security feel that inserting a man-in-the-middle attack into their software does not contravene their entire reason for existing, is incredibly depressing.

Update: The Register's article was originally based on research from Hanno Böck, who referred to PrivDog as being distributed by Comodo. Comodo does not distribute the standalone desktop version of PrivDog, only the browser extension, which was never vulnerable to the TLS interception.


"The US Department of Homeland Security's cyber-cops have slapped down PrivDog, an SSL tampering tool backed by, er, SSL certificate flogger Comodo.

Comodo, a global SSL authority, boasts a third of the HTTPS cert market, and is already in hot water for shipping PrivDog."


Source: The Register

Your aggregate battery consumption isn't Li-On about your location

Subject: General Tech | February 24, 2015 - 12:56 PM |
Tagged: fud, security, smartphone

Tracking your smartphone's location via aggregate battery usage is not the most efficient or accurate method, but it can be done, and Samsung (and others) have not provided a switch which makes that particular data private. Researchers have shown that by tracking the battery drain of the 3G cellular radio one can determine the distance from the cellular base station the phone is connected to, and a coarse location based on environmental interference factors such as buildings which partially block the signal. It is only a very coarse locator but does give better information than just the base station the phone is connected to, and as we are creatures of habit it allows tracking normal patterns of movement. This is nowhere near as accurate as GPS tracking and does require a bit of work to pull off, but as battery usage and levels are sent by the phone in the clear, with no method of preventing that, it should cause some privacy concerns for users. You can read the research paper (in PDF) by following the link from The Inquirer.


"SCIENTISTS have warned of a new smartphone risk after discovering that battery power can be used to track a person's movements."


Source: The Inquirer

Just wait, blacklisting dangerous root certificates will lead to a legal battle

Subject: General Tech | February 23, 2015 - 01:35 PM |
Tagged: superfish, mozilla, komodia, security

Firefox can remove any threat that Superfish presents with a simple step and 24 hours; indeed, they could prevent any similar issue involving a questionable or downright poisonous SSL certificate simply by blacklisting it. In this Register article they specifically cite the ability of OneCRL to block even obfuscated certs before the Network Security Services level, provided the certs are properly recorded on the blacklist. This would lead to a much more secure web, requiring attackers to invest significantly more effort when attempting to create fake or dangerous SSL certs. There is a flip side to this: there are those who may attempt to have valid certs added to the blacklist, so there must be a way of policing the list, and a way to remove certs which should not be on it because they were placed there in error or because of a change in the software associated with that certificate. It is also likely that there will be court cases attempting to have the blacklist removed if it does come into being, as Superfish is not the only business out there whose business model requires phishing, or at least a way around proper SSL certification and best practices, which will no longer be viable if we are allowed to block their mutant SSL certs.


"Firefox-maker Mozilla may neuter the likes of Superfish by blacklisting dangerous root certificates revealed less than a week ago to be used in Lenovo laptops."


Source: The Register

Of gaps of air and hats of tinfoil

Subject: General Tech | February 12, 2015 - 12:51 PM |
Tagged: security, fud

In networking, an air gap refers to a security measure that separates a network from the public infrastructure, either physically or through the use of extremely secure tunnelling. This prevents access to that network over the internet or less secure LANs, and it is used in high security locations as it is generally considered one of the best ways of securing a network. As with all things silicon, it is not perfect, and this article at The Register should not be read by the faint of heart. It describes several methods which have been developed to overcome air gaps; thankfully most require that the attacker has been able to gain physical access to the air gapped systems to infect them from within, and as you have heard many times, once an attacker can gain physical access to your systems all bets are off.

What is interesting is the ways in which the infected systems transmit the stolen data without the need for physical contact, and how incredibly difficult they are to detect. Some are able to use the FM frequencies generated by GPUs to send data to cellphones up to 7m away, while another uses the screen's pixels to transmit hidden data in a way that is invisible to the user of the machine. Other attacks involve spreading infection via microphones and speakers, or a thumbdrive which, once attached to an air gapped machine, could transmit data over a radio frequency up to 13 kilometres away. It is a wild world out there, and even though many of the attacks described have only been done in research labs, don't let strangers fondle your equipment without consent!


"The custom code had jumped an air gap at a defence client and infected what should have been a highly-secure computer. Sikorski's colleagues from an unnamed company plucked the malware and sent it off to FireEye's FLARE team for analysis."


Source: The Register

Flustered over Win10's surveillance habits? Have you met Predix?

Subject: General Tech | October 14, 2014 - 06:28 PM |
Tagged: predix, Cisco, Intel, GM, verizon, Privacy, security

GM's Predix asset management platform has been in use for a while now, after they came to the realization that they were among the top 20 largest software developers on the planet. They found that by networking the machines in their factories, as well as products that have been shipped to customers and are seeing active use, they could increase the efficiency of their factories and their products. They were aiming for a 1% increase, which when you consider the scale of these industries can equate to billions of dollars, and in many cases they did see what they had hoped for.

Now Cisco and Intel have signed up to use the Predix platform for the same results; however, they will be applying it to the cloud and edge devices as well as the routers and switches Cisco specializes in. This should at the very least enhance the ability to monitor network traffic, predict resource shortages and handle outages, with a very good possibility of a small increase in performance and efficiency across the board. This is good news for those who currently deal with the cloud, but it is perhaps worth noting that you will be offering up your company's metrics to Predix, and you should be aware of any security concerns that integration with another system may raise. You could, however, argue that once you have moved to the cloud this is already happening.


"GE, Intel, Cisco, and Verizon have announced a big data deal to connect Predix — GE’s software platform — to machines, systems, and edge devices regardless of manufacturer."


Source: The Register

Symantec starts a non-destructive reformat

Subject: General Tech | October 10, 2014 - 12:30 PM |
Tagged: symantec, security, norton, billions

Symantec is splitting itself down the middle, with one side focusing on their antivirus and security products, which apparently still sell and are not just bundled with new laptops and computers, and the other handling information management. Considering they made nearly $7 billion last year, someone must be buying their software, and even more shocking, they must be renewing the license which came with the new machine. Those commenting on Slashdot immediately tried to help Norton out by suggesting that one side should create and spread viruses while the other should come in like a white knight and slay them. That would certainly make it a more interesting read; even so, the fact that Symantec is still alive and prospering is enough of a shock for a Friday morning.


"Symantec announced plans on Thursday to split into two separate, publicly traded companies – one focused on security, the other focused on information management. The company's security business generated $4.2 billion in revenue in fiscal year 2014 while its information management business meanwhile hit revenues of $2.5 billion. "As the security and storage industries continue to change at an accelerating pace, Symantec's security and IM businesses each face unique market opportunities and challenges," Symantec CEO Michael A. Brown, who officially took over as CEO last month, said in a statement."


Source: Slashdot

Rooting your Android in the name of security

Subject: General Tech | August 22, 2014 - 01:30 PM |
Tagged: byod, security, Android

In the new BYOD corporate crapshoot, Android devices are frequently connecting to secure resources, which raises security concerns for many IT workers. The OS is not as secure as many would like it to be; good enough for home use but not for those who truly want to keep their data secure. The majority of the exploits come from insecure apps as opposed to an inherent problem with the OS, which has led a group to propose an Android Security Module Framework. Root the phone once to add these modules to Android and gain the ability to restrict apps from sharing data unnecessarily, without preventing the apps from running. The example offered to The Register was the ability to stop WhatsApp from uploading contact information without preventing the app from functioning. This could also allow you to configure a phone in a way similar to Blackberry's Balance feature, segregating work data from personal.


"An international group of researchers believes Android needs more extensible security, and is offering up a framework they hope either Google or mobe-makers will take for a spin."


Source: The Register