Don’t assume you’re safe playing in the sandbox

Very basically, for those of you who don’t know, sandboxing tries to control the rights of an application through permissions, or entitlements as Apple calls them, so that it doesn’t automatically have full control over the whole computer or smartphone. Sandboxing however gives the user a false sense of security “by implying that apps which run in a sandbox are automatically not malicious – which simply is not true.” On top of that, the majority of malware does not get onto a device through applications but rather through “drive-by downloads”; again, basically, surfing in the wrong place. Another downfall of the sandboxing method of “protection” is that most users slide right past the permissions part of installing an application and simply click ‘OK’ to everything. Furthermore, in the Android market the applications are not curated or vetted (examined by someone to make sure they’re safe), so a developer could put nearly anything inside an application. Don’t think you’re safe if you use an iPhone however…even with the scrutiny there are still major holes.

You think I’m blowing smoke up your…app? Then just watch this video.

http://www.youtube.com/watch?v=ynTtuwQYNmk&feature=player_embedded

I could go on with my views about smartphone apps and malware, but you’d be better off reading this article for yourself. Honestly, I think anyone who either has a smartphone or is interested in security should definitely read it.

http://www.guardian.co.uk/technology/blog/2011/nov/08/sandboxing-malware-failure

Android users: pay now or pay later

A study by AV Test recently showed that paid security apps work much better than free apps do. The study was done on Android, but AV Test claims it should be true for all smartphones. The study results showed that Kaspersky’s and F-Secure’s Mobile Security suites worked the best. They were both able to detect 50 percent of the active malware samples used. The best free app was Zoner AntiVirus Free, which detected only 32 percent. Although the paid apps worked better, 50 percent is still not all that good. AV Test, a company that tests apps for security issues, suggests that you should avoid using apps from developers without a reputation. Also avoid apps that have no reviews or poor reviews, and be leery of developers that don’t have a website. There’s a free Android app called Lookout which PC World suggests all Android users should have. It checks all apps against a malware blacklist and lets you know if one is suspect.

Here is the article and a link to a PC World best practices page.

http://www.techworld.com.au/article/407139/android_paid_mobile_security_better_study/

http://www.pcworld.com/article/221213/keep_malware_off_your_android_phone_5_quick_tips.html

Anti-antivirus malware

The FBI has arrested six eastern European hackers for infecting numerous computers across the world with a sophisticated form of malware. The group, known as The Rove Group, was actually hired and paid by advertising companies to increase traffic to specific sites. They did this by using a class of malware called DNSChanger, which redirected traffic from legitimate sites to bogus sites instead. Some of the websites were iTunes, Netflix and even NASA and the IRS. The malware worked by redirecting a user who clicked on a legitimate link to a site like iTunes to a site that pretended to sell Apple software or music. Much like an online phishing attack, except they would not steal your identity; rather, the customer would pay them directly. Sometimes the customer would receive black-market goods or pirated software, and often they would get nothing at all. The scheme was discovered and brought down by an FBI investigation known as Operation Ghost, but not before making 14 million dollars over four years. The rest of the story is here…

http://www.fbi.gov/news/stories/2011/november/malware
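Since the post describes DNSChanger as working by sending a victim’s lookups to resolvers the crooks control, here is an added example (my own illustration, not code from this blog or from the FBI article) of the kind of check a defender can run on a host: it parses resolv.conf-style nameserver lines and flags any resolver that is not one the network is supposed to use. The resolver addresses, the “rogue” range and the corporate network setup are all constructed placeholders drawn from the reserved documentation ranges, not the real DNSChanger addresses.

```python
"""Check resolver configuration for signs of a DNS-changing infection.

Added example, not from the blog post or the FBI article. DNSChanger-style
malware rewrites the victim's DNS server settings so that name lookups go to
resolvers the attacker controls. A simple host check is therefore: does every
configured nameserver belong to a resolver we expect?

The allow-list and the "rogue" range below are constructed placeholders
(reserved documentation ranges), not the real DNSChanger IP ranges.
"""
import ipaddress
import re

# Resolvers this (hypothetical) network is supposed to use.
EXPECTED_RESOLVERS = {
    ipaddress.ip_address("192.0.2.53"),     # constructed: corporate resolver (TEST-NET-1)
    ipaddress.ip_address("198.51.100.53"),  # constructed: ISP resolver (TEST-NET-2)
}

# Ranges known, in this constructed scenario only, to host rogue resolvers.
ROGUE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),  # constructed placeholder (TEST-NET-3)
]

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)")


def parse_nameservers(resolv_conf_text):
    """Return the nameserver entries found in resolv.conf-style text.

    Valid addresses come back as ipaddress objects; an unparsable token is
    kept as a plain string so the audit can flag it instead of hiding it.
    """
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        match = NAMESERVER_RE.match(line)
        if not match:
            continue
        try:
            servers.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            servers.append(match.group(1))
    return servers


def classify_resolver(server):
    """Label a resolver as 'expected', 'rogue', 'unexpected' or 'invalid'."""
    if isinstance(server, str):
        return "invalid"
    if server in EXPECTED_RESOLVERS:
        return "expected"
    if any(server in net for net in ROGUE_RANGES):
        return "rogue"
    return "unexpected"


def audit_resolvers(resolv_conf_text):
    """Return (is_clean, findings) for a resolver configuration.

    findings is a list of (server, label) pairs in file order. The host counts
    as clean only when every configured nameserver is one we expect: an
    unexpected resolver that is not on any blocklist still deserves a look,
    because freshly set up attacker infrastructure is never on a blocklist yet.
    An empty configuration is also reported as not clean.
    """
    findings = [(str(s), classify_resolver(s)) for s in parse_nameservers(resolv_conf_text)]
    is_clean = bool(findings) and all(label == "expected" for _, label in findings)
    return is_clean, findings


# Constructed sample configurations.
CLEAN_CONF = """\
# Generated by the (hypothetical) corporate DHCP server
search corp.example
nameserver 192.0.2.53
nameserver 198.51.100.53
"""

TAMPERED_CONF = """\
search corp.example
nameserver 203.0.113.7     # rewritten by malware in this constructed scenario
nameserver 192.0.2.53
"""

if __name__ == "__main__":
    for name, conf in (("clean", CLEAN_CONF), ("tampered", TAMPERED_CONF)):
        clean, findings = audit_resolvers(conf)
        print(f"{name}: {'OK' if clean else 'SUSPICIOUS'} {findings}")
```

The same idea applies to a Windows machine (the DNS servers on each network adapter) or a home router, which is where DNSChanger often made its change; the allow-list is whatever your ISP or company actually hands out, and anything else, rogue-listed or not, should be explained before the host is trusted again.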

Another certificate authority hacked

Not long ago the Dutch company DigiNotar was hacked, causing that company to lose countless customers and eventually forcing it into bankruptcy. The company that picked up most of that business was another Dutch company, KPN. Today KPN announced that it has been hacked also, and possibly has had issues as far back as four years ago. KPN has begun an internal investigation and replaced all its servers.

Although there is no evidence of any fake certificates being issued, according to reports at least six certificate authorities have been compromised this year alone.

Here is today’s article.

http://www.zdnet.com/blog/london/-8216hacked-server-claims-another-certificate-authority-casualty/596?tag=content;selector-blogs

Hackers 101

I came across this article on the “How Stuff Works” website. It has a lot to do with many of the things we talked about in class. It isn’t a lot more in depth, but it still ties things together nicely for anyone who could use a simple, smooth overview.

It does go into more detail about hackers themselves, however: history, culture, motivation and things like that. It even has a part about the problems hackers have with the law…or perhaps more accurately the problems the law has with them.

The reasons I included the article, however, were the videos, which were good to watch, the links to various hacker websites, and even a simple short quiz at the end regarding computer security. For those of you more advanced on hackers and computer security the article might seem simplistic, but the links were somewhat interesting, including one called “Could hackers devastate the U.S. economy?”; if you are like me you will end up clicking on links till you look at the clock and realize you need to get to bed.

For those of you who could use a quick overview of many of the things we’ve covered in class, there are links at the end that you might find helpful about things like phishing, types of viruses and encryption.

I hope some of you find this helpful.

http://computer.howstuffworks.com/hacker.htm

“Silk” – smooth for ID thieves?

The EFF (Electronic Frontier Foundation) has recently given its thumbs up to Silk, the new browser for Amazon’s Kindle. Silk uses a cloud accelerator to improve performance. The issue up to this point is that this better performance comes with a downside; namely security.

The issue at heart is that while the cloud is in use, information is sent to Amazon’s servers and stored to ‘predict’ what website the user will go to next, therefore speeding things up. That information is stored for up to thirty days. While Amazon says the information is kept private (unlike Facebook), there are some doubts. The EFF has approved Silk because the cloud can be turned off and Amazon claims that secure web page visits (SSL and HTTPS) are not routed through Amazon’s servers, so no information about them is stored. Still, concerns do exist. Besides storing information about what sites a user visits, their search history is also stored. Sometimes that search history contains personal information.

Although the cloud can be turned off, my concern is that the common user will not do it. Most people do not know that their information is being stored; they just happily click away thinking that once they turn off the computer all the information disappears. I also feel that Amazon, while saying all the right things now, will more than likely sell that information in the future. We are talking about a company that makes its profit selling things, after all.

http://news.cnet.com/8301-1009_3-20123464-83/amazons-silk-browser-now-eff-approved-really/?tag=mncol;txt

Six Strikes and you’re out!

If you have not heard of the “Six Strikes Plan” yet, check out the links below. For all of you concerned about file sharing on the internet, no matter what ‘side’ of the issue you are on, it is an interesting read and something you should know about.

Obviously sharing copyrighted material is wrong, so we won’t debate that issue. To me the debate here is whether or not the government should assist private industry in security efforts. Let’s take the recording industry, for example…

If the recording industry loses between $7 and $20 billion [1] annually as they claim, then isn’t it in the best interest of all Americans that those losses be minimized? After all, those are numbers that represent taxes not paid (from profits), jobs lost at the record labels, CDs or MP3s not being sold/downloaded (legally), which creates jobs for the retailers, etc…So it would seem logical that it is in all our best interest that the government step in and help out.

But is it that simple? Nobody says that the industry is not losing money, but many say that those numbers are greatly exaggerated. It is in the interest of the record labels to enhance the numbers, after all – the bigger the loss, the bigger the tax write-off. Some also question whether the labels themselves aren’t behind much of the sharing, especially when it comes to new artists. A few things happen when a new artist’s music is shared. The obvious thing – exposure. The better the exposure, the more interest in the artist. The more interest, the more sales for future recordings from an artist who may otherwise never have become popular. Why would the record label do that instead of getting all the sales from the first album? The answer is risk. When a label records a new artist there is a monetary risk involved. If that new artist does not take off, if no one likes the music, it would never have sold, which would create a loss for the label. If however the album is being illegally shared, then the company can claim the reason for the poor sales is theft and write the loss off on their taxes…not to mention the insurance claim they will undoubtedly make. All this therefore leads doubters to say that the record labels themselves leak most of the (new) music to limit the risk of potential losses.

I’m not here saying I doubt the industry’s claims. What I am asking is: is it then in the best interest of Americans to have the government spend our tax money helping out private industry? The government officials that are involved get paid from our taxes, the studies of losses cost money which comes from our taxes, the programs take tax money, the overseers, the voting, etc…Then there are the tax write-offs from the labels that I already mentioned. But if you look further, theft is covered by insurance, all claims on insurance come out of the insurance company’s profits, which are another loss of tax revenue, AND the federal government subsidizes insurance companies for those losses; bet you didn’t realize that.

So you can look at this in two different ways. Either the government needs to do something to stop the illegal sharing or else those losses are going to continue to hurt the economy, or the government needs to stop helping the industry altogether and stop subsidizing losses.

So the question is…should the government be involved at all?

http://arstechnica.com/tech-policy/news/2011/07/major-isps-agree-to-six-strikes-copyright-enforcement-plan.ars

http://www.techdirt.com/articles/20111014/09164516365/worst-kept-secret-now-confirmed-government-was-very-involved-helping-riaampaa-negotiate-six-strikes.shtml

[1] From http://www.riaa.com/faq.php

Your car has been hacked!

Alright, so it is highly unlikely your car has really been hacked…so far. But the likelihood of this becoming a reality is increasing with every model. Car manufacturers now use computer software to monitor everything from gas mileage to engine efficiency to all the electronic systems. There are even programs to monitor your brakes and exhaust – and more and more systems are being ‘upgraded’ with computer monitoring that can be remotely accessed.

The initial idea is a good one. It’s nice to be able to get an email telling you when it’s time to have your oil changed, or perhaps a text message reminding you that you are low on gas. Our car is a huge investment that, depending on how it is driven and maintained, can cost us either a little extra or a ton of extra money to keep up. Most people are too busy, or simply not very good at maintaining their car, so having installed software programs to remind us when to do certain things can save a bundle. There are also programs being installed right now that will give us access to data on our personal driving habits; we can see if we are pushing our accelerator too hard for our engine, or if we are braking too hard, turning too fast, etc…for our car’s abilities, therefore helping us drive safer and improve the life of our vehicle. All this sounds awesome until you think about it from a security standpoint.

Almost all newer cars have software to control the antilock brakes, control the fuel injection system and lock or unlock our doors remotely. How far off are we from someone figuring out how to use a smartphone to unlock our car’s doors and remotely start it? How about tracking where our car is so they know when we are not home?

Those are the least of our worries, however. The real concern is with the braking systems and in-dash controls like the speedometer (which is electronically controlled and computer monitored). Sure, it isn’t very likely a malicious attack would be launched against a single individual, but all this information is accessible remotely by other computer systems set to store that information, analyze it for you and make it accessible to you. These other systems are windows into thousands, if not millions, of vehicles and their individual computer systems. One ill-intentioned individual could therefore, in theory, send harmful code to all these cars at once.

Maybe it’s science fiction right now…but how do you feel about the possibility of a ‘denial of service’ attack on millions of braking systems during rush hour?

http://www.foxbusiness.com/personal-finance/2011/09/29/new-threat-to-your-car-ticked-off-geek/

Without unreasonable delay

Reading this article in the Boston Globe made me think about how often people are actually notified when their personal data is compromised. When customers’ personal data was stolen from Sony (as mentioned in the article) I was only informed by reading a short notice on my PS3 once when I turned it on. That was it…that is all I got. Apparently they also sent out emails, but I can’t recall getting one; more than likely it went into my SPAM folder with all the garbage I get trying to sell me more games. So I decided to do a little digging, and it seems that the US Senate is in the process of enacting a bill to make it a federal law requiring companies to inform consumers whenever there is a security breach that could possibly have compromised personal information. It seems that almost all states already have such laws, but since the compromised information may be held by a company based in a different state (i.e. most credit card companies are based in Delaware), a federal law would be more effective.

I also see that while many states have the laws in place…several of them don’t have any penalty for not abiding by them. Here’s what I mean: let’s compare NY and Indiana…

New York

Breach Notification Law: N.Y. Gen. Bus. Law § 899-aa S3760
Notification Requirement: Most expedient time possible, without unreasonable delay
Other Requirements: Encryption standard mandated
Summary: Civil or criminal penalty for failure to promptly disclose

Indiana

Breach Notification Law: Ind. Code §§ 24-4.9 et seq., 4-1-11 et seq., 2009 H.B. 1121
Notification Requirement: Without unreasonable delay
Summary: No civil or criminal penalty for failure to promptly disclose

The summary lines above show that New York will (theoretically) penalize a company for not notifying a person of potentially compromised data, but Indiana has no penalty whatsoever. What good is a law that can’t be enforced? And what the heck is “without unreasonable delay?”

I was relieved (for a moment) to read that the penalty is often very severe and can cost a company dearly, but quickly my concern returned as, just a few sentences later, I read that if “the personal information on the stolen device was properly encrypted… notification is not always required.”

So there could be someone out there right now with a stolen laptop containing all your personal data, with as long as they need to crack the encryption…and you would have no way of knowing, because the company doesn’t have to tell you since it had “proper encryption” – whatever that is.

Here’s the article and website where I got the quotes:

http://articles.boston.com/2011-09-21/business/30185263_1_data-breaches-data-thieves-data-leaks

http://www.credant.com/solutions/solutions-for-compliance/state-data-breach-laws.html (keep in mind when reading this that the ‘data’ is provided by a company trying to sell something.)

Online security bill vs. pledge to reject cybertheft

I read two articles online recently that brought a question to mind as I read them. It’s not a new question to most of us, however: what is the best way to protect private information from being stolen by hackers? More specifically, based on these two articles, who would be the most effective: the government, or the hackers themselves?

My view is that some combination of the two…along with much help from the private sector, would be the most effective. Hackers would have the knowledge and be the quickest to react to new threats; we all know how slowly government works. The problem there is that there are always the bad apples. Can we really rely on hackers to effectively police themselves? I don’t think that is possible. Are ethical hackers effective, or do they just fuel more competition from ‘the bad guys’?

On the other side is the government with its laws and regulations. While I think that kind of thing is needed to force private corporations to be more responsible with consumer information, I also wonder where the line should be drawn. My fear is that once the government begins to regulate companies, it will not stop there. Do we need to protect children and private information…of course we do. Will we soon, however, have laws limiting the exchange of ideas, limitations on what can be bought and sold, guidelines on what we can discuss in forums? Will we be restricted from selling certain items because a hacker may use them for malicious purposes? Will we not be able to discuss adult topics because a child may wander onto a website? Will we no longer be able to discuss security on blogs such as this because it could inform a hacker of certain vulnerabilities?

My view is that while there are obvious holes that need patching, overall we are doing fine with things as they are. In the whole design of time, technology, or more pertinently cyber security, is still a very new thing. How many people lost fingers and limbs in early industrial machinery? Did we stop using machines because of that? No, we continued and made improvements as things progressed. The government didn’t step in right away; mostly the improvements were made by the users themselves. Technology is no different. We need to stay diligent, use caution and protect where we can…we should also be helping our fellow man. The bright side is…we will all have jobs waiting for us when we finish school.

So what do you think? Who is best suited to prevent hackers from stealing private information…the government or ethical hackers?

Sources: http://www.computerworld.com/s/article/9220097/Pledge_asks_Chinese_hackers_to_reject_cybertheft?taxonomyId=17

http://bits.blogs.nytimes.com/2011/09/08/senator-introduces-new-online-privacy-bill/