Mobile Device Security

Hey everyone,

I am planning on finally getting a smartphone; I feel like I’ve waited long enough surviving off of my iPod touch for mobile browsing and computing needs. I am looking into getting a Droid phone over the iPhone, so I am just now beginning to do some product/consumer research. I thought it’d be a good idea to post on this blog and hopefully have some important questions answered. (I’ve never owned a smartphone, so I am a bit of a noob when it comes to trying to make an educated purchase.)

  • Any suggestions for recommended security/anti-malware apps? (I’m not sure really how much malware or security software exists, but I do remember the professor discussing it briefly.)
  • I’m looking for a smartphone with a keyboard and an AMOLED screen. These were just some recommendations from friends on a few basic things, but I have heard good things about AMOLED.
  • What is the risk with using QR code readers? Do some readers offer better security than others?
  • Most cost-efficient data plans, or any tips for staying under your bandwidth cap?

I will post more questions if I get some responses and once I’ve done more research. Thanks guys!

Homeland security fears Stuxnet

In a recent article I read, they discussed how the US Department of Homeland Security still fears the Stuxnet code. For those who are unfamiliar with Stuxnet, it is a computer worm that was discovered in 2010. Stuxnet has been used as a weapon, attacking centrifuges in Iran’s nuclear program. The origin of the code is cloudy and slightly unknown; it really just showed up on the internet. Some have reason to believe it was actually the US who developed and released it. The code has been made available online and shared among the hacker community, open-source style. Because of this, Stuxnet remains a very powerful piece of code, having the ability to morph and refine itself for specialized tasks. After years of exposure to the worm we still don’t have the best understanding of how it works and how to identify or stop it. This has caused many people to criticize DHS for not offering enough information about the worm after years of exposure. As of now only the future will hold the answers we are looking for regarding Stuxnet. Hopefully it can be stopped before a potentially devastating attack is made.

source: http://www.wired.com/threatlevel/2011/07/dhs-fears-stuxnet-attacks/

The Zeus Trojan

The Zeus trojan is malware that has been around since 2007, and it still manages to hide from anti-virus software. Zeus is a very elusive piece of software because it keeps a minimal profile. Once the victim visits a financial site, Zeus acts as a keylogger, attempting to record the user’s passwords and other valuable information. The open-source architecture of Zeus allows the code to be ever changing; hackers can edit the code so it is customized for certain tasks. This makes Zeus difficult for anti-virus software to identify. Zeus targets victims on a large scale by using social-engineering-style email attacks. The emails might prompt users to “verify” sensitive data by clicking a link and filling out a page. After the link is clicked, the code is installed behind the scenes. Zeus can be especially devastating if it infects a machine that is used to make lots of transactions, like a business machine. Larger businesses have decent protection from Zeus because of their higher budget investment in security, for example a security process that scans all incoming email attachments. In its current state Zeus only exists on Windows machines, so one could avoid it by using a Linux- or Mac-based OS. Does anyone have any examples of Zeus compromising a valuable system or business?

Shared security flaws of cloud computing

http://www.networkworld.com/news/2011/102611-security-cloud-252406.html?ap1=rcb

This article discusses some recently found security flaws in the Amazon Web Services cloud computing architecture. Fortunately, these flaws were first found by German researchers and no customers have fallen victim to the exploits. The researchers were able to gain administrative status, giving them access to any and all of the users’ data. Amazon has since been informed of this issue and has repaired all the holes they know of. However, the researchers believe this issue might be exploitable in many other cloud computing services. The general types of attacks that were used against Amazon are called XML signature wrapping attacks and cross-site scripting attacks. Amazon has announced that these exploits only exist in a very small percentage of AWS authentications that are not using SSL endpoints. Amazon posted a list of strategies for remaining secure, one of which is multi-factor authentication. With cloud computing’s rapidly growing popularity, it is a good thing researchers are finding and resolving these general exploits in cloud architecture.

New cyber strategy for the pentagon

“The five strategic initiatives detailed by the Department of Defense (DoD) include:

  1. DoD will treat cyberspace as an operational domain to organize, train, and equip so that DoD can take full advantage of cyberspace’s potential.
  2. DoD will employ new defense operating concepts to protect DoD networks and systems.
  3. DoD will partner with other U.S. government departments and agencies and the private sector to enable a whole-of-government cybersecurity strategy.
  4. DoD will build robust relationships with U.S. allies and international partners to strengthen collective cybersecurity.
  5. DoD will leverage the nation’s ingenuity through an exceptional cyber workforce and rapid technological innovation.”

http://cybersecuritynews.org/2011/07/15/pentagon-reveals-new-cyber-strategy/#more-1643

This article was posted back in July so it’s slightly dated, but still relevant for this blog. In the ever changing and evolving cyber world, defenses are getting smarter and stronger; however, so are the hackers. The five strategic initiatives I posted above are very general strategies, but you can read more in-depth information on each strategy here: http://www.defense.gov/news/d20110714cyber.pdf
It is interesting to hear about how some of the most significant networks and their data are being protected from malicious activity.

“Our responsibility is to acknowledge this new environment and adapt our security instruments to it.  That is the purpose of the DoD Cyber Strategy.”

On the other hand, I feel that by publicly describing and posting these strategies they slightly compromise their security. Security buffs aren’t the only people reading these articles; the hackers are as well. Even though these are extremely vague descriptions, it might give the right (or wrong) person the edge he or she needs to exploit a security system.

“We must prepare.  We must recognize the interconnectedness of cyber.  And we must be mindful of the many ways cyberspace is used–as a peaceful instrument of global communications, as a tool for economic growth–and, also, as an instrument to threaten and sometimes cause harm,”

Tactics of a Social Engineer

http://www.informit.com/articles/article.aspx?p=1350956

Lately in class, we have been talking about social engineering tactics. The article I posted above discusses some of the same techniques we talked about, coupled with a few new tactics we didn’t go over. The site describes the 10 most common/popular tactics social engineers are deploying today. Some of the basic tactics discussed are:

Reverse social engineering – Involves three main steps: sabotaging, advertising, and assisting. The social engineer will contact their target by email or other means and inform them that they have a problem within their network security (sabotaging). They will then pose as a security professional and offer their assistance (advertising). Finally, the sometimes desperate or ill-informed victims will gladly allow the social engineer access to any information he or she may “require” (assisting).

Vishing – This is a technique we didn’t discuss in class, but it is similar to phishing. It involves using automated phone messages to attempt to steal users’ credit card or bank information. Much like phishing, the social engineer will have an automated message that calls a bunch of different numbers, posing as a bank or credit card company. Commonly, the message would say that the user’s account had been compromised and that the user should call a separate number so they can resolve the problem. After calling, the user would be prompted to enter card and PIN numbers, or any information the social engineer wants. Messages are sent out en masse with these types of techniques. So you might say, “no one would ever fall for it,” but even if the social engineer only gets a handful it’s still a win; the message itself costs the engineer next to nothing to send.

“Getting smashed” – Lastly, getting your target drunk at a bar was the top tactic posted in this article. I thought this was an interesting one because I had never really heard of it being used. The engineer could use social networking sites to find out where his target would be. He then would arrive at the bar early to plan out his attack. People are a lot more willing to give up valuable information if they are drunk, and social engineers know how to appear as your friend in order to take advantage of you.

Online storage service Dropbox isn’t as secure as they promised

http://www.wired.com/threatlevel/2011/05/dropbox-ftc/
This article discusses the encryption settings that Dropbox uses and suggests that your data can in fact be viewed by some employees of the site. The company has made these deceptive claims in order to gain a competitive edge over other similar online services. Dropbox uses hashes to analyse files when they are first uploaded. This technique allows the company to see if another user has already uploaded the same file. If the same file has already been uploaded, Dropbox will not upload it again and will instead simply add the existing file to the new user’s Dropbox folder. The encryption and decryption keys are stored on the Dropbox server side rather than on the client’s machine. Hash use allows Dropbox to save storage space at the price of a security risk.

“Those architecture choices mean that Dropbox employees can see the contents of a user’s storage, and can turn over the nonencrypted files to the government or outside organizations when presented with a subpoena.”

Below is an excerpt from the article that shows Dropbox’s clever use of wording and how it has changed in response to these accusations:

Up until April 13, the site promised this:

Dropbox employees aren’t able to access user files, and when troubleshooting an account, they only have access to file metadata (filenames, file sizes, etc. not the file contents).

Now the site says:

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations).

The use of the word “prohibited” suggests that employees aren’t actually prevented from doing so; they are only restricted by policy, not by technology.
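As an added illustration (my own constructed model, not Dropbox’s code), here is the difference between the two designs described above: a server that hashes and deduplicates the files it receives holds plaintext that anyone operating it can read, while a client that encrypts with its own key before uploading gives up cross-user deduplication but leaves the server holding only ciphertext. The HMAC-in-counter-mode stream cipher below is a stand-in for a real cipher, used only so the example runs with the standard library.

```python
import hashlib
import hmac
import secrets


class DedupStore:
    """Constructed model of a server that deduplicates uploads by content hash."""

    def __init__(self):
        self.blobs = {}    # sha256 hex -> stored bytes
        self.folders = {}  # user -> set of hashes in that user's folder

    def upload(self, user, data):
        h = hashlib.sha256(data).hexdigest()
        is_new = h not in self.blobs
        if is_new:
            self.blobs[h] = data        # only the first copy is ever stored
        self.folders.setdefault(user, set()).add(h)
        return h, is_new

    def admin_read(self, h):
        # Whatever bytes the server holds, an operator (or a subpoena) can read.
        return self.blobs[h]


def keystream_xor(key, nonce, data):
    """Toy stream cipher: HMAC-SHA256 in counter mode as keystream (illustration only)."""
    out = bytearray()
    ctr = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))


def client_upload(store, user, user_key, data):
    """Encrypt on the client with a key the server never sees, then upload."""
    nonce = secrets.token_bytes(16)
    return store.upload(user, nonce + keystream_xor(user_key, nonce, data))


def client_download(store, h, user_key):
    blob = store.admin_read(h)  # the same bytes the server can see: ciphertext only
    return keystream_xor(user_key, blob[:16], blob[16:])
```

With plaintext uploads two users sharing one file produce one blob the server can read; with client-side keys each user’s copy hashes differently, so storage is not saved but the server cannot read either copy.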

I feel the scenario we discussed in class about a disgruntled employee planning on going rogue is applicable to potentially exploiting users of the site or even the company itself. I have an account registered with the site, but I have only used their services once last year for a group programming project.

Any dropbox users out there? What are your thoughts on this?

WebOS vs Android : OS openness

I posted an article below discussing the security of Android OS mobile devices versus webOS devices. The article describes how both operating systems are equally vulnerable, yet one comes equipped with an easy OS reset tool. webOS offers that tool and it’s called webOSdoctor. The tool offers an easy-to-use step-by-step procedure for recovering your defective or “bricked” device. All you need is your OS version number and your device’s carrier and you can recover a broken OS.

The main flaw of Google’s OS is that it is used with so many manufacturers and carriers that a universal recovery system like the one webOS offers just isn’t easily available.

So I was wondering: what could Google develop and implement in order to prevent “bricked” devices from happening?

Any ideas or suggestions? Also, has anyone run into this problem before with either OS?

http://www.precentral.net/webos-android-and-hacking-which-more-open

Bored employee bypassing Windows Group Policy restrictions with only the calculator application

http://www.watchguard.com/infocenter/editorial/18935.asp

The article above describes how a disgruntled or bored employee could bypass the restrictions on his workstation set up by the system administrator, more specifically the restrictions of Windows Group Policy. Windows Group Policy allows sysadmins to control which files are accessible, which applications are available, web browsing settings, and the use of configuration tools. The hacker is able to bypass the security restrictions, view all system files and directories, and access the web.

In this scenario the system administrator limits application use to only allow Microsoft Word and the calculator. The educated employee knows that Internet Explorer is highly integrated into the Windows OS and, more specifically, that the Windows help feature cannot run without it. By opening the calculator and clicking on Help -> Help Topics -> Jump to URL, the hacker has gained access to the web on a machine that was supposed to prohibit this. Next, he moves on to the system files by using his knowledge of URL handlers. Instead of entering “http://google.com/”, he enters “shell:system” and now he is able to view all system files and directories. This scenario illustrates the “why not” and “nothing to lose” principal motives of hackers. The no-risk feeling and the “costs nothing to try” mindset is what drives curious people to hack and break into systems (as we discussed in class).

The article then goes on to explain a few tips on how these hackers can be stopped. A layered defense using multiple programs would be your first step in a secured system. Lastly, have a written policy the employees must sign, so if they break the technical rules then at least you have a legitimate on-paper reason for firing the employee.

The secret question guessing game.

http://www.schneier.com/essay-081.html

http://www.schneier.com/blog/archives/2009/05/secret_question.html

I am blogging about the effectiveness of using “secret questions” as a method to recover one’s account on a particular page or web service, or more simply as a backup/secondary password for any account. The articles I posted above come from Bruce Schneier’s website (the author of our book), and they regard this very issue of secret question security. He points out a few different security flaws with this system. The main problem with these questions is that they are much easier to guess than a user’s primary password. We often see repeats of the same question on multiple websites. Mother’s maiden name? First pet? High school, or the year you graduated? With the social networking juggernaut that is Facebook, answers to these questions can be found in just a few clicks. He mentions that he typically answers these questions with a good keyboard slap or face roll, but also brings up the inconvenience if you actually forget your password and calling the company might be your only hope. A user who commented on one of his posts brought up a good point that typically answering the secret question only emails a new password to the currently registered email address. So if you receive an email like this then you know that a hacker is trying to break in. What do you guys think, somewhat effective or completely flawed? Should changes for secondary passwords be made?
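To put numbers on “much easier to guess,” here is an added example (mine, not from Schneier’s essays) that compares a constructed answer distribution for a “first pet” style question against a random 8-character password and a keyboard-slap style answer, using two defender-side metrics: the probability that the k most common answers cover a user, and the min-entropy of the distribution. The answer shares are made up for illustration, not survey data.

```python
import math
import secrets

# Constructed shares for a "first pet's name" question (illustrative only):
# answer -> fraction of users expected to give it. The long tail is omitted,
# so the listed shares sum to well under 1.
SAMPLE_ANSWERS = {
    "max": 0.12, "bella": 0.10, "buddy": 0.09, "charlie": 0.08,
    "lucy": 0.07, "daisy": 0.06, "rocky": 0.05, "molly": 0.05,
}

PASSWORD_ALPHABET = 62          # a-z, A-Z, 0-9
SLAP_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def success_within(dist, k):
    """Fraction of users covered if a site allows k tries and the attacker
    uses the k most common answers in order."""
    return sum(sorted(dist.values(), reverse=True)[:k])


def uniform_success_within(alphabet_size, length, k):
    """Same metric for a secret chosen uniformly at random."""
    return k / alphabet_size ** length


def min_entropy_bits(dist):
    """Min-entropy: strength against the single best guess."""
    return -math.log2(max(dist.values()))


def uniform_entropy_bits(alphabet_size, length):
    return length * math.log2(alphabet_size)


def random_answer(length=16):
    """What a 'keyboard slap' amounts to: a second, independent random secret.
    Store it in a password manager, since it cannot be remembered."""
    return "".join(secrets.choice(SLAP_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    print("top-3 coverage, pet question:", success_within(SAMPLE_ANSWERS, 3))
    print("top-3 coverage, 8-char password:", uniform_success_within(62, 8, 3))
    print("min-entropy bits, pet question:", round(min_entropy_bits(SAMPLE_ANSWERS), 2))
    print("entropy bits, 8-char password:", round(uniform_entropy_bits(62, 8), 2))
    print("random answer:", random_answer())
```

The three most common pet names alone cover almost a third of users under this (made up) distribution, while three guesses at an 8-character random password cover a negligible fraction; that gap is the reason a recovery question is a weaker second factor than the password it backs up.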