Chris DiBona wrote a Google Plus post about the many industry vendors touting open source as inherently insecure and claiming that this is exactly what makes Android devices insecure. In that post, DiBona steps up and says this is all hogwash.

The follow-up comments to his posting make excellent and worthy points, bringing ideas and honest considerations to the table. Here are some of them, if you are at all interested in an educated discussion of the matter. (This is a good follow-up to Molly Wood’s rant about Android from earlier in the year…)

In response to Chris DiBona’s recent posting about Android malware infection rates being overly hyped and playing mostly on ignorant fears, Charles Vaz writes a follow-up comment:

Charles Vaz – Totally agree – Microsoft Windows is the only OS that people are forced to pay for, from Windows 95 to Windows 98 to Windows XP to Windows Me to Windows Vista, and all of these mainstream consumer OSes came without virus protection, and consumers were still forced to buy these OSes and install McAfee/Symantec/Norton Anti-Virus because of Microsoft Office being a good quality professional document creation system.

When Linux gets from LibreOffice or OpenOffice to Pro Level – then there would be a definite shift, consumers are already tired of paying double for MS Products on every OS release.

In the mobile arena – this is the primary reason apart from buggy Microsoft products – that consumers have moved away from Windows CE or Windows Mobile or Windows Phone since document viewing is great on open source or Apple IOS or Google Android products.

Why Android lost to Apple IOS was because of:
1. Initial versions of Android were buggy.

2. Android didn’t have well defined policies to security-validate and quality check Apps being uploaded into Android Market. Granted, social policy would govern usage and download and rating of an App – but spurious Apps need only 1 chance to be installed on a naive customer’s mobile device – and that causes more cost.

3. Android products are confusing – some only support Android version 2.1, some 2.3, some 2.7, some version 3 and many Android phones have custom non-modifiable-unless-rooted layer which makes it hard for customers to make an easy choice.

4. Older Android phones were made from cheaper hardware which turned away customers – that’s changing now.

5. Android mobile device cameras are typically worse than iPhone cameras at the same price points.
_______

Peter Sitterly  -  I think many of the warnings by these “virus” protection companies convince the unsuspecting public that all malware are viruses, which just isn’t true.

Furthermore, any malware which might exist for Android gives notice up front about what this malware wants access to.

That aside, I do feel there is a tendency to suggest that everything is peachy and that if anything bad happens, it’s the fault of a dumb user who didn’t read the disclaimers. However, consider this… if I install a Tetris game and see that it wants access to my SMS messages, it’s simple enough for the alarm bells to go off and I simply don’t follow through with the install. However, imagine I install an application like JuiceDefender. By its very nature, since it tweaks various settings based on various criteria to maximize the battery potential, it does not surprise me that the application expects to: …receive and process SMS messages. (Malicious applications may monitor your messages or delete them without showing them to you)… view configuration of the local Bluetooth device, and to make and accept connections with paired devices… read from the system’s various log files. (This allows it to discover general information about what you are doing with the device, potentially including personal or private information)… access the phone features of the device. (An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like)… write to the USB storage… write to the SD card… modify the system’s secure settings data. (Not for use by normal applications.)
However, although I trust JuiceDefender now… what happens if one of the developers (or the developer?) goes rogue and on one of the updates decides to do a bunch of malicious stuff with this? On the next update, it won’t need any additional permissions (it already has all of the permissions it needs) and it could delete all of my SMS messages or nuke contents from my SD card or send a text message to everyone in my contacts list.

I think it’s these types of concerns that lead most people to believe that they can’t fully trust their own judgement when installing apps, no matter how careful they think they’re being. So, as a result, these anti-”virus” companies take advantage of this fear and talk about malware and viruses. I think that people envision a bunch of nefarious developers writing perfectly legitimate and useful applications, then pulling a trick on everyone and activating the hidden functionality in the app or updating it with something nefarious.

Years of history of the Internet, however, have shown that this is rarely the case. If an application is useful and installed by many, the publisher will usually find a way to profit from it and will want to protect his investment and will make sure intentionally bad behavior never finds its way into the application. So, most malware truly will be similar to a Tetris game that says it needs access to your SMS messages.
Nov 21, 2011
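The point made in the comment above, that an update from a developer who already holds every permission he needs shows the user nothing new, can be checked mechanically by diffing the permissions two versions of an app declare. The script below is an added example, not code from the original post or from JuiceDefender or any other app named there: it parses two constructed AndroidManifest.xml fragments for a hypothetical app (package name and version numbers are placeholders), reports what the update newly requests, and separately lists which already-held permissions are the kind the comment describes as dangerous in the wrong hands. The SENSITIVE list is an assumption chosen to mirror the permission descriptions quoted above.

```python
"""Compare the <uses-permission> entries declared by two versions of an Android
app manifest (constructed example; not taken from any real app)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that, once granted, can read or alter user data with no further prompt.
# Assumption for this example: the set mirrors the permission texts quoted in the comment.
SENSITIVE = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_LOGS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.WRITE_SECURE_SETTINGS",
}

# Constructed sample: version 1 of a hypothetical battery-tuning app.
MANIFEST_V1 = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.batterytuner" android:versionCode="1">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_SECURE_SETTINGS"/>
</manifest>
"""

# Constructed sample: version 2 asks for two permissions the app never had before.
MANIFEST_V2 = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.batterytuner" android:versionCode="2">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_SECURE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of permission names a manifest declares via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    # The android: prefix applies to the attribute, so look it up with the full namespace.
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def review_update(old_xml, new_xml):
    """Summarise what an update changes in the declared permission set.

    'added' is what the install prompt would show as new; 'sensitive_already_held'
    is what the update can use without showing the user anything at all."""
    old = declared_permissions(old_xml)
    new = declared_permissions(new_xml)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "sensitive_added": sorted((new - old) & SENSITIVE),
        "sensitive_already_held": sorted(old & new & SENSITIVE),
    }


if __name__ == "__main__":
    for label, (a, b) in {"v1 -> v2": (MANIFEST_V1, MANIFEST_V2),
                          "v1 -> v1 (no new permissions)": (MANIFEST_V1, MANIFEST_V1)}.items():
        print(label)
        for key, value in review_update(a, b).items():
            print("  %-24s %s" % (key + ":", ", ".join(value) or "-"))
```

Running it against the same manifest twice is the case the comment worries about: `added` is empty, so the user sees no prompt, while `sensitive_already_held` still lists SMS, log, phone-state, storage and secure-settings access. Reviewing that second list on every update, not just the first list, is the check a cautious user or a market operator would want.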

__________

Andrey Yamshchikov  -  I’m surprised that no one’s explicitly mentioned how flawed Android’s security framework is. Am I the only one who thinks so? Let me elaborate.
While permissions are definitely a step in the right direction, they are currently not granular enough and the end user doesn’t have the amount of control s/he should. Specifically, I believe that as an OWNER (as in I paid for it and it belongs to me) the person should have the right to enjoy a completely unrestricted access to the system. But, currently, the only way to obtain this is to root the phone… at this point the idea of a developer-driven, open-source platform (and I won’t even mention “Java-based,” don’t get me started on the Dalvik VM) begins to deteriorate.
Why is there no support for the user to be able to grant the app some permissions and not others? Every app has a set of features and some features revolve around a particular permission(s) but that doesn’t mean the app should be an all-or-nothing kind of deal… Take an SMS app as an example. Does it ABSOLUTELY need access to my contacts? No. At its core, all it needs to function properly is two parameters: target phone number and the text message I wish to send. Is it NICE to have access to the contacts in order to improve usability? Yes. But why the hell can’t I specify what I want it to look at and where I don’t want it snooping at all? My personal favorite is “Network communication,” described as “full Internet access.” Really? I mean REALLY!? Just like that? How about as the OWNER of the phone, I’d like to have the ability to explicitly specify a list of URLs an app can connect to? How about I’d like to have a firewall on my device without rooting my phone? How’s that for a giant middle finger from Google?
Should I start talking about preloaded apps? You know, the ones I can’t even opt-out of (I won’t even mention about opting-in)? Nah, I think we all get that one…
Anyway, I think I’ve made my point. You can’t rely on developers or blame the end-users for any malware that might plague the market until there’s a robust security API which allows an extremely fine-tuned level of access for Android-enabled devices.
Nov 22, 2011

________

Response to Andrey, from Peter Sitterly
+Andrey Yamshchikov I think it boils down to balance. That would be a nightmare for developers. You’d have to code for every possible scenario in which the user has disallowed access to certain things but not others. And, at the end of the day, maybe 1% of the users would actually take the time to tweak these granular controls. The majority of the people just want to install an app and use it, not have to run down a list of 20 checkboxes and then try to figure out if the app sucks because of one of the checkboxes you unchecked, or if the app just sucks.

It would also mean there could be thousands of different possible user experiences for a given app. Imagine the need for a granular review system. Imagine if your comment only applied to how unfriendly an app is when you disable X, Y, and Z. If you don’t specify your settings in the review, the app will sound broken to others reading your review, not realizing it’s only broken when you disable X, Y, and Z. In theory, the concept is sound. In actual practice, it will hardly make a noticeable dent in the ecosystem as a whole and will introduce more problems than it solves.
Nov 22, 2011 (edited)


Tony Curtis and Jack Lemon in the Film Some Like It Hot

Facebook announced that the new year will bring a new advertising product: Sponsored Stories. The new product will use your face as a stock photo for its advertisers, with the ads posted within the News Feed. Facebook Sponsored Stories ads may look a little weak in tone and design initially, but they will quickly camouflage themselves as authentic-looking ‘posts’ that were never actually posted by the users whose pictures appear in them.

The details of this were written up at The Standard, here.

Facebook will begin adding photos of its users to third-party adverts appearing in users’ news feeds come early next year, and there’s no way out of being featured alongside a tin of baked beans or a pair of knickers on the social network.

The Mark Zuckerberg-run company will set its “Sponsored Stories” feature as default for its 800 million-strong stalkerbase, and there won’t be an option for any individual wanting to opt out of being shown on such ads.

“Starting early next year, we will gradually begin showing Sponsored Stories in News Feed. Our goal is to do this thoughtfully and slowly,” a Facebook spokeswoman told The Register.

Exactly how this will blaze the trail of advertising in the future will be interesting to watch. While almost every End User License Agreement (EULA), from Apple to Zazzle, explains in the fine print that the provider has the right to use some aspect or even all of your data, providers never actually leverage it in their advertising. Facebook is performing another ‘first’ in social media advertising. It is within Facebook’s rights, since Facebook has stated in general terms within the EULA that everyone agrees to when signing up that it owns your content and can use it any way it wants. Still, there is an unspoken trust between the members and the providers that your information will not be used for the provider’s advertising. If Facebook’s lawyers are good enough, they will fight the issue on the EULA verbiage, with some argument like “Members have been warned in the fine print EULA and we have a right to use their posted content data any way we want.”

Recently, a court denied Facebook’s request to have the case thrown out. Yay courts! It is a strange initial argument on the part of the lawyers to try and keep this Sponsored Stories product alive by requesting that the courts ‘just drop it’. The lawyers are probably getting $100,000s in retainer and yet seem unable to argue the issue on the terms of the EULA, which seems so much more relevant.

Down the road, Facebook will probably be seen as the leader of a small herd of desperate advertising sheep, egregiously leveraging personal content without any formal notice or consent beyond the EULA. While Facebook is blazing the trail using its EULA fine print, this represents a sort of desperation on the part of the social media company. Designing products that cross these lines with its supposed 800 million active members may indicate that Facebook is closer to decline than negative analysts have claimed here and here. It is unclear how to build corporate profit by catering to the advertisers while continuing to alienate the members’ privacy. From the outside, it looks like you are pissing off the members who drive the site’s success. If the previous revenue flow had been delivering profitability, Facebook may not have designed aggressive ‘products’ like Sponsored Stories.

The best advice is to turn off photo tagging. Here is a quick article about it.

If you read the prior post about the RSA security breach, I wrote about the way many groups have approached the issue. Mostly, people were both shocked and dismayed that a security company like RSA – one that designs systems for protecting company confidential information – was broken into. More significantly, RSA was breached through the Internet in a unique way. In summary: the attackers sent a phishing email to a low-level employee’s mail account, infected the machine through an attachment, watched to learn who the employee’s bosses were and what network access those bosses had, and worked their way around the company network, slowly finding their way to the corporate servers holding product development information. Eventually these hackers were able to find the special algorithms used inside RSA’s security products, and compromised the entire security product line.

Wired recently published an article discussing RSA’s recent disclosure of who performed the attack. The most obvious conclusion is: if someone can figure out the RSA formula for protecting computer information, then they could break into the network of any company that uses RSA’s servers.

Wired’s article said RSA claims two well known hacker groups, who had not previously worked together, were involved in this breach and were working for an unnamed government.

The article describes the situation:

The attackers gained access to the network after sending two different targeted phishing e-mails to four workers at its parent company EMC. The e-mails contained a malicious attachment that was identified in the subject line as “2011 Recruitment plan.xls.”

None of the recipients were people who would normally be considered high-profile or high-value targets, such as an executive or an IT administrator with special network privileges. Nonetheless, when one of the recipients clicked on the attachment, the attachment used a zero-day exploit targeting a vulnerability in Adobe Flash to drop another malicious file — a backdoor — onto the recipient’s desktop computer. This gave the attackers a crack they used to burrow farther into the network and gain the access they needed.

“The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file,” RSA wrote on its blog in April.

Heiser revealed this week that the hackers had knowledge of the internal naming conventions that his company used for hosts on its network. They also had knowledge of Active Directory — a Microsoft product used for managing the authentication of users on a network. This knowledge helped them disguise their malicious activity inside the network so that it appeared to be legitimate.

“User names could match workstation names, which could make them a little more difficult to detect if you are not paying attention,” Eddie Schwartz, RSA’s chief security officer, told IDG.

Heiser said the attackers used various pieces of malware to penetrate its system, some of which were compiled just hours before the attackers used them. The attackers also compressed and encrypted the data they stole before they exfiltrated it from the network, making it more difficult to identify as malicious traffic.

The attackers appeared to be after information that would help them penetrate networks belonging to U.S. defense contractors who used SecurID to authenticate their workers.
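Two of the behaviours described in the Wired excerpt above leave traces a defender can look for: accounts whose names match workstation names (the “User names could match workstation names” quote) and large outbound transfers of compressed or encrypted data. The script below is an added example, not code from Wired, RSA or EMC, and every host name, user name, address and byte in it is constructed for illustration. It parses constructed logon lines against a constructed host inventory to flag host-named accounts, and scores a payload sample of each constructed outbound transfer with Shannon entropy to flag large, high-entropy transfers. The naming convention, log format and thresholds are assumptions.

```python
"""Two detection heuristics over constructed log data (added example; every
name, address and byte below is made up for illustration)."""
import math
import re
from collections import Counter

# Constructed host inventory; the WS-/SRV- naming convention is an assumption.
HOST_INVENTORY = {"WS-FIN-0142", "WS-HR-0077", "SRV-AD-01"}

# Constructed logon events in a simple key=value format (assumed, not any vendor's).
AUTH_LOG = """\
2011-03-10T08:02:11 logon user=jsmith host=WS-FIN-0142 result=success
2011-03-10T08:05:43 logon user=WS-HR-0077 host=SRV-AD-01 result=success
2011-03-10T08:06:02 logon user=mjones host=WS-HR-0077 result=success
2011-03-10T08:09:17 logon user=ws-fin-0142 host=SRV-AD-01 result=success
2011-03-10T08:11:30 logon user=svc-backup host=SRV-AD-01 result=failure
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) logon user=(?P<user>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$"
)


def accounts_named_like_hosts(log_text, inventory):
    """Return (timestamp, user, host) for logons whose account name equals a known
    host name, case-insensitively. A legitimate user account is rarely named after a
    workstation, so these are worth a second look."""
    known = {h.upper() for h in inventory}
    hits = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m and m.group("user").upper() in known:
            hits.append((m.group("ts"), m.group("user"), m.group("host")))
    return hits


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for empty or constant input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Constructed outbound transfers: (destination, total bytes sent, sample of the payload).
# Addresses are from the documentation ranges; payloads are synthetic.
TRANSFERS = [
    ("203.0.113.7:443", 12_000_000, bytes(range(256)) * 4),                  # uniform bytes
    ("198.51.100.22:80", 800, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n" * 10),
    ("203.0.113.9:443", 50_000_000, b"A" * 1024),                             # large but repetitive
]


def suspicious_exfil(transfers, min_bytes=5_000_000, min_entropy=7.5):
    """Destinations of transfers that are both large and carry a high-entropy payload,
    the profile of compressed or encrypted data leaving the network. Thresholds are
    assumptions to tune against a real baseline."""
    return [
        dst for dst, size, sample in transfers
        if size >= min_bytes and shannon_entropy(sample) >= min_entropy
    ]


if __name__ == "__main__":
    for ts, user, host in accounts_named_like_hosts(AUTH_LOG, HOST_INVENTORY):
        print("host-named account: %s user=%s on %s" % (ts, user, host))
    for dst in suspicious_exfil(TRANSFERS):
        print("large high-entropy transfer to %s" % dst)
```

The entropy check alone is not a verdict: TLS traffic and legitimate archive uploads also score near 8 bits per byte, which is why the size threshold and the destination matter, and why the result should be correlated with the account and host findings rather than alerted on by itself.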

While many camps of journalists and IT professionals complain that RSA is a failed company and should have done more to protect its important corporate data, there is another perspective that is being ignored. The consequences prove to everyone that it is not easy to protect computer networks. It is also difficult to maintain IT security within any company, even when large budgets are involved. RSA – which uses many “enterprise” level security devices to protect itself – still didn’t have enough protection and tools to stop this attack.

Why this attack happened is arguable, but EMC may have had an issue with not updating its laptops (which leave the building) as regularly as updates become available. Yet if a government-backed group intends to get into a corporation, even a better protection policy will still be subject to many network strikes.

While we can place blame on IT employees and management, it may be a more constructive conversation to discuss what allowed these hacking groups into the network. The attack started with getting the names of low-level employees – people who have very little knowledge of corporate private information. The hackers intended to get these employees to open fake email attachments. Variables in this attack include:

1) consistent and publicly advertised corporate email addresses
2) laptops that are potentially not being regularly patched with current Flash updates, Microsoft Office updates and Microsoft operating system updates, and possibly lacking updated, high quality anti-SPAM filters
3) zero-day exploits (an attack that exploits a vulnerability in a computer application that is unknown to the software developer or anyone else, so no fix exists yet)
4) workforce laptops that are possibly not as protected as necessary
5) a potential lack of IT policies and of regular training of employees on the ways machines get infected.

It is not clear to anyone outside of RSA whether these laptops were updated as quickly as Adobe has offered up Adobe Flash updates to their users (distributed at irregular monthly intervals), Microsoft security updates, Microsoft Office security updates, antivirus definition updates, DNS protection, anti-SPAM protection, spyware protection, VPN client updates, firewall firmware updates, etc.

With this list of IT security variables that we DO KNOW could have played into this attack, it is easy to see why it may be nearly impossible to claim RSA was neglectful. Keeping a mobile workforce up to date and secure is a very difficult mission for any company, and probably much more difficult than anything the critics and pundits have ever had to deal with in their own experience.
