Saturday, July 27, 2013

Google's new "Verify Apps" service makes Android more secure

Along with the recent release of a new version of Android, 4.3, Google also rolled out a new service that promises to make Android more secure.

The Verify Apps service was originally rolled out as part of Android 4.2.  But now it's been pulled out of Android itself and made part of the Google Play Store service, alongside the already existing Bouncer service.  By doing so, all versions of Android can take advantage of this.

I learned about this thru THIS posting at Computerworld.

So, what DOES this new service do?  It's a universal app-scanning system.  It watches for new apps on your system, even those loaded directly from outside the Google Play Store ("sideloaded"), and instantly checks that app for malicious or potentially harmful code.

While I think this is great, I'm not sure I buy into the views of this writer of the blog posting that this somehow eliminates the need for anti-malware apps on Android.  While, yes, there is a bit of fear mongering on the part of the anti-malware field (true of a lot within the security field), the fact is we've seen an increase in Android malware.  Plus, one can get a large number of free anti-malware apps, so it's not like you have to pay a lot of money to protect yourself.

On a practical point, we've seen failures with Bouncer.  Who's to say that similar issues won't be seen with Verify Apps?  Plus, like I think most security professionals, I prefer multi-level security measures.  It's a mistake to rely on one or a limited number of tools to protect our systems.  It would be like a company thinking that since they have firewalls, they need not worry about anti-virus or the like.

I do like the idea of "Android deconstruction" mentioned by the writer (further covered in THIS posting), with Google pulling out certain elements from Android itself, and making them available as separate apps, thus avoiding the issue of Android upgrading.  There are limits to this, as not everything can be an app, but maybe this will help make Android be a more core OS, that can be more easily upgraded.


Thursday, July 25, 2013

New version of Android out

I don't think I will surprise anyone by saying that there is a new version of Android out there:  4.3.

And so, we will have everyone all worked up about it, and wondering when they will get this on their phones.  (which I can understand.  Both my phone and tablet are still at 4.1.2).

I guess it's a good idea to perhaps review all this.

UPDATE II: Android "Master Key" Security issue

Well, a further update on the Android "Master Key" issue.  See my first posting HERE.

Per THIS article at the BBC, Symantec has found someone using it in the wild.  Here is their ITEM on it, with all the technical details.

Kind of funny when the attitude of some was that there wasn't much chance of it being used.

Right.

Wednesday, July 24, 2013

Commentary: Rumination on GUIs

GUI- Graphic User Interface.

Most people who have used computers for the last couple of decades are used to them.  To the point that most can't understand that we used to have to do everything from the command line (CLI- Command Line Interface).

I like graphical interfaces too.  For a lot of tasks, they make things easy. 

But, I'm a bit "old school".  When I first got into admining Unix systems, we had X Windows, but we still had to do things on the command line.  There were some admin tools, but they were just a layer on top of the command line.  They basically put together the commands you would have used.  You could still go around them.  It could be harder, especially for more tricky tasks or tasks you didn't do too often.  But you could do it.

Further, when a system booted up, you got a lot of text on the screen.  It showed you that the system was coming up smoothly.  Or not.  There could be some low level problems that could be shown thru that data, and this helped you resolve that.

Then along came Windows NT.

Soon the bootup information was hidden.  No idea if there were problems.  (you had to hope a system would boot up, and if it didn't, you'd have little info as to why).

Also, all admining was thru graphic interfaces.  Again, this was nice, but you couldn't get around it if there was a problem that could only be solved by doing so.

I have a longtime admin friend who had a particular problem recently with a product that couldn't be solved thru the graphical interface.  And there was no way to get around it and just enter commands.  However, he was able to do so, basically by decompiling the interface.  This is something that your average admin would not be able to do.  But the GUI got in the way.  And the vendor was of little help.

Now, as we move into the "Post-PC" world of smartphones and tablets, I fear we are moving further away from a CLI to a solely GUI world.  For the average user that's fine.  For "power users", this can be an annoyance.  For system administrators (and I include security admins in this), this can be a hindrance if we can't get "under the hood" of what is going on and solve problems. 

I worry about the lack of good deep-level tools for our Post-PC world.

Do any share this concern?

Android Malware jumps 6 fold in last few months

Well, I don't think this is a surprise to anyone.

Per a report by Alcatel-Lucent's Kindsight Security Labs (you can read it HERE.), Android malware has increased 6 fold to over 120,000.  The bulk of these are Trojans of various sorts (the report gives you a breakout of the top ones).

Yesh.

And, sadly, this also shows the weakness of application signing to weed out the malware.  We've already seen issues with Google's Bouncer keeping out the bad stuff, as well as what BlueBox recently found.  (see my prior posts on both of these matters).

Related, they also show an increase in infected home networks.  Again, not a big surprise if you think about it.  Most people who set up home networks have little or no IT (much less IT Security) background.

For a good overview article, read THIS from Ziff-Davis.

Again, what I see here could be addressed by a couple of things.

1. Obviously Bouncer needs to be improved.  BUT people can't rely upon it solely.
2. People need to be encouraged to install anti-malware apps on their smartphones.  Ideally, just as with most PCs that come preinstalled with a commercial AV program (usually with a set period of free use), we need to start seeing smartphones come pre-installed with SOME kind of anti-malware app.  AND those people writing and putting out books/magazines on smartphones need to include security apps as part of their recommended installs people should have on their smartphones.

Tuesday, July 16, 2013

Another "micro-PC"

Just learned about this compact, and inexpensive PC: the Utilite.

At this point it's just announced, but the company has a prior product line called the "Trim-Slice", so they do have a track record.

For about $100, you get a small (very small) case with a powerful CPU, 4G Ram, 128G storage, and plenty of connections (USB, Gigabit ethernet, etc).  Can run Linux or Android.

So now yet another powerful small computer that could be used for some interesting activities.  A possible competition for the Raspberry Pi or Beaglebone.  (tho I don't think so, they are focused on different markets).

Wednesday, July 10, 2013

UPDATE: Android "Master Key" Security issue

Some updates on the Android "Master Key" issue brought up by Bluebox Security.

Per THIS article at TechCrunch, Google has patched the issue.

HOWEVER, before anyone starts to think this is over, keep in mind this means that Google has created a patch and given it to their partners.  THEY then need to test this patch with their released versions of Android for their devices (and realize that this issue goes back to earlier versions of Android which most manufacturers are no longer patching).  And THEN they will release the patch to the carriers so they can test it before it's released.  This isn't like Windows Update.

As noted, most of the manufacturers are only maintaining the newer versions of Android they've released (usually just Jelly Bean), so who knows what this means for those stuck at prior versions.

Also, Bluebox has created a scanner that will tell you if your Android device is vulnerable.  I thought THIS article was a pretty good response to that news.

Tuesday, July 9, 2013

Mission Critical's Information Security Technology Showcase South Florida- Sept 19th

One of the local South Florida IT security resellers, Mission Critical Systems, hosts several Technology Showcases each year.  These showcases bring together several IT security vendors.  Yes, there are the standard sales pitches from them in the Exhibit hall, but what is great is the series of presentations from each of the vendors that avoids being just a sales pitch.  This puts the event on a different level, in my opinion.

Another one of these is coming up in the South Florida area on September 19, 2013.  Registration for the event is already open at their website HERE.   This will be held at the Seminole Hard Rock Casino and Hotel in Davie, Florida.

Disclaimer: I am NOT connected in any way with Mission Critical.  I don't work for them, I don't do business with them.  I do know several of the people who work there, that's it.  So I don't gain anything from promoting this event.

Motorola Mobility Smartphone Security issue: "Motorola is listening"

I recently learned of an interesting article:  "Motorola is listening".  Certainly in these times of heightened attitudes about data privacy, I think it's important that people be aware of these things.

In a nutshell, the author discovered that his Motorola smartphone (a Droid X2) was sending a LOT of information to Motorola, despite not having Motoblur.

Now, a word about Motoblur.  Motorola Mobility rolled out this program as an enhanced UI for their earlier Android phones.  You initially couldn't use your phone without signing up with the Motoblur service.  You were encouraged to enter all your usernames and passwords for the various services you used (email accounts, twitter, facebook, etc), and it would give you alerts.  What I think most people didn't know was that this information was actually stored on Motorola's servers.  It was kind of a cloud service without you realizing it.  I think this was done probably so that as you moved from phone to phone, you could just log back into your Motoblur account on your new phone and have all your settings there.

But people hated Motoblur, and later versions were less intrusive.  AFAIK, in their most recent phones (the newest RAZR line), Motoblur is gone.  But they still use Motoblur for some things.  (When I was "dogfooding" new versions of Android on a RAZR M, the updates were sent to my phone via Motoblur).  I had to deal with Motoblur on my original Atrix 4G.  But I don't recall dealing with it on my Droid Bionic, and certainly didn't have it on my RAZR M.

The author's phone, AFAIK, doesn't have Motoblur, BUT it is interesting (and a bit scary) that Motorola Mobility still seems to be gathering information from his phone.  He has asked people with different models of Motorola phones to test them (he provides the tool he used) and report back on their results.  I recommend people take a look at this article for updates.  He has already put up several based on feedback.  Will be interesting to see where this goes.

And what about other companies?  Are Apple, Samsung, HTC, etc doing something similar?


Friday, July 5, 2013

More on TOR

I recently posted on the Onion Pi, using a Raspberry Pi as a TOR (The Onion Router).

As noted, for those wanting to learn more about TOR, check out their site HERE.

If you are one of those people that think only "naughty people" will want to use this device, you should check out their site.

Or better yet, watch this recent video from reason.tv which talks about it and the reasons why some would want privacy on the Internet:

New Android Security hole

So I am not the first to bring this to others' attention.  I've seen several articles over the last week on the Android "Master Key" vulnerability.

Basically, researchers at Bluebox Security have found this security hole that has been present in all versions of Android since v1.6.  The firm informed Google about this in February.  The Samsung Galaxy S4 supposedly has been patched for it.  No word on any other Android device.

More information on it will be forthcoming at the Black Hat Security Conference.  But for right now, you can check out their blog posting HERE on it.

Now, a basic thing about this issue is that it is exploited by malicious apps.  And malicious apps, despite tools like Bouncer in the Google Play Store, can still be put up there.  Patching Android is always a tough thing, because the process has to include both the manufacturers and the carriers.  According to a recent item on CIO, Google has already updated Play Store to block apps that take advantage of the issue.  But I hope people see that as only a stop gap to getting the Android OS itself patched.

For those interested, here are the articles I've seen so far on this:

Bluebox Blog
Techcrunch
Android Central
CIO