Showing posts with label ars. Show all posts

Thursday, May 21, 2015

Security & Hacking: Android Factory Reset Failures

A somber research paper, "Security Analysis of Android Factory Resets" by Laurent Simon & Ross Anderson, describes multiple security issues for many makes, models, and versions of Android phones.

These issues affect many Android phones. Unfortunately there is no single simple solution, though the authors suggest multiple mitigations.

Three security issues that caught my attention:

"In general, we found that devices in our sample logically sanitised all bytes requested through the ioctl command, except for one phone: the Google Nexus 4. This has a 6189744128B data partition, fully used by the file system. The last 16KB were not sanitised and fully recoverable about 20% of the time after a Factory Reset."

"We found emails in 80% of our sample devices, but generally only a few per device"

"We recovered Google tokens in all devices with flawed Factory Reset, and the master token 80% of the time."

The last one is the most serious: recovered Google tokens would allow an attacker to synchronize email or other accounts, giving access to the current, live account. That is not limited to old (historical) data recovered from the Android device in the attacker's possession.

I strongly recommend reading Security Analysis of Android Factory Resets.
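The Nexus 4 finding quoted above (the last 16KB of the data partition left unsanitised) is the kind of thing you can verify yourself if you have a raw dump of the partition taken after a reset. The script below is an added example, not code from the paper or from this blog: it scans an image block by block and reports every byte range that still holds non-zero data, plus a specific check on the tail. The 4 KiB block size, the 16 KiB tail length and the sample image are all assumptions constructed here so it runs offline.

```python
"""Verify that a partition image was actually zeroed after a wipe.

Added example (not from the paper or the post). Assumes you have a raw
dump of the partition as bytes; the sample image is constructed inline.
"""

BLOCK = 4096  # assumption: 4 KiB block granularity for the report


def unsanitised_ranges(image: bytes, block_size: int = BLOCK) -> list[tuple[int, int]]:
    """Return [start, end) byte ranges of blocks that still contain non-zero data."""
    ranges: list[tuple[int, int]] = []
    start = None
    for off in range(0, len(image), block_size):
        blk = image[off:off + block_size]
        dirty = any(blk)  # any non-zero byte means the block was not sanitised
        if dirty and start is None:
            start = off
        elif not dirty and start is not None:
            ranges.append((start, off))
            start = None
    if start is not None:
        ranges.append((start, len(image)))
    return ranges


def tail_sanitised(image: bytes, tail: int = 16 * 1024) -> bool:
    """True if the last `tail` bytes are all zero (the paper's Nexus 4 case was the last 16KB)."""
    return not any(image[-tail:])


def build_sample_image(size: int = 1 << 20, dirty_tail: int = 16 * 1024) -> bytes:
    """Constructed sample: a 1 MiB partition that was zeroed except for its last 16 KiB."""
    leftover = (b"old user data still here ")  # stands in for residual data
    leftover = (leftover * (dirty_tail // len(leftover) + 1))[:dirty_tail]
    return bytes(size - dirty_tail) + leftover


def report(image: bytes) -> str:
    """Human-readable summary of the unsanitised ranges, if any."""
    ranges = unsanitised_ranges(image)
    if not ranges:
        return "all blocks zeroed"
    return "; ".join(f"bytes {s}-{e} ({e - s} B) not sanitised" for s, e in ranges)


if __name__ == "__main__":
    img = build_sample_image()
    print(report(img))
    print("tail sanitised:", tail_sanitised(img))
```

On a real device you would feed it the dump of the data partition (for example read from the block device via adb on a rooted test phone) rather than the constructed image; a clean result from this check says nothing about the flash's spare blocks, which is why the paper also distinguishes logical from physical sanitisation.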

Wednesday, January 21, 2015

Nerd News: "Google to launch wireless service this year?"

Rumors, via Ars (http://arstechnica.com/gadgets/2015/01/report-google-to-launch-wireless-service-this-year/), that Google is going to operate a pilot MVNO (http://en.wikipedia.org/wiki/Mobile_virtual_network_operator) combining the Sprint & T-Mobile networks.

Also, Ting, a Sprint MVNO, is adding GSM to its offerings: https://ting.com/blog/ting-to-offer-service-on-a-gsm-network/.

[Wikipedia on GSM & CDMA http://en.wikipedia.org/wiki/Comparison_of_mobile_phone_standards]

I suspect there is some connection here, not necessarily that they are working together; perhaps T-Mobile & Sprint are partnering at some level?

Ting has a very interesting pricing structure: you pay for what you use. See https://ting.com/rates for details.

I'm planning on giving Ting a try around March/April 2015, to see how good it is with GSM.

I'll post my thoughts on Ting's GSM here on my Blog.


Monday, November 3, 2014

Lee Hutchinson fed up with AT&T unlock policies

Personal frustration with AT&T from Ars Technica staff member Lee Hutchinson: arstechnica.com/staff/2014/11/atts-outdated-unlock-policies-cost-it-a-loyal-customer-me/

Doesn't surprise me. AT&T was the first carrier I used many years ago; I won't ever use them again.

There are things Verizon & T-Mobile do that frustrate me, but they at least have some things they do well that balance the negatives much better than AT&T does, IMO.

Devil's Advocate: I can think of a single reason for AT&T to do this. Though one would still have a contract, enforcing it on someone who has an unlocked device and isn't happy with AT&T is more expensive than using the leverage of not unlocking the phone.

That could be significant for AT&T's cash flow if many others come to share my opinion, after becoming a customer, that AT&T is the worst carrier in the USA.

Friday, March 21, 2014

Security & Hacking: Ars article "Ancient Linux Servers"

The Ars article "Ancient Linux Servers" (http://arstechnica.com/security/2014/03/ancient-linux-servers-the-blighted-slum-houses-of-the-internet/) is worth reading.

It references a Cisco blog post: http://blogs.cisco.com/security/mass-compromise-of-the-obsolete/

In addition to the articles, I found many of the comments on the Ars article worth reading. I suggest reading all of them, but I have quoted a few of the best ones IMVHO.

Note that I use brackets [] to indicate comments or links I have inserted in the original quote:

"Not updating systems is bad practice that too many admins still go by. When I came onboard with my current employer it took a great culture shift to get everybody to understand why security updates are so important. One year later and our update cycle is nearly perfected.

There is no excuse for this anymore. Virtualize your servers, snapshot VMs before making changes, update and revert if a problem occurs. Clone a VM and build a test environment to check before doing it in production. For every excuse there are established best practices and mitigation techniques to deal with them.
"
~http://arstechnica.com/security/2014/03/ancient-linux-servers-the-blighted-slum-houses-of-the-internet/?comments=1&post=26483315#comment-26483315

"I'm a Linux fan. Glad it's around.

But, Linux made lots of headway as a cheap secure alternative to Microsoft. If I had a penny for every time someone said, "We'll be fine, it's a Linux box we're deploying on the internet and not a Microsoft server" ....

The thing is, like the Mac, Linux has been viewed as bulletproof. In 2007, I was working through the SANS 560 course and we utilized a publicly available kernel exploit for 2.6 to gain root. It was beautiful, just compile, run and BOOM, you were root. Linux was never bulletproof.

This is simply more (unnecessary) evidence that when we decide a platform is secure, we become complacent and end up in this situation. Anything with software should be treated as vulnerable as long as it has power and network connectivity.
"
~http://arstechnica.com/security/2014/03/ancient-linux-servers-the-blighted-slum-houses-of-the-internet/?comments=1&post=26483323#comment-26483323

SunnyD posted:
"Here's the problem when it comes to updating infrastructure systems like these for system administrators:

It's not a matter of security, it's a matter of "If it ain't broke, don't you even dare try to fix it."

If history as sysadmins has taught us nothing it's that the constant cycle of updates, especially on mission-critical machines, puts our job security on the lines. Especially when a lot of these machines are running custom code with dependencies that end up being the very security liabilities that get patched.
"
~http://arstechnica.com/security/2014/03/ancient-linux-servers-the-blighted-slum-houses-of-the-internet/?comments=1&post=26483235#comment-26483235

Responding directly to SunnyD's comment:

"There is a concept for this, it's called "technical debt" [Cliff: Wikipedia Technical Debt]. I'm not saying it's any one person's fault, but it is a flawed system. Keep pushing off the problem until you're painted into a corner."
~http://arstechnica.com/security/2014/03/ancient-linux-servers-the-blighted-slum-houses-of-the-internet/?comments=1&post=26483329#comment-26483329

There are also many comments from people who cover some of the real-world limitations of implementing the best practices.

I am a long way from being an expert on computer & internet security; at best I'd consider myself an apprentice.

I think these exploits & the comments quoted above clearly illustrate that Linux has vulnerabilities like any OS, something I have been certain of for some time.

But I still felt troubled whenever I saw the oft-repeated "Linux is more secure".

That always felt like simple security through obscurity, which we know is no security at all.

There are certainly different tradeoffs between operating systems; I'm not sure more than that can be objectively claimed.

Except perhaps that certain OSes tend to be a better fit for certain types of applications, but IMO that is just a restatement of the differing tradeoffs.

It should also be realized that smart attackers can certainly look at Best Practices as a starting point for finding what defenders skipped, so defenders certainly should look at them as well.

Some Best Practices resources:

Thursday, January 16, 2014

Cliff's Esport Corner SITREP

As many of you have noticed, I haven't had many posts lately.

IRL stuff: my significant other had some surgery and needed help 24/7 for some time afterwards.

Very happy to say that everything went very well for her, and that she is recovering quickly, though not quickly enough to make her happy ^_^

Things are to the point where I can start posting regularly again, though it will probably start slowly and build back up to the normal pace.

I didn't get to follow CES 2014 news very closely, so I would welcome anything of interest or comment about that, either in comment section or on Twitter @CliffsEsport or link https://twitter.com/CliffsEsport

I have been following the Target Credit Card Hack with great interest, though, and am working on a blog post about it, but I can strongly recommend Brian Krebs' articles on it: http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/

IIRC Brian was the one who broke the story originally (http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/). I remember seeing his Tweet about his Mom being interviewed about it at Target while my girlfriend was still in the hospital.

Thanks to all my readers!

And a special thanks to everyone who offered good wishes, support, & prayers for my girlfriend's surgery & recovery, it was greatly appreciated by both of us!

Tuesday, November 12, 2013

Nerd News: TorGuard VPN with Chutzpah

Amusing and interesting article on Ars (though the 4chan party van meme is used incorrectly), http://arstechnica.com/security/2013/11/how-one-site-beat-back-botnets-spammers-and-the-4chan-party-van/, about TorGuard, a VPN provider, http://torguard.net/.

Full disclosure: I have not received any monetary or other compensation from TorGuard, though I am certainly interested in such, since I really admire their Chutzpah!

http://en.wikipedia.org/wiki/Chutzpah

Wednesday, October 9, 2013

PSA TrueCrypt Audit project

What an interesting day!

It started with comments about Bruce Schneier's article at Wired, http://www.wired.com/opinion/2013/10/149481/, where he mentions some concerns about TrueCrypt:
No, I don’t have any inside knowledge about TrueCrypt, and there’s a lot about it that makes me suspicious. But for Windows full-disk encryption it’s that, Microsoft’s BitLocker, or Symantec’s PGPDisk — and I am more worried about large U.S. corporations being pressured by the NSA than I am about TrueCrypt.

Eventually Matthew Green made the following tweet:
. and I are working on a 'Kickstarter' for a proper review of Truecrypt. The terms are a work in progress.

Fundfill link from Tweet above http://www.fundfill.com/fund/4-spzFJdDQk211KJDAUfcOw==#

Draft at http://istruecryptauditedyet.com/

You can follow Kenn White & Matthew Green on Twitter:

I am still very much a noob when it comes to Crypto, but Matthew Green is one of the people I follow in order to learn.

If you're not into Crypto you probably haven't heard of him; this Ars article would be one place to start: http://arstechnica.com/security/2013/09/crypto-prof-asked-to-remove-nsa-related-blog-post/

I am sorry to say I don't know much about Kenn White currently; I'd welcome comments or links that correct my ignorance.

Tuesday, September 10, 2013

Nerd News: iPhone 5S Good, Bad, & Big Brother

Full details at the Ars live blog of Apple's event: http://live.arstechnica.com/apple-september-10-event/

Apple has updated their website as well, with details about the iPhone 5S at http://www.apple.com/pr/library/2013/09/10Apple-Announces-iPhone-5s-The-Most-Forward-Thinking-Smartphone-in-the-World.html and a front splash page comparing all the iPhones at http://www.apple.com/iphone/compare/

I like the fingerprint reader, I just hope it is executed securely!

Apple says the fingerprint data stays on the device and never leaves it.

They have added a chip that tracks all motion of the phone, even when it is asleep, though: "Every iPhone 5s includes the new M7 motion coprocessor that gathers data from the accelerometer, gyroscope and compass..." (source)

"The M7 motion coprocessor continuously measures your motion data, even when the device is asleep, and saves battery life for pedometer or other fitness apps that use the accelerometer all day." (source)

Though Apple says that is for fitness apps & such, it makes me think of http://en.wikipedia.org/wiki/Inertial_navigation_system.

That would let them map your house, office, and everywhere else you hang out, if the sensors were accurate enough, and I bet that data does go to Apple's servers.

I know Google and Apple have both already been working on mapping the inside of buildings.

See http://www.ecommercetimes.com/story/77635.html for more on that.

Monday, September 9, 2013

Nerd News: "Crypto prof asked to remove NSA-related blog post"

Update: Matthew Green has received a kind apology: http://cliffsesportcorner.blogspot.com/2013/09/update-on-john-hopkins-university-and.html

**** 

Ars article: http://arstechnica.com/security/2013/09/crypto-prof-asked-to-remove-nsa-related-blog-post/

This really upsets me, on several levels.

I consider Matthew Green a mentor, in addition to being (IMVHO) one of the most knowledgeable people in cryptography.

His Twitter is @matthew_d_green (https://twitter.com/matthew_d_green) & his blog is at http://blog.cryptographyengineering.com/

I also strongly recommend the Resources page of his blog: http://blog.cryptographyengineering.com/p/useful-cryptography-resources.html

Thursday, September 5, 2013

Nerd News: Paypal likes to freeze accounts it seems

Article today at Ars about Paypal freezing Mailpile's account: http://arstechnica.com/business/2013/09/paypal-freezes-45000-of-mailpiles-crowdfunded-dollars/

Paypal has frozen the Paypal account of Notch, the Master of Minecraft, at least twice before, according to his blog posts: (15 Jun 2009) I wonder why I used paypal.. & (10 Sep 2010) Working on a Friday update, crying over paypal.

If you live in the US or Australia you can buy Minecraft Prepaid cards from many stores; I blogged the details at http://cliffsesportcorner.blogspot.com/2013/08/minecraft-prepaid-pc-mac-cards-in-usa.html

I am not a fan of Paypal; I have blogged about the reasons before, see Paypal Make It Right!

Just click on the Paypal or Minecraft labels to see all my posts on those topics. Labels can also be found in the cloud at the left side of the blog, or at the bottom left of every post.

Sunday, March 24, 2013

Noob Hacking "How I became a password cracker"

http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/

If you know nothing about password cracking, or you're trying to convince friends & family to use a password manager + strong random passwords, this article is useful.


Friday, March 8, 2013

Nerd News: EA not altering return policy for SimCity buyers

http://arstechnica.com/gaming/2013/03/ea-not-altering-return-policy-for-furious-simcity-buyers/

I can understand why they don't want to refund digital purchases, but I think that if that is their stance, then they really should be offering something to make up for the frustration.

Call it Customer Service or Public Relations; it is also what I have done many times myself in Customer Service situations.

I have also had the pleasure of receiving that level of customer service a few times, and I tend to stick with businesses that provide it, since they usually don't mess up very often (i.e. they are reliable) and if something goes wrong, I know they will take care of me.

Tuesday, February 26, 2013

More Stuxnet 0.5 News

Symantec's original detailed paper, Stuxnet 0.5: The Missing Link [PDF]: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/stuxnet_0_5_the_missing_link.pdf

Ars article on it, Revealed: Stuxnet "beta's" devious alternate attack on Iran nuke program: http://arstechnica.com/security/2013/02/new-version-of-stuxnet-sheds-light-on-iran-targeting-cyberweapon/

Symantec's main page: http://www.symantec.com/index.jsp

Lots of interesting tidbits, including the fact that there are now samples dating back to at least 2005, 2 years prior to the previously known oldest sample.

Wednesday, February 13, 2013

Introduction to Encryption: "Locking the bad guys out with asymmetric encryption"

http://arstechnica.com/security/2013/02/lock-robster-keeping-the-bad-guys-out-with-asymmetric-encryption/

If you already know a fair bit about encryption, you could skip to the comments: http://arstechnica.com/security/2013/02/lock-robster-keeping-the-bad-guys-out-with-asymmetric-encryption/?comments=1

Peter Bright, the author of the article, knows more about the topic than he wrote; he was trying to keep it readable and understandable for people with no background knowledge.

I know I am going to refer people to this article frequently for some time to come, instead of trying to explain it myself.

Tuesday, November 6, 2012

Security & Hacking: Why Google Went Down, IP hijacking or oops

Also known as BGP hijacking, prefix hijacking or route hijacking, or a woopsie in this case.

http://arstechnica.com/information-technology/2012/11/how-an-indonesian-isp-took-down-the-mighty-google-for-30-minutes/

This is really interesting, a whole new subset of Internet stuff I need to study now; evidently this happens intentionally and maliciously on a regular basis.

Some resources for further study (only the Wiki link is at a non-specialist level IMHO):

Friday, October 26, 2012

Security & Hacking: South Carolina's Department of Revenue Hacked

Saw the story at Ars: http://arstechnica.com/security/2012/10/hack-of-south-carolina-network-exposes-ssns-for-3-6-million-taxpayers/

It sounds like all, or virtually all, taxpayers of the state were hit by this hack, based on the population of South Carolina: http://quickfacts.census.gov/qfd/states/45000.html

This makes the town that got hacked seem insignificant by comparison: http://cliffsesportcorner.blogspot.com/2012/10/security-hacking-hackers-hit-small-us.html

For more posts on these types of topics click on either the Security or Hacking labels. Labels can be found in the label cloud at the left side of the blog and at the bottom left of every post.

I really hope this South Carolina hack is big enough that State and Local governments here in the US start taking cyber or computer security seriously.


Thursday, October 25, 2012

Security & Hacking "Backdoor in computer controls opens critical infrastructure to hackers"

http://arstechnica.com/security/2012/10/backdoor-in-computer-controls-opens-critical-infrastructure-to-hackers/

Things are just peachy with infrastructure security; this quote sums it up: "The CoDeSys tool will grant a command shell to anyone who knows the proper command syntax and inner workings, leaving systems that are connected to the public Internet open to malicious tampering."

This involves power plants and other infrastructure in the US and other parts of the world.

Not only is it frightening, it is really sad just how big a vulnerability this single issue causes.

It's not really even hacking, more like no security at all.

There are more infrastructure security issues out there.

There is a ridiculously bad category called Forever Day Bugs, also known as iDays, or Infinite Days.

The name is similar to Zero Day, only Forever Day/iDay vulnerabilities remain for years even after they are disclosed.

For various reasons iDays don't get patched or fixed.

Bruce Schneier has talked about Forever Day Bugs (vulnerabilities): http://www.schneier.com/blog/archives/2012/04/forever-day_bug.html

Ars has also covered them: http://arstechnica.com/business/2012/04/rise-of-ics-forever-day-vulnerabiliities-threaten-critical-infrastructure/

ICS = Industrial Control Systems, not Ice Cream Sandwich, in this context.

Monday, October 8, 2012

World of Warcraft (WoW) Hack, WMD in WoW Skeletons Everywhere

Saw the story on Ars, the same source as the YouTube video embedded above; I found this both funny and sad.

It brought to my mind the Maine Republican attack on a Democratic candidate that I blogged about the other day: Nerd News: Gamer in Politics, Demonized for playing World of Warcraft (WoW)