Archive for October 2, 2011

The New Theory of Security By Obscurity

October 2, 2011

“A recent research paper tackles the idea of security by obscurity. The basic idea is that you can improve system security by making it hard to find out how it works…

As a code protection principle, obfuscation has always seemed obvious, but there are two general principles of security that suggest it is probably a waste of time.

  • Kerckhoffs’ Principle that there is no security by obscurity,
  • Fortification Principle that the defender has to defend all attack vectors, whereas the attacker only needs to attack one.

These two principles are more generally applied to systems, and not just software, but they give us cause for concern – after all, systems are mostly accumulations of software…

The new research suggests that security is a game of incomplete information and you can learn a lot by examining your attacker’s behaviors and algorithms – his “type” – and that obscuring your game really does bring an advantage and improves your odds of winning. In short, obfuscation is a good general principle – i.e. make it hard for your attacker to find out how best to attack you.

The paper, which is well worth reading for its presentation of the general security problem, presents a “toy” security game of incomplete information where the best strategy is to try to characterize the attacker’s type while giving away as little as possible about the defender’s type. The idea of logical complexity is also used to characterize the amount and nature of the obscurity involved.”

GM To Introduce “AirToungue” For Side-Impact Crashes?

October 2, 2011

“Front airbags have done wonders for the most common type of collision, which is running into something head first. But 11 percent of car accident fatalities are caused by “far-side impact crashes,” which is where your car gets hit on the opposite side from where you’re sitting, sending you into the passenger seat if you’re behind the wheel.

GM is introducing a new type of airbag in some of its midsize SUVs for 2013 that’s designed to keep you safe in accidents like these by deploying out from the front seats into the center of the car. It’s a tubular design (in form factor, not awesomeness, although it’s also pretty awesome) that pops out of the side of your seat before you can say “I hate bugs”.

The cushion provides restraint to keep your head from ending up in the passenger seat while the rest of your body stays securely belted into the driver’s seat. It’s taken GM three years of research to get it to work, and it should also make a difference in rollovers — which don’t happen so often, yet carry a high mortality rate.”

Massive Security Vulnerability Found In HTC Android Devices

October 2, 2011

“In recent updates to some of its devices, HTC introduced a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users’ devices, easier remote analysis, corporate evilness – it doesn’t matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in.

That is not the case. What Trevor found is only the tip of the iceberg – we are all still digging deeper – but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:

  • the list of user accounts, including email addresses and sync status for each
  • last known network and GPS locations and a limited previous history of locations
  • phone numbers from the phone log
  • SMS data, including phone numbers and encoded text (not sure yet if it’s possible to decode it, but very likely)
  • system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info

Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don’t expect it to read your phone log or list of emails.

But that’s not all. After looking at the huge amount of data (the log file was 3.5MB on my EVO 3D) that is vulnerable to apps exploiting this vulnerability all day, I found the following is also exposed (granted, some of which may be already available to any app via the Android APIs):

  • active notifications in the notification bar, including notification text
  • build number, bootloader version, radio version, kernel version
  • network info, including IP addresses
  • full memory info
  • CPU info
  • file system info and free space on each partition
  • running processes
  • current snapshot/stacktrace of not only every running process but every running thread
  • list of installed apps, including permissions used, user ids, versions, and more
  • system properties/variables
  • currently active broadcast listeners and history of past broadcasts received
  • currently active content providers
  • battery info and status, including charging/wake lock history
  • and more

Let me put it another way. By using only the INTERNET permission, any app can also gain at least the following:

  • ACCESS_COARSE_LOCATION: allows an application to access coarse (e.g., Cell-ID, WiFi) location
  • ACCESS_FINE_LOCATION: allows an application to access fine (e.g., GPS) location
  • ACCESS_LOCATION_EXTRA_COMMANDS: allows an application to access extra location provider commands
  • ACCESS_WIFI_STATE: allows applications to access information about Wi-Fi networks
  • BATTERY_STATS: allows an application to collect battery statistics
  • DUMP: allows an application to retrieve state dump information from system services
  • GET_ACCOUNTS: allows access to the list of accounts in the Accounts Service
  • GET_PACKAGE_SIZE: allows an application to find out the space used by any package
  • GET_TASKS: allows an application to get information about the currently or recently running tasks: a thumbnail representation of the tasks, what activities are running in it, etc.
  • READ_LOGS: allows an application to read the low-level system log files
  • READ_SYNC_SETTINGS: allows applications to read the sync settings
  • READ_SYNC_STATS: allows applications to read the sync stats”

Update (4th Oct 2011): HTC Confirms Flaw, Promises Patch
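The quoted post says the system log exposed on affected devices “is likely to include email addresses, phone numbers, and other private info”, and the list of leaked data also names account lists and GPS locations. The script below is an added example for this page, not code from the Android Police post, from HTC or from the Android project: it parses logcat output in its “brief” format (LEVEL/TAG( PID): message) and flags the kinds of data the post lists, so a developer can audit what their own app writes to the log before another app on the device reads it. The log lines are constructed for the example, and the regexes are hypothetical heuristics chosen to over-match rather than miss a leak.

```python
"""Audit Android logcat output for personal data an app should never log.

Added example for this page; not code from the Android Police post, from HTC
or from the Android project. SAMPLE_LOGCAT is constructed for the example and
follows logcat's "brief" format: LEVEL/TAG( PID): message.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LOGCAT_LINE = re.compile(
    r"^(?P<level>[VDIWEF])/(?P<tag>[^(]+?)\(\s*(?P<pid>\d+)\):\s*(?P<msg>.*)$"
)

# Heuristics for the data classes the post says ended up in the leaked logs.
# They are deliberately loose: an audit should surface false positives for
# review rather than miss a real leak. (Hypothetical patterns, not HTC's.)
PII_PATTERNS: Dict[str, re.Pattern] = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"(?<!\d)\+?\d[\d\- ]{8,14}\d(?!\d)"),
    "gps": re.compile(
        r"(?<![\d.-])-?\d{1,2}\.\d{3,}\s*,\s*-?\d{1,3}\.\d{3,}(?![\d.])"
    ),
    # android.accounts.Account.toString() renders as "Account {name=..., type=...}"
    "account": re.compile(r"Account\s*\{name=([^,}]+)"),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    tag: str
    kind: str
    value: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one logcat 'brief' line into level, tag, pid and message."""
    m = LOGCAT_LINE.match(line)
    return m.groupdict() if m else None


def scan_logcat(text: str) -> List[Finding]:
    """Return every personal-data match found in the message part of each line.

    Only the message is scanned, so PIDs and tags never produce false hits.
    """
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None:
            continue
        for kind, pattern in PII_PATTERNS.items():
            for m in pattern.finditer(entry["msg"]):
                # Report the captured group when the pattern has one (account
                # name), otherwise the whole match.
                value = m.group(m.lastindex or 0)
                findings.append(Finding(line_no, entry["tag"], kind, value))
    return findings


def redact(msg: str) -> str:
    """Replace every match with a placeholder: what to do before calling Log.d()."""
    for kind, pattern in PII_PATTERNS.items():
        msg = pattern.sub(lambda m, k=kind: f"<{k}>", msg)
    return msg


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per data class."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample: two harmless game lines and four that leak the kinds of
# data the post lists (account/email, GPS fix, dialled number, SMS sender).
SAMPLE_LOGCAT = """\
D/GameActivity( 4321): score submitted for player, ok
I/SyncService( 1201): syncing Account {name=alice@example.com, type=com.google}
D/LocationHelper( 4321): last fix 37.42199, -122.08400 acc=12m
D/Dialer( 3010): outgoing call to +1 650 555 0199
D/GameActivity( 4321): level 3 loaded in 120ms
E/SmsReceiver( 2222): message from 16505550123 queued
"""


if __name__ == "__main__":
    hits = scan_logcat(SAMPLE_LOGCAT)
    for f in hits:
        print(f"line {f.line_no} [{f.tag}] {f.kind}: {f.value}")
    print(summarize(hits))
```

To run it against a real device, dump the log with `adb logcat -d` and pass the text to `scan_logcat`. The point the post makes is that on the affected devices the whole log, not just your own app’s lines, could be read by any app holding INTERNET, so anything your app logs should be treated as readable by every other app on the phone; `redact` shows the shape of the fix on the writing side. Later Android releases (4.1 onwards) stopped granting READ_LOGS to third-party apps, which limits this class of leak to an app’s own log output but does not make logging personal data acceptable.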

Spreadsheets Arrive In ODF With Approval of Version 1.2

October 2, 2011

“The ODF 1.2 specification, which aims to perfect the spreadsheet workflow, has been approved by the members of the Organization for the Advancement of Structured Information Standards (OASIS).

The move will be formally announced to the organization’s members later on Friday.

“ODF 1.2 is approved as an OASIS standard,” said Chet Ensign, director of standards development and TC administration. The specification itself will be published next week, he added. While OASIS rules require that 49 members vote in favor of a standard, ODF 1.2 drew 76 positive votes, a strong sign of support for the spec, Ensign said.

The new Open Document Format (ODF) specification is a huge improvement over ODF 1.1 which was released in 2006, said Michiel Leenaars, director of the Internet Society Netherlands (ISOC). ISOC is the parent corporation for international organizations that strive to assure the open development, evolution and use of the Internet by developing standards and protocols.

The most important improvement to ODF 1.2 is the newly built spreadsheet support. The old format was buggy and had a lot of legacy problems. Therefore the new spreadsheet module was written from scratch. “A complete clean room implementation of the spreadsheet formula was built,” said Leenaars in a phone interview.”

A Portable RAID Solution

October 2, 2011

“Do you demand portability from your Redundant Array of Independent Disks?

Then you’ve probably already seen Sonnet’s Fusion F2, with its two 1TB drives and eSATA connector.

Today the company introduces the Fusion F2QR, which also features two 2.5-inch, 1TB hard drives — but now comes with four interface options.

You’ve got your eSATA, of course, but also Firewire 400, Firewire 800 and USB 2.0 connectors.”

Smartbook Can Hot-Switch Between Android, ChromeOS, Ubuntu

October 2, 2011

“Several OSes on the same machine at the same time? Yes, that’s possible and without any performance loss. You can indeed choose and switch between several OSes installed on the device at runtime.

By just pressing the magic AI button, you get a simple menu, letting you literally switch between several OS running at the same time on the same machine on a single processor.

Instant-play, you can make the most of each OS, which means in our case: our AIOS, Android, Ubuntu, and ChromiumOS. Best of all, you can share your documents between those side-by-side instances.”

Mutewatch Mutely Shakes Your Wrist For Reminders

October 2, 2011

“No, the picture above isn’t some modernized Power Ranger’s wrist communicator.

This is the Mutewatch, and we’ve been intrigued since we first laid eyes on it over a year ago.

At a glance, it looks akin to a rubber fashion bracelet, which could make its $260 price tag a shocker. But with the right touch or flick it reveals itself to be much more.

The Stockholm-based start-up behind it, dubbed Mutewatch AB, envisions the device serving as a “time management tool” for setting quick wrist-felt vibrating reminders during the course of the day. Think Growl, but on your wrist.

The wristwatch lacks a dial and crystal, and instead has an angled, touch-sensitive section for a face with hidden LEDs, an ambient light sensor, a motion sensor and a vibrating motor for alarms.”