DigiNotar: Apple needs to do it
I know I wrote about this yesterday, but I’m really starting to find it irritating and I find I need to hammer on it yet again.  Namely, Apple’s continued lack of action with respect to the DigiNotar issue.

Here’s what we know:

The Dutch government has said on record that its own government websites are no longer to be trusted in light of the issue
Google, Microsoft, Firefox, etc. have all revoked trust in the compromised CA
531 certificates are reported compromised to date

Seems like a big deal, don’t you think?  Kind of like an “eleven” on the certificate trust issue.  And yet Apple has not responded in any way.  Seriously.  Radio silence.

Here’s why that irritates me.  Apple markets (heavily) on security (remember the “no viruses” ads?).  They foster a perception in the marketplace of superior security.  Lion was called by some “the most secure consumer platform ever” (emphasis mine).  Now, I question that, and get only flames in response.  But here comes a time for Apple to ante up… and well, there’s nothing.   It’s not about me being right… it’s about looking at the evidence and judging their security profile based on merit: based on the evidence without preconception or bias.

Look, all of the marketing from Apple would lead you to the conclusion that they care about security, right?  So why do they continue to put their users at risk?  Because — make no bones about it — that’s what they’re doing here.  They’re saying, “sure, we have incontrovertible proof that a CA is broken, but we’re choosing to allow users to put full trust in it anyway.  You’re welcome.”

I use Apple products — I had a Mac for years and even on other devices use their software.  In my opinion, every Apple customer (myself included, along with every Mac, iPhone, iTunes, and QuickTime user) should be paying attention here.  We should be asking whether these are the actions of a company that actually cares about security, or of someone who cares just enough to use security as advertising, but not enough to actually follow through.

Just sayin’.

Analysis  Apple  from google
september 2011 by hanicker
Is it just me? Or are Android permissions kinda useless?
I came across this article today over on NetworkWorld about malware and the Android platform.  It’s an interesting read about the continuing saga of McAfee’s threat report, which shows an increase in Android malware of 75-ish percent.  A pretty interesting number — even if you’ve been tracking the reasons for it happening.

So anyway, the article is geared toward users – it’s approachable, probably to help spin the user community down from the news about the malware infestation by giving them some specific actions that they can take if they’re worried about malware on their droid.

But what struck me was this:

Always check app permissions: Whenever you download or update an app, you are given a list of permissions for that app. If an app is asking for things it shouldn’t need, get rid of it.

Which got me thinking about Android permissions — and their relative value (or lack thereof).  Now, I’m an Android user…  and I personally happen to find the permissions useless.  Seriously.  Like, it’s my job to care about security and I couldn’t care less about Android permissions on apps.  Why is that?  I’m glad you asked.

It’s because pretty much every app asks for something questionable.

No, seriously.  It’s the rare case where the permissions for the app make sense to me.  Whether it be the bar code scanner that asks for the “MODIFY GLOBAL SYSTEM SETTINGS” permission, the compass that requires “FULL INTERNET ACCESS”, or the “funny jokes for kids” app that wants to turn on the GPS and track location – it’s all creepy.  Like, windowless van kind of creepy.

In fact, it’s the rare case when the apps you install are not asking for the world.  Like, if it were possible for Angry Birds to request the “view my 2010 tax return” and “broadcast my medical records on the Internet” permissions, I’d fully expect them to ask for it and nobody to think that’s strange in the slightest.

Kidding aside, it’s already at the point that I personally find it impossible to actually use the permission system as a decision point for whether to install an app or not.  They’re just full-on useless – and until we start giving a fluff about what permissions they ask for (and refusing to run them otherwise), it’s not going to change.
Analysis  Android  from google
august 2011 by hanicker
F-Secure’s file: initially, I thought “shenanigans”. Now, not so sure.
I saw the article on ThreatPost about how F-Secure claims to have found the Excel file that ultimately led to the compromise of RSA.  I have to confess that I was pretty skeptical when I first read the headline (ok, so maybe “skeptical” is an understatement).  TLDR version: someone at RSA (maybe) uploaded the file to VirusTotal, meaning it got sent around as a matter of course to everyone in the AV industry.

Anyway, interesting if true…  Although I for one wonder if this will change how people use VirusTotal.  Like, do people care about this?  For example, if you were to use the tool to help find out whether a file contained malware — and then it turns out that someone uses that data to expose the intimate details of how you were hacked, for example by publishing a play-by-play and giving a talk about the specifics – would you care?

I’m not sure I would… but then again, folks can be touchy about this stuff.  So I’m skeptical that everyone involved is thrilled that the intimate details about the specific attack are being published… particularly as a result of an employee using what’s usually a pretty anonymous — and innocuous — tool.  In other words, even if it does say in the EULA that they can share the data, I’m not sure that everyone expects that doing so will give the AV crowd carte blanche to publish the intimate details of how you were hacked – including the content of emails to/from your organization, with a mapping back to your identity for good measure.  Not sure people would sign up voluntarily for that.  Apparently they did in the past… I guess we’ll find out if they still will going forward.
Analysis  F-Secure  RSA  from google
august 2011 by hanicker