Security

Thinkmodo Crushes It: Viral Video for Limitless Nabs 2 Million Views


The video was uploaded to YouTube a week ago under the user name BITcrash44. As the week progressed, it generated well over 800,000 views in just four days and was mentioned on Web sites like Gizmodo, Gothamist, Salon and NBC New York. The New York Times reported that one Web site even listed it as the most popular viral video on Twitter.


Twitter Lets You Turn on SSL (https://) Permanently: Safety for Notebooks/Tablets on Public Hotspots

Some of you may recall the Firesheep Firefox plugin released last year. It used a packet sniffer to pick unencrypted browser session cookies for sites like Facebook and Twitter out of the local network (usually a wireless one), and let the Firefox user hijack the accounts those cookies belonged to. The quick fix was to access these sites over “https” (SSL, Secure Sockets Layer, encryption) instead of plain http. However, the vast majority of people either did not know to do so or neglected to.

Twitter just made it a little easier to secure your web based sessions from their site (Twitter.com).

Making Twitter more secure: HTTPS

They’ve added a one-time setting that permanently turns on SSL for your account. If you frequent public hotspots with your netbook, notebook or tablet, you probably want to consider turning this option on. Note that the setting covers your browser sessions with the Twitter.com web site; a third-party Twitter client has to use https on its own.
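To make concrete what Firesheep was doing, and what a site has to send to stop it, here is an added example (my own illustration, not Firesheep’s code and not anything from Twitter). The captured request and the two responses are constructed samples; the cookie names are the ones Twitter used at the time, the values are made up. The response audit goes a step beyond the page: besides forcing https it checks for the Secure and HttpOnly cookie attributes and for a Strict-Transport-Security header, which is the general form of the “always use HTTPS” fix.

```python
"""Firesheep-style cookie capture from cleartext HTTP, and the response-header audit that closes the hole."""

# Constructed sample traffic (not real Twitter data): what a sniffer on an open hotspot sees
# when a browser loads twitter.com over plain http://.
CAPTURED_REQUEST = (
    b"GET /home HTTP/1.1\r\n"
    b"Host: twitter.com\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6\r\n"
    b"Cookie: guest_id=v1%3A13; _twitter_sess=BAh7CjoPY3JlYXRlZF9hdGw; auth_token=5f2a9c1e7b\r\n"
    b"\r\n"
)

# Cookies that carry the login. Other sites use other names; Firesheep shipped a
# per-site list of exactly this kind.
SESSION_COOKIES = ("auth_token", "_twitter_sess")


def parse_headers(raw: bytes) -> list:
    """Split an HTTP message head into (name, value) pairs, lower-casing the names."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    pairs = []
    for line in head.decode("latin-1").split("\r\n")[1:]:   # skip the request/status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def extract_cookies(raw_request: bytes) -> dict:
    """Pull every cookie out of a captured cleartext request. No decryption is involved:
    over plain http:// the Cookie header is simply visible to anyone on the segment."""
    cookies = {}
    for name, value in parse_headers(raw_request):
        if name == "cookie":
            for pair in value.split(";"):
                k, _, v = pair.strip().partition("=")
                if k:
                    cookies[k] = v
    return cookies


def hijack_material(raw_request: bytes) -> dict:
    """The cookie pairs an attacker would set in their own browser to become the victim."""
    cookies = extract_cookies(raw_request)
    return {k: cookies[k] for k in SESSION_COOKIES if k in cookies}


def audit_response(raw_response: bytes) -> list:
    """Flag response headers that leave a session exposed to this attack: session cookies
    without Secure (so the browser also sends them over http://), without HttpOnly, and no
    Strict-Transport-Security header (so a typed or linked http:// URL is not upgraded)."""
    findings = []
    hsts = False
    for name, value in parse_headers(raw_response):
        if name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if cookie_name in SESSION_COOKIES and "secure" not in attrs:
                findings.append(f"{cookie_name}: missing Secure attribute")
            if cookie_name in SESSION_COOKIES and "httponly" not in attrs:
                findings.append(f"{cookie_name}: missing HttpOnly attribute")
        elif name == "strict-transport-security":
            hsts = True
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    return findings


# Constructed responses: the site before forcing https, and the hardened form.
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: auth_token=5f2a9c1e7b; path=/\r\n"
    b"Set-Cookie: _twitter_sess=BAh7CjoPY3JlYXRlZF9hdGw; path=/\r\n"
    b"\r\n"
)
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"Set-Cookie: auth_token=5f2a9c1e7b; path=/; Secure; HttpOnly\r\n"
    b"Set-Cookie: _twitter_sess=BAh7CjoPY3JlYXRlZF9hdGw; path=/; Secure; HttpOnly\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("captured session cookies:", hijack_material(CAPTURED_REQUEST))
    print("weak response findings:", audit_response(WEAK_RESPONSE))
    print("hardened response findings:", audit_response(HARDENED_RESPONSE))
```

The point of the two response samples: a user-side “use https” habit protects only the requests the user remembers to type with https. The Secure attribute means the browser will never send the session cookie over http at all, and the HSTS header makes the browser upgrade an http:// link before the request leaves the machine, so there is nothing on the wire for a sniffer to pick up.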

Google Responds to Last Week's Android Market Malware Apps Issues

Apple’s iOS App Store and Google’s Android Market provide two vastly different perspectives on the effects of app gatekeeping controls.

On one hand, Apple keeps such a tight rein on what is allowed into the App Store and on how an app may function that many developers and content providers feel frustrated. On the other hand, Google provides no app gatekeeping at all for the Android Market. One result of this approach was malicious apps appearing in the Android Market last Tuesday. The particulars of the malware are provided in this Android Market Help item. The malware affected Android devices running version 2.2.1 or older.

March 2011 Security Issue

The official Google Mobile Blog reported over the weekend that the apps have been removed from the Android Market and that the developer accounts associated with them have been suspended. Google is also pushing an Android Market security update to affected devices that undoes the changes the malicious apps made. The blog item notes that Google is working to prevent similar exploits in the future.

An Update on Android Market Security

It will be interesting to see how Amazon’s Android store will deal with the issue of controls when accepting apps and vetting them for end-user safety.

Will Motorola's Android Security APIs Fragment Android More?

Infoworld reports that Motorola Mobility bought a small company to deal with Android security shortfalls.

Motorola’s big plans to fix Android’s security woes

There are a couple of interesting side notes either directly stated in this article or implied by this news.

1. The article notes: “Android devices can’t be managed to meet business-class security needs like a BlackBerry or iPhone can.” There are a couple of interesting points raised in this single sentence:
1.1. Apple’s iPhone is considered, at least by the article’s author, to be a business-class device on par with the BlackBerry.
1.2. There is no mention of Microsoft’s Windows Phone 7. Its predecessor, Windows Mobile, at one time defined much of what we think of as a business-class phone. Ironically, the author notes: “The management infrastructure created would be similar to that available on Research in Motion’s BlackBerry platform, on Microsoft’s now-defunct Windows Mobile platform, and on Apple’s iOS 4 platform.”
2. Motorola plans to provide APIs for its Android security software.
2.1. Although other vendors can work with these APIs, it is not clear that they will.
2.2. What happens if Google itself provides what it should have done earlier: a unified and standard way to deal with business-class security holes?

This effort, while needed, may end up fragmenting Android even more. Up to now, Google has been fragmenting Android all by itself. It may soon get help.

Apple Said to be Testing Android-like Gesture Locks: Why You May Want to Keep Using a PIN

9to5Mac reports that:

Apple testing Android-like gesture-based lock screen for iOS

Apple currently provides a numeric PIN lock for the iPhone and iPad. Android phones have the PIN option plus an option to draw a finger gesture (a pattern) over a 3 by 3 grid of dots to secure the phone. Apple will probably have to offer this option just to give potential customers a checkbox to check off when comparing iOS devices to Android devices. However, I hope that most people will decide not to use this feature. Here’s what I learned after using a gesture lock on my Android phones for several months and speaking to other Android users.

1. The smudge marks fingers leave on a screen form a trail that makes it easy to figure out how to unlock the phone if a very simple gesture is used. My informal discussions indicate that a significant percentage of people use a gesture that can be deciphered from the smudge trail. Frequent screen wiping can help reduce this problem. However, how many clean screens do you see on a daily basis?

2. Using a complex gesture reduces the probability of someone reading your smudge trail. However, it also makes unlocking the phone a slightly longer task that is prone to entry errors.

3. Depending on the quality of your screen, the condition of your fingertip (moist, etc.) and your current state of coordination, unlocking the phone can take multiple attempts. This can become very annoying.

After a few months, I gave up on gesture locks and went to a PIN security lock for my Android phones. I suspect many iPhone and iPad users will use the gesture lock for a while because of its initial novelty but will revert to PINs eventually. I also suspect that some system administrators will enforce PIN-only security locks for those who use their phones in an enterprise setting.
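For a sense of how much a smudge trail gives away, here is an added example (my own, not from the 9to5Mac report and not Android code) that enumerates every pattern Android’s 3 by 3 lock accepts and then filters them against an observed trail. It assumes the standard Android rules: 4 to 9 distinct dots, and a straight stroke may pass over a dot only if that dot is already in the pattern. The smudge is modelled as the set of strokes with no order or direction, which is roughly what a photograph of the screen shows; the L-shaped sample pattern is constructed.

```python
"""Android 3x3 pattern lock: how many patterns exist, and how far a smudge trail narrows the search."""
from functools import lru_cache
import math

GRID = 3
DOTS = GRID * GRID   # dots numbered 0..8, row-major


def _midpoint(a: int, b: int):
    """Dot that a straight stroke from a to b passes over, or None. Android allows such a
    stroke only if that middle dot is already part of the pattern (otherwise it adds it)."""
    ra, ca = divmod(a, GRID)
    rb, cb = divmod(b, GRID)
    if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return ((ra + rb) // 2) * GRID + (ca + cb) // 2
    return None


MIDPOINT = {(a, b): _midpoint(a, b) for a in range(DOTS) for b in range(DOTS)}


@lru_cache(maxsize=None)
def all_patterns(min_len: int = 4, max_len: int = 9) -> tuple:
    """Every pattern Android accepts: a simple path over the dots, 4 to 9 dots long,
    obeying the skip rule above. Depth-first enumeration from each start dot."""
    found = []

    def extend(path, used):
        if len(path) >= min_len:
            found.append(tuple(path))
        if len(path) == max_len:
            return
        last = path[-1]
        for nxt in range(DOTS):
            if nxt in used:
                continue
            mid = MIDPOINT[(last, nxt)]
            if mid is not None and mid not in used:
                continue   # would jump over an unused dot; Android does not allow that stroke
            path.append(nxt)
            used.add(nxt)
            extend(path, used)
            path.pop()
            used.discard(nxt)

    for start in range(DOTS):
        extend([start], {start})
    return tuple(found)


def strokes(pattern) -> frozenset:
    """The undirected set of dot-to-dot strokes a pattern draws: what the smudge trail shows."""
    return frozenset(frozenset(p) for p in zip(pattern, pattern[1:]))


def candidates_from_smudge(observed_strokes) -> list:
    """Patterns consistent with an observed smudge trail (strokes only, no order or direction).
    A simple path with n strokes has n+1 dots, so only patterns of that length can match."""
    target = frozenset(frozenset(s) for s in observed_strokes)
    n = len(target)
    return [p for p in all_patterns() if len(p) == n + 1 and strokes(p) == target]


def keyspace_bits() -> dict:
    """Entropy of a uniformly chosen pattern versus a 4-digit and a 6-digit PIN."""
    return {
        "pattern": round(math.log2(len(all_patterns())), 1),
        "pin4": round(math.log2(10 ** 4), 1),
        "pin6": round(math.log2(10 ** 6), 1),
    }


if __name__ == "__main__":
    print("valid patterns:", len(all_patterns()))          # 389112
    print("keyspace bits:", keyspace_bits())
    # Constructed example: an L-shaped pattern down the left edge and along the bottom.
    smudge = [(0, 3), (3, 6), (6, 7), (7, 8)]
    print("patterns matching that smudge:", candidates_from_smudge(smudge))
```

Two things fall out of running it. The full pattern space (389,112 patterns, about 18.6 bits) is already only a little bigger than a 4-digit PIN, and once the strokes are visible on the glass the search collapses to the handful of orderings consistent with that trail: for any pattern that does not cross itself, just the pattern and its reverse. A PIN leaves smudges too, but on four keys rather than a connected trail, so the order is not given away.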

Solid State Drives Are Fast, Reliable, and Very Difficult to Securely Erase

Solid State Drives (SSDs) use solid-state memory instead of spinning disk platters (as in hard disk drives) to store large amounts of data. SSD prices have been dropping while capacities have been increasing over the past few years. SSDs can provide greater reliability and access speed, at a higher cost per byte. Perhaps the best known device shipping with an SSD is Apple’s MacBook Air.

Price is not the only cost involved, however. Security firm Sophos reports that:

SSDs prove difficult to securely erase

They note that the ATA and SCSI “erase unit” command for secure erasure (ATA SECURITY ERASE UNIT) was supported on only 8 of the 12 SSDs tested, and actually erased the data on only 4 of those 8. Degaussing, which works on hard drives because their storage is magnetic, does nothing to an SSD. And conventional file-overwriting tools do not work either: the SSD’s controller remaps each overwrite to a fresh flash page, so the old copy of the data stays on the chip until the controller gets around to recycling it.

Sophos recommends full disk encryption as the only practical form of data protection for SSDs. Note that this only helps if encryption is enabled before sensitive data is written; plaintext that reached the flash earlier stays there, for the same remapping reason.
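The reason file overwriting fails is the flash translation layer. The following added example (a simulation of mine, not code from Sophos or from the researchers they cite) models an SSD whose controller writes out of place, and shows what a raw read of the flash still contains after a “secure” overwrite, after the same overwrite behind full-disk encryption, and after a correctly working SECURITY ERASE UNIT. The cipher is a toy SHA-256 keystream standing in for the AES-XTS a real product uses, and the secret is constructed sample data.

```python
"""Why overwriting a file does not erase it on an SSD, and why full-disk encryption is the practical answer."""
import hashlib

SECRET = b"customer SSN 123-45-6789"   # constructed sample data


class SimulatedSSD:
    """Toy flash translation layer (FTL). Flash pages cannot be overwritten in place, so every
    write lands on a fresh physical page and the logical-to-physical map is repointed. The old
    page keeps its contents until the controller eventually garbage-collects it."""

    def __init__(self, n_pages: int = 64):
        self.pages = [b""] * n_pages     # physical flash pages
        self.l2p = {}                    # logical block address -> physical page
        self.next_free = 0

    def write(self, lba: int, data: bytes) -> None:
        phys = self.next_free
        self.next_free += 1
        self.pages[phys] = data
        self.l2p[lba] = phys             # the previous page for this LBA is now stale, not erased

    def read(self, lba: int) -> bytes:
        return self.pages[self.l2p[lba]]

    def raw_flash(self) -> list:
        """What a chip-off read, or a forensic tool that bypasses the FTL, sees."""
        return list(self.pages)

    def security_erase_unit(self) -> None:
        """ATA SECURITY ERASE UNIT as it should behave (the tested drives did not all manage
        this): every page, mapped or stale, is wiped."""
        self.pages = [b""] * len(self.pages)
        self.l2p.clear()
        self.next_free = 0


def sector_keystream_xor(key: bytes, lba: int, data: bytes) -> bytes:
    """Toy per-sector encryption: XOR with a SHA-256 counter keystream bound to the disk key and
    sector number. Stands in for the AES-XTS a real FDE product uses; illustration only."""
    out = bytearray()
    ctr = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + lba.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))


class EncryptedSSD:
    """Full-disk encryption layered over the FTL: only ciphertext ever reaches the flash."""

    def __init__(self, key: bytes, ssd: SimulatedSSD):
        self.key = key
        self.ssd = ssd

    def write(self, lba: int, data: bytes) -> None:
        self.ssd.write(lba, sector_keystream_xor(self.key, lba, data))

    def read(self, lba: int) -> bytes:
        return sector_keystream_xor(self.key, lba, self.ssd.read(lba))


def plaintext_remnant_after_overwrite() -> bool:
    """Write a secret, overwrite the same logical block with zeros (what shred-style tools do),
    then look at the raw flash. The overwrite went to a new page; the secret is still on the chip."""
    ssd = SimulatedSSD()
    ssd.write(7, SECRET)
    ssd.write(7, b"\x00" * len(SECRET))
    return ssd.read(7) != SECRET and any(SECRET in page for page in ssd.raw_flash())


def plaintext_remnant_with_fde() -> bool:
    """Same sequence behind full-disk encryption: the stale page holds ciphertext only."""
    ssd = SimulatedSSD()
    disk = EncryptedSSD(b"key derived from the user's passphrase", ssd)
    disk.write(7, SECRET)
    disk.write(7, b"\x00" * len(SECRET))
    return any(SECRET in page for page in ssd.raw_flash())


def anything_left_after_security_erase() -> bool:
    """A working SECURITY ERASE UNIT clears stale pages as well as mapped ones."""
    ssd = SimulatedSSD()
    ssd.write(7, SECRET)
    ssd.security_erase_unit()
    return any(page for page in ssd.raw_flash())


if __name__ == "__main__":
    print("secret still on flash after overwrite:", plaintext_remnant_after_overwrite())   # True
    print("secret on flash with FDE:", plaintext_remnant_with_fde())                         # False
    print("anything left after SECURITY ERASE UNIT:", anything_left_after_security_erase())  # False
```

With encryption in place the disposal problem turns into a key-disposal problem: once the key is gone, every stale page the controller never recycled is just ciphertext, which is why drive makers and FDE products offer a “crypto erase” that discards the key instead of trying to scrub every page.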

Seven Ways to Keep Your Kids Safe Online


To help ensure kids’ Internet safety, parents need to know how to educate their children about staying safe online and how to manage their kids’ Internet experiences. Although the task may sound challenging, some websites offer simple solutions and tips that every family can use to help make their kids’ online experiences safe ones.


Why Does McAfee Name Python and Visual Basic Script as “Mobile Platforms”?

ZDNet combed through security vendor McAfee’s mobile threat report.

McAfee: Malware going mobile

The list of mobile platforms in McAfee’s “Mobile Threats by Platform 2009-2010” puzzles me a lot. It lists:

- Symbian OS
- Java 2 Mobile Edition
- Symbian S60 3rd Edition
- Python
- Android
- WinCE (Windows CE)
- MSIL
- VBS

There are a couple of oddities in this list as well as one big missing item. The three puzzling items are Python, MSIL and VBS. None of these are “mobile platforms.” Python is an Open Source programming language, MSIL is Microsoft Intermediate Language, and VBS is presumably Visual Basic Script. Then there is the question of the missing 800-pound gorilla: where is iOS (iPhone and iPad) in this mix? Is it immune to mobile security threats? That would be nice, but unlikely.

Baseband Hacking Smartphones & What is OpenBTS?

InfoWorld’s Robert McMillan provides an interesting overview of a new smartphone hacking technique presented last week at Black Hat DC 2011.

Coming soon: A new way to hack into smartphones

Cryptologist Ralf-Philipp Weinmann set up a fake GSM base station using the OpenBTS Open Source project. OpenBTS provides a way to create a low-cost GSM cellular network; it can work with the Asterisk Open Source PBX to connect to the existing telephone system and route calls. The photo to the left is from the project site; the setup shown can broadcast over a range of a few meters. Once a phone attaches to the fake cell, Weinmann uses firmware flaws he says are found in Qualcomm and Infineon GSM baseband radios to hack into the smartphone.

Network World reported that the demo showed the basics of the technique last week.

Fake GSM base station trick targets iPhones
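The attack needs the handset to attach to the rogue cell before any baseband message can reach it, and it does so for two reasons the page only implies: a GSM phone picks the strongest cell that announces its home network, and GSM authentication is one-way, so the phone never checks who the network is. The following added example (my own simulation, not Weinmann’s code and not part of OpenBTS) walks through that attach with both sides’ messages. It goes beyond the page in contrasting GSM with the mutual authentication of UMTS/LTE AKA. The A3 and AUTN functions are toy HMAC stand-ins, the PLMN code is the 001-01 test network, and the IMSI and key are constructed.

```python
"""Why a handset camps on a rogue GSM cell: cell choice is by signal strength within the home
network, and GSM authentication is one-way, so the phone never learns who the network is."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def toy_a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the SIM's A3: SRES = f(Ki, RAND). Real SIMs use COMP128-family or
    MILENAGE-based algorithms; only the shape of the exchange matters here."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


@dataclass
class Cell:
    name: str
    plmn: str                 # MCC-MNC on the beacon; anyone can broadcast any value
    rxlev_dbm: int            # received signal level at the handset
    subscribers: dict = field(default_factory=dict)   # IMSI -> Ki, known only to the real operator
    sends_auth_request: bool = True                   # GSM lets the network skip authentication


@dataclass
class Mobile:
    imsi: str
    ki: bytes
    home_plmn: str
    camped_on: str = ""


def select_cell(mobile: Mobile, cells: list) -> Cell:
    """Simplified GSM cell selection: the strongest cell announcing the home PLMN wins.
    Beacon broadcasts are not signed, so a rogue cell with a stronger signal is preferred."""
    eligible = [c for c in cells if c.plmn == mobile.home_plmn]
    return max(eligible, key=lambda c: c.rxlev_dbm)


def gsm_location_update(mobile: Mobile, cell: Cell) -> bool:
    """GSM attach. If the network sends AUTHENTICATION REQUEST the mobile proves it holds Ki;
    the network proves nothing, and may send LOCATION UPDATING ACCEPT with no challenge at all."""
    if cell.sends_auth_request:
        rand = os.urandom(16)                                    # AUTHENTICATION REQUEST (RAND)
        sres = toy_a3(mobile.ki, rand)                           # AUTHENTICATION RESPONSE (SRES)
        expected = toy_a3(cell.subscribers.get(mobile.imsi, b""), rand)
        if not hmac.compare_digest(sres, expected):
            return False                                         # LOCATION UPDATING REJECT
    mobile.camped_on = cell.name                                 # LOCATION UPDATING ACCEPT
    return True


def umts_location_update(mobile: Mobile, cell: Cell) -> bool:
    """UMTS/LTE AKA for contrast: the challenge carries AUTN, a MAC over RAND under the same key,
    so a network that does not hold K is rejected by the mobile before it camps."""
    rand = os.urandom(16)
    k = cell.subscribers.get(mobile.imsi)
    autn = (hmac.new(k, b"AUTN" + rand, hashlib.sha256).digest()[:8]
            if k else os.urandom(8))                             # a rogue can only guess
    expected = hmac.new(mobile.ki, b"AUTN" + rand, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(autn, expected):
        return False                                             # mobile reports MAC failure
    mobile.camped_on = cell.name
    return True


def simulate() -> dict:
    """Constructed scenario: the operator's cell at -85 dBm, an OpenBTS-class rogue cell at -50 dBm."""
    ki = os.urandom(16)
    me = Mobile(imsi="001010123456789", ki=ki, home_plmn="001-01")
    operator = Cell("operator", "001-01", -85, subscribers={me.imsi: ki})
    rogue = Cell("rogue-bts", "001-01", -50, sends_auth_request=False)   # has no Ki, so skips auth
    chosen = select_cell(me, [operator, rogue])
    return {
        "selected": chosen.name,
        "gsm_rogue_accepted": gsm_location_update(Mobile(me.imsi, ki, me.home_plmn), rogue),
        "gsm_operator_accepted": gsm_location_update(Mobile(me.imsi, ki, me.home_plmn), operator),
        "umts_rogue_accepted": umts_location_update(Mobile(me.imsi, ki, me.home_plmn), rogue),
        "umts_operator_accepted": umts_location_update(Mobile(me.imsi, ki, me.home_plmn), operator),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The rogue cell never needs the subscriber key: it wins cell selection on signal strength alone and then simply omits the authentication step, which the GSM protocol permits. From that point every Layer 3 message the cell sends is parsed by the phone’s baseband firmware, which is where the flaws Weinmann describes come into play. The same simulation with the AKA exchange shows why a 3G handset forced down to GSM (or one that still prefers a strong 2G cell) is the interesting target.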