Access vulnerability on Android tablet

I made my first ever “Black Friday” purchase last week.  Staples (for those outside North America, this is a “big box” office supplies store with a large computer and tech section) had a door-crasher special of a Digital2 brand 7″ tablet, running Android 4.1, marked down from $250 to $70.  We had to go past a Staples on an errand, so I stopped in and got it.

I don’t quite regret getting it: particular at that price it is probably worth it.  I may do a review of its shortcomings at some point.  (Low memory, poor storage management, slow performance, limited battery, incompatible with some apps, poor file management options, many functions irregular.)  However, I came across something this morning that indicates a weakness.

One of the oddities is that there is no indication of charging or battery unless the tablet is on.  So, while charging, I had the tablet on to check the battery level.  The indicator icons are on the lower right of the screen on this model, and, in order to get more details on the charge, I touched that area.  But I had forgotten to unlock the device.

Lo and behold, it brought up the quick indicator list anyway, and, along with it, the notifications.  Prodding at this, I found that I couldn’t get into the settings menu proper, but I could access any of the notification messages.  And, once into any of those apps I had full access.

(This sounds similar to a number of lock-screen vulnerabilities that I’ve heard of on various Android and iOS versions and devices, but it seemed to be simpler and more direct than most.)

Share

CyberSec Tips: Email – Spam – Fraud – example 4

Sometimes it’s pretty easy to tell a fraud.  Some of these guys are just lazy:

> From:               ”PINILLA, KARINA” <pinillak@friscoisd.org>
> Subject:
> Date sent:          Mon, 2 Dec 2013 22:05:05 +0000

> Do you want your X-mas money and bonus for gift,if Yes contact me at this email:
> david.loanfinancialcomany12@gmail.com

You don’t know this person.  No subject for the message.  No explanation of why they are going to give you money.  (Although the name chosen for the email would seem to indicate that they want to emulate a pay-day loan company–which are pretty much rip-offs anyway.)  Poor grammar and spelling.

A while back someone seriously theorized that this lack of care might be deliberate.  Only stupid people would fall for a “come-on” like this, and it would be easier to defraud stupid people.  Unfortunately, as the song says, the world is full of stupid people …

Share

CyberSec Tips: Email – Spam – Phishing – email accounts – example 1

Sometimes phishers are after more than your bank account or credit cards.  These days a lot of them want your email account.  They can use it to send spam, to your friends, and those friends will trust a message from you.  (That’s a more reliable form of social engineering to get them to install malware on their computers.  Or give up their bank accounts and credit card numbers …)

> Dear user
> Your email has exceeded 2 GB, which is created by Webmaster, you are currently
> running at 2.30GB, you can not Send or receive new messages until you check your
> account.Complete the form below to verify your account.

Sometimes the email phishers will send you this “over quota” message.  Other times it may be that you are, supposedly, sending out malware or spam yourself.

> Please complete the details below to confirm your account
>
> (1) E-mail:
> (2) Name:
> (3) Password:
> (4) Confirm Password:

Here they just flat out ask you for your user name and password.

Spam isn’t the only thing they can do with your account.  These days Web based email accounts can be linked to storage space and other functions.  Google accounts are very valuable, since they give the phishers access to Google+ (with lots of personal information about you), YouTube, and Google Drive (which still has Google Docs in it, and can be used to set up phishing Websites).

Again, watch for telltale signs in the headers:

To:                 Recipients <web@epamig.br>
From:               HELP DESK<web@epamig.br>
Date sent:          Sun, 01 Dec 2013 14:01:47 +0100
Send reply to:      647812717@qq.com

It isn’t “to” you, and the “reply” isn’t the same as the “from.”

Share

CyberSec Tips: E-Commerce – tip details 1 – search engines

Our local paper, like just about everyone else, recently published a set of tips for online shopping.  (They got them from Trend Micro Canada.)  The tips are mostly OK, as far as they go, but I figured they could use a little expansion.

“Don’t rely on search engines to find a shopping site.

“Search results can lead to malicious websites that will take your credit card and other confidential data or infect your computer with a virus. Instead, bookmark reliable online shopping sites.”

As a general rule, it’s best to be careful whenever you go to a site that is new or unknown to you.  However, I’d have to take this tip with a grain of salt.  I did a (Google) search on London Drugs, a chain in Western Canada (widely known in the tech community for their computer departments) (about which I have written before), and the first five pages gave results that were all from, or legitimately about, that company.  Quick checks on other retailers got similar results.

It makes sense to bookmark a “known good” link if you shop someplace regularly.  But if you are going to a new site, you can get into just as much trouble by guessing at a domain name, or even just fumbling typing the URL.  Fraudsters will register a number of domain names that are very similar to those of legitimate companies; just a character or so off; knowing that slipping fingers will drive people to their sites.  Some of those malicious sites look very much like the real thing.  (Others, promoting all kinds of questionable services and deals, are obviously false.)

Always be careful, and suspicious.  If anything seems off, get out of there, and maybe do a bit of research before you try again.  But don’t just avoid search engines as a matter of course.

Share

Firewalled

Full details are not out yet, but there was a “police incident” today in NorthVancouver, which resulted in the closure of two bridges from the North Shore.

(No, the cops aren’t looking for me.  Although this is fairly near our home, and only a few blocks up the street from where embroidery and quilting guilds meet.)

If you look at the map, you will see that a) the bridges aren’t that close to each other, and b) the incident was close to neither.

By closing both bridges, the police can completely isolate the North Shore from the rest of the world.  (I assume they put checks out at the Seabus and the road up to Squamish, although whoever they were looking for would have to be pretty stupid to head that way.)  Also, by closing the bridges, the police have probably tied up all traffic everywhere on the North Shore as well, preventing the perp from going very far in any case  :-)

Although we don’t know what happened, IHT indicates a homicide, and the response indicates someone may have been kidnapped, as well.

Share

CyberSec Tips: Email – Spam – Fraud – example 3

This one is slightly interesting, in that it contains elements of both 419 and phishing.  It’s primarily an advance fee fraud message.  First off, the headers:

> Subject: Dear Winner!!!
> From: CHELPT <inf8@hotline.onmicrosoft.com>
> Date: Thu, 28 Nov 2013 17:45:06 +0530
> Reply-To: <morrluke@careceo.com>
> Message-ID: <XXX.eurprd01.prod.exchangelabs.com>

Again, we see different domains, in particular, a different address to reply to, as opposed to where it is supposed to be from.

> Corporate Headquarters
> Technical Office Chevrolet promotion unit
> 43/45 The Promenade…
> Head Office Chevrolet motors
> 43/45 The Promenade Cheltenham
> Ref: UK/9420X2/68
> Batch: 074/05/ZY369
> Chevrolet Canter, London, SE1 7NA – United Kingdom

My, my, my.  With all that addressing and reference numbers, it certainly looks official.  But isn’t.

> Dear Winner,
>
> Congratulations, you have just won a cash prize of £1,000, 000, 00. One million
> Great British Pounds Sterling (GBP) in the satellite software email lottery.
> On-line Sweepstakes International program held on this day Satur day 23rd
> November 2013 @05:42.PM London time. Conducted by CHEVROLET LOTTERY BOARD in
> which your e-mail address was pick randomly by software powered by the Internet
> send data’s to;
> ——————————————————————————–
> Tell: +44 701 423 4661             Email: morrluke@careceo.com Officer Name: Mr.
> Morrison Luke. CHEVROLET LOTTERY BOARD London UK
> ——————————————————————————–

As usual, you have supposedly won something.  If you reply, of course, there will start to be fees or taxes that you have to pay before the money is released to you.  The amounts will start out small (hey, who wouldn’t be willing to pay a hundred pound “processing fee” in order to get a million pounds, right?) but then get larger.  (Once you’ve paid something, then you would tend to be willing to pay more.  Protecting your investment, as it were.)  And, of course you will never see a cent of your winnings, inheritance, charity fund, etc, etc.

> Below is the claims and verifications form. You are expected to fill and return
> it immediately so we can start processing your claims:
>
> 1. Full Names:
> 2. Residential Address:
> 3. Direct Phone No:
> 4. Fax Number
> 5. Occupation:
> 6. Sex:
> 7. Age:
> 8. Nationality:
> 9. Annual Income:
> 10. Won Before:
> 11. Batch number: CHELPT1611201310542PM
> 12: Ticket Numbers: 69475600545-72113
> 13: Lucky numbers: 31-6-26-13-35-7

But here, they are starting to ask you for a lot of personal information.  This could be used for identity theft.  Ultimately, they might ask for your bank account information, in order to transfer your winnings.  Given enough other data on you, they could then empty your account.

> We wish you the best of luck as you spend your good fortune thank you for being
> part of our commemorative yearly Draws.
>
> Sincerely,
> Mrs. Susan Chris.
> CHEVROLET LOTTERY PROMOTION TEAM.

Oh, yeah.  Good luck on ever getting any of this money.

Share

CyberSec Tips: Email – Spam – Phishing – example 2

Some of you may have a BarclayCard credit card.  You might receive a reminder message that looks like the one below.  (Actually, the only credit card company I know that actually sends email reminders is American Express, which I think is a black mark on their security record.)

> Subject: Barclaycard Payment is due
> From: “Barclaycard” <barclaycard@card.com>
> Received: from smtp.alltele.net

If you look at the message headers, you might note that this message doesn’t come from where it says it comes from, and that’s something of which to beware.

> Your barclaycard payment is due
>
> Visit your card service section below to proceed
> hxxp://www.equivalente.it/rss/re.html

You might also note that, it you do have a BarclayCard, it’s probably because you live in the UK.  And the server they want you to visit is in Italy: .it

Share

CyberSec Tips: Email – Spam – Phishing – example 1

Phishing is pretty constant these days.  One of the tips to identify phishing messages is if you don’t have an account at that particular bank.  Unfortunately, a lot of people who are online have accounts with Paypal, so Paypal is becoming a favourite with phishers.  You’ll probably get a message something like this:

Subject: Your account access has been limited
From: service@paypal.co.uk <notice@paypal6.co.uk>

(You might think twice if you have an account with Paypal in the United States, but this domain is in the UK.)

> PayPal is constantly working to ensure security by regularly screening the
>accounts in our system. We recently reviewed your account, and we need more
>information to help us provide you with secure service. Until we can
> collect  this information, your access to sensitive account features will be
> limited. We would like to restore your access as soon as possible, and we
> apologize     for the inconvenience.

>    Why is my account access limited?

>    Your account access has been limited for the following reason(s):

> November 27, 2013: We would like to ensure that your account was not
> accessed by an unauthorized third party. Because protecting the security of
> your account is our primary concern, we have limited access to sensitive
> PayPal account features. We understand that this may be an inconvenience but
> please understand that this temporary limitation is for your protection.

>    Case ID Number: PP-197-849-152

>You must click the link below and enter your password for email on the following page to review your account. hxxp://dponsk.ru/wp-admins/.pay/

> Please visit the hxxp://dponsk.ru/wp-admins/.pay Resolution Center and
> complete the Steps to Remove Limitations.

Sounds official, right?  But notice that the URLs given have nothing to do with Paypal.  Also notice, given the .ru domain, that they are in Russia.  Don’t click on those links.  Neither Paypal of anybody else is going to send you these type of messages these days.

Share

CyberSec Tips: Email – Spam – Fraud – example 2

Another advance fee/419 fraud is the lottery.

> Subject: Dear User
> To: Recipients <info@notizia348.onmicrosoft.com>
> From: Alexander brown <info@notizia348.onmicrosoft.com>

Again, your email address, which supposedly “won” this lottery, is missing: this message is being sent to many people.  (If you really had won millions, don’t you think they’d take a bit more care getting it to you?)

> Dear Internet User,
>  We are pleased to inform you again of the result of the Internet Promotional
>  Draws. All email addresses entered for this promotional draws were randomly
>  inputted from an internet resource database using the Synchronized
> Data Collective Balloting Program.

Sounds impressive.  But it really doesn’t mean anything.  In the first place, you never entered.  And why would anyone set up a lottery based simply on random email sent around the net?  There is no benefit to anyone in that, not even as a promotion.

>  This is our second letter to you. After this automated computer ballot,your
>  email address was selected in Category A with Ref Number: GTL03-2013 and
>  E-Ticket Number: EUB/8974IT,this qualifies you to be the recipient of t
> he grand prize award sum of (US$2,500,000.00) Two Million, Five Hundred Thousand
> United States Dollars.

This is interesting: it presents still more impressive stuff–that really has no meaning.  It starts by saying this is the second message to you, implying that you missed the first.  This is intended to make you anxious, and probably a bit less questioning about things.  Watch out for anything that tries to rush or push you.

The numbers, of course, are meant to sound official, but are meaningless.

>  The payout of this cash prize to you will be subject to the final validations
>  and satisfactory report that you are the bona fide owner of the winning email
>  address. In line with the governing rules of claim, you are requ
> ired to establish contact with your designated claims agent via email or
> telephone with the particulars below:
>  Enquiry Officer: Mr. Samuel Trotti
> Phone: +39 3888146161
> Email: trottioffice@aim.com

Again, note that the person you are to contact is not the one (or even the same domain) as sent the message.

>  You may establish contact with the Enquiry Officer via the e-mail address above
>  with the information’s necessary: Name:, Address:, Phone:, Cell Phone:, Email:,
>  Alternative Email:, Occupation:, Ref Number and E-Ticket Number. All winnings
>  must be claimed within 14 days from today. After this date all unclaimed funds
>  would be included in the next stake. Remember to quote your reference
>  information in all correspondence with your claims agent.

This is interesting: the amount of information they ask from you means that this might not simply be advance fee fraud, but they might be doing phishing and identity theft, as well.

Share

CyberSec Tips: Email – Spam – Fraud – example 1

A lot of the advance fee fraud (also called 419 or Nigerian scams) these days say you’ve been named in a will:

> Subject: WILL EXECUTION!!!
> To: Recipients <clifordchance08@cliffordchance854.onmicrosoft.com>
> From: Clifford Chance <clifordchance08@cliffordchance854.onmicrosoft.com>

Note in this case that the message is sent “to” the person who sent it.  This is often an indication that many people have been sent the same message by being “blind” copied on it.  In any case, it wasn’t sent specifically to you.

> Late Mr.Robert Adler bequeathed US$20,500,000.00 USD, to you in his will.More
> info,contact your attorney(Clifford Chance Esq) via email
> address:clf.chance@hotmail.com  Tell+44-871-974-9198

This message doesn’t tell you very much: sometimes they have a reference to a recent tragic event.

Note also that the email address you are supposed to contact is not the same address that sent the message.  This is always suspicious.  (So is giving a phone number.)

If you look into the headers, there are more oddities:

> From: Clifford Chance <clifordchance08@cliffordchance854.onmicrosoft.com>
> Reply-To: <clf.chance@hotmail.com>
> Message-ID: <XXXX@SINPR02MB153.apcprd02.prod.outlook.com>

There are not only three different email addresses, but three different domains.  Microsoft owns Hotmail, and Hotmail became Outlook, so it’s possible, but it’s still a bit odd.

Share

REVIEW: “Debug It: Find, Repair, and Prevent Bugs in Your Code”, Paul Butcher

BKDEBGIT.RVW   20130122

“Debug It: Find, Repair, and Prevent Bugs in Your Code”, Paul Butcher, 2009, U$34.95/C$43.95, 978-1-93435-628-9
%A   Paul Butcher paul@paulbutcher.com
%C   2831 El Dorado Pkwy, #103-381 Frisco, TX 75033
%D   2009
%G   978-1-93435-628-9 1-93435-628-X
%I   Pragmatic Bookshelf
%O   U$34.95/C$43.95 sales@pragmaticprogrammer.com 800-699-7764
%O  http://www.amazon.com/exec/obidos/ASIN/193435628X/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/193435628X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/193435628X/robsladesin03-20
%O   Audience n- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   214 p.
%T   “Debug It: Find, Repair, and Prevent Bugs in Your Code”

The preface states that there are lots of books in the market that teach development and few that teach debugging.  (In my experience, a great many development books include debugging advice, so I’m not sure where the author’s perception comes from.)  The work is structured around a core method for debugging: reproduce, diagnose, fix, and reflect.

Part one presents the basic technique.  Chapter one repeats the description of this core method.  Chapter two encourages the reproduction of the bug.  (This can be more complex than the author lets on.  I have a netbook with some bug in the hibernation function.  Despite constant observation over a period of three and a half years, I’ve yet to find a combination of conditions that reproduces the failure, nor one that prevents it.)  Some of the suggestions given are useful, if pedestrian, while others are pretty pointless.  (Butcher does not address the rather thorny issue of using “real” data for testing.)  In terms of diagnosis, in chapter three, there is limited description of process, but lots of good tips.  The same is true of fixing, in chapter four.  (I most definitely agree with the recommendation to fix underlying causes, rather than effects.)  Reflection, the topic of chapter five, is limited to advice that the problem be considered even after you’ve fixed it.

Part two explores the larger picture.  Chapter six examines bug tracking systems, and eliciting feedback from users and support staff.  Chapter seven advises on trying to address the bugs, but concentrates on “fix early,” with little discussion of priorities or ranking systems.

Part three, entitled “Debug Fu,” turns to related and side issues.  The “Special Cases” in chapter eight seem to be fairly common: software already released, compatibility issues, and “heisenbugs” that disappear when you try to track them.  Chapter nine, on the ideal debugging environment, is about as practical as most such exercises.  “Teach Your Software to Debug Itself” in chapter ten seems confined to a few specific cases.  Chapter eleven notes some common problems in development teams and structures.

The advice in the book is good, and solid, but not surprising to anyone with experience.  Novices who have not considered debugging much will find it useful.

copyright, Robert M. Slade   2013   BKDEBGIT.RVW   20130122

Share

BadBIOS

In recent days there has been much interest in the “BadBIOS” infection being reported by Dragos Ruiu.  (The best overview I’ve seen has been from Naked Security.)  But to someone who has lived through several viral myths and legends, parts of it sound strange.

  • It is said to infect the low-level system firmware of your computer, so it can’t be removed or disabled simply by rebooting.

These things, of course, have been around for a while, so that isn’t necessarily wrong.  However, BIOS infectors never became a major vector.

  • It is said to include components that work at the operating system level, so it affects the high-level operation of your computer, too.
  • It is said to be multi-platform, affecting at least Windows, OS X, and OpenBSD systems.

This sounds bit odd, but we’ve had cross-platform stuff before.  But they never became major problems either.

  • It is said to prevent infected systems being booted from CD drives.

Possible: we’ve seen similar effects over the years, both intentionally and un.

  • It is said to spread itself to new victim computers using Software Defined Radio (SDR) program code, even with all wireless hardware removed.

OK, it’s dangerous to go out on a limb when you haven’t seen details and say something can’t happen, but I’m calling bullshit on this one.  Not that I don’t think someone couldn’t create a communications channel without the hardware: anything the hardware guys can do the software guys can emulate, and vice versa.  However, I can’t see getting an infection channel this way, at least without some kind of minimal infection first.  (It is, of course, possible that the person doing the analysis may have made a mistake in what they observed, or in the reporting of it.)

  • It is said to spread itself to new victim computers using the speakers on an infected device to talk to the microphone on an uninfected one.

As above.

  • It is said to infect simply by plugging in a USB key, with no other action required.

We’ve seen that before.

  • It is said to infect the firmware on USB sticks.

Well, a friend has built a device to blow off dangerous firmware on USB sticks, so I don’t see that this would present any problem.

  • It is said to render USB sticks unusable if they aren’t ejected cleanly; these sticks work properly again if inserted into an infected computer.

Reminds me somewhat of the old “fast infectors” of the early 90s.  They had unintended effects that actually made the infections easy to remove.

  • It is said to use TTF (font) files, apparently in large numbers, as a vector when spreading.

Don’t know details of the internals of TTF files, but they should certainly have enough space.

  • It is said to block access to Russian websites that deal with reflashing software.

Possible, and irrelevant unless we find out what is actually true.

  • It is said to render any hardware used in researching the threat useless for further testing.

Well, anything that gets reflashed is likely to become unreliable and untrustworthy …

  • It is said to have first been seen more than three years ago on a Macbook.

And it’s taken three years to get these details?  Or get a sample to competent researchers?  Or ask for help?  This I find most unbelievable.

In sum, then, I think this might be possible, but I strongly suspect that it is either a promotion for PacSec, or a promo for some presentation on social engineering.

 

Share

Risk management and security theatre

Bruce Schneier is often outrageous, these days, but generally worth reading.  In a piece for Forbes in late August, he made the point that, due to fear and the extra trouble casued by TSA regulations, more people were driving rather than flying, and, thus, more people were dying.

“The inconvenience of extra passenger screening and added costs at airports after 9/11 cause many short-haul passengers to drive to their destination instead, and, since airline travel is far safer than car travel, this has led to an increase of 500 U.S. traffic fatalities per year.”

So, by six years after the event, the TSA had killed more US citizens than had the terrorists.  And continues to kill them.

Given the recent NSA revelations, I suppose this will sound like more US-bashing, but I don’t see it that way.  It’s another example of the importance of *real* risk management, taking all factors into account.

Share

“Poor” decisions in management?

I started reading this article just for the social significance.  You’ve probably seen reports of it: it’s been much in the media.

However, I wasn’t very far in before I came across a statement that seems to have a direct implication to all business management, and, in particular, the CISSP:

“The authors gathered evidence … and found that just contemplating a projected financial decision impacted performance on … reasoning tests.”

As soon as I read that, I flashed on the huge stress we place on cost/benefit analysis in the CISSP exam.  And, of course, that extends to all business decisions: everything is based on “the bottom line.”  Which would seem to imply that hugely important corporate and public policy decisions are made on the worst possible basis and in the worst possible situation.

(That *would* explain a lot about modern business, policy, and economics.  And maybe the recent insanity in the US Congress.)

Other results seem to temper that statement, and, unfortunately, seem to support wage inequality and the practice of paying obscene wages to CEOs and directors: “… low-income people asked to ponder an expensive car repair did worse on cognitive-function tests than low-income people asked to consider cheaper repairs or than higher-income people faced with either scenario.”

But it does make you think …

Share

Google’s “Shared Endorsements”

A lot of people are concerned about Google’s new “Shared Endorsements” scheme.

However, one should give credit where credit is due.  This is not one of Facebook’s functions, where, regardless of what you’ve set or unset in the past, every time they add a new feature it defaults to “wide open.”  If you have been careful with your Google account in the past, you will probably find yourself still protected.  I’m pretty paranoid, but when I checked the Shared Endorsements setting page on my accounts, and the “Based upon my activity, Google may show my name and profile photo in shared endorsements that appear in ads” box is unchecked on all of them.  I can only assume that it is because I’ve been circumspect in my settings in the past.

Share

“Identity Theft” of time

I really should know better.

Last night, hoping that, in two hours, Hollywood might provide *some* information on an important topic, even if limited, I watched “Identity Thief,” a movie put out by Universal in 2013, starring Jason Bateman and Melissa McCarthy.

It is important to point out to people that, if someone phones you up and offers you a free service to protect you from identity theft, it is probably not a good idea to give them your name, date of birth, social security/insurance number, credit card and bank account numbers, and basically everything else about you.  This tip is provided in the first thirty seconds of the film.  After that (except for the point that the help law enforcement might be able to give you is limited) it’s all downhill.  The plot is ridiculous (even for a comedy), the characters somewhat uneven, the situations crude, the relationship unlikely, the language profane, and the legalities extremely questionable.

(The best line in the entire movie is: Sandy – “Do you know what a sociopath is?” Diane – “Do they like ribs?”  I know this may not seem funny, but trust me: it gives you a very good idea of how humorous this movie really is.)

Share