Posts by A random security guy

Linus Torvalds dismissed concerns about attacks on Git SHA-1 hashes

Come again?

Cache access problem without authentication?

Nowhere did I see any mention of cache access authentication. I think the problem is way deeper and they are just hoping that using unique ID's will make the problem go away. This is what GDPR and CCPA are slowly but surely addressing. I doubt that if the fix is simple else Google would not have disabled integrations; bugs (and even security bugs) occur frequently and are patched all the time. There must have been something more systemic.

Serious compliance problem

This all comes from the top; they play fast and loose with all personal data. Given their revenue and size, by now Payroll/Accounting and HR should have had multiple levels of security and audit, including alerts on data exports, inability to connect foreign drives, inability to even bulk download data to drives, etc.

I have seen much smaller (and definitely less techie) organizations do a better job controlling access. They must have violated a few California laws. There are also SOX/GLBA issues since these breaches materially impact the company.

Next year will be interesting as CCPA will kick in. FB is, obviously, wanting to gut the law. Happy that I turned down their job offer. Being a security professional is hard enough, being tainted by FB would have made my future bleak.

Surprised that this wasn't caught earlier.

Should be very simple to exploit.

President of the US clueless

First he is clueless about the tech

Next he shows how clueless he is to a foreign head of state

Furthermore the foreign head of state praises him and has him eating out of his hands

Then he gives Ukraine $400m in military aid to attack his competitor's son in exchange for the investigation. $400m of our money.

No one will go to prison

The SEC will settle this for a 1 time fee and 'continued monitoring'.

DLink agreed to make security enhancements with the FTC

https://www.ftc.gov/news-events/press-releases/2019/07/d-link-agrees-make-security-enhancements-settle-ftc-litigation

All our agreements, enforcements, and settlements are a joke.

The very fact that they were unreachable for security issues means that they have already flouted the FTC agreement:

Smart home products manufacturer D-Link Systems, Inc., has agreed to implement a comprehensive software security program in order to settle Federal Trade Commission allegations over misrepresentations that the company took reasonable steps to secure its wireless routers and Internet-connected cameras.

Fixing phones

My observations

Some fixes are easy, some aren’t. For example,

Battery replacement: Easy

Changing lightning connector assembly: very difficult

Finding new original parts: extremely difficult

I had to settle for a used/refurbished lightning assembly.

Glad Apple is being forced to supply these parts.

It makes sense for Apple to require an Apple certified technician as these repairs are hard.

I have repaired countless phones for me and my friends and have always had problems finding parts.

I wonder if I’ll be able to buy these parts. Next step: upgrade the flash.

At least 6 and at most 20 characters long

In this day and age of unstructured data, 20 characters seems like a stupid upper limit. All they have to do is google minimum password strength and out pops 8 characters. For 20 characters to be truly effective, they need to be chosen randomly. A highly unlikely scenario.

Maybe I could start a screening service?

Would it be legal to start a screening service that tells customers if their vehicles are being tracked or not?

Not very profitable.

First you have to find the issues. Then you have to write the proof-of-concept that shows how you can do remote code execution. Then you have to convince MSFT that it is a real bug. Moreover, if it requires chained exploits you have to give up the other exploits.

Thanks MSFT. Will look at your stuff maybe later. When I can convince my engineers to actually use Windows.

It is just password; wait for biometrics related credentials stuffing

When you have to chop off your fingers or get rid of eyes ...

https://www.vpnmentor.com/blog/report-biostar2-leak/

Storing fingerprints in clear-text?

Whoever thought of storing biometrics in clear was smoking something. You have to process them and store only the processed information, not the whole image. Theft of fingerprints mean that anyone can masquerade as you; they can murder someone and leave fingerprints that look like yours.

Physical security

There is a reason why all governments use special couriers to send specially secured documents. One time pads are still being used.

Secure code enforcement issues

Remember: if we don't fix these issues the government will step in. In this case I think this may not be a bad thing.

What I have seen while working with large organizations, especially SoC vendors:

1. Code is considered a money pit.

2. Getting the code out in time is more important than quality.

3. Huge sections of code are zealously guarded. Try getting access to BRC WiFi code for their WiFi chips.

4. A flawed view of Performance trumps integer overflow/underflow, null pointer checks, buffer size checks, return value checks. A good CPU can perform these checks with no measurable impact on performance but ...

5. Static code analysis is generally turned off, especially for kernel and driver level code because software engineers get too many warnings (go figure). In one cellular modem company they turned off Klockwork static code analysis as it was giving too many warnings. In another they would not use it as people were UPSET that their code was being flagged. So it was turned off.

What Google can do is easier said than done:

1. Require all drivers go to through third-party code inspection (Samsung and others may not trust Google).

2. Require all driver vendors to submit static code analysis and other code inspection summaries

3. Provide a timeline for delivering fixes to Google.

4. Go public with the issues if the code is not fixed according to schedule.

5. The cell-phone manufacturers deliver a plan to deliver the fixes on time

6. Stick to the plan.

Then do the same for other critical code.

Problems? Asking Samsung, Qualcomm, and others to do anything is difficult (as in the Japanese way of saying something is difficult). Samsung, after all is the biggest company in S. Korea.

This is strange an frightening.

Worked on critical infrastructure and fully redundant systems for years. The issue is that memory failure, cpu failures, io failures, storage failures, etc. are common.

These idiots didn’t have all this worked out and just slapped two systems to go into master/slave mode.

There will be more issues going forward. Doesn’t make me feel confident about their ability to design redundancy into their computing systems.

$9 engineers can’t do it.

Stalin would be so proud of him

What could go wrong. Cops show up and demand access. If you are honest you should have nothing to hide. </sarcasm>

All the source code open sourced?

Just wondering if ALL the source including the OS, drivers, communication protocols, etc. will be open sourced or just the voting application. This is not a trivial project. If MSFT decides to open source everything, good. Else democracy will be held hostage to a trillion dollar company.

D-Link should have been banned from doing business

A company that claims its routers are secure and does not take any of the generally accepted practices for ensuring security should be banned from doing business.

D-Link got off rather lightly. Maybe we have to depend on our estranged neighbors from across the pond to stuff GDPR down their throats. Our tools and our organizations are too weak.

Facebook’s New App Will Pay You To Give Up Some Of Your Privacy

They promise not to collect anything personal. But they want to do everything you do on the phone.

Target: India and the US currently.

Prior history: They had an app that slurped user information and were kicked out by Apple.

Have they asked the Indian government person to monitor its citizens? Would like to know what they think. Why didn't they start with the UK or Europe? They have more money. Or would GDPR cause them grief.

Cheap as far as bug fixing is concerned

$10K for finding and fixing a bug (or at least finding the root cause) is peanuts. The rule of thumb is around $80K.