According to the post:

The service performs a set of analyses on new applications, applications already in Android Market, and developer accounts. Here’s how it works: once an application is uploaded, the service immediately starts analyzing it for known malware, spyware and trojans. It also looks for behaviors that indicate an application might be misbehaving, and compares it against previously analyzed apps to detect possible red flags. We actually run every application on Google’s cloud infrastructure and simulate how it will run on an Android device to look for hidden, malicious behavior. We also analyze new developer accounts to help prevent malicious and repeat-offending developers from coming back.

While the malware bouncer system may be a step in the right direction, there is a more dangerous aspect of apps in the Android market that needs to be fixed and that is the permissions that applications demand before they can be installed. A quick look at the permissions required by some applications on the market immediately shows that security in the Android space will continue to be an issue.

For example, why would a text editor require access to phone records and GPS location information? One can understand needing network (Internet) access to push some ads, but access to phone records and logs? The same goes for any category from  games to business use applications.

It is this permission free-for-all that got Symantec into some controversy recently when the company announced the discovery of apps in the Android Market that it deemed malicious. The apps, according to Symantec, were able to change the default home page in the web browsers of the “infected” devices, add bookmarks, and place shortcuts – actions one could easily associate with browser hijackers, and it is doubtful that users who installed these apps were expecting the applications to perform those actions without “explicit” consent.

And there lies the problem because technically, the user may have “explicitly” given permission when he or she clicked on “OK” or “Install. This issue arises because as in anything that requires clicking through, most users blindly click through messages boxes  without bothering to read through what they are consenting to. A quick browse of apps on the the android market will show several applications that request unnecessary permissions before they are installed.

For example, here is the permission requirement of an app called password notes, which is supposedly meant to “protect your notes with password”:

Permissions
This application has access to the following:

Your location
coarse (network-based) location
Access coarse location sources such as the cellular network database to determine an approximate device location, where available. Malicious applications can use this to determine approximately where you are.
fine (GPS) location
Access fine location sources such as the Global Positioning System on the device, where available. Malicious applications can use this to determine where you are, and may consume additional battery power.
Network communication
full Internet access
Allows an application to create network sockets.
Phone calls
read phone state and identity
Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like.

Really? Access to GPS and phone records etc. for a note app?

Granted, Google does give this warning about permissions:

Permissions: Android provides a permission system to help you understand the capabilities of the apps you install, and manage your own preferences. That way, if you see a game unnecessarily requests permission to send SMS, for example, you don’t need to install it.

But the company needs to remove the onus from users and demand to know from the developers why “a game unnecessarily requests permission to send SMS”. After all, it is the Android name and the integrity of Google that is at stake here.

Some of the names in the list of bogus certificates generated by the attackers include Comodo, Google, Thawte, Microsoft, Mozilla, WindoswUpdate, WordPress’ MI6, the CIA, Facebook and Twitter.

For three whole months ( June to August), the attacker camped out on DigiNotar’s servers and did his/her work and cleaned up.  S/He was even kind enough to leave a message in a script file that was used to generate the rogue certificates.

The question now is, how much trust should we place on these providers of digital certificates? A few months ago (March 2011), a subsidiary of Comodo was hacked apparently by the same person. Here’s why I am concerned, and I’ll quote from page 9 of the report:

• The successful hack implies that the current network setup and/or procedures at DigiNotar are not sufficiently secure to prevent this kind of attack.
• The most critical servers contain malicious software that can normally be detected by anti-virus software
• The separation of critical components was not functioning or was not in place
• The CA (Certificate Authority) servers were accessible over the network from the management LAN
• All CA servers were members of the same Windows domain (and they all apparently used the same user/password combination)
• The password was not very strong and could easily be brute-forced
• The software installed on the public web servers was outdated and not patched
• No antivirus protection was present on the investigated servers
• No secure central network logging was in place

The breach has led to the revocation of a lot of digital certificates – over 500 so far and the breach prompted Mozilla to take measures so “that all DigiNotar certificates will be untrusted by Mozilla products,” which includes the Firefox browser. Google’s Chrome browser also placed DigiNotar certificates on a permanent block list.

It is inexplicable that after the attention that the Comodo breach garnered and the recent spate of hacks against RSA, Barracuda, Citigroup and a host of other high profile targets, that the management at DigiNotar did not deem it wise to do due diligence and execute some element of due care.

This is even more depressing because from this F-Secure blog, the company has been hacked before, back in May of 2009.

Look at the bullet points above again and tell me if those are not things that could have been fixed. And beyond that, what role has their auditor play in this mess? It will be ridiculous to assume that they were not paying an external party to audit their environment. Why did an auditing firm not raise a red flag over these lapses? Is this another case of check box auditing that has come to bite DigiNotar in the ass?

The larger concern is how can we continue to trust DigiNotar and other certificate authorities to help ensure that there is no eavesdropping on secure communications between users and the sites they visit? After all, anyone armed with a rogue certificate for a web firm or service can impersonate that organization and get at communications that would otherwise be impossible to read because they are encrypted.

Update:

As Russ Bellew posted, DigiNotar filed for bankruptcy and their fate should be a wake-up call to other Certificate Authorities and indeed all companies with an internet presence. After all, the DigiNotar hacker did say that four other major CA’s were on the chopping block.

A lot of the accolades are warranted, but my focus in this write-up is on the area of user data privacy and how the Chrome browser seems to have built-in tools that are a reg-flag for privacy violations in spite of Google’s Privacy Policy.

Our position is that the Chrome browser is “chatty”,  and acts as a keystroke logger in the area of search. In fact, the folks at Scroogle characterized Google Chrome as a browser that tends to “phone home a lot”.  And here’s why:

• It is common knowledge now that when a user conducts a search using a search engine, Google stores three main types of information in a log file: the user’s IP address (a unique network address given by an Internet service provider), the words the user searched for, and a cookie identifier (unique value given to every Web-browser that visits a web page). See here for more details.

• According to Google, the Omnibox (which combines search with the address bar) is supposed to automatically suggest websites as you type and you “can disable Omnibox suggestions by unchecking the box in the “Privacy” section of Goggle Chrome’s options. As it turns out, you can disable Omnibox suggestions, but the browser conveniently ignores your choice and uses auto-suggest anyway.

• The Chrome browser uses a client_id variable which is unique for every Chrome user, and which can be used to create exact user profiles of a user’s actions while using Google Chrome. According to Google’s Privacy Policy:
  “The client ID is used for the user metrics service. This is an opt-in service that lets users send usage statistics to Google so that we can learn how Google Chrome is being used for the sake of making improvements. It helps us answer questions like, “Are people using the back button?” and “How common is it that people click the back button repeatedly?” Users can always update their preference about sending usage statistics.”

• Apparently, there is no option to prevent Chrome from recording History and downloads, options which  are available in Firefox, Opera and Internet Explorer 9. I found it really annoying that Google deliberately removed the option to disable history, especially since it was tied to the search engine a user may be using at any point.
  For example, here’s how Firefox does it:
  

Auto-complete and “predictive” search may have their uses, but the fact that a user’s keystrokes are sent to a search engine in real-time and are tied to the user’s IP address does not look like protecting privacy. This is doubly worrisome since we learned a long time ago that Google was uploading the history data in Chrome offsite – to its data centers.

• Google Update does more than update your Chrome browser to the latest version. It “periodically sends information to Google about how you obtained the browser, how often you use the Chrome browser, and specifically, “whether you used Google Chrome in the last day, the number of days since the last time you used it, and the total number of days that Google Chrome has been installed”

Here’s how to lock down Google’s Chrome browser:

There are some tools available that you can install to help you remove the client_id that Google tags you with in order to track your usage of the browser. See Unchrome,  Chrome Privacy Protector  and Chrome Privacy Guard. Ultimately, I prefer not having to deal with yet another software for a feature Google should have made available or not included in the first place. So we will fix this at the source.

• First thing is to resolve the privacy issue by making Chrome open up in private browsing or incognito mode permanently. To do this, right-click on a Chrome shortcut, select properties. The “Shortcut” tab will open up. On the “Target” address, add –incognito at the end so it will look like this:
  \google\Chrome\Application\chrome.exe — incognito

To address the history palava, make the relevant files in the default folder read-only. These files are “Archived History”, “History” and “Visited Links” and can be found in the “Users\<profile>\AppData\Local\Google\Chrome\User Data\Default” folder in Windows Vista and 7.  XP users can find the folder here: …\Local Settings\Application Data\Google\Chrome\User Data

1. Create a blank home page by going to options and setting the home page to about:blank
2. Close the Chrome browser and navigate to “Users\<profile>\AppData\Local\Google\Chrome\User Data\Default”. Delete the files called “Archived History”, “History” and “Visited Links”. Do not close the folder.
3. Open Chrome, but do not visit any site. This will allow the browser to recreate the files you just deleted. The big difference now is that those files are empty and you want to keep them that way by doing the next step.
4. Locate the new archived history, history and visited links files and make them read-only by right-clicking, selecting properties and checking the “Read-only” box.
5. Open Chrome and enjoy

The next hurdle is the search engine spying that is built into the Chrome browser. While this knowledge is not new, it is still disturbing that the browser tracks every keystroke you type while using the location bar. A quick check with Wireshark will educate you on this.

The ability of browsers to tie your search to your IP address is troubling. To prevent this, create your own “search engine” by doing this:

• On the “Basics” section of the Options page, select “Manage search engines”.
  In the “Other search engines” section, click on the “Add a new search engine” box and type in a name. Call it anything you want, like “Private”.
  Enter a keyword in the Keyword box and http://%s in the URL box. This prevents Chrome from piping every URL you type in the location bar to a search engine. Unfortunately, this also messes up searching.
  If you must set up a default search engine, I recommend Scroogle at www.scroogle.org and you can use this on the URL box – https://ssl.scroogle.org/cgi-bin/nbbwssl.cgi?Gw=%s

A little paranoid? I don’t think so. It’s all about choices. There are things we must do online and it is inevitable that some of our private information will be exchanged. But users need to know that they have the option of turning something off, if they do not need it. If a “malicious” software installed a keylogger on a user’s computer, we would cry blue murder. How is the keystroke tracking behavior by search engines different?

Next we need to disable the automatic opening of files.

You cannot control the setting to automatically open certain downloaded files in the browser – a practice you should stay away from as much as possible. It is preferable to download and scan before opening a file. Drive-by downloads use this vector to drop stuff on your computer.
The option to manage this feature tends to be grayed-out on first use, unless you allow Chrome to open a file – see the complaints here. Thankfully, exe files are not allowed.

Again, in contrast, here’s how applications are managed in Firefox:

Notice the options to “Always ask”, “Save File” etc.

To fix this annoyance, open a blank tab and type in chrome://plugins/ or about:plugins to pull up the settings for the plug-ins installed with Chrome and turn off what you do not want.

For those not afraid of looking under the hood:
Close Chrome. Browse to: Users\<profile>\AppData\Local\Google\Chrome\User Data\Defaul (Windows Vista/7) or In Linux it is usually $HOME/.config/google-chrome/Default/Preferences.

Open the Preferences file in a text editor. Look for these lines:

“download”: {
“directory_upgrade”: true,
“extensions_to_open”: “flv”,   [ change this to ]    “extensions_to_open”: “”,
“prompt_for_download”: false
}

For those who are interested, here’s a link on customizing chrome.

Final thoughts are that Google’s Chrome browser may be a good fit for many users, but given the subtle and sometimes aggressive data gathering tools built into the browser, there is a lot to be worried about in the area of user data privacy. While data breach and hacking seem to be a daily occurrence these days, it won’t hurt a user to take some precautions in limiting the amount of information unwittingly sent to vendors just because you installed their software on your computer.

Here are some other things you could do:

Set the browser to automatically delete cookies every time you close it.

Whenever possible, use the private browsing feature built into most modern browsers.

Use specific browsers for specific purposes – general browsing, search, online banking etc. and customize each browser accordingly.

You can also get an alternative Chrome-like browser called Iron that is based on the free Source code “Chromium” – without the problems of privacy and security baggage of Google Chrome.

Linux tried it, it did not work, Google has taken its shot, Apple has been at it for decades with no luck. And it actually abandoned that fight. It is 2011 and the world still runs on Microsoft Windows with a dose of UNIX/Linux helpings. The problem here is that people seem too fixated on the result of user access rather than the origin of such access. Yes, we have the cloud, yes, almost everyone has an isomething, but at the end of the day, many of us will still plug our ithingy into our computers to sync or do whatever, and we will still access that “cloud” with a “PC”. And the last time I checked, the “PC” was still overwhelmingly running Windows.

Many users will still need their desktops/laptops/netbooks/servers to access that “hub” of their digital life that resides in the “cloud”. So we now have folks who gloat that “our data is the computer” as if that data is just floating on it’s own out on the ether. The bad news for these “cloud as an independent existence” folks is that the data centers where that hold our digital life still run an operating system, and most run, you guessed it, Windows.

What these Apple worshipers who perpetually pray for the demise of Windows seem to forget or fail to understand is that not everyone is happy or willing to shell out $500-$800 for a piece of plastic shell from a manufacturer too greedy to even include a miserable $5 charger with their product. For those people, the iCloud will not kill Windows. Does anyone really believe the drivel that “Jobs is going to sacrifice the Macintosh in order to kill Windows. He isn’t beating Windows, he’s making Windows inconsequential”?

How is Apple’s spin on a concept that has been around for quite a while suddenly mean the making of Windows inconsequential? We said the same about Linux, did we not? About how the emergence of Linux was surely going to be the end of Windows? Wasn’t the ChromeOS going to banish Windows to irrelevance? The iPhone was going to destroy the Windows desktop;  and the iPad? Oh, Windows was surely going to be wiped out.

The predictors of the demise of Windows and proponents of cloud everything seem to be making the assumption that the world has low-cost Internet access, which it does not; that everyone has or cares about an iSomething, which is totally not true; that we all have fiber-optic pipes into our offices, and that our mobile devices have speed-of-light broadband always – wishful thinking at best, at least for now in the “developed” world, and definitely not any time soon in the “developing” world.

Even here in the U.S., we still have areas that are untouched by broadband and/or are heavily reliant on VSAT. I do not know how much productivity you would get from a 256 Kbps modem.

When Apple claims that with the iCloud there is “No syncing required. No management required. In fact, no anything required. iCloud does it all for you”, are we really to believe that?

From my reading on the announcement, the iCloud is no different from offerings from Microsoft’s Mesh (now Skydrive), Dropbox or several other syncing tools out there which allows you to access and manipulate files anywhere from anything that has an internet access. When you make changes offline, the folders are synchronized the next time you are online. The Mesh from Microsoft did this a long time ago, although on a limited level.

Apple’s idea of the cloud is a variant of the push  or publish/subscribe technology. A clearing house if you will, where the iCloud acts as a hub or repository for everything Apple- apps, music, video, calendar and “wirelessly pushes them out to all your devices”. This is merely a revival of an Apple v Microsoft rivalry about the PC a “hub of our digital life”. Just that now, Apple has replaced the PC with the iCloud.

The hope is that we will all move our data to the cloud, but that is not going to happen any time soon. It is like banking where a lot of people feel comfortable banking online and some prefer going to the bank and yet others prefer keeping their cash under their mattresses. In some cases, the cost of using the cloud may far outweigh the benefits especially in a highly regulated industry.

With the constant threat of privacy invasion and data breach, what are the odds that users would warm up to the idea of their data constantly streaming 24/7? As more cloud storage snafus are exposed, what effect will that have on the willingness of users and businesses to “trust” the cloud?

What we have here are two viewpoints about how users will access their data: Apple believes we are moving to the device as the central point of access and Microsoft still works on the premise that the “PC” will be with us for a while. One tends to cater more to consumers (home users) and the other leans heavily toward the business user. One has a target market of hipsters, the other caters more to the masses.

Plus, the biggest gloss-over of all by the “Windows is Doomed” crowd is that there are folks out there that just plain do not like Apple and will never use their product.

I have my issues with Microsoft but we should commend the effort the company has made in recent years to get its act together. So all this talk about “killing Windows” is becoming annoying.

I don’t think Windows is going anywhere soon in Asia, Africa, Latin America and Europe. In addition, the “PC” is not going away anytime soon for the same reason many of us still pick up a book even though we have an eBook reader. There is so much you can do on a small screen, and you can have so much patience with pecking at a tiny keyboard, especially a virtual keyboard.

Shameless Plug:

If you own a small business in the Austin area and have less than 20 employees, see how you can get cloud services without upfront or out-of-pocket cost here.

Most of us will recall that on March 17 2011,  RSA Security admitted that cyber-attackers had breached its network and obtained “information relating to the SecurID technology.” SecurID generates security tokens by requiring users to enter a secret code number displayed on a keyfob, or in software, in addition to their password (a process commonly known as two-factor authentication in access control systems).

Since that RSA announcement, several Department of Defense contractors or their subsidiaries have disclosed that their networks were targets of cyber-attacks apparently using information stolen from RSA.

Big players in the military industrial complex like Northrop Grumman Corp, Lockheed Martin, L-3 Communications pretty much have the military technology secrets of the United States. They provide command-and-control, communications, intelligence, surveillance and reconnaissance (C3ISR) technology to the Pentagon and intelligence agencies.

Since the RSA breach, they have all reported intrusion attacks that involved the use of information stolen from remote-access security tokens which according to RSA executive chairman Art Coviello, “could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”

That broader attack seem to be under way because on of the seemingly random but targeted attacks against contractors with ties to the nation’s defense systems:

• On May 21, it was reported that Lockheed Martin shut down remote access to its internal network after a “significant and tenacious attack on its information network”.
• On May 26, Northrop Grumman shut down remote access to its network without warning, forcing the company to go through a domain name and password reset across the entire organization.
• On May 27, an attack on L-3 Communications Holdings using spoofed pass codes from a cloned RSA SecurID token was reported by Reuters.

There are speculations that the RSA breach may have occurred through a remote device or VPN client or with the help of an insider since an attacker would need at least one employee’s user name and pass code as well as have some idea of which services that employee had access to in order to break into a SecurID-protected network.

Anush Gosh, a former scientist with the Defense Advanced Research Projects Agency (DARPA) argues that the RSA attack was very sophisticated, and was probably executed by people who had plans for what to do with the keys.

Wired goes further to opine that “the attacks suggest the RSA intruders obtained crucial information — possibly the encryption seeds for SecurID tokens — that they’re using in targeted intelligence-gathering missions against sensitive U.S. targets”.

Even RSA characterized the breach as an “advanced persistent threat,” or APT – an unusually sophisticated attack in which intruders use social engineering coupled with undisclosed or so-called zero-day vulnerabilities to infiltrate a target network at a weak point, and then spread out carefully to steal source code and other intellectual property.

Now that those plans seem to be in full motion, the big question is, is it time for RSA to break its silence on the matter and tell the American public what actually happened. It may not be pretty, but at least we will know what is coming. After all, most IT security folks have a thing or two against security by obscurity.

Shameless Plug:

If you own a small business in the Austin area and have less than 20 employees, see how you can secure your network and data without upfront or out-of-pocket cost here.