Saturday, December 17, 2016

Profit Angle

I have read that Android's success is a direct result of Apple's iOS being a walled garden. Let's look at this statement now from two different angles. First, is the walled garden really bad? Second, is this the real reason that Google and Microsoft are actively developing their own hardware?

Is the walled garden really bad?

Apple curates the apps that are allowed into the App Store. This has demonstrably reduced malware compared with Android. Recently, a form of malware, called Gooligan, was found to be present in about 100 apps. It is present in about one million phones in the wild, and increasing at a staggering rate of about 13,000 smartphones per day. I would actually say curation is a plus. So, what is it that people prefer about the Android operating system?

Let's look at what makes Google's Android shine over Apple's iOS.

This article points to three main reasons: Android...
  1. can be rooted
  2. uses non-proprietary software formats
  3. interface can be customized
Rooting

Talk about dubious value. Being able to root Android means (in hacker parlance) the phone can be rootkit'd. In plain English, it means that apps can enter superuser mode and obtain administrative privileges on your smartphone. Once that happens, they can reconfigure your device, redirect its output, and install their own choice of apps. In other words, you are exposed to malware that can steal your passwords, the money in your bank accounts, access your email, snapchat photos, microphone, track your location, keep logs of your text messages, listen in on your phone calls, and essentially every bad thing you can imagine. Malware on Android is a critical problem right now.

Your average consumer should never, ever root their phone. It's only for hackers, spies, and criminals to take advantage of you. What this represents is Google not looking out for you.

Now let's look at how pleasant rooting is on Android. Why should you root your phone? This article spells it out perfectly (while detailing how complicated, dangerous, and potentially undesirable the rooting process can be). The main reason that people want to root their phones is to get rid of the bloatware that's typically installed by the manufacturer (Samsung, for instance). Welcome to the same problem we had in the last millennium with PCs: shovelware. This is how they differentiate their phones from each other in the Android ecosystem -- the same way vendors used to differentiate their PCs in the Wintel ecosystem. But, in comparison, it's a fact that Apple now allows you do delete the pre-installed apps you don't want on iOS 10, without rooting your phone.

Many users want to bypass the complexity of using Terminal to obtain superuser mode on the phone's Linux kernel to change various privileges. Hey: what consumer would want to do that? So they buy rooting software to do it. Can you trust that software? No. In July 2016, rooting software was reported to have installed malware on 10 million Android handsets.

And, by the way, each manufacturer's phone has a different rooting process due to the security bloatware they've installed. Joy.

Non-proprietary software formats

This means that, unlike iOS apps, which are available only through Apple's own App Store, Android apps are available from several sources. The Google Play Store is not the only place you can buy and install Android apps. There are many alternatives, including Amazon Appstore for Android, SlideME, 1Mobile Market, Samsung Galaxy Apps, Mobile9, Opera Mobile Store, etc.

Is this a good thing? It does open up multiple sources for Android apps that run on various smartphones.

But what are the downsides of multiple app stores?

The first problem is fragmentation. Each Android smartphone has a different hardware configuration, which turns out to make the app developer's life hell. Each smartphone has a different screen configuration, for instance. Before buying an app with a specialized purpose, like using the GPS, or a game app with high demands, it's important to decide if that app will run properly on your phone. This is precisely why smartphone manufacturers have been building their own app stores -- not all apps in the Android ecosystem run on every phone.

The second problem is trust. Can you trust the app you download to be free of malware? You would like to know that the App Store you are using is checking for malware. Fundamentally, if they do not have access to the app's code, app stores cannot protect you from malware. What happens is this: you download an app, as it runs, it loads and install malware from some server somewhere. This installs Gooligan.

Nowyou find new apps simply appearing on your phone. This happens because ratings are actually steered by app companies through the use of the Gooligan software. Gooligan installs itself, initially, for the purpose of buying apps it wants you to buy, forging your approval to buy them (and possibly spend money on them) and then rating them highly. These apps can be installed because Gooligan can obtain system privileges. Usually this happens because you enter the admin password for your machine. Perhaps it's to give the app privileges to install some fontware or customization feature. These new apps it installs potentially contain the real malware, because you do not have a choice nor can you control where they come from.

Customizable interface

Really? Can't you customize the interface of an iPhone? You can customize the wallpaper and the lock screen photo. If you want to go further, you can use customization apps like Pimp Your Screen, Call Screen Maker, iCandy Shelves & Skins, Pimp Your Keyboard, and so forth.

On Android, you should ask yourself how much you want customization. After all, it might come with malware.

Oh, cost!

One of the main reasons that people prefer Android is the cost of the phone. Which really has nothing to do with Android. Actually, cost is normalizing because deals with carriers are being made that pay for the phone up front, in exchange for locking you into the carrier for two years (usually). But this applies to all phones now. So, cost is not as much a reason as it used to be. But the plain fact is that, without a carrier deal, Apple's iPhones do cost more.

Why Google and Microsoft are developing their own hardware

Second, is that even the reason that Google and Microsoft are developing their own hardware? No, it isn't. The real reason is profit envy. The price of software has been dropping quickly since the App Store was created. This means it's harder for software-only companies to keep operating margins high. Think Microsoft, who has gone to subscription software to guarantee upgrade revenues, amidst unpopular OS upgrades, like Vista. The profitable niche, mobile devices, must look pretty good to them. Should they merely license OS to hardware manufacturers, like Windows? Will that work? No. Google gives Android away for free: upgrades don't cost anything. So nobody will buy Windows Phone if it costs money. Also, hardware and software both need to be upgraded.

The real reason is that, given that software is becoming essentially free, to make the profit you must make your own hardware. Also to make the hardware work best, you must develop custom software. In fact, the best features require both hardware and software to make them work.

This tight vertical integration is why Apple reaps well over 90% of the profits in the smartphone industry year after year. They sell their own hardware. That, and their profit margin is about 40%.

Value proposition

So, why are people willing to pay a premium price for iPhones?

As always, the price is paid based on the value perceived. The value of better user experience on iOS, easier installs, significantly better privacy and security, and great design is huge. It leads to unprecedented user satisfaction ratings and loyalty. People pay for this, and enjoy the rewards.

Apple devices, on the whole, are more up to date than Android devices. Here is a chart of Android OS versions as of September 13, 2016 and their share on smartphones. It clearly shows the latest version, Marshmallow, at 18.7% installs. And on iOS? As of November 27, 2016, 63% of iOS devices have upgraded to iOS10, 29% are running iOS 9, and 8% are running earlier versions. Get the latest stats on Apple's App Store page.

Clearly Apple's customer base upgrades significantly faster.

General comparison

Consider this article on iPhone vs. Android as a near-complete analysis of the subject.

Tuesday, November 8, 2016

Analysts: What Are These?

Analysts are not always a savvy breed. In fact, sometimes they are downright stupid. Their general types of stupidity can be broken down into classes. I'll just name a few.

The first class, show offs, often throw around terms like disruption, logistics, zero-inventory and so forth without actually knowing their implications. Showing off is a pointless pretense of prowess, unless it shows valuable insight. Usually this class misses the forest for the trees.

The complainers just have axes to grind about their specific issues. They consider their beefs to be of paramount importance while ignoring the majority of users. A specific kind of complainer is the port complainer. They have whined about their disappearing serial port, FireWire port, headphone jack, and old-style USB port. But, hey, things change. It's disruption in action. Old media becomes obsolete, like vinyl records, cassette tapes, and CDs: this is because media is now delivered online. Cords disappear and wireless connections dominate: this is because virtually all updates are now accomplished over-the-air (OTA).

Then there are trolls. They know that the generation of disinformation creates knee jerk reactions that budge stock price. Close your eyes and imagine for a minute that many of them are simply Russians from the St. Petersburg Troll Factory and you will be just about right!

The feature creatures are typically Windows people who just care about feature lists and spec bullet points. They count ports, processors, gigaHertz, and keys on the keyboard. They are the ones that think shovelware makes for good workflow. If they actually use the features that they write about then they would know better. It's the user experience that leads to user satisfaction and commands user loyalty.

I don't want to forget the price people. To them price is everything. Forget about surprise and delight, user experience, or even quality! I can't tell you how annoying these people are. Their inevitable assertion is that the cheapest product always wins, which as we know already is totally wrong. Even if you're selling refrigerators! It's the product that gives the best value that wins. If you get into a price war, you've already lost.

The market share obsessors are yet another class of flawed analysts. To them, it's only about units, no matter if these units are only used for limited purposes, left in a drawer, or even if they are catching fire. They totally avoid the issue of who is actually profiting and thus who will see the consistent growth. For instance, Apple has 12.1% of the smartphone market yet makes 104% of the profit. Yet Android has 87.5% market share. How can this be? The Android hardware makers' profit is largely negative. Yep - they are losing money.

The software profiteers subscribe to the 90s Microsoft model: just build the software and let other idiots kill each other making cheaper and cheaper hardware; there's no profit in hardware, right? Wrong! If there's no profit in hardware then who is going to make it? By the way, the hardware makers often want their own unique look, defeating the standardized software. Also consider that software prices are plummeting. With the introduction of the App Store, Apple has turned software into a $2 commodity. This has forced the software profiteer into the subscription model.

Finally I give you the walled garden haters. These are descended from the people who like to build their own computers and hack them. They want freedom from carriers, authoritarian systems, and so forth. They want to pwn their hardware. In their minds all software is free, regardless of the time and effort expended by software developers. This class doesn't fundamentally grok the concept of an ecosystem, along with why ecosystems are essential to the survival of modern hardware. The hubris of these haters is in ignoring that hacking, device security, and identity theft has become the defining crucial problem of our time. All this for one reason: walled gardens are inherently more secure. IT people have long ago figured this out.


It's disappointing to find that so many analysts are last-millennium-thinkers, and they have themselves become disrupted. They're still betting on Microsoft for God's sake! Don't let their investment firms get ahold of your portfolio!

Sunday, September 25, 2016

Security Researcher Hit

While we were being distracted by the Yahoo half-billion-user data breach, within the last few days, Krebs On Security, a blog which I often reference here was slammed with a distributed denial-of-service (DDoS) attack of gargantuan proportions, literally silencing the blog. This was after the venerable Brian Krebs published papers on the vDOS owners. vDOS is an attack-for-hire service hosted in Israel.

Hey, what a surprise, after Krebs, a well-known security blogger (and researcher) made the people behind the attack-for-hire service also well-known, he was himself targeted by the world's largest DDoS attack! These are rich teenagers - they earned more than $600,000 (well, in Bitcoin!) in two years. Apparently their service is in great demand.

How do we know this? Oh it figures - vDOS got hacked and their client base was fully extracted and published (this is known as being "doxed", a term which I sometimes use). And Krebs obtained the information in July. This, and the fact that the FBI took notice, is why those cyber-criminal-teenagers Itay Huri and Yarden Bidani (known as AppleJ4ck) were arrested in Israel.

It's possible that these teenagers, after being arrested in Israel, were simply drafted into the Israeli Defense Forces (IDF), because they are both 18 years old (my speculation). Now they can't use the internet for 30 days.

Wow! I was sure it was just going to be a slap on the hand for these two.

Seriously, I hope they can be extradited to the US for prosecution.

The curious thing is that the documents Krebs found indicated that vDOS was literally responsible for the majority of the DDoS attacks on the web, and that the number of packets and data sent might indeed have been Internet-crippling. Apparently DDoS attackers are now taking over personal home routers and using them to accomplish their attacks, which can result on a MUCH larger number of packets being sent because literally anybody can be sending them.

When a security blog gets hit and you are temporarily in the dark about a current threat, you will need to refer to some other security blogs. Here is a decent list.

If you get hacked, you can find out if your data was included in a recent massive breach at haveibeenpwned.com.

If you have more serious concerns, there is a company, terbiumlabs.com, that can persistently search the dark web for your personal info. The info you enter is encrypted on the client side (open your computer) so even they don't know what you are searching for. This is particularly useful for corporate customers, when they're breached, and also for companies monitoring their information security (infoSec).

Monday, August 15, 2016

Data Compromise: The Next Chapter

Updated: The Equation Group hack has been verified.

It seems the Oracle MICROS malware insertion hack went a bit deeper and had a suspicious purpose. Several hotels in the US, run by HEI hotels and resorts, that run the MICROS points-of-sale and hospitality software, have been breached. This means the credit card info for lots of people has been compromised. The list of dates affected by the breach indicate that the MICROS hack went in as early as March, 2015!

It is curious that the Westin City Center in Washington D.C. was included in the list, and was compromised for more than 9 months following September, 2015. This amounts to total operational awareness for whoever is running the breach. Let's admit it: if you wanted to know what is happening in US politics, what better way than to own than the comings and goings in Washington D.C.? I suspect FSB, the entity that has replaced the infamous Russian KGB.

I doubt we have seen a complete list of breaches with MICROS. If you are an IT person, visit Krebs on Security for a good list of IOCs (indicators of compromise). If you use MICROS, then change your passwords immediately.

Recently we saw the DCCC hack and the dox'ing of a huge amount of congress, on Guccifer 2.0's site.

This, once again, speaks of a state actor attempting to disrupt American politics.

But there are still a few hacks that can't be assigned easily to state actors. The recent data breach of Sage software, based in the UK, used for accounts and payroll processing, indicates that hackers are still largely following the money.

My sense is that data compromise is perpetrated on an agenda rather than simply because "people have the right to know", the tired axiom used by the media to depict crusading whistleblowers.

More often than not we are seeing criminals looking for ways to pry money out of rich people. Or directly from banking systems. But that might simply be a cover for state actors, who are building a database much deeper than Google's. And for much darker purposes.

And Now For Something Completely Disastrous

In today's news is another story that strongly correlates to the awful scenario in which the NSA's reputed-to-exist Equation Group has been hacked. This group is responsible for Stuxnet, Duqu, Gauss, and other famous modular virus architectures used to hack, among other victims, the Iranian uranium centrifuges.

This story is developing as I write, but an analysis of the example data provided by the hackers, the Shadow Brokers, by Matt Suiche appears to confirm the hack. Just read that source to see how desperate the situation is.

Here is an example of a state actor being hacked. My fears for the Gauss modular virus architecture used to be that it would get reverse engineered and modified by less scrupulous hackers. Now my fears are that essentially every hacker will possess this toolkit. Some eastern European hacking consortium will productize it, make it easy to use, and disseminate it for bitcoins. It's a virtual Pandora's Box.

Update: The Equation Group hack appears to heavily utilize RC5 and RC6 encryption. Comparison of the code by Kaspersky's GReAT team shows it matches the Equation Group's signature. It's all wrapped up in the magical P and Q constants used by Rivest's RC5/6.

Tuesday, August 9, 2016

Big Time Infosec Issue!

Updated: five more point-of-sale systems breached. More info on how long the breach existed. And yet more info on where the compromises might have hit you. More identity information for Carbanak.

Did you ever get a message in a email that says: "We're letting you know your card may have been part of a compromise at an undisclosed merchant."? And not to worry because "We're Issuing You a New Card To Help Keep Your Information Safe". In title case, no less (thanks, daring fireball, for that link).

Apparently the time has come when data compromise becomes huge. Anybody who watches Mr. Robot probably knows that credit card hacking is a serious issue, and can get much more serious. We keep closing insecure points as they are discovered, of course. But, it seems, there are still plenty of ways to get into our credit card data stream.

One such way is through the Oracle MICROS system that handles point-of-sale transactions with credit cards (specifically at restaurants, delis, and hospitality points of sale). Apparently it is possible to rootkit these transaction processors, take control of them, and capture your name, credit card number, and secret code as it goes by. And, of course, send that data to the identity thieves.

Update: five more systems are reported by Forbes to be hacked, possibly by the same Russian cybercrime gang. These are UK-based Cin7, ECRS, Bankcard Services' Navy Zebra, PAR Technology, and Uniwell.

What Happened?

According to Krebs on Security, malware was placed on some internal Oracle server at their retail division. They thought it was just a small number of systems until they upgraded their security software to a new version. And at that point, they realized more than 700 systems were compromised! From there, it spread into the MICROS point-of-sale processors that accept your credit card and verify little things like that little gold chip on it. That was supposed to make the credit card SO much more secure.

The bottom line for us, the customers, is that the breach was detected only on July 25, 2016. And here's the catch: they don't really know how long it's even been active. Could be months.

Update: Bad news! There is info from HEI hotels that the breach might have existed since March, 2015.

Who Did It?

This is a very sophisticated hack. This was no script kiddie.

Apparently the Carbanak cybergang is responsible. According to Kaspersky, they stole $1B by attacking bank system intranets in an advanced persistent threat (APT) campaign culminating last February. This gang is a big time threat, and we have stumbled onto one more page in their playbook.

It gets even more interesting. Carbanak is connected to a Mr. Tverinov, as reported by Krebs, and supported by the sleuthing of Ron Guilmette. Artim Tverinov is CEO of InfoKube, a Russian security firm, that builds the LioN anti-virus application. A Trojan horse?

It's not rocket science - Krebs, while communicating with the shadowy Mr. Tverinov through the Vkontakte Russian social-media site, literally eye-witnessed Tverinov's Vkontakte page get deleted! This was followed by a direct-email denial of any and all wrongdoing.

Supposedly Russia arrested 50 alleged members of the Carbanak cybercrime gang on June 1, 2016. Kaspersky Lab helped to identify the hackers charged, but Tverinov wasn't among them.

It also seems that Carbanak was using a C&C server that is tied to the FSB (the successor of the KGB). This according to Security Affairs.

Update: Carbanak is sometimes also known as Anunak.

Where Was I Most Likely Compromised?

This would have occurred at a chain restaurant, or perhaps a modern restaurant that is taking advantage of modern technology. And you would have used your credit card to pay. Unfortunately, this is not too unlikely a scenario, is it?

You might have seen a colorful point-of-sale display on a tablet or monitor (like this one) at a restaurant, hotel, deli, charcuterie, or even a burger chain.

Update: Forbes, in the same article as the above update, reports that your credit card might have been compromised at Donald Trump's Hotel group, Hyatt, Kimpton, or one of 1000 Wendy's restaurants. Also consult the list of hotels in the HEI list.

The Big Android Hack

Qualcomm GPUs and kernel modules are vulnerable to being rootkit'ed. This involves a huge number (900 million) Android devices. They are called the QuadRooter vulnerabilities, as explained by security researcher Adam Donenfeld in his blog post. This affects the Samsung Galaxy 7, the most popular Android device.

On another note, the Blackberry DTEK 50, "the most secure smartphone in the world" utilizes a Qualcomm 8992 Snapdragon 808 Hexa-Core, 64 bit with Adreno 418, 600MHz GPU. And so it is also vulnerable to four of the flaws.



Sunday, July 24, 2016

State Actors Up The Ante?

One of the fastest changing landscapes on the planet isn't even a tangible one. It's more of a concept: security. Before we go on, for dear readers confused by modern hacker security terms, check out Kaspersky.

I'm a proponent of good encryption. The reason is simple: everybody needs security. You need to keep your banking passwords secure. You don't want malicious actors (trolls) taking over your Facebook account and somehow ruining your life.

You especially don't want anyone to rootkit your computers! Once that's done, they can steal your identity, install malware for collecting passwords and account names, and so forth. Now go to the next level: your computer might then be used as part of a DDoS attack against Homeland Security. Your computer could wind up as the storage location for the malicious actors' illegal data ... without your knowledge. You become their fall guy.

Yes, there are plenty of good reasons for all of us to keep our passwords safe and distinct.

But encryption is not all black and white, is it? And that's the rub. Enter the relativistic observer, to tell you some of the latest. Things are changing too fast to blink, after all.

It's long been known that people outside the law use the Dark Web to organize, proliferate, distribute, and communicate. And the Dark Web is run using the Tor network. Tor, short for The Onion Router, is a volunteer network of servers running special protocols that relay your browsing history and other data through virtual tunnels.

To be fair, the Tor project has lofty goals. And gets used by "family & friends, businesses, activists, media, and military & Law Enforcement", according to their web site. The US Navy uses Tor for open source intelligence gathering, for instance. The EFF suggests using Tor for maintaining secure correspondence and keeping our civil liberties intact.

For people operating outside the law, the Tor network also maintains their OpSec. The Dark Net is called this because the communication within it has "gone dark". Surveillance doesn't work there.

The Tor network and the Dark Web must be a real pain to law enforcement. Given enough desperation, it might be something they would seek to infiltrate.

So what law enforcement would do is this: create their own honeypot counterfeit Tor server (or relay). But put in their own undetectable flavor of malware. Then they can watch the criminal's Dark Net traffic. And watch the crime happening. Collect the privileged conversations.

These really exist, as doctored Tor relays. There are over 100 malicious relays that have been detected. And who could they be? My guess is state actors like the US, China and Russia. If not them, then who? The criminals themselves? This is a game of spy vs. spy, updated for the 21st century. Could the FBI be doing this? Their arrest of child pornography criminals in January 2016 was supposedly accomplished by cracking Tor.

There is a question as to how invasive such investigations should be allowed to be. I'm not saying that the FBI shouldn't go after child pornographers; they totally should. I just think that *everybody* is too broad a target for law enforcement. Privacy is a basic human right.