STE WILLIAMS

The 10 Most Cyber-Exposed Cities In The US

At RSAC, Trend Micro researchers showcase municipalities with the highest percentage of discoverable devices and systems connected via the public Internet.

New research released today at the RSA Conference confirms the conventional wisdom that unprotected Internet-facing devices make things less safe for all of us. In this case, an investigation by the Trend Micro Forward-Looking Threat Research Team found tens of thousands of webcams, network-attached storage devices, routers, printers, phones and media players sitting on the public Internet, discoverable by anyone who cares to look.

The team looked at how these exposures are distributed across the biggest US cities, and at how they put both their owners and others online at risk: of data theft and exposure, of lateral movement to more valuable network assets, and of DDoS attacks carried out with the devices' forced participation.

The researchers will be diving into the specifics of their report, US Cities Exposed: A Shodan-Based Security Study on Exposed Assets in the US, later today at RSAC. The report details the study they did of a month’s worth of Shodan search results looking for discoverable Internet-connected devices and systems that can be accessed via the public Internet, and which are located within the 10 US cities with the largest populations, according to the most recent census data. 

The findings show that distributions of exposed cyber assets were disproportionate according to population size. The US’ second-most populous city, Los Angeles, topped the list of US cities with approximately 4 million exposed devices online. Meanwhile, the most populous city in the country by a landslide – New York – was a respectable seventh place when ranking these ten cities by overall exposed cyber assets. Even though New York has nearly four times the population of Houston, for example, it has 3.78 times fewer exposed cyber assets. 

In terms of the types of devices and services found, firewalls were the number one exposure located within the cities assessed. In these instances, the administrative interface of the firewall is exposed, making it possible for attackers to attempt brute-force attacks to gain entry into the interface and, once inside, change firewall rules to allow malicious traffic into the network. The next most frequently found devices were webcams, routers and wireless access points, printers and PBX phones.

Researchers noted that the exposures likely come as a result of one or more factors, including poor configuration, required connectivity to make Internet of Things (IoT) function correctly, and remote access enabled to make remote troubleshooting or remote operations possible.

Cities examined in the research had different concentrations in the types of devices exposed. For example, Houston and Chicago came in first and second, respectively, for total exposed webcams. San Jose led the pack in terms of exposed PBX phones, as well as exposed devices using SNMP, and exposed devices using Telnet. Phoenix came in first for exposed NAS devices.

Perhaps most troubling to the researchers conducting this study was the number of exposed databases across all cities.

“Databases are a huge gap in security for companies where, if an attacker gets into the database, then you’re basically looking at them consuming everything without too much effort,” says Numaan Huq, senior threat researcher for Trend Micro. In particular, he notes that there were a significant number of medical databases exposed on the Internet.

The study showed that Chicago led the list of cities with the most medical databases exposed. Another common exposure was MongoDB and other non-relational databases lacking any kind of authentication – a finding that attackers exploited before this study could be published, to the detriment of many organizations last month.

“We quickly saw that, since these are more or less unauthenticated databases, that the data could be stolen or even yet, it could be encrypted and held for ransom,” says Stephen Hilt, senior threat researcher for Trend Micro. “And, as we know, in the last few months, that’s actually been happening.”
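The study's method, a month of Shodan results filtered to ten cities and sorted into device classes, comes down to fingerprinting banner records and counting them per city. The following is an added example of that workflow, not code from the Trend Micro report. The field names follow Shodan's JSON banner export (ip_str, port, transport, data, location.city), but every record, banner string and population figure is constructed for illustration, the classification rules are simple port and keyword heuristics, and the "authentication required" marker is our own convention for a MongoDB that refused an unauthenticated listing. The per-capita ranking is there because, as the article notes, raw counts did not track population.

```python
"""Classify Shodan-style banner records into the exposure categories named in
the Trend Micro study, then rank cities by exposures per capita.

Added example, not code from the Trend Micro report. Field names follow
Shodan's JSON banner export, but every record, banner string and population
figure below is constructed for illustration."""

import re
from collections import Counter, defaultdict

# Constructed banner records using RFC 5737 documentation addresses.
SAMPLE_BANNERS = [
    {"ip_str": "203.0.113.10", "port": 8443, "transport": "tcp",
     "data": "HTTP/1.1 200 OK\r\n\r\n<title>Firewall Administration - Login</title>",
     "location": {"city": "Los Angeles"}},
    {"ip_str": "203.0.113.11", "port": 80, "transport": "tcp",
     "data": "HTTP/1.1 200 OK\r\nServer: IP Camera Web Service\r\n",
     "location": {"city": "Houston"}},
    {"ip_str": "203.0.113.12", "port": 23, "transport": "tcp",
     "data": "login: ",
     "location": {"city": "San Jose"}},
    {"ip_str": "203.0.113.13", "port": 161, "transport": "udp",
     "data": "SNMPv2-MIB::sysDescr.0 = STRING: router firmware 1.0",
     "location": {"city": "San Jose"}},
    {"ip_str": "203.0.113.14", "port": 5060, "transport": "udp",
     "data": "SIP/2.0 200 OK\r\nServer: Office PBX\r\n",
     "location": {"city": "San Jose"}},
    {"ip_str": "203.0.113.15", "port": 27017, "transport": "tcp",
     "data": "MongoDB Server Information\n  databases: patients, billing",
     "location": {"city": "Chicago"}},
    {"ip_str": "203.0.113.16", "port": 27017, "transport": "tcp",
     "data": "MongoDB Server Information\n  authentication required",
     "location": {"city": "Chicago"}},
    {"ip_str": "203.0.113.17", "port": 5000, "transport": "tcp",
     "data": "HTTP/1.1 200 OK\r\n\r\n<title>NAS Storage Manager</title>",
     "location": {"city": "Phoenix"}},
    {"ip_str": "203.0.113.18", "port": 9100, "transport": "tcp",
     "data": "@PJL INFO ID\r\n\"Laser Printer 400\"",
     "location": {"city": "New York"}},
]

# Illustrative populations (round numbers, not census data).
POPULATIONS = {
    "New York": 8_500_000, "Los Angeles": 4_000_000, "Chicago": 2_700_000,
    "Houston": 2_300_000, "Phoenix": 1_600_000, "San Jose": 1_000_000,
}

# Ordered heuristics; the first matching rule wins. "authentication required"
# is our constructed marker for a MongoDB that rejected an unauthenticated
# listDatabases, not a verbatim Shodan banner string.
RULES = [
    ("mongodb_noauth", lambda r: r["port"] == 27017
                               and "authentication required" not in r["data"]),
    ("mongodb_auth",   lambda r: r["port"] == 27017),
    ("telnet",         lambda r: r["port"] == 23),
    ("snmp",           lambda r: r["port"] == 161 and r["transport"] == "udp"),
    ("pbx",            lambda r: r["port"] == 5060 or "PBX" in r["data"]),
    ("firewall_admin", lambda r: re.search(r"firewall.*(admin|login)", r["data"], re.I)),
    ("webcam",         lambda r: re.search(r"ip ?cam|webcam", r["data"], re.I)),
    ("nas",            lambda r: re.search(r"\bNAS\b", r["data"])),
    ("printer",        lambda r: r["port"] == 9100 or "@PJL" in r["data"]),
]


def classify(record):
    """Return the exposure category for one banner record, or None."""
    for category, matches in RULES:
        if matches(record):
            return category
    return None


def aggregate(records):
    """Count exposures per city and category."""
    counts = defaultdict(Counter)
    for record in records:
        category = classify(record)
        if category:
            counts[record["location"]["city"]][category] += 1
    return counts


def rank_per_capita(counts, populations):
    """Rank cities by exposed assets per 100,000 residents, highest first."""
    ranking = []
    for city, per_category in counts.items():
        total = sum(per_category.values())
        ranking.append((city, total, 100_000 * total / populations[city]))
    return sorted(ranking, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    counts = aggregate(SAMPLE_BANNERS)
    for city, total, per_100k in rank_per_capita(counts, POPULATIONS):
        print(f"{city:12} {total:3} exposed  {per_100k:.3f} per 100k  {dict(counts[city])}")
```

On real Shodan exports the rules would need tightening (many devices answer on non-default ports, and banner text varies by firmware), but the shape of the analysis is the same: classify each banner once, count per city, then normalize so that a large city's raw total does not masquerade as a higher exposure rate.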


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: http://www.darkreading.com/vulnerabilities---threats/the-10-most-cyber-exposed-cities-in-the-us/d/d-id/1328149?_mc=RSS_DR_EDT

Microsoft Delays February Security Fixes

The company delayed its monthly Patch Tuesday update, which was supposed to replace detailed security bulletins with the “Security Updates Guide.”

Microsoft has delayed this month’s security updates, which were to be the first issued under its new Security Updates Guide, the replacement for the web-based security bulletins it has published since 1998, PCWorld reports. The delay may have been caused by the launch itself, or by the fact that the company now bundles all its patches together, so a problem with one holds up the release of all of them.

The new process was set to debut on February 14, this month’s Patch Tuesday, when Microsoft releases its monthly round of security updates.

“We discovered a last-minute issue that could impact some customers and was not resolved in time for our planned updates today,” Microsoft explained. “After considering all options, we made the decision to delay this month’s updates.”

Microsoft’s old update structure allowed each patch to be accessed separately. In August of last year, it switched to a cumulative update model, meaning it cannot release updates unless they’re all ready. If there’s a problem with one patch, none can be shared.

The company did not say when it would release its February security updates.

For more, check out PCWorld.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/microsoft-delays-february-security-fixes/d/d-id/1328160?_mc=RSS_DR_EDT

FBI’s N-DEx System Helps Unearth Credit Card Fraud Ring

An intelligence analyst used the N-DEx system to discover a 16-member gang defrauding liquor and cigarette stores across eight states.

An intelligence analyst (IA) with the New York State Intelligence Center has uncovered a major 16-member credit card fraud ring responsible for 32 incidents in eight US states. She was able to find the gang with the help of the FBI’s National Data Exchange (N-DEx) System, says a release on the agency’s website. 

In early 2015, the IA was responding to an “Attempt to Identify” alert from Virginia pertaining to an incident in which two people were found using cloned credit cards at a liquor store. The IA could identify one of them and searched the N-DEx System for information on the other. This led her to data that linked one incident to another until she eventually unearthed an extensive credit card fraud scheme originating from Far Rockaway, New York, and targeting liquor and cigarette stores.

The IA was able to put together detailed information in a 22-page dossier that benefited 21 law enforcement agencies all over the country.

“I developed this case [almost] exclusively with N-DEx, and without the system, this case would not have been nearly as successful,” she says.

Read more details here.


Article source: http://www.darkreading.com/fbis-n-dex-system-helps-unearth-credit-card-fraud-ring/d/d-id/1328161?_mc=RSS_DR_EDT

IoT Security: A Ways To Go, But Some Interim Steps For Safety

The Internet of Things remains vulnerable to botnets and malware, but Cisco’s Anthony Grieco offers some tips to keep networks and users more secure.

RSA CONFERENCE – San Francisco –  It’s pretty much impossible to tune out the attention paid to the Internet of Things here at the security industry’s largest gathering. While the IoT wins plenty of renown for its granularity, flexibility, and ability to generate lots of useful data, it’s also getting dinged for its porous security, if it has any security at all.

End-users and security vendors got a preview of the IoT’s vulnerability in October when Dyn Corp.’s network suffered a massive distributed denial-of-service (DDoS) attack, with the Mirai IoT botnet marshaling more than 100,000 infected devices to overwhelm Dyn servers with bogus traffic. And in a Mirai encore, researchers this week revealed the IoT botnet is tapping a new, Windows-based Trojan that helps find potential Mirai victims and amplifies the distribution of Mirai bots, according to a report from TrendLabs, the research arm of Trend Micro.

A conversation at RSA with Anthony Grieco, senior director and trust strategy officer at Cisco, helped shed some additional light on the state of IoT security, and what end-user organizations can do to protect themselves. Cisco, a vocal champion of IoT technologies and capabilities, also taps the IoT for internal applications and services, so Grieco spoke with Dark Reading as much as a user as a vendor of IoT products.

“We have IoT all over our enterprise and we think about how we defend against risks,” Grieco says, referring to printers, thermostats and even some building management apps that use IoT technology. “We think a lot about resilience, but IoT drives that conversation.”

Not surprisingly, Cisco views the enterprise network as the centerpiece (think backbone switches, routers, and workgroup gear); the network is the place for control, access, and administration that allows customers to enforce policies that govern IoT use and other services. “As the IoT grows, the network becomes the place that drives the policy, connectivity, and capability,” Grieco explains. “Something you’ll see is the network becoming more aware and able to protect the IoT devices.”

More immediately, as an IoT security measure, Grieco suggests implementing 802.1X, the port-based Network Access Control (PNAC) standard that authenticates devices trying to connect to a LAN or Wi-Fi network before they are given access. One practical caveat: 802.1X needs a supplicant on the device, and many IoT devices lack one, so deployments typically fall back to weaker methods such as MAC-based authentication for those endpoints.

He’s also a fan of virtual segmentation technologies that allow for secure compartmentalization of virtual and network elements to reduce overall vulnerability. Segmentation also helps turn up anomalies more efficiently. “A wireless video camera should not be ordering a book from Amazon, for example,” Grieco says with a grin.

There are tangible steps users can take to protect their IoT assets and infrastructure. Grieco encourages having defined policies for each segmented element that detail its access and communication rights as thoroughly as possible. He also suggests having a unique identifier for each individual IoT device, “a non-trivial challenge, depending on the deployment,” Grieco adds.
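Put together, the segmentation, per-segment policy and per-device identifier Grieco describes amount to a default-deny allowlist that can be checked against observed traffic. The following is an added example of such a check, not Cisco code and not a specific product's policy language. The segment ranges, policy format, device inventory and NetFlow-like records are all constructed for the example (RFC 1918 and RFC 5737 addresses), and the camera-to-web-shop flow is there to play the part of the video camera that "should not be ordering a book from Amazon".

```python
"""Per-segment egress policy check over constructed flow records.

Added example illustrating a segmentation policy; it is not Cisco code. The
segment ranges, policy format, device inventory and flow records are all
constructed, and the policy is a default-deny allowlist per segment."""

from collections import Counter
from ipaddress import ip_address, ip_network

# Segments: each IoT class gets its own network (constructed ranges).
SEGMENTS = {
    "cameras":     ip_network("10.10.20.0/24"),
    "printers":    ip_network("10.10.30.0/24"),
    "thermostats": ip_network("10.10.40.0/24"),
}

# Policy: the only (destination network, protocol, ports) each segment may
# initiate traffic to. Anything not listed is a violation.
POLICY = {
    "cameras":     [(ip_network("10.10.50.0/24"), "tcp", {554, 443})],  # video recorder only
    "printers":    [(ip_network("10.10.5.10/32"), "tcp", {443})],       # print/update server
    "thermostats": [(ip_network("10.10.60.5/32"), "tcp", {8883})],      # MQTT over TLS broker
}

# Inventory: a unique identifier per device (constructed asset tags) so a
# flow is tied to a known device rather than just to an address.
INVENTORY = {
    "10.10.20.11": "cam-lobby-01",
    "10.10.30.5":  "prn-floor2-03",
    "10.10.40.3":  "thermo-east-07",
}

# Constructed flow records (src, dst, proto, dport, bytes).
SAMPLE_FLOWS = [
    ("10.10.20.11", "10.10.50.2",    "tcp", 554,  180_000),  # camera -> recorder
    ("10.10.20.11", "198.51.100.20", "tcp", 443,  4_200),    # camera -> external web shop
    ("10.10.30.5",  "10.10.5.10",    "tcp", 443,  900),      # printer -> update server
    ("10.10.30.5",  "10.10.20.11",   "tcp", 23,   120),      # printer -> camera telnet
    ("10.10.40.3",  "10.10.60.5",    "tcp", 8883, 300),      # thermostat -> MQTT/TLS
    ("10.10.40.3",  "10.10.60.5",    "tcp", 1883, 300),      # thermostat -> plaintext MQTT
    ("192.168.9.9", "10.10.60.5",    "tcp", 8883, 300),      # address in no segment
]


def segment_of(src):
    """Name of the segment an address belongs to, or None."""
    addr = ip_address(src)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(flow):
    """Return (device_id, segment, verdict) for one flow.

    verdict is "allowed", "violation" or "unknown_segment"."""
    src, dst, proto, dport, _ = flow
    device = INVENTORY.get(src, "unregistered")
    segment = segment_of(src)
    if segment is None:
        return device, None, "unknown_segment"
    dst_addr = ip_address(dst)
    for net, allowed_proto, ports in POLICY[segment]:
        if dst_addr in net and proto == allowed_proto and dport in ports:
            return device, segment, "allowed"
    return device, segment, "violation"


def summarize(flows):
    """Count verdicts per segment; violations are the anomalies to alert on."""
    summary = Counter()
    for flow in flows:
        _, segment, verdict = evaluate(flow)
        summary[(segment or "none", verdict)] += 1
    return summary


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        device, segment, verdict = evaluate(flow)
        print(f"{verdict:16} {device:16} {flow[0]} -> {flow[1]}:{flow[3]}/{flow[2]}")
    print(dict(summarize(SAMPLE_FLOWS)))
```

The same three verdicts are what a segmentation-aware network would produce on its own: allowed traffic passes, a violation is a flow to alert on or drop, and an address that belongs to no segment is exactly the device that never got the unique identifier Grieco calls for.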

Many customers either lack the infrastructure for IoT defense and protection, or haven’t made capital improvements in a while, and that’s to the detriment of their individual businesses: Grieco cites a Cisco survey showing 39% of customers had to suspend a major strategic initiative because of the state of their security. If customers aren’t ready from a cybersecurity perspective, it will impede them competitively, he says.

Those recommendations are a good start, given that IoT continues to have security gaps, but there are other areas that need to be considered too, says Merritt Maxim, senior analyst at Forrester. He likes the idea of going beyond identifying the device to identifying the user of the device.

Connected home and connected car environments have a single device but multiple potential users with potentially different levels of authorization, Maxim says. While not required in every device, many still support multiple user profiles. “This could go further and also improve the customer experience as well in a multi-user, single-device home environment,” he adds.

Another challenge with managing identity occurs when devices have multiple connected partners or tenants. “You have a hardware vendor, software vendors, and maybe even a services company that need to run some code on a specific device,” Maxim says, wondering how the industry can formulate an approach that allows regular, automated software updates in the same way. “Right now, it requires a lot of coordination and manual effort.”

If nothing else, the advent of the IoT is helping to push the security conversation across the entire enterprise and not just in the IT department, Cisco’s Grieco says. “It’s gratifying to see security’s emergence from a back-office function to security all across your business and something everyone has to be concerned with,” he says. “That’s the most exciting thing and I see evidence of it here and at other conferences.”


Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain’s New York Business, Red Herring, …

Article source: http://www.darkreading.com/iot/iot-security-a-ways-to-go-but-some-interim-steps-for-safety/d/d-id/1328156?_mc=RSS_DR_EDT

Google claims ‘massive’ Stagefright Android bug had ‘sod all effect’

RSA USA Despite shrill wailings by computer security experts over vulnerabilities in Android, Google claims very, very few people have ever suffered at the hands of its bugs.

Speaking at the RSA security conference in San Francisco on Tuesday, Adrian Ludwig, director of Android security, said the Stagefright hole – which prompted the Chocolate Factory to start emitting low-level security patches on a monthly basis – did put 95 per cent of Android devices at risk of attack. However, there have been no “confirmed” cases of infections via the bug, Ludwig claimed.

It was a similar story for the MasterKey vulnerability that was spotted in 2013, he said. In that case, 99 per cent of Android devices were vulnerable, but exploits abusing the security blunder peaked at less than eight infections per million users. And there were no exploits for the hole before details of the flaw were made public.

He also cited the 2014 FakeID flaw, disclosed at Black Hat that year. This affected 82 per cent of Android users but exploits peaked at one infection per million users after the details were released, and none before that.

Ludwig said he was sure of his figures, thanks to malware-detection routines, dubbed Verify Apps, in Google Play services, which is installed on more than 1.4 billion Android handhelds. So, basically, Ludwig’s claims and figures cover devices with Google Play services installed – Chinese and Amazon Android-based gadgets don’t include this software and thus aren’t part of the Googler’s numbers.

It also fitted a pattern he had noticed, that there isn’t really any complex malware out there in the wild infecting Android devices. Software nasties tend to be sleazy apps, installed by punters, that do unpleasant things in the background, rather than malicious code that silently infects devices via webpages, text messages, and so on.

“Most of the abuse we get isn’t interesting from a security perspective,” he said. “We see spamming ads for fake antivirus stuff but it’s really basic social engineering. Even if malware is installed it seldom involved privilege escalation, it primarily just downloads other apps.”

The same thing seems to be happening in Apple’s iOS world, too, he said. One reason could be that mobile operating systems are fairly well locked down, and present a restrictive environment to applications, benefiting from lessons learned from the PC industry.

Basically, mobile OSes are too much of a PITA to develop exploits for. They have hardened kernels, app marketplaces patrolled or vetted by full-time staff, and mechanisms such as ASLR and strict sandboxing that hackers struggle to defeat.

With more than a billion Android users out there, Ludwig’s happy that Android’s various security slip-ups seem to be getting headed off at the pass. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/15/google_stagefright_android_bug_zero_success/

Forget quantum and AI security hype, just write bug-free code, dammit

RSA USA Every year, the RSA Conference in San Francisco brings out the best and the brightest for its crypto panel, and the view from the floor was simple. Ignore the fads and hyped technology, and concentrate on the basics: good, clean, secure programming.

The panelists were unimpressed with recent moves to build artificially intelligent security systems – despite the success of programs like the DARPA Cyber Grand Challenge – saying it was too early to consider such systems reliable and warning that some may never be.

“I’m skeptical of AI on security,” said Ronald Rivest, MIT Institute professor and the ‘R’ in RSA. “Where we are seeing it becoming a wedge issue with the recent election is with AI bots in chat rooms. In 10 or 15 years you’ll be competing to find a real human in a sea of chat bots.”

His former colleague at RSA, Adi Shamir, currently the Borman professor of computer science at the Weizmann Institute, was similarly skeptical about AI systems in security. Attempting to train such a device could lead to interesting problems.

“Fifteen years from now we will give all data to AI systems, it will think, and [then] say that in order to save the internet I’ll have to kill it,” he semi-joked. “The internet is beyond salvaging; we need to start over with something better.”

Some AI systems might be useful for IT defense, Shamir said, given the ability for computers to handle large volumes of data and check for anomalies. But you need a human touch to find zero-day flaws and attack using them, he opined.

Shamir was equally dismissive of quantum computing systems and quantum cryptography, saying it was “not on my list of worries.” He was far more concerned about using large-scale conventional computing to break existing encryption algorithms.

Susan Landau, professor of cybersecurity policy at Worcester Polytechnic Institute, said she was worried about quantum systems. There hasn’t been enough research into building quantum-resistant algorithms and the industry was missing a trick, she insisted.

Meanwhile Whitfield Diffie, one of the inventors of public key encryption, said that the issues facing the industry weren’t going to be fixed by a magic AI or quantum bullet. Instead the industry needs to go back to fundamentals, he suggested.

“If the resources spent on interactive security, such as firewalls and antivirus and the like, were spent on improvements in the logical functioning of devices and a big improvement in quality of programming, we would get much better results,” Diffie said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/15/rsa_crypto_panel/

RSA 2017 – Day 1 – Roving Report [PODCAST]

If you didn’t get to go to San Francisco yourself to attend the RSA Conference 2017, don’t worry…

…our roving reporter and man-on-the-spot, Bill Brenner, has agreed to call home each day.

Bill will give us a feel for what’s happening in the conference, on the trade show floor and around the corridors of the giant-sized Moscone Center in downtown San Francisco.

In this first podcast from RSA 2017, Paul Ducklin talks to Bill about the vibe of this year’s event, where the trade show part opened with a splash on Monday evening:

If you enjoy the podcast, please share it with other people interested in security and privacy and give us a vote on iTunes and other podcasting directories.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5qT96I6xQhQ/

Bruce Schneier: The US government is coming for YOUR code, techies

OSLS The Open Source Leadership Summit began on Tuesday amid roads closed by a landslide: held in The Resort at Squaw Creek near Lake Tahoe, California, it was not easily accessible to attendees traveling Highway 80 from the San Francisco Bay Area.

During his opening keynote, Jim Zemlin, executive director of the Linux Foundation, made light of the mudslides that brought traffic to a crawl near Donner Pass on Monday evening. The trip at least was less arduous than it was last year, he said.

Zemlin’s remarks amounted to an open-source victory lap. Some 99.4 per cent of the world’s high performance computing systems, 90 per cent of the world’s stock exchanges, and 64 per cent of mobile devices run on Linux, he said, adding that the foundation’s projects have created $14.5 billion worth of value, as measured in cost per line of code.

The foundation’s mission, to create the largest shared technology resource in the world, is accomplished, more or less. Open source has won.

But the road ahead for open source, and for software development in general, looks much like it was for conference attendees: if not closed then littered with obstacles.

Security expert and doomsayer Bruce Schneier – speaking by video owing to RSA Conference commitments in San Francisco and perhaps prescience with regard to seasonal travel challenges – predicted that the government is coming to handcuff coders.

“We all had this special right to code the world as we saw fit,” said Schneier. “My guess is we’re going to lose that right, because it’s too dangerous to give to a bunch of techies.”

‘What we’re going to see is increased government involvement’

Schneier’s argument follows from accepting Marc Andreessen’s observation in 2011 that software is eating the world. “As everything turns into a computer, computer security becomes everything security,” said Schneier.

Schneier likened the internet to a giant robot, one capable of affecting not just the virtual world but the physical world, too. “As our internet affects the world, the threats become much more real,” he said.

Software flaws that may once have been capable of crashing applications have the potential to crash cars, planes, medical devices, appliances, and other connected infrastructure. As a result, Schneier contends, the restrictions and regulations that attempt to defend against real world risks will be placed on the tech world.

“What we’re going to see is increased government involvement,” Schneier said. “Because that’s what happens in the world of dangerous things.”

The physical threats arising from connected things will spur regulators to act, not to mention actual robots walking down the street, Schneier said. “Nothing motivates the US government like fear,” he added, pointing to 9/11 and creation of the Department of Homeland Security.

Schneier said at the RSA Conference he plans to call for the creation of a new US government agency to sort through the issues arising from putting software in everything. It’s not good enough to leave these decisions to the Federal Trade Commission, or those regulating cars or medicine, he said.

The choice is between smart and stupid government involvement, Schneier insisted, warning that it would be easy to imagine a liability regime that would kill open source software.

“We’re in the process of screwing a lot of this up,” said Schneier, who urged technologists to get involved in government and the legislative process in order to shape the debate. “We need to start making more ethical and political decisions about how technology should work.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/14/the_government_is_coming_for_your_code/

‘We need a new Geneva Convention to protect all citizens from snoops’

RSA USA In 1949, the world’s nations came together to sign the Geneva Conventions, according respect in times of war to civilians, soldiers incapable of fighting, and prisoners of war. Now we need to go back and do the same for civilians caught up in online conflict, according to Microsoft.

In a keynote at this year’s RSA USA Conference, Redmond’s president Brad Smith called on the technology industry to cooperate and form a “Digital Switzerland” for the world. That doesn’t mean fondue for all or caching Nazi gold, but rather that the tech industry needs to insist on being an impartial operator that shields its users from unwarranted state spying and attack.

Protecting people online is good for business, after all, we note. It’s not a great advert for your software and online services when the Feds can just siphon off your customers’ emails seemingly at will. Trust equals money, and Microsoft wants your trust and money.

“We will not aid attacking customers anywhere, regardless of whether governments ask us to do so,” Smith told the RSA audience in San Francisco today. “We need to make the case that the world needs to retain its trust in technology; we need to maintain the world’s trust.”

Smith suggested new Geneva conventions that require governments to not attack technology companies; to disclose to developers all security vulnerabilities so they can be fixed rather than hoarding them to use to attack; to defend the tech sector when dealing with hackers running amok; to sign up to the non-proliferation of weaponized exploits; and “exercising restraint” when using them.

The technology backbone of the world is privately owned and run, and the world’s governments need to commit to using it responsibly, he said. If they can’t, the technology community needs to stand up and ensure that no one runs wild online. Apropos of nothing, have you checked your Windows 10 privacy settings recently?


Smith’s rules for online life – but don’t hold your breath for them

The technology industry is an international one, Smith said, and Microsoft employs people from 157 nations. More than any other sector, the technology field is all about bringing in people from around the world to get the best solutions, rather than falling into petty nationalism.

Smith said that the recent US election should act as a warning sign of how bad things can get. The claimed Russian hacking of the Democrats’ computers, and subsequent email leaks, had an unprecedented effect on American democracy, Smith opined.

That’s not that unusual though, said Adi Shamir, Borman professor of computer science at the Weizmann Institute in Israel and co-inventor of the RSA algorithm. He said political meddling is an old-school practice, and the Russians are used to being screwed around with in this way.

In 1956, US and UK intelligence agencies recorded a speech given in private by the Soviet premier Nikita Khrushchev which decried the excesses of Stalin’s regime. They leaked the speech to “the WikiLeaks of its day,” The New York Times, he said, and the news led directly to the Hungarian uprising that year.

“While I’m shocked, shocked, by these attacks,” he joked, “they are not alone in history.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/14/microsoft_president_calls_for_new_geneva_convention_to_protect_citizens_online/

Apple: Don’t panic, but your Mac can be pwned via GarageBand .bands

Apple says a newly patched hole in its GarageBand music tool could allow for remote code execution on the Mac.

The GarageBand 10.1.6 update is being pushed out to all Macs running OS X Yosemite and later. Because GarageBand is installed by default on OS X systems, all Mac owners should install the patch, but those who regularly use the music composing software should pay particular attention.

The lone flaw addressed in the update, CVE-2017-2374, allows remote code execution when the user simply opens a malformed .band file. Apple uses the .band format for all GarageBand project files.

In practice, a crook would exploit the bug by convincing the user to open a specially crafted .band file that triggers it.

CVE-2017-2374 was one of two GarageBand flaws discovered by Cisco Talos researcher Tyler Bohan. Apple addressed the other vulnerability, CVE-2017-2372, with an earlier update.

“This particular vulnerability is the result of the way the application parses the proprietary file format used for GarageBand files, .band,” explains Talos.

“The format is broken into chunks with a specific length field for each. This length is controlled by the user and can be leveraged to expose an exploitable condition.”

Neither Apple nor Talos reported any attacks on the vulnerability in the wild.
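The Talos description, chunks with a per-chunk length field that the file controls, is the classic shape of a file-format parsing bug: the parser believes the length and reads or copies that many bytes regardless of how many remain. The following is an added example of that defect beside its fix, not Apple's or Cisco Talos's code. The real .band layout is not public, so the chunk layout used here (a 4-byte ASCII tag, a 4-byte big-endian unsigned length, then the payload) is a hypothetical stand-in for any length-prefixed chunked format; the MAX_CHUNKS limit and the sample files are likewise constructed.

```python
"""Length-prefixed chunk parsing: a trusting parser beside a validating one.

Added example, not Apple's or Cisco Talos's code. The chunk layout here
(4-byte ASCII tag, 4-byte big-endian unsigned length, payload) is a
hypothetical stand-in for any chunked format whose per-chunk length field is
attacker-controlled."""

import struct

HEADER = struct.Struct(">4sI")   # tag, length
MAX_CHUNKS = 1024                # hypothetical sanity limit on chunk count


def parse_chunks_trusting(data: bytes):
    """Uses the length field as-is. In a C parser this is where a length
    larger than what remains drives an out-of-bounds read or copy; Python
    slices merely truncate, so here the defect surfaces as a chunk whose
    declared length differs from the payload actually present."""
    chunks, off = [], 0
    while off + HEADER.size <= len(data):
        tag, length = HEADER.unpack_from(data, off)
        off += HEADER.size
        payload = data[off:off + length]      # no check against remaining bytes
        chunks.append((tag, length, payload))
        off += length
    return chunks


def parse_chunks_checked(data: bytes):
    """Rejects any chunk whose declared length exceeds the bytes remaining,
    any truncated header, and any file with an unreasonable chunk count."""
    chunks, off = [], 0
    while off < len(data):
        remaining = len(data) - off
        if remaining < HEADER.size:
            raise ValueError(f"truncated chunk header at offset {off}")
        tag, length = HEADER.unpack_from(data, off)
        off += HEADER.size
        remaining -= HEADER.size
        if length > remaining:
            raise ValueError(f"chunk {tag!r} declares {length} bytes, {remaining} remain")
        if len(chunks) >= MAX_CHUNKS:
            raise ValueError("too many chunks")
        chunks.append((tag, length, data[off:off + length]))
        off += length
    return chunks


def is_rejected(data: bytes) -> bool:
    """True if the checked parser refuses the input."""
    try:
        parse_chunks_checked(data)
    except ValueError:
        return True
    return False


def build_chunk(tag: bytes, payload: bytes, declared_length=None) -> bytes:
    """Serialize one chunk; declared_length lets a test lie about the length."""
    length = len(payload) if declared_length is None else declared_length
    return HEADER.pack(tag, length) + payload


# Constructed inputs: a well-formed file, and one whose second chunk claims
# far more bytes than exist.
GOOD_FILE = build_chunk(b"HEAD", b"\x01\x00") + build_chunk(b"TRAK", b"track data")
MALICIOUS_FILE = (build_chunk(b"HEAD", b"\x01\x00")
                  + build_chunk(b"TRAK", b"xx", declared_length=0xFFFFFFF0))


if __name__ == "__main__":
    print("trusting parser accepts:", parse_chunks_trusting(MALICIOUS_FILE))
    print("checked parser rejects malicious file:", is_rejected(MALICIOUS_FILE))
    print("checked parser on good file:", parse_chunks_checked(GOOD_FILE))
```

The validating parser checks the length against the bytes remaining after the header, not against the total file size, and checks it before any allocation or copy happens; in a C implementation the same comparison also has to be written so that `offset + length` cannot wrap around a 32-bit value.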

Apple users should already be looking to update their Macs today, thanks to this morning’s monthly patch release by Adobe for Flash Player on OS X. That update addresses a total of 13 security holes in the internet’s screen door, all of which can be exploited for remote code execution. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/14/macs_can_get_pwned_thru_garageband/