Wednesday 28 September 2011

Quick Post - Samsung vs MS

Refer to this article

More or less, the article is just another article on this now stupid mobile patent war between Microsoft, Samsung (Google?), and Apple. It seems MS have settled an agreement with Samsung on its patents and Samsung will pay MS for every Android system it sells.

No one really knows how much MS will be handed per phone sold, but there's just 1 small point that annoyed the hell out of me.

Microsoft is on a winning streak with this strategy. Casio and numerous other companies that use Linux in their hardware have paid off rather than face a Microsoft lawsuit. While Microsoft has claimed for years that Linux violates over 200 of the company’s patents, Microsoft has also never said what these patents were.

First, Amanda McPherson, vice president of marketing and developer programs at The Linux Foundation, points out that you need to keep in mind that, “Patent licensing agreements are done every day in this industry. Unfortunately, this is business as usual. It’s not surprising that in these cases, in particular, one of the parties is choosing to publicize them.” In other words, it’s business as usual, but in the interest of anti-Linux FUD, Microsoft wants to frighten companies.

As a tech reporter and just cause I have an Android, I like to know things, I want to get the facts and not the bull MS seem to give everyone, stop dancing round the questions MS and just answer them for fuck sakes. Well anyway just quickly to my point.

MS are more than happy to sue companies using Linux for patent infringement but won't tell us what these patents are? It seems MS can't man up when people actually want information on the subject; way to go MS, another nail in your coffin - no wonder everyone hates you.

That is all.

Monday 26 September 2011

W8 Secure Boot System

I was reading this article on ZDNet this afternoon, followed by a quick read of this article.

Both articles concern the "Secure Boot" system of W8 blocking the use of Linux. I was talking to a colleague about this a few days back, he said MS are trying to protect their "customers" by not allowing unsigned code.

Fair enough I can see his point, but using a system like that, I just can't agree with it. You may want to keep me safe, but at the same time you're going to tell me the ability to use Linux is there - but the risk of malware also exists, so therefore I'm not allowed to have control over my own computer? Supposedly, your customers are "kept safe" under this system as long as they agree to play by your rules? Frankly MS, you piss me off.

Hey MS, who are you to decide this? I'll do what I want with *MY* computer thank you very much, you need to take a leaf out of Google's book. My Android gives me the option to run unsigned code - yes the warning is shown but they give me the option, the exact opposite of what you're doing.

Shame on you MS - this kind of thing I would expect from Sony. I can't help but think you're screwing with the wrong people MS, has no one learned what happened to Sony when they removed Linux from the PS3, or is it just me? Oh well, you lost me as a Windows user.

So, who's still going to Windows 8 now?

Friday 23 September 2011

ISPs To Cut Internet To Infected Machines?

An interesting article posted this evening over at Naked Security by Chester Wisniewski. A proposal to cut internet access to machines under a botnet's control.

I read through the article and it got me thinking about this, how would I feel if ISPs did cut internet access to people's infected machines?

Machines under a bot master's control are quite dangerous, don't get me wrong, but the idea of cutting their internet access straight away isn't something I agree with. As a person who works in the malware removal field across several online forums, internet access to infected machines is actually quite important.

1. Some of our tools need internet access, I won't name the tool I'm referring to, but it needs internet access to be able to install the Microsoft Windows Recovery Console, and Microsoft are all about making things easier for the end user right? Sure we can install the Recovery Console another way, but the way we do it through internet connection makes it so the process is automatic, much easier on the user and me helping them.

2. We also need internet access to submit malware samples to security researchers to make our tools better; cutting internet access to infected machines stops us doing that, or are these top government guys happy so long as they get their way?

So really, all you're doing in cutting internet access is making our jobs harder and frankly annoying me in the process, I see this as more ISP censorship, that they can do this without really giving the user a chance to sort the issue out.

However, I don't want to just say I'm all for one side of the coin without thinking about the positives. Right now, this is just an idea of the DHS and NIST, but this idea is far from bulletproof.

Yes cutting internet access to infected machines would solve some of the problems, stops the bot master using the user's infected machines for malicious purposes; stops the end user making things worse, but just suddenly deciding to call/email the end user and giving them the "oh hai your machine is infected, were cutting your internet access now and you don't have any say in it, kthxbi" isn't the right way to do this.

Really if ISPs want to go with this method, I personally think they should give the infected end user X amount of time to clean the machine up before cutting internet access. That way governments get what they want, and we get what we want, right?

Thursday 22 September 2011

Google+ - Think Twice

I read NakedSecurity's article on Google+ this morning, warning users about the dangers of privacy when joining Google+.

Hopefully I aren't just repeating their article, but I wanna post my own here.

1. When joining Google+, you can't join anonymously, you have to provide your real name and may be asked to provide evidence that you are who you say you are, in the form of a government document such as passport or birth certificate.

Sorry, but every day, security experts tell people to not give out personal information online, hell, even Google themselves usually give us options to be able to hide our identity, but all that goes out the window with G+ it seems.

But this rule it seems goes out the window as well if you're a celebrity or just any person in general that brings in good SEO. William James Adams of the Black Eyed Peas is now a member of G+ using the name "Will.i.am" as his first name, and "." as his second name.

Hey Google, I think you need to suspend that account - it breaks the rules right? Oh wait that probably won't happen, although you're more than welcome to prove me wrong Google. A warning to the public - Information entered on Google+ may be shared with Google and other 3rd party outside sources for Google's own SEO purposes.

To say Google hyped this to be a Facebook killer, right now I can't see that happening. Honestly Google, if you want to be able to challenge Facebook, you need to sort your shit out and fast, cause Google+ is set for failure. Sure Google+ might grow and be quite popular, it will only be popular to those who choose to give up their personal information to you, but I won't be one of them.

A last note from me. Hey Google - My G+ account uses my pseudo online name.... whatcha gonna do about it?

Monday 19 September 2011

Phones Without AV Software - Shocking

I got a tweet from another mobile phone security expert this morning, research by Carphone Warehouse about the number of people who DON'T use antivirus software on their smart phones. I knew some people don't, but the numbers are beyond shocking to say the least.

You can read the article here.

I read the article myself and I only really needed to read half of it to get the idea of the article.

More than half (54 percent) of mobile phone owners believe their data would be secure if their handset was lost or stolen, says the Carphone Warehouse.

However, research by the mobile phone retailer of more than 2,000 Brits, revealed that of these 86 percent don't have security software installed on their handset leaving them wide open to nosey thieves that may want to trawl through their personal data.

86% WITHOUT AV software? Excuse me but that is just pure stupid, it crosses the line quite frankly. There is already banking malware for Android smart phones like Zeus and SpyEye that steal your personal data and run up your bills, and 86% go without AV software? The threat towards mobile phones is growing every day and the level malware takes is getting worse. How much more malware do we need to see before people start to take notice and install some prevention software?

Frankly from my perspective, people just don't have the respect for smart phones that they demand. Many people are attracted to Android because of the fact it's open source - they can change what they want on it. While this is true and it's the #1 reason that attracted me to Android, open source has its bad sides and people just don't respect that.

Smart phones nowadays are no different from your laptop or desktop machine - they are a computer that sits in your hand and they should be treated as so, they need prevention from the internet's dark sides too. Just because it's a phone and it's open source doesn't mean you're safe.

Furthermore, 65 percent of mobile phone owners they don't have a password on their voicemail, despite the fact nearly a third (32 percent) claim they worry their handsets aren't that secure.

Honestly, it's not hard to set a god damn voice mail password on Android systems, I've done it myself for my phone. People wonder why we keep seeing things being leaked online - Look at the Rupert Murdoch stories, sure I don't agree that phone hacking should be done but look at how easy it is to do it, and things like this can be prevented by just taking 5mins to set a 4 digit PIN code - are people really that lazy, or just plain stupid?

Thursday 15 September 2011

Sony's new TOS - Hey Sony, You Suck

I posted a PDF document to my Twitter but I'll post here as well, Sony changed their TOS today to include even tighter and more restrictive rules on its customers.

PDF Document of new T.O.S

With this new TOS, as a customer, you have to agree that you lose your right to sue Sony no matter what, they've gone through this in quite some depth.

What is arbitration?

Arbitration is an alternative method of resolving disputes in which two parties present their individual sides of a complaint to an arbitrator or panel of arbitrators. The arbitrator, who is supposed to be neutral, then weighs the facts and arguments of both parties and decides the dispute. Arbitration may be voluntary or mandatory.

What is mandatory binding arbitration?

In mandatory binding arbitration, a company requires a consumer to agree to submit any dispute that may arise to binding arbitration prior to completing a transaction with the company. The consumer is required to waive their right to sue, to participate in a class action lawsuit, or to appeal.

Quote from PS3Hax:
Throughout most of the T.O.S, you will see loads of red text and red lines running through text, one thing that caught my eye was the striking out of key words like purchasing and owning, that were replaced with “licensing”, so what that basically means, that any product you “buy”, is no longer yours as you are only licensing it, or in other words renting it, until such times Sony removes that service/feature.

It's been said before that Sony try and claim anything you buy from them still belongs to them, but honestly, screw what Sony think, my PS3 is legally and rightfully mine, I paid for it.

Sony are an evil company. The facts are on the internet, look at their history. The DRM rootkit (malware) that their CDs installed on victims' machines that they were sued for. Took Linux away from us on PS3, when they advertised the PS3 for its Linux ability, hacked by LulzSec and other hackers, and rightfully so, I can't stand Sony and I refuse to side with them, even if they get hacked, I won't defend Sony at all.

This new TOS is complete bullshit, I haven't updated my PS3 since OFW 3.55 because I refuse to agree to their TOS/TOC and I hope more people jump ship away from Sony and the PS3, I hope people actually read the TOS before agreeing to it, it's just 1 big trap.

Wednesday 14 September 2011

Facebook Subscriptions

For a long time, I've been a lover of Twitter and never really liked Facebook, and today Facebook introduced another feature, subscriptions. To me, they are kind of pointless and I don't see the use in them.

Facebook say it is so I can see others' posts without being their friend and I can control what I see from them. But really, I aren't friends with anyone who I don't need to be friends with, let me be a bit more specific. I'm only friends with people that are close and matter to me, I don't want to see other crap from people that I don't really care about.

Sure I have 'liked' a few pages to get updates from them, but only a certain few make that list, security company feeds like Sophos.

Subscribers can see only the things you share publicly.

There's no point in people subscribing to me neither, I don't share ANYTHING publicly, my privacy settings are set to friends only and again, only people important in my life are on my friends list so unless I know you, you don't need to see what I've posted on Facebook.

It seems like Facebook keep pushing for social-ness and open-ness and surely there is always the security risk of it, it's so easy to stalk people via Facebook now, but I aren't one of these people who like to share everything I do, I keep myself to myself and I'm happy with the way I am.

Windows 8 - Part 1

So since yesterday, there is a lot of buzz online of Windows 8, people downloading the dev preview, and they aren't alone, I've downloaded it, just not got round to trying it yet, but I will soon.

Anyway, main point of this blog post. I was watching the live webcast yesterday, and I do like some of the features they have in Windows 8, one being protection against autorun malware, they tested a USB pen drive infected with a rootkit and the machine refused to boot with that active - good defence.

One thing that bothers me though, this built in antivirus they are hyping so much. I can't see it ending nicely, take note from what happened with Internet Explorer, MS were forced into making Browser Choice for the end users, and I know I aren't the only one sat thinking MS are gonna get sued into making "Antivirus Choice".

But anyway, that's not for me to worry about. What is to worry about, is if this is going to be good or bad. Built-in protection is good, but if everyone used Windows 8 and everyone used this new built-in antivirus, then everyone would be at risk. I never tried it, but I heard good things about MSE, good detections and isn't a resource hog on the system, but a built in antivirus is going to have to be an all-in-one detection and protection against the likes of TDL4 and these fake HDD rogues that keep spreading around. Also, there is a fine line between good detections and false positives - I work in the security community and no matter what version it is, I see AVG falsely detecting our malware removal tools, and I hope MS can keep good on their word.

Whatever their plan is for this built in antivirus, I hope it's light weight and doesn't drain the system's resources and has decent detection ratings. I just can't imagine McAfee & Norton/Symantec are too happy about this though - we'll see how it plays out, but I honestly expect some lawsuits flying MS's way.

Expect another blog post soon, I'll grab some malware from MDL later when I've got W8 installed and see what happens.

Sunday 11 September 2011

The Next Step In TDL Development

A few days ago, Norman reported on this newest piece of crap released by the TDL4 guys. So far they have pwned infecting Windows files, pwned infecting the MBR, now they are after the BIOS.

This new infection boots itself when the BIOS is loaded and uses several new nasty techniques. They still infect the MBR with TDL4, but this new infection checks that the MBR infection is not damaged by malware removal tools, and if it is, will re-write the malicious code into the MBR. Symantec did an awesome write up on it, here.

http://i26.lulzimg.com/8720bf.jpg

I knew these guys were serious when we started seeing these dangerous MBR modifications by the infection but targeting the BIOS takes it to a whole new level.

But, let's look on the good side. A few days ago, Brian Krebs wrote this awesome article on tracking one person who might be involved with the upkeep of the TDSS botnet, the person was traced back to somewhere in Russia (why does Russia not surprise me?).

A day after Brian posted his findings on his blog, his site and his provider suffered a DDOS attack, which took him and his site offline for a little while. Luckily his site wasn't down long and he got it back up and running fairly quickly, but it shows they are scared of being caught - to me the attack was in retaliation of his findings.

Shame DDOS attacks are useless nowadays - fair enough they knock the site offline for a while but no permanent damage was done to Brian's site.

Keep up the awesome work Brian!

Thursday 8 September 2011

The World of Android

Catching up with some evening reading online, and two somewhat older articles posted on ZDNet at the end of August caught my attention. Article 1 & Article 2

Give article 1 a read first. This mobile patent war is getting more stupid by the day, the amount of companies suing other companies all over mobile patents. Now with Steve Jobs stepping down as company CEO, will Apple ever be the same? In terms of how strong the name Apple is, without Steve, can they maintain that name?

To me, Apple are such an ego based company, suing Android makers for patent infringement, HTC, Motorola & Samsung, but now these companies are all counter suing Apple.

I'm sure you all saw the news recently of an Apple employee losing the iPhone 4 prototype in a bar, but let's look at it this way. There is a chance they did this on purpose - look at the attention they got from it, and as a prototype, it could have been nothing more than a "leak" to see what people thought of it before actually releasing it fully around the world.

Recent news also showing Apple hiring for a new job as Product Security Manager, someone to look after Apple's new hardware products without risk of losing them, but from here (to me), Apple are going downhill.

Now on article 2, carrying on with the theme of Apple and Android. Reasons why I chose Android over other phones/OS's. Reading article 2, I agree mostly with David Gewirtz, I hate Apple products, the iPhone layout was just so hard to grasp.

David, your second reason on the insecurity of Android. I can see your reasoning, but that is just one risk that comes with open source software - people reverse engineer it and look for holes to abuse and push malware through, and the malicious apps that subscribe the phone to premium rate numbers and reading text messages and listen to voice mails, but with Android slowly taking over the market share, again, it's just one side effect, the malware authors follow the largest crowd. There is good reason to go with the closed source more secure iPhone over Android, but my open source freedom is not something I want to give up. The malware problem nowadays, 99% of it is the end user - installing things that are too good to be true or don't read what apps they install are accessing - a lot of the problem would be avoided if they did.

Next, yeah Google's way of naming the Android version is a bit weird, how they jumped from 2.2 to 3.0 can be a little confusing when you're looking for one version specifically, but that's one that I suppose I like about Google, the unexpectedness of it, keep people guessing!

I suppose it is a downside of Google releasing newer Android OS's that can't run on whatever phone you purchase, but again, I'll run the risk. Making tweaks to the phone is just like any software I install, going through the options to finetune it to how I want to run it.

Other than what I've posted above, I agree completely with everything else.

Saturday 3 September 2011

Prey Project

I was sat watching this week's BBC Click episode, you can find it here, as many security companies are bringing out apps for smart phones not only to keep them safe from malware, but to find missing devices, well now we have that for our laptops and desktops.

I decided to give it a go, see what I make of it and it's really really simple to use, so I'm gonna do my own review of this, as the BBC Click review really looked rushed and wasn't given much time to go through it and show you people how it works, so I'll do it here.

Let me introduce you to the Prey Project. This program allows you to remotely track your laptop or desktop the first time they make an internet connection when stolen.

How does it work?

I've installed this on my laptop, it tracks it via the nearest WiFi AP or GPS to pinpoint where your stolen device is. Just like any remote access program, Prey also allows you to remotely lock the device with a password so it can't be used, and sound an alert if needed.

This is just the software side of things, there are a few more things I'll go through in this blog post as well, but here are 3 screenshots of my settings on the Prey website.

http://i26.lulzimg.com/9b642d.png
http://i26.lulzimg.com/6b6ccc.png
http://i26.lulzimg.com/61443c.png

When a device is stolen, you switch the "Missing?" option to 'Yes' so Prey knows to track it and there are your settings for locking the device with a password and setting an alert to let the thief know they are being tracked.

Now, Prey also monitors your machine's hardware and alerts you to any change, see screenshot I took below, but it's monitoring my motherboard, how much RAM I have, how many RAM sticks are in my machine, what my BIOS is including version number, and my processor, how fast it is and how many cores are in it.

http://i26.lulzimg.com/729331.png

Another thing I haven't said but I'll cover it anyway. You can have it monitor up to 3 devices all at one time. So far, I'm only monitoring one device, my desktop machine, so I'm gonna add my laptop into that when I get a chance to.

http://i26.lulzimg.com/edd018.png

I recommend giving them a try, upgrade to premium for just $5 a month and take advantage of all the premium features they offer, totally worth it. Here is another blog about a success case of using Prey software, check it out: Why You Don't Steal From A Hacker

Follow Greg, Prey and me on Twitter for loads more updates.

Friday 2 September 2011

Chromebooks AREN'T dead.

I was reading another article on ZDNet a few days back about the Chromebook being dead before it's even begun to reach big popularity.

I want to make a blog post about this, I don't think the Chromebook is dead by any means, I want to get a Chromebook some day. While I do agree with the last paragraph there about it being more economic to just have an Android tablet, it's cheaper and isn't any different to the Chromebook really aside from maybe a slight hardware difference.

Let me just quickly run through my thoughts on this. Things like my Android phone and the tablet are just devices I use and carry around with me while I'm on the move, devices that I can just quickly jump onto Facebook and Twitter and check out my daily news feeds for things, whereas the Chromebook like any laptop based device is something I can sit down with, plug in my USB mouse and compile blog posts and such.

Secondly, in terms of security and reliability, I've been a very happy Google product consumer for a while now and Google have made me proud with how quick they jump on vulnerabilities. It's a fair point to say if Chromebooks do become the more popular laptop device in the coming years, yes we will see malware for Chromebooks, we've already seen a test of that at Black Hat 2011, but compared to Microsoft, let's just say I trust Google way more.

Lastly, Chromebook is just something different that I want to try personally. Windows has ruled for many years and still will do but it has too many extra features for me, I don't use them all and as we have seen, Chromebook is just much lighter on resources as it's just a browser, that's all people really want to do nowadays.

It seems another member of ZDNet agrees with me, a new article concerning the article I linked to at the top appeared 3 days back.

Facebook Bounty Program

Just wanted to make a quick post about this. Read this article today that was on Threatpost a few days back about the Facebook bounty program and it looks like it's working.

Facebook have so far paid out $40,000 to white hat hackers who reported security vulnerabilities. I'm glad to see it working as well, for a long time Facebook has been the #1 way to spread malware and along with these crappy Facebook scams, I've posted about this issue before and it's about time something is done and I'm glad to see this looks like a good start to making Facebook safer.

Wireless Tethering

So today I watched the latest BBC Click episode on wireless tethering and also read the worded version of this story/article.

See the article here: http://www.bbc.co.uk/programmes/b006m9ry




Some say it's "stealing" from carriers as it costs extra and tethering wasn't supposed to be included in the data plan.

I'm an Android user personally, my phone comes with "Mobile AP" which is a mobile access point, that allows me to tether other devices over wifi to my phone and uses my phone's 3G network as the hotspot. I however don't use this and went with rooting to allow me to use Wireless Tether app from the Android store.

The two biggest networks in the US have clamped down on what they say is "illegal" tethering.
Instead of allowing users to install unofficial apps to workaround any barriers, operators are now re-directing them to a page indicating the cost of upgrading to a tethering plan.

AT&T says its aim is "fairness for all of our customers" by making all users pay the additional fee. But even analysts are divided as to whether it can legally justify charging more.

"The simple truth is that those who go the unofficial tethering route are stealing service from the carrier, with the exception of those lucky customers whose plans allow tethering as part of the basic service,"

Good thing I'm UK based on Vodafone network who have allowed it this year in the more updated smartphones, and I agree with Martin Hocking on this when he said it's our data and we should be able to use it as we want to - we should. But what gets me here is how tethering is illegal? If whoever wants to suggest that I'm stealing, then go ahead, I don't care, I'll admit I'm stealing then, screw what you think.

For those other carriers who think it's right to charge more for tethering, honestly you're wrong. We pay for data, it's ours to use as we see fit, I pay for my 500mb of data on my phone and it's no one else's business but my own what I use it for, tethering included.

Some carriers want to ban tethering by detecting large spikes in data usage. Sorry, but from my standpoint, doing this will only result in lawsuits. You as a carrier gave us 500mb/1gb of data and we'll do what we want with it, when we want to.