Slashdot Mirror


User: fluffy99

fluffy99's activity in the archive.

Stories: 0
Comments: 1,632

Comments · 1,632

  1. Re:If all else failes, try the obvious. on Ask Slashdot: Best Practices For Maintaining IT Policy In K-12 Public Education? · · Score: 1

    Also, making an image of a Windows installation with Ghost, Acronis or another program of your choice is not the "correct" way to image multiple machines.

    Actually it works pretty damn well if you know what you're doing. Some of the cloning software supports restoring to dissimilar hardware. The MS deployment toolkit doesn't work real well for installing a lot of software. In many cases, it really is simpler to build and customize one machine, do a sysprep, and then clone it out. If you're cloning, you should probably look at enterprise/volume licensing or have a KMS server just to avoid the licensing and activation headaches.

  2. Re:Torrents on FCC Chair Calls On ISPs To Adopt New Security Measures · · Score: 3, Insightful

    Even if so, it's not problematic.

    All this is (going by the summary - article's still loading) is notification. "Hey, we noticed your machine seems to be infected with a virus and is part of a spam-spewing botnet. Here's some links to antimalware that'll clear that right up". "Hey, we noticed a lot of traffic from spyware sending every keystroke back to totally-a-legit-site.cn, you might want to scan for that". "Hey, you seem to be torrenting massive files 24/7, here's some MAFIAA propaganda telling you to stop copying those floppies".

    The ISPs are really the only ones positioned to thwart attacks as well. For example, blocking an IP that appears to be port scanning or sending high rates of email. Or rate-limiting ICMP packets to reduce the effectiveness of DoS attacks. Or perhaps help in backtracking and notify their clients that seem to be participating in DoS attacks or spamming. The slippery slope of course is that if we expect the ISPs to start inspecting and throttling traffic for good reasons, it's not much of a leap to start snooping and throttling for reasons less advantageous to the customers. Not much of a leap from, "Hey that web site you're visiting is hosting a zero-day driveby attack" to "Hey you shouldn't be looking at neekid girls".

  3. Re:Adobe complaining about bloat? on A Rant Against Splash Screens · · Score: 1

    How is the average relevant at all? Just because most people have slow internet speeds doesn't mean faster are not available, it just means you have to pay more for it.

    Here, a local ISP (Zon) does offer 1Gbps for residential connections. Of course, since it costs 250 Euros ($320) per month and is only available in few parts of the country, very few people will actually contract it, so it won't move the average. But it certainly exists.

    It's very relevant since a vast majority of home users can't get anything faster than 1-meg DSL. Sure, satellite solutions are available, but they tend to be very expensive, high latency, capped, and usually not much better than DSL. Maybe it becomes irrelevant if all your data resides online and it doesn't need to come down to your computer. Certainly corporations like Google like the idea that they can peruse your data any time they want.

  4. Re:Adobe complaining about bloat? on A Rant Against Splash Screens · · Score: 1

    More specifically, doesn't every Adobe program have a splash screen and don't they take a loooong time to load?

    They don't take quite as long to load as they used to. Instead of cutting the bloat, they started installing a startup program that keeps portions of the Adobe product loaded at all times. Adobe products are freaking hogs. I got tired of updating our corp environment every few weeks and migrated to other cleaner, faster solutions. Still stuck with crappy and vulnerable Flash, but at least we've automated the update process.

  5. Re:A second vote for Russinovich's tools on Security Tool HijackThis Goes Open Source · · Score: 1

    I always used to say "These are so useful, MS should buy them and make them official." Well, they did. They are top notch for when you need to do some finer diagnosis on what is going on with a system.

    I also pull them out when I have some old software that refuses to run without being an admin. By monitoring file access, registry access, and so on I have always been able to find out what it needs to run deprivileged.

    They also got the author, Mark Russinovich, who knew the ins and outs of some of the MS internals better than Microsoft themselves.

    Yes, the Sysinternals stuff really kicks butt.

  6. Re:Registry on Security Tool HijackThis Goes Open Source · · Score: 1

    True, but why does mounting a USB hard drive read-only require modifying the registry?

    Because 99.9999% of the users never have any desire to mount anything other than read/write.

    I wrote a little app that toggles this registry setting back-n-forth. It's in the startup on all our machines containing sensitive data. By default all the USB stuff gets mounted read-only. If you want to write to it, you need to run the app prior to plugging it in to temporarily allow read-write mounting. (Yes, I realize it's not a foolproof solution, but it does add some protection against accidental data spillage and virus propagation via thumb drives.) The registry setting only comes into play at the time the device is mounted. Changing it after something is mounted only affects how future devices are mounted.

  7. Re:Ulterior motives? on Half of Fortune 500s, US Agencies Still Infected With DNSChanger Trojan · · Score: 1

    Half is both an exaggerated and self-serving number.

    The way they stated it is exaggerating, but the numbers are plausible. They said they found at least 1 infected computer in half of the Fortune 500 companies, plus one in 27 out of 55 govt agencies. That's a whole whopping 277 computers. Entirely possible. They probably just looked at the logs from the DNS servers.

  8. Re:Parking tickets on Sensor Networks In San Francisco Finds Parking Spots · · Score: 4, Informative

    Parking tickets...now delivered with greater efficiency than ever before.

    Actually, they've found the opposite to be true:

    Prior to the new meters, 55 percent of the revenue came from payments drivers used to buy time and 45 percent from fines. After the new meters went in, the amount from payments increased to 70 percent and the amount from fines plummeted to 30 percent.

    The reduction in fines is because "In addition, the new meters have less restrictive time limits, generally allowing drivers to park for four hours or more." So people can actually put enough money in the meters to cover the length of their visit now.

  9. Re:Assumptions on Why the Raspberry Pi Won't Ship In Kit Form · · Score: 2

    The point is I think the suggestion that SMD assembly is outside the reach of hobbyists is total ignorant bullshit.

    I think the point is that reliably mounting such fine-pitched SMD parts (stacked, no less) is beyond the reach of a significant portion of their customers. Certainly enough that they made the safe decision to just pre-mount them. Otherwise, they'd be knee deep in people calling to complain that their board didn't work after they eyeballed the placement and reflowed them with a hairdryer.

  10. What he really wants on Ask Slashdot: Wireless Proximity Detection? · · Score: 1

    It sounds like what he wants is wireless, Bluetooth, or RFID readable sensors. If the lab employee is near the sensor it can display the data from the sensor on the tablet. Still doesn't address reliable recording of that data, although they are likely manually recording this data on notebooks already.

  11. Re:Exciting on Some Windows 8 Laptops May Come With Built-In Kinect Sensors · · Score: 1

    Yeah, we're all going to create Excel spreadsheets by randomly waving our hands in front of the screen.

    No, that's how you create PowerPoint presentations!

  12. Re:Indirectly related, but... on Android Malware May Have Infected 5 Million Users · · Score: 1

    Leaky, though, as are all apps which use root permissions. During boot, everything has access until DroidWall has loaded, been granted Su permissions, and applied rules.

    It's possible to block things better, but it requires custom ROMs or modifications to the stock ROM.

    True, but I also watch what has permissions to start at boot (only two trusted apps in my case). PermissionDenied is nice for reining in permissions, although many apps FC when they can't read the phone state or open a net connection (even though they shouldn't need the capability).

    At least I don't have to worry that a wallpaper app is getting remote command and changing my browser bookmarks.

  13. Re:Google Needs To Get Their Ass In Gear on Android Malware May Have Infected 5 Million Users · · Score: 1

    Just noticed that iAPPS7 apps seem to be disappearing from the Market.

  14. Re:Google Needs To Get Their Ass In Gear on Android Malware May Have Infected 5 Million Users · · Score: 1

    Which app did you look at? Like I said, they all have different permissions listed.

    I looked at several from iApps7.

    Here's what Hit Counter Terrorist wants for permissions.

    This application has access to the following:

    coarse (network-based) location
            Access coarse location sources such as the cellular network database to determine an approximate device location, where available. Malicious applications can use this to determine approximately where you are.

    fine (GPS) location
            Access fine location sources such as the Global Positioning System on the device, where available. Malicious applications can use this to determine where you are, and may consume additional battery power.

    full Internet access
            Allows an application to create network sockets.

    read Browser's history and bookmarks
            Allows the application to read all the URLs that the Browser has visited, and all of the Browser's bookmarks.

    write Browser's history and bookmarks
            Allows an application to modify the Browser's history or bookmarks stored on your device. Malicious applications can use this to erase or modify your Browser's data.

    read phone state and identity
            Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like.

    discover known accounts
            Allows an application to get the list of accounts known by the device.

    control vibrator
            Allows the application to control the vibrator.

    view network state
            Allows an application to view the state of all networks.

    view Wi-Fi state
            Allows an application to view the information about the state of Wi-Fi.

    System tools: automatically start at boot
            Allows an application to have itself started as soon as the system has finished booting. This can make it take longer to start the device and allow the application to slow down the overall device by always running.

  15. Re:May have? on Android Malware May Have Infected 5 Million Users · · Score: 1

    It's hard to take anything Symantec says seriously as regards security. They have every incentive to make things seem far worse than they really are. Does Symantec offer an antivirus for Android?

    Yes they have a number of products for Android, so yes they aren't exactly non-biased.

    http://us.norton.com/mobile-security/

  16. Re:No risk for me on Android Malware May Have Infected 5 Million Users · · Score: 1

    I'm not sure how, but you've hit the crux of it. With Windows, we expect this "blame the user" scenario because we've been trained to expect it. We were hoping for better with Android. But there are just so darned many apps now to vet.

    Maybe a second level of "hey, these permissions are really loose and align with known malware. Are you really sure you want to enable this app to upload all your files and your contacts list to any random website and dial 1-900 numbers to run up your phone bill?" consent might be required.

    Or maybe just triggers for additional inspection of apps based on required permissions. But that costs money, and somebody has to pay for that. Maybe a permissions cost matrix for uploading your app, to pay for the code inspection. That would encourage developers to require the minimum necessary permissions.

    I'd like to see just plain simple color coding added. The permission prompt would be red if the app was asking for permissions that include things like sending SMS messages. Green would be for something that only asked for minimal or no permissions.

    I like the idea of tiered costs based on permissions, but it's probably not going to be much of an obstacle for the guys that really want the permissions to do shit like hijacking your browser to point to click-through sites.

  17. Re:Google Needs To Get Their Ass In Gear on Android Malware May Have Infected 5 Million Users · · Score: 1

    Did you bother to read the Symantec description?

    Yes, I did. Did you bother looking at the apps themselves on the Market after that?

    The problem is that each of those apps contains only a fraction of the permissions mentioned in the Symantec description. And perhaps cumulatively, they may contain all the permissions mentioned, but still that's a very different picture from the one that Symantec is trying to paint.

    I just did, and yes the Symantec article is accurate, even though it overstates the threat. It runs at phone boot, and has permissions to monitor your calls to see who you're calling and read/change your browser bookmarks and history. There are reports that it changes your bookmarks to point to click-through sites. The portion of the app that does this is not part of the game, but something else added to it for the purpose of spying on the user and redirecting their browser (e.g. Alexa). This capability is not disclosed to the user, other than showing the permissions required. If a PC app did that, we'd call it spyware or browser hijacking. Why call it anything different when it's on an Android device?

    stealing the IMEI and IMSI (sufficient info to clone your SIM card)

    "stealing"? What a loaded word? It's not theft if you gave the application the permission to read the phone identity. Plus, it's a unique number that uniquely identifies your phone. It's not meant to be the secure element. It's meant to be the public one.

    We complain loudly about browsers which allow persistent browser cookies and flash cookies, etc. We complain that the ad companies have figured out how to track us across different sites. We complained that our Intel CPUs had serial numbers that were accessible to the OS and software to the point that even the BIOS makers put the option to disable this in the BIOS config. Why are we not complaining that Android allows access to a permanent, non-changeable, cookie?

    Why does this permission even exist when its only possible use is for user/device tracking? I guarantee that the average user doesn't realize the implications. I

  18. Re:Google Needs To Get Their Ass In Gear on Android Malware May Have Infected 5 Million Users · · Score: 3, Informative

    Perhaps Symantec are flagging it as malware because it is using permissions that the app clearly does not need, and it is just some rookie developer that has permission code copied in from some other site?

    You could try clicking the link in the article and see why. http://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-4046-99&tabid=2

    Or just be lazy like the rest of the Slashdot herd.

  19. Re:Google Needs To Get Their Ass In Gear on Android Malware May Have Infected 5 Million Users · · Score: 4, Insightful

    To be fair, this does not look like Malware at all.

    Hijacking your browser homepage, adding shortcuts to the desktop, stealing the IMEI and IMSI (sufficient info to clone your SIM card), copying your contacts, etc. certainly counts as a trojan. Did you bother to read the Symantec description?

    Sure, a smart user might notice the excessive permissions, but the average user just hits okay and doesn't even read the list.

  20. Re:May have? on Android Malware May Have Infected 5 Million Users · · Score: 2

    'Symantec estimated the impact by combining the download totals -- which the Android Market shows as ranges -- of the 13 apps, arriving at a figure between 1 million on the low end and 5 million on the high.

    Of course Symantec totally ignored that the download totals do not translate into the number of infected users. How many devices have multiple apps? That estimate could easily be 10x too high.

    Did the author run scripts to pump up the numbers to gain visibility? Many app authors do this.

  21. Re:500 million?? on Top Google Executives Approved Illegal Drug Ads · · Score: 1

    It doesn't go "directly in their pockets," but what happens is that the extra money is brought to the attention of the people who allocate budgets. Those people then allocate more to whoever brought in the money in the hope that there is more where that came from and extra staff will better be able suck that cash out of the economy and into the government budget without anything so politically unacceptable as "tax increases."

    Exactly. Also the reason such a large amount of the average law force is dedicated to catching speeders which generates income rather than putting murderers in jail which costs money.

  22. Re:500 million?? on Top Google Executives Approved Illegal Drug Ads · · Score: 4, Interesting

    Sounds like a good cash grab for the government.

    500 million is petty chump change for the US federal government. You could define the Planck time in terms of how long 500 million dollars would keep the US government in operation.

    500 million is a huge windfall for the small agency that conducted the sting. Unfortunately it gives them the resources to set up and entrap other large companies. This happens all the time. Another example is the Michigan State agency that figured out how to go after people buying cigarettes over the internet and not paying state taxes - they got enough cash from the first round of lawsuits to triple the number of people working in that dept.

    If you read the article, it details just how much effort the govt put into convincing and tricking Google execs into accepting the ads. It's important to note that Google initially refused the ads entirely until they changed the website so that you had to contact the company directly (which makes the website an advertisement for services and not a store, btw). Then the feds had to keep nagging and begging to get the ads released in the US. This is a classic case of entrapment.

    I think Google just paid the $500 million because it's chump change to them and they want this to quietly go away as a long trial could have cost more in lawyers' fees and damage to their reputation.

    Is the next target going to be eBay because they knowingly allow counterfeit items to be sold? They've already tried zinging them for this before.

  23. Re:Not a big deal on Dreamhost FTP/Shell Password Database Breached · · Score: 1

    I understood the concept. Just pointing out that they need to have your contact info somewhere which would naturally include your email address.

  24. Re:This assumes you care on DoD Using Plant DNA To Combat Counterfeit Parts · · Score: 1

    What if you don't care that you are purchasing a counterfeit or stolen legit component?

    Because the problem is that the counterfeit part is often of a lower quality or spec. You would probably care if that 2.8GHz QuadCore CPU you just bought was really a remarked 2.2GHz chip.

  25. Re:Not a big deal on Dreamhost FTP/Shell Password Database Breached · · Score: 1

    Except that they found a symptom, and not the actual problem. Someone has unauthorized access to their servers. Until they figure out how they've gotten in and closed the door, it's pointless to scramble passwords. This also wasn't a "quick response" as people have been complaining about their accounts getting hacked and their WP configs and .htaccess files getting modified for months.