Slatedroid info

Everything about android tablet pc [slatedroid]

ARM’s built-in security and how it might just get rid of the password

Posted by wicked, Wednesday, October 15, 2014

In the increasingly connected world in which we live, the security of our information is paramount. Not only are government agencies trying to tap all our communications, so are cyber-criminals, who sell our data to make money. More than at any other time in history, how our data is protected is vital, not only to businesses but also to individuals.

ARM processors can be found at the heart of most smartphones and tablets, as well as in a range of other popular consumer devices. And these very same ARM chips have a built-in weapon that helps every smartphone user protect themselves.

Built into every Cortex-A-based processor is a clever piece of technology called TrustZone. It provides a small, certifiable Trusted Execution Environment (TEE) that is isolated from the main operating system (e.g. Android) and, as such, is completely immune to software-level attacks.

TrustZone runs its own bespoke operating system. When the processor switches to the trusted environment, Android has no interaction with what is running there; in fact, Android doesn’t even know that the secure environment is running. This is complete hardware isolation.

Processors with TrustZone can execute instructions in one of two modes: the normal world, where untrusted code executes, and the secure world, where secure services run. Both modes have independent memory address spaces and different privileges.

[Figure: TrustZone hardware architecture]

Code running in the normal world cannot access the secure world’s address space, but code running in the secure world can access the normal world’s. The processor carries a special address bit, the NS (Non-Secure) bit, that indicates which world it is currently executing in.

Because the processor can only be in one world at a time, there is a mechanism that tells the CPU to switch between them: a special instruction called the Secure Monitor Call (smc). When the CPU executes the smc instruction, the hardware traps into the secure monitor and a secure context switch is performed.

Real World

So what does that mean for the average user? Imagine that you need to connect to your online banking. At the moment there are a variety of two-step authentication methods that can be used to ensure that you sign in securely. Some banks send SMS messages to your phone, while others issue their customers with bespoke bits of hardware that generate special authentication codes. The idea is that even if a cyber-thief gets your username and password, they won’t have access to the secondary bits of information.

What TrustZone provides is a way for service providers (like banks) to integrate the secondary step of the two-part authentication process into the phone itself. Since TrustZone is completely isolated, there is no danger of malware, or any other attack vector, being used to capture the authentication codes.

[Figure: TrustZone web payment example]

For example, a user might want to pay for some goods from their smartphone. An Android app on the smartphone processes the initial part of the payment. Then the processor switches to the secure OS. This OS takes control of the display and asks the user to tap in their PIN. The PIN is then encrypted and passed back to Android. While the secure OS was running, Android had no interaction with the screen and knows nothing about what happened; this isolation is enforced at the hardware level. Finally, the Android app takes the encrypted PIN and uses it to authenticate with the payment service. Any spying that occurs will only be able to capture encrypted data, even if the spying happens on the smartphone itself.

Since the TrustZone OS is custom built and can’t be installed via a general installation method (like the Play Store), each service provider would need to create a special smartphone with its trusted software on it. That by itself isn’t feasible. However, it is possible to create a general Trusted Execution Environment kernel which has the capability to install certified trusted apps.

To make this trusted execution environment more accessible to secure service providers, companies like Trustonic and Samsung (with its Knox 2.0 platform) are creating systems that allow trusted apps to be installed in TrustZone. These trusted apps will be able to handle a wide range of authentication tasks, from secure sign-in to payment processing.

ARM is also working on its own Trusted Firmware. Designed for 64-bit ARMv8-based processors, the open-source project is released under a BSD-style license and the source code is available on GitHub. Because it is open source, ARM hopes that handset OEMs can take the code and use it in their products. The goal of the project is to provide a reference implementation, and as far as possible the code is designed for reuse or porting to other ARMv8 hardware platforms.

Secure boot

For a trusted execution environment to be truly trustworthy, the device’s boot process must be secure. To that end ARM is working with its partners to bring a secure boot process to Android handsets. Android boots by running a bootloader that prevents unauthorized secondary bootloaders and operating systems from loading. This Secure Boot process is implemented by cryptographically verifying each step of the boot process. The certificate chain has its trusted root certificate stored in TrustZone, isolated by the hardware.

Samsung’s implementation of the secure boot process also verifies the Android firmware. Although this isn’t something that will delight users who like to install custom firmware, it is essential for enterprise (business) users who need to ensure that the security aspects of Android (like those provided by SE for Android) haven’t been disabled.

Samsung KNOX 2.0 measures certain key aspects of the bootloader and records them in secure memory. At runtime the trusted OS can check those measurements and confirm the validity of the Android firmware that is running. If the bootloader is unable to verify the Android kernel, a one-time programmable memory area (often known as a fuse) is used to indicate the suspected tampering.
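As an added illustration, not ARM’s or Samsung’s code, the Python model below chains three boot stages by digest, keeps the root digest and the per-stage measurements in secure storage, and blows a one-time fuse on any mismatch so that the trusted OS can re-check the running firmware later. It uses plain SHA-256 digests in place of the certificate chain, and the stage names and image contents are constructed.

```python
import hashlib
from typing import List, NamedTuple


class Stage(NamedTuple):
    name: str
    payload: bytes      # constructed stand-in for the stage's code image
    next_digest: bytes  # digest this stage expects of the stage after it; b"" for the last

def measure(stage: Stage) -> bytes:
    """Measurement of a stage: SHA-256 over everything it carries, including the
    digest it vouches for, so tampering with any link also changes the link above it."""
    h = hashlib.sha256()
    for part in (stage.name.encode(), stage.payload, stage.next_digest):
        h.update(len(part).to_bytes(4, "big") + part)  # length-prefixed to avoid ambiguity
    return h.digest()

class SecureStorage:
    """State only the secure world may touch (a plain object in this model)."""

    def __init__(self, root_digest: bytes):
        self.root_digest = root_digest       # trusted root, fixed at manufacture
        self.measurements: List[bytes] = []  # what actually booted, recorded per stage
        self.tamper_fuse = False             # one-time programmable: can only ever become True

def secure_boot(stages: List[Stage], store: SecureStorage) -> bool:
    """Verify each stage against the digest vouched for by the stage before it (the
    first against the hardware root), recording a measurement for every stage tried."""
    store.measurements = []
    expected = store.root_digest
    for stage in stages:
        actual = measure(stage)
        store.measurements.append(actual)
        if actual != expected:
            store.tamper_fuse = True  # blown for good; survives reflashing the firmware
            return False
        expected = stage.next_digest
    if expected != b"":  # the chain stopped early: a trailing stage is missing
        store.tamper_fuse = True
        return False
    return True

def runtime_attest(stages: List[Stage], store: SecureStorage) -> bool:
    """Trusted-OS check at runtime: does the running firmware still match what was
    measured at boot, and has the tamper fuse never been blown?"""
    return (not store.tamper_fuse
            and len(store.measurements) == len(stages)
            and all(measure(s) == m for s, m in zip(stages, store.measurements)))

def build_chain(images: List[tuple]) -> List[Stage]:
    """Link stages back to front so each one embeds the digest of its successor."""
    stages: List[Stage] = []
    next_digest = b""
    for name, payload in reversed(images):
        stages.insert(0, Stage(name, payload, next_digest))
        next_digest = measure(stages[0])
    return stages

# Constructed sample chain: bootloader -> Android kernel -> Android system image.
GOOD_CHAIN = build_chain([("bootloader", b"bl-v1"), ("kernel", b"kernel-v1"),
                          ("system", b"system-v1")])
ROOT_DIGEST = measure(GOOD_CHAIN[0])  # what the factory burns into secure storage

def demo():
    clean = SecureStorage(ROOT_DIGEST)
    booted = secure_boot(GOOD_CHAIN, clean)
    attested = runtime_attest(GOOD_CHAIN, clean)
    # A modified kernel: the bootloader still vouches for the original kernel's digest.
    rooted = [GOOD_CHAIN[0], GOOD_CHAIN[1]._replace(payload=b"kernel-rooted"), GOOD_CHAIN[2]]
    tampered = SecureStorage(ROOT_DIGEST)
    booted_rooted = secure_boot(rooted, tampered)
    return booted, attested, booted_rooted, tampered.tamper_fuse  # (True, True, False, True)
```

Re-linking the whole chain around a modified kernel does not help an attacker either: the bootloader’s own digest then no longer matches the root held in secure storage, so verification fails at the very first stage.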

Say goodbye to passwords

One organization which is using ARM’s TrustZone is the FIDO (Fast Identity Online) Alliance. The mission of the alliance is to change the nature of online authentication by defining a set of mechanisms that reduce our reliance on passwords. ARM joined FIDO’s Board of Directors earlier this year, where it works with some of the world’s most influential corporations, including Microsoft, Google, Bank of America and Samsung.

[Figure: TrustZone FIDO passwordless flow]

FIDO’s passwordless specification allows a user to register their device with an online service by selecting a local authentication method (such as swiping, facial recognition, entering a PIN, etc.). Once registered, the user repeats the same authentication action whenever they need to sign in to the service. TrustZone is used to provide the secure authentication action, isolated from Android and any apps running on it. The result is some encrypted authentication data which is used to perform the sign-in process. As a result, the user no longer needs a password when authenticating from that device. The user can even combine multiple authentication methods, such as fingerprint plus PIN.

Samsung, ARM and FIDO have worked with PayPal to give customers a way to use their fingerprint for authentication when paying for goods or services from a Samsung Galaxy S5. The FIDO Ready software on the S5 securely communicates between the fingerprint reader and PayPal’s servers. The only information the device shares with PayPal is a unique cryptographic code that allows PayPal to verify the owner’s identity, without having to store any biometric information on its servers.
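The registration and sign-in exchange described above, as an added Python model that is not code from FIDO, ARM, Samsung or PayPal: the authenticator object plays the secure world (it holds the enrolled PIN and one private key per service and exports only public keys and signatures), while the service stores public keys and checks a signature over a fresh challenge, so neither a PIN nor a biometric ever leaves the device, the same boundary as in the PIN payment example earlier. Assumptions: a Schnorr signature over a 512-bit group generated at import time stands in for the ECDSA or RSA keys real FIDO authenticators use, a PIN is the local authentication method, and the user, service and PIN values are constructed.

```python
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:  # Miller-Rabin with random bases
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def schnorr_group(qbits: int = 160, pbits: int = 512):
    """Toy DSA-style parameters (p, q, g): prime q, prime p = k*q + 1 < 2**512, g of order q."""
    q = p = g = 1
    while not is_probable_prime(q):
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1
    while not is_probable_prime(p):
        k = (secrets.randbits(pbits - qbits) | (1 << (pbits - qbits - 1))) & ~1
        p = k * q + 1
    while g == 1:
        g = pow(secrets.randbelow(p - 2) + 2, (p - 1) // q, p)
    return p, q, g

def challenge_hash(q: int, r: int, msg: bytes) -> int:  # e = H(r || msg) mod q
    return int.from_bytes(hashlib.sha256(r.to_bytes(64, "big") + msg).digest(), "big") % q

def sign(group, x: int, msg: bytes):
    p, q, g = group
    k = secrets.randbelow(q - 1) + 1  # fresh nonce per signature; a reused k would leak x
    e = challenge_hash(q, pow(g, k, p), msg)
    return e, (k + x * e) % q

def verify(group, y: int, msg: bytes, sig) -> bool:
    p, q, g = group
    e, s = sig
    r = pow(g, s, p) * pow(y, q - e, p) % p  # g^s * y^-e recovers g^k only for a valid signature
    return e == challenge_hash(q, r, msg)

class TrustedAuthenticator:
    """Secure-world side: the enrolled PIN and the private keys never leave this object."""

    def __init__(self, group, enrolled_pin: str):
        self.group, self._pin, self._keys = group, enrolled_pin.encode(), {}

    def register(self, service: str) -> int:
        p, q, g = self.group
        self._keys[service] = x = secrets.randbelow(q - 1) + 1  # per-service private key
        return pow(g, x, p)  # only the public key y = g^x is handed to the service

    def authenticate(self, service: str, pin_attempt: str, challenge: bytes):
        # Local user verification happens here; the service only ever sees the signature.
        if not secrets.compare_digest(pin_attempt.encode(), self._pin):
            return None
        return sign(self.group, self._keys[service], challenge)

def demo():
    group = schnorr_group()
    tee = TrustedAuthenticator(group, enrolled_pin="4821")  # constructed PIN
    service_db = {"alice": tee.register("bank.example")}  # the service stores public keys only
    c1, c2 = secrets.token_bytes(32), secrets.token_bytes(32)  # fresh challenges from the service
    good = verify(group, service_db["alice"], c1, tee.authenticate("bank.example", "4821", c1))
    wrong_pin = tee.authenticate("bank.example", "0000", c1) is None
    replayed = verify(group, service_db["alice"], c2, tee.authenticate("bank.example", "4821", c1))
    return good, wrong_pin, replayed  # (True, True, False)
```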

With smartphone ubiquity increasing daily, the potential for Trusted Execution Environments, and the corresponding benefits for users, is huge. As is often the case, ARM is leading the way, and the technology needed to get rid of passwords is probably already in your phone!

Dropbox usernames and passwords leak online, company denies responsibility and says passwords expired

Posted by wicked, Tuesday, October 14, 2014

It seems like just about every day there is some sort of hack involving an online service. Today’s hack is from Dropbox.

A user posted files on Reddit that contained a bunch of usernames and passwords for Dropbox accounts. The poster said there were close to 7,000,000 more, but asked for Bitcoin donations to reveal them.

Later, Dropbox made a statement to The Next Web saying that it is not to blame and that the credentials were stolen from other third-party services:

Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.

Dropbox also said it performed password resets when it detected suspicious activity on these accounts, which was a few months ago.

source: TheNextWeb


Snapchat images may have been breached through third-party service

Posted by wicked, Friday, October 10, 2014

According to reports, some 4chan users are claiming that a third-party app used to access the Snapchat service has been breached, giving access to over 200,000 images matched with usernames. The app in question is named SnapSaved and is used to get around Snapchat’s system that alerts users when someone grabs a screenshot of an image that has been posted. Apparently SnapSaved was using a cloud architecture to save the images being grabbed from Snapchat, along with everything else that was being passed to a user, like usernames. According to posters on 4chan, the image database will be posted online by this Sunday, October 12th.

Original reports claimed the service that was hacked was Snapsave, which does the same thing as SnapSaved – grab Snapchat images without the sender being notified. However, a representative for Snapsave, Georgie Casey, says Snapsave “had nothing to do with it and we’ve never logged username/passwords.” Casey also indicated Snapsave does not use a cloud system to save images.

Snapchat itself has also issued a statement regarding the claimed breach:

“We can confirm that Snapchat’s servers were never breached and were not the source of these leaks. Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security. We vigilantly monitor the App Store and Google Play for illegal third-party apps and have succeeded in getting many of these removed.”

The SnapSaved web site is currently down and reports indicate that it has been for a while. The web site was the portal to the service, and there are some suspicions that it was set up for the sole purpose of collecting the images for eventual “leaking” by hackers. A report also indicates that the image database file was initially made available through viralpop.com, which was installing malicious software on the computers of users who were trying to access the file.

sources: Engadget, Business Insider


AT&T issues apology for customer data breach

Posted by wicked, Monday, October 6, 2014

AT&T has revealed that an employee inappropriately accessed customer data, including Social Security numbers and other account data. It is not clear whether the employee may have done anything beyond accessing data that was off limits, but the company is offering to reverse any unauthorized charges incurred by customers. AT&T is also offering a free year of credit monitoring services to affected customers.

AT&T is currently in the process of directly contacting customers who were affected, and it has filed a sample letter regarding the breach with the Vermont attorney general’s office. In the letter, AT&T indicates the person responsible for the data breach is no longer working for AT&T. The incident has been turned over to law enforcement for possible action.

In a statement, spokesman Mark Siegel with AT&T said, “we recently learned that one of our employees did not follow our strict privacy rules and inappropriately obtained personal information for a limited number of customers.”

source: Re/code


Eric Schmidt fires back at Tim Cook on Google’s security and privacy practices

Posted by wicked, Thursday, October 2, 2014

Recently, Apple CEO Tim Cook was on Charlie Rose and questioned Google’s data collection practices. He said, “When an online service is free, you’re not the customer, you’re the product.” Now it’s Eric Schmidt’s turn as he appeared on CNN Money and obviously had some things to say about Tim Cook’s comments.

Schmidt said…

“Someone didn’t brief him correctly on Google’s policies. It’s unfortunate for him. In the first place, in Google’s case, we have always been the leader in security and encryption. Our systems are far more secure and encrypted than anyone else, including Apple. They’re catching up, which is great.”

There is no question that Apple is further behind in security. Didn’t they just start offering two-factor authentication?

[Embedded video: the full CNN Money interview]

source: BGR

CM Security app updated, now with Intruder Selfie

Posted by wicked, Friday, September 26, 2014

Reports of phones getting hacked and contents being leaked on the Internet can be quite scary. I don’t agree with taking ‘NSFW’ photos because anyone could see them even if you’re being too careful. You can lock all the photo albums you want, but the phone can be stolen, right?

How about the social media apps installed on your tablet or device? You think they’re safe even when you’re with family and friends, but you know some people can be nosy, snooping on your accounts, checking what’s in your inbox, etc. That’s why using locks for the apps is highly recommended. There are many similar apps available for Android, and one of them is CM Security AppLock & AntiVirus.

Cheetah Mobile, the developer of the app, recently released an update that adds a new AppLock feature: Intruder Selfie. The feature allows the phone to automatically and discreetly take a photo of someone who enters the wrong password twice. Now you’ll know who’s been snooping on your Facebook and WhatsApp. Gotcha.

CM Security is better known as an antivirus engine, but it can also lock apps you don’t want other people checking out on your device. With the App Lock function, you can lock apps, photos, files, privacy and settings. The Locate Family feature lets you know where friends and family are located. The app also turns into a “find my phone” tool whenever the device is stolen, so you could call it an anti-theft feature: locate the phone on a map and track the thief.

Download CM Security AppLock & AntiVirus from the Google Play Store

Researchers claim that mobile data can predict future crimes

Posted by wicked, Monday, September 22, 2014

Scientists in London are claiming that mobile phone data can predict future crime hotspots with 70% accuracy. The findings provide evidence that aggregated and anonymized data collected by a carrier’s mobile infrastructure can contain relevant information to describe a geographical area in order to predict its crime level.

According to work done in Italy, Spain and at the Massachusetts Institute of Technology (MIT), daily data from mobile phones significantly improved the accuracy of crime predictions.

Unlike current systems, which use crime statistics and local demographics that can be difficult and expensive to gather and are not regularly updated, mobile phones can collect data about their owner’s gender and age and the phone’s location in real time.

The proposed approach could have clear practical implications by informing police departments and city governments on how and where to invest their efforts and on how to react to criminal events with quicker response times. From a proactive perspective, the ability to predict the safety of a geographical area may provide information on explanatory variables that can be used to identify underlying causes of these crime occurrence areas and hence enable officers to intervene in very narrowly defined geographic areas. - “Once Upon a Crime: Towards Crime Prediction from Demographics and Mobile Data”

The scientists used data obtained from Telefonica, a European mobile phone company which owns the O2 service in the UK, to piece together an algorithm to predict crime rates in the next period of time. Included in this algorithm was information from the London Borough Profiles Dataset showing an area’s housing market, political affiliation, transportation, homelessness, life expectancy and other factors.

“The study of the impact on behavioral development of factors like exposure to specific peer networks, neighborhood characteristics (e.g. presence/absence of recreational/educational facilities) and poverty indexes, has provided a wealth of knowledge from both individual and collective standpoints. Existing works in the fields of criminology, sociology, psychology and economics tend to mainly explore relationships between criminal activity and socio-economic variables such as education, ethnicity, income level, and unemployment.” - “Once Upon a Crime: Towards Crime Prediction from Demographics and Mobile Data”

The authors came up with predicted crime maps of London, UK:

[Figures: LondonCrimeMap and LondonCrimeMap2, predicted crime maps of London]

A negative aspect of this study showed how “anonymous” data really isn’t “anonymous” as information given to these scientists was used to track specific individuals. The scientists also admit to needing significantly more data and time to refine such a system for public use.

The methods found in this study really aren’t that much different from those found in the movie The Minority Report. Therefore, expect Tom Cruise to come and grab you in the middle of the night if you plan on committing a crime.


Source: Report;

Google updates security section in Account settings

Posted by wicked, Thursday, September 11, 2014

As Google continues to deal with the fallout from the posting of Gmail account information on a Russian forum, it has added a new Security tab for Google accounts to make it a little easier for users to update and maintain their security settings. It is likely a coincidence that this change has occurred on the heels of yesterday’s events, which Google says are not as bad as initially reported. However, it could be a response to what happened, as Google is a company with the resources to throw at the issue and roll out a change quickly.

As far as the new Security tab, the primary change is to group a bunch of settings that were already available to users in one place. This includes settings like recovery phone numbers and email addresses, access for less secure apps, the ability to review recent activity on an account, and even removal of permissions. With the settings all in one place now, Google also makes the interface a bit simpler and easier to use.

source: Google System Blog


California finalizes its kill switch bill, comes into effect July 1st 2015

Posted by wicked, Tuesday, August 26, 2014

Smartphone theft lends itself to some ugly looking crime statistics, and US lawmakers are determined to do something about it. After months of U-turns and political grandstanding, California has finally decided to pass a bill requiring that future smartphones sold in the state come with “kill switch” features included.

According to the bill, named SB-962, any smartphone manufactured on or after July 1st 2015 that is sold in California will have to include a software or hardware kill switch solution, to be provided by either the hardware manufacturer or the operating system provider. California joins Minnesota, which passed a bill back in May stipulating that it will be illegal to sell smartphones without anti-theft software pre-installed from July 1st 2015, although Minnesota’s legislation is much vaguer than California’s.

The specifics of the “kill switch” appear to be left up to third parties, so we will have to see how well manufacturers can agree upon the design specifics, and whether or not lawmakers will be pleased by the results. Interestingly, California’s kill switch has to be reversible, leaving questions over how secure the system will be from hackers and the most resourceful thieves.

Google, HTC, Motorola, Samsung, and others, have already signed up to a voluntary initiative with the CTIA. This initiative aims to give owners the option to lock down and remotely wipe their smartphones, and was also scheduled to go live in July 2015.

Of course there is a trade-off with mandatory kill switches, as manufacturers and software developers pass the additional development costs of meeting state-by-state or national regulations on to consumers. By making it illegal to sell new phones without a kill switch, California has effectively eliminated the choice of cheaper, security-feature-less smartphones for consumers. This sentiment was echoed in a statement by the CTIA:

“Today’s action was unnecessary given the breadth of action the industry has taken,”

“Uniformity in the wireless industry created tremendous benefits for wireless consumers, including lower costs and phenomenal innovation. State by state technology mandates, such as this one, stifle those benefits and are detrimental to wireless consumers.” Jamie Hastings – CTIA

Time will tell if California’s bill has the effect that lawmakers are hoping for. Is phone theft a major concern for you, and do you think that this bill will help prevent phone thefts?


Via: The Verge;
Source: SB-962;

iOS is losing enterprise marketshare, but Android still can’t beat it

Posted by wicked, Wednesday, August 13, 2014

While the Android platform is #1 in the consumer market (and the world), some would say you haven’t won unless you can take over enterprise. This is a market Android hasn’t been able to penetrate without a fight from the competition. Once BlackBerry’s territory, the enterprise market now belongs to Apple, a situation that is slowly changing.

Good Technology’s Q2 2014 report shows iOS on top, but its share of the enterprise market has dropped by 5% (down to 67%). On the other hand, Android’s share of this niche market has grown by the same amount, 5% (up to 32%). Meanwhile, Windows Phone is staying at 1%.

BlackBerry does continue to be fairly important in enterprise, even if not for long. The forgotten platform is not included because BlackBerry devices use their own servers for email access, meaning Good Technology can’t access their numbers. Of course, it’s not like they matter much anymore.

Android’s slow entrance into business seems to be followed by a bad reputation that has preceded the platform since its genesis. The idea that our favorite mobile operating system is less secure no longer holds true, and the latest improvements have moved mountains to ensure Google’s devices are ready for the working businessman.

The announcements of Android for Work and Samsung Knox are important factors to consider the next time a business is ready to offer new devices to its workers. This is a topic we recently discussed in our “Apple vs Google in the enterprise” opinion piece.

Android is ready for enterprise, and it is only a matter of time before Google’s mobile OS takes over suited users. Last quarter’s results are only corroborating our predictions.


Via: The Next Web;
Source: Good Technology;