Do you have adblock enabled?
If you can read this, either the style sheet didn't load or you have an older browser that doesn't support style sheets. Try clearing your browser cache and refreshing the page.

(Phys Org2)   In addition to giving access to the NSA and any business with a checkbook, at this point Gmail (and other apps) is pretty much handing out your data to anything with a pulse   (phys.org) divider line 28
    More: Scary, Gmail, r block, UC Riverside, engineering department, credit card numbers, H&R Block, newegg, SSN  
•       •       •

2482 clicks; posted to Geek » on 21 Aug 2014 at 10:35 AM (1 year ago)   |  Favorite    |   share:  Share on Twitter share via Email Share on Facebook   more»



28 Comments   (+0 »)
   
View Voting Results: Smartest and Funniest

Archived thread
 
2014-08-21 08:29:59 AM  
This...could end badly.
 
2014-08-21 10:38:12 AM  
Using Android apps.
 
2014-08-21 10:41:33 AM  
um... at this point? wasn't the explicit trade off of (for example) gmail from its very inception that you pay for the service by allowing google to read every email you send and use it for advertising?
 
2014-08-21 10:43:19 AM  
Yeah. They mention Windows Phone and iOS at the top of the article, but the rest of the article is basically, "Hey Android - in case the other million times it's been mentioned - is a security nightmare."
 
2014-08-21 10:43:24 AM  
To be fair, once you have loaded a malicious app on your device it is pretty much game over as far as security goes anyway. There's just so many ways it can steal your info
 
2014-08-21 10:48:17 AM  

xsarien: Yeah. They mention Windows Phone and iOS at the top of the article, but the rest of the article is basically, "Hey Android - in case the other million times it's been mentioned - is a security nightmare."


Windows Phone is pretty strict, to the point where it is a huge PITA for a lot of developers to create apps because the OS really restricts what apps are allowed to do. They are kept in a really strict sandbox with some pretty locked down APIs for communicating with other apps.
 
2014-08-21 10:49:20 AM  
The researchers started working on the method because they believed there was a security risk with so many apps being created by some many developers.

Ignoring the typo, I don't really follow their logic. Are they concerned about literally every platform, ever? Actually that's not a bad position to have, but to act like Android is unique because there's a bunch of authors seems odd.

The attack works by getting a user to download a seemingly benign, but actually malicious, app, such as one for background wallpaper on a phone.

OK, so the headline lies blatantly (surprise!). Making someone download an app for an attack to work is the least-useful attack vector.

Once that app is installed, the researchers are able to exploit a newly discovered public side channel-the shared memory statistics of a process, which can be accessed without any privileges. (Shared memory is a common operating system feature to efficiently allow processes share data.)
The researchers monitor changes in shared memory and are able to correlate changes to what they call an "activity transition event," which includes such things as a user logging into Gmail or H&R Block or a user taking a picture of a check so it can be deposited online, without going to a physical CHASE Bank. Augmented with a few other side channels, the authors show that it is possible to fairly accurately track in real time which activity a victim app is in.


That's an interesting approach to discover when there is something worth getting. I'm guessing this is the part that doesn't succeed every time due to false positives.

There are two keys to the attack. One, the attack needs to take place at the exact moment the user is logging into the app or taking the picture. Two, the attack needs to be done in an inconspicuous way. The researchers did this by carefully calculating the attack timing.

I want to hear the rest of the details after they present their paper, because a lot of things are missing. This article just assumes it's easy to read the memory of another application as long as you do it at the right time. What is the "right time" and why does it need to be done in an inconspicuous way? It's not as if the user is going to notice, are they (there's no dialog box)? Are they somehow reading the memory of another process (signed by another key), but that only works during a moment of vulnerability due to a bug?

Also, can I complain about the headline? Google is one of the companies (along with Yahoo) that's actively resisting the NSA by encrypting everything between servers. And if you think requiring someone to install a malicious app is "handing out data to anyone with a pulse", you might not understand computers.
 
2014-08-21 11:01:04 AM  

tlchwi02: um... at this point? wasn't the explicit trade off of (for example) gmail from its very inception that you pay for the service by allowing google to read every email you send and use it for advertising?


Apparently some people need to be reminded that *they* are the product.
 
2014-08-21 11:04:03 AM  
Is it really a security problem if you essentially tossed a virus no your phone?
 
2014-08-21 11:24:53 AM  
The parent company where I work just made us switch (against my advice) from our standard POP3 server-based e-mail to Gmail, because it was more "secure".  Um.... yeah.
 
2014-08-21 11:26:19 AM  
FTFA: The researchers tested the method and found it was successful between 82 percent and 92 percent of the time

So... that would be 87 percent, then...?

Photo of head researcher:

www.angelfire.com
 
2014-08-21 11:30:31 AM  

styckx: Is it really a security problem if you essentially tossed a virus no your phone?


The larger point - and to be fair, you have one too - is that Android apparently is the easiest place for this to happen. As far as I'm aware, the amount of legwork involved in sideloading on Windows Phone is just not worth it (or impossible? I really don't know), and on the iOS side, unless you want some fundamental, system level hack, there's little reason to jailbreak since there's probably a free app for just about anything you can think of doing.

But sideloading on an Android is (apparently, relatively) easy. Which is great if you're Supernerd. But if you're just someone's who all HURF DURF SCREW THE MAN AND HIS APP STORE you're much more likely to do something stupid.
 
2014-08-21 11:31:00 AM  
2 words: Deity Bounce
 
2014-08-21 11:50:01 AM  

LZeitgeist: FTFA: The researchers tested the method and found it was successful between 82 percent and 92 percent of the time

So... that would be 87 percent, then...?

Photo of head researcher:

[www.angelfire.com image 445x294]


No, some of the apps average a success rate of 82% and others averaged 92%. The success rate was different for each app so stating a single success rate would be inappropriate.
 
2014-08-21 11:55:48 AM  
This is why my g-mail has slowly become my new hotmail style spam dumping ground.
 
2014-08-21 12:11:56 PM  

Tobin_Lam: LZeitgeist: FTFA: The researchers tested the method and found it was successful between 82 percent and 92 percent of the time

So... that would be 87 percent, then...?

Photo of head researcher:

[www.angelfire.com image 445x294]

No, some of the apps average a success rate of 82% and others averaged 92%. The success rate was different for each app so stating a single success rate would be inappropriate.


They've done studies, you know. 60% of the time, it works - every time...
 
2014-08-21 12:54:12 PM  
Did you know if someone just drives by your house, then they'll know your address.
 
2014-08-21 01:16:03 PM  

Shakin_Haitian: Did you know if someone just drives by your house, then they'll know your address.


Not if I don't install the numbers.  And they'll only know it's my house if my mom's in the yard or something.
 
2014-08-21 01:20:29 PM  

serial arseonist: Shakin_Haitian: Did you know if someone just drives by your house, then they'll know your address.

Not if I don't install the numbers.  And they'll only know it's my house if my mom's in the yard or something.


Some places have really jacked up addresses. I've seen addresses go up by 4 or 6 instead of 2 even though the houses were clearly on single lots and were single residences. Sometimes they skip a number for no apparent reason.
 
2014-08-21 01:24:38 PM  

Space Station Wagon: 2 words: Deity Bounce


So what is a diety bounce?
 
2014-08-21 01:38:58 PM  
Ehhh. This is a fundamental problem with Android and yet also it's strength. The android appstore is the wild west of places to get infected. As other have said, ios is better protected because Apple has that walled garden. Amazon too.

Basically, if you are using Android you need to be as careful as you are on a Windows pc on the internet. Don't download apps from the app store unless you know exactly what you are installing and that the person who developed the app is legit.
Generally speaking a verified whitelist source will protect you. As will intelligence and not being a foolish rube.
 
2014-08-21 01:47:00 PM  

Sim Tree: Space Station Wagon: 2 words: Deity Bounce

So what is a diety bounce?


I am imagining it as a bad woad experience as described by The Who.
 
2014-08-21 02:47:36 PM  

Sim Tree: Space Station Wagon: 2 words: Deity Bounce

So what is a diety bounce?


looks like I spelled in wrong. Diety Bounce

http://resources.infosecinstitute.com/nsa-bios-backdoor-god-mode-mal wa re-deitybounce/
 
2014-08-21 03:11:08 PM  

HMS_Blinkin: tlchwi02: um... at this point? wasn't the explicit trade off of (for example) gmail from its very inception that you pay for the service by allowing google to read every email you send and use it for advertising?

Apparently some people need to be reminded that *they* are the product.


I farking  hate that stupid meme. You can say the exact same thing about watching TV or any number of other advertisement supported activities. It's faux insight.
 
2014-08-21 04:56:10 PM  

xsarien: on the iOS side, unless you want some fundamental, system level hack, there's little reason to jailbreak since there's probably a free app for just about anything you can think of doing.


Tasker. I only have a few basic profiles on it, but they make the phone so much nicer (PIN lock screen disabled at home and work, phone goes to silent during sleeping hours when it's plugged in and face down, proximity-sensor triggered speaker phone, etc. etc.)

Which is great if you're Supernerd.

Oh. Hai.
 
2014-08-21 06:22:47 PM  

moel: This is why my g-mail has slowly become my new hotmail style spam dumping ground.


This is why my gmail account has always been a spam account.
I've always had a regular email account for my customers but any website or software that requires an email to sign up to gets the gmail.
Spam free in Thunderbird for many years.
Yes I'm old, yes I hate webmail. pop3 client for life biatches! lol
 
2014-08-21 07:11:25 PM  

Dangl1ng: Ehhh. This is a fundamental problem with Android and yet also it's strength. The android appstore is the wild west of places to get infected. As other have said, ios is better protected because Apple has that walled garden. Amazon too.

Basically, if you are using Android you need to be as careful as you are on a Windows pc on the internet. Don't download apps from the app store unless you know exactly what you are installing and that the person who developed the app is legit.
Generally speaking a verified whitelist source will protect you. As will intelligence and not being a foolish rube.


This.

xsarien: styckx: Is it really a security problem if you essentially tossed a virus no your phone?

The larger point - and to be fair, you have one too - is that Android apparently is the easiest place for this to happen. As far as I'm aware, the amount of legwork involved in sideloading on Windows Phone is just not worth it (or impossible? I really don't know), and on the iOS side, unless you want some fundamental, system level hack, there's little reason to jailbreak since there's probably a free app for just about anything you can think of doing.

But sideloading on an Android is (apparently, relatively) easy. Which is great if you're Supernerd. But if you're just someone's who all HURF DURF SCREW THE MAN AND HIS APP STORE you're much more likely to do something stupid.


And this.


This isn't a "Gmail is insecure!" problem.  This isn't that anyone can hack your gmail account from their computer across the interwebs.

This is an android malware problem that they're reporting.  Ya, if I get a piece of malware on my phone, EVERYTHING's hosed.  This is a no brainer, and is not new info.  Gmail, Outlook.com email, my ISP's email, my company email, my banking app login and password, whatever are all subject to theft.  If malware takes root, on ANY system, you can't trust anything on it anymore.  And you know what?  The same is true on your Mac, on your Windows PC, on Apple's iOS, on your Windows Phone, and on any version of Linux.  If there's malware loaded up, especially if you've rooted the device or log in as an admin on the system, any app that runs is suspect, any data can be mined and sent surreptitiously back over the net, and any keystrokes can be logged.

I'm glad they reported this, but their presentation sucks and is way too alarmist for what they're pitching.

In short, don't download apps to your phone you don't know and trust.  And the latest version of Scrappy Crappy BirdClone or whatever from that no-name developer with 35 broken english reviews is not a "trustworthy" app.


// this message brought to you by the Tinfoil Hat Society.  We're not wrong, we're just a little ...odd.
 
2014-08-22 10:37:05 AM  
The point is that they've identified a way that an app without special permission can do things by monitoring shared memory space. It can't steal your info from memory, but it can monitor that you're using an app (like, one where you enter your CC info) and make an educated guess about your behavior in that app, and then pop up a screen at just the right time to make you think you're still in the original app right before you enter your CC info.

It's pretty far-fetched but an issue worth fixing. Maybe apps shouldn't be able to monitor that memory space without permission.

On Android, though, permission management still sucks and no one really pays attention. It really should be better. Yeah, you're a little dumb if you upgrade a flashlight app from its original unprivileged version to the new version that wants super access to everything. But people just press "upgrade" and don't read it all. I thought we were going to get individual permission controls, but it hasn't happened yet without rooting as far as I know.

But this? A neat POC, but probably nothing to worry about in the wild.
 
Displayed 28 of 28 comments

View Voting Results: Smartest and Funniest


This thread is archived, and closed to new comments.

Continue Farking
Submit a Link »
Advertisement
On Twitter






In Other Media


  1. Links are submitted by members of the Fark community.

  2. When community members submit a link, they also write a custom headline for the story.

  3. Other Farkers comment on the links. This is the number of comments. Click here to read them.

  4. Click here to submit a link.

Report