So here it is, also for this month, the first part of My Cyber Attacks Timeline covering the first half of September.
Apparently It looks like the wave of the Anonymous attacks that characterized August has stopped. Even if several isolated episodes occurred, their impact was slightly lower than the previous months.
Probably the most important security incident for this month was the Diginotar Hack, not only because the Dutch Certification Authority has been banned forever by the main browsers and OSes but also because all the authentication model based on CAs is under discussion. Moreover once again a cyber attack has been used as a mean of repression. This incident is a turnkey point for information security but in my opinion also the DNS hacks by Anonymous Sri Lanka and Turkguvenligi are noticeable since they reinforce the need for a quick adoption of DNSSEC.
For the first time not even the Linux Operating System (an open world) was immune from hackers: both the Linux Kernel and the Linux Foundation Web Sites were hacked during this month, two episodes that Penguin Lovers will remember for a long time.
Easily predictable an attack recalling 9/11 carried on against the Twitter Account of NBC News was also reported.
Other noticeable events: three huge data breaches were reported, four attacks with political motivations targeting India, Nigeria, Colombia, and the Russia Embassy in London were perpetrated and another security vendor (Panda Security) was indirectly targeted.
The remainder of the month was characterized by many smaller attacks (mostly defacements and data leaks) and an actress (Scarlett Johansson) was also victim of data leaks.
Useful Resources for compiling the table include:
- Cyber War News
- CNET Hackers Chart
- Naked Security
- Office Of Inadequate Security (DataBreaches.net)
- The Hacker News
And my inclusion criteria do not take into consideration simple defacement attacks (unless they are particularly resounding) or small data leaks.
The site of Kernel.org suffered a security breach leading which caused the server to be rooted and 448 credential compromised. Although it is believed that the initial infection started on August the 12th, it was not detected for another 12 days.
|Sep 1||Apple, Symantec, Facebook, Microsoft, etc.
The Sri Lankan branch of Anonymous claims to have hacked into the DNS servers of Symantec, Apple, Facebook, Microsoft, and several other large organizations over the past few days, posting the news and records of its exploits on Pastebin.
|DNS Cache Snoop Poisoning|
||Birdville Independent School District
Two students hack into their school district’s server and accessed a file with 14,500 student names, ID numbers, and social security numbers. Estimated cost of the breach is around $3,000,000.
|Sep 2||Texas Police Chiefs Association
As usual happens on Fridady, Texas Police Chiefs Association Website is hacked by Anonymous for Antisec Operation. Hacker defaced their website and posted 3GB of data in retaliation for the arrests of dozens of alleged Anonymous suspects. According to Hackers the site has been owned for nearly one month.
|Sep 2||EA Game Battlefield Heroes
|Sep 2||vBTEAM Underground
Vbteam.info, the underground vBulletin Hacking website is hacked by “Why So Serious?“, who leaks 1400+ accounts of the Vbteam.info forum in pastebin.
An Indian Hacker named “nomcat” claims to have been able to hack into the Indian Prime Ministers Office Computers and install a Remote Administration Tool) in them. He also Exposes the Vulnerability in Income Tax website and Database Information.
Popular websites including The Register, The Daily Telegraph, UPS, and others fall victim to a DNS hack that has resulted in visitors being redirected to third-party webpages. The authors of the hack, a Turkish group called Turkguvenligi, are not new to similar actions and leave a message declaring this day as World Hackers’ Day.
|Sep 5||Mobile App Network Forum
One of the Sub domain of European Union (Institute for Energy) is hacked and Defaced by Inj3ct0r. Hackers deface the web page, release some internal details and leave a message against Violence in Lybia and Russian influence in Ukraine.
|Sep 5||Cocain Team Hackers||United Nations Sub Domain of Swaziland
United Nations Sub-Domain of Swaziland is hacked and defaced by Cocain Team Hackers.
|Sep 5||Uronimo Mobile Platform
The Uronimo Mobile platform is hacked by Team Inj3ct0r. They leak the web site database and release on Pastebin internal data including Username, Hash Password, emails and Phone Numbers of 1000 users. Estimated Cost of the Breach is $214,000.
|Sep 6||Comodo Hacker
The real extent of the Diginotar breach becomes clear: 531 bogus certificates issued including Google, CIA, Mossad, Tor. Meanwhile in a pastebin message Comodo Hacker states he own four more CAs, among which GlobalSign which precautionally suspends issuance of certificates.
||Beaumont Independent School District
The superintendent of schools for Beaumont Independent School District announces that letters are being mailed to parents of nearly 15,000 of its 19,848 students to inform them of a potential breach of data that occurred recently. Inadvertently, private information including the name, date of birth, gender, social security number, grade and scores on the Texas Assessment of Knowledge and Skills (TAKS) exam of students who were in the third through 11th grades during the 2009-2010 school year–were potentially exposed. Estimated cost of the breach is $3,210,000.
||Stanford Hospital, Palo Alto, Calif.
A medical privacy breach leads to the public posting on a commercial Web site of data for 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., including names and diagnosis codes. The information stayed online for nearly a year from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called Student of Fortune, which allows students to solicit paid assistance with their schoolwork. Estimated Cost of The Breach is $4,280,000.
|Sep 9||Comodo Hacker
After suspending issuing certificates, GlobalSign finds evidence of a breach to the web server hosting the www website. The breached web server has always been isolated from all other infrastructure and is used only to serve the http://www.globalsign.com website.
|| Comodo Hacker
As consequence of the infamous Diginotar Breach Google advises its users in Iran to change their Gmail passwords, and check that their Google accounts have not been compromised. Google also indicates that it is directly contacting users in Iran who may have been hit by a man-in-the-middle attack.
|Man In The Middle|
|Sep 9||NBC News
The NBC News Twitter account is hacked and starts to tweet false reports of a plane attack on ground zero. The account is suspended and restored after few minutes.
|Trojan Keylogger via Email|
Data of up to 800,000 Samsung Card clients may have been compromised after an employee allegedly extracted their personal information. The Breach was discovered on Aug. 25 and reported to police on Aug. 30. It is not clear what kind of information has been leaked, maybe the first two digits of residence numbers, the names, companies and mobile phone numbers were exposed. Estimated cost of the breach is $171,200.000.
||BuyVIP (Amazon Owned)
Although not officially confirmed, BuyVIP users received an e-mail informing that their database had been hacked. Apparently, the website had been offline for a couple days and it looks like that not only names and email addresses were retrieved, but also birth dates, real shipping addresses as well as phone numbers.
Few weeks after the kernel.org Linux archive site suffered a hacker attack, the Linux Foundation has pulled its websites from the web to clean up from a security breach. A notice posted on the Linux Foundation said the entire infrastructure including LinuxFoundation.org, Linux.com, and their subdomains are down for maintenance due to a security breach that was discovered on September 8, 2011.
Anonymous leaks the complete database from a well known nazi website AryansBook.com and posts the content on The Pirate Bay. This is a fight towards racism of any kind.
|0-day exploit in SMF|
||Nigerian Government Website
Nigerian Government Website is hacked and defaced by Brazilian Hackers that leave a message in the main page.
A hacker gains unauthorized access to the card processing systems at Wilderness Waterpark Resort and improperly acquires 40,000 credit card and debit card information. Estimated Cost of the Breach is $8,560,000.
|Sep 12||X-Nerd||Panda Security
Another Security Company Hacked: a hacker going by the name of X-Nerd hacks and defaces the Pakistan Server of a very well known security software website: Panda Security.
||Russian UK Embassy
Just before Prime Minister David Cameron’s first visit to Moscow, the website belonging to the Embassy Of The Russian Federation in London was taken down by hackers. It seems as the attack was launched in sign of protest to the upcoming visit after a 5-year break in which no British leader went to Moscow.
Cyb3rSec dumps a list of 3500+ Accounts from the forum thetvdb.com.
|Sep 14||President of Bolivia (presidencia.gob.bo)
SwichSmoke crew hacks the site belonging to President of Bolivia and dumps the leaked data on pastebin.
||Bright House Networks
Bright House Networks, the sixth largest owner and operator of cable systems in the U.S., has sent a letter to customers warning that they may have been exposed after servers used to process Video on Demand (VOD) were breached.
Also an actress may be victim of hackers: The FBI investigate reports that nude photos of a famous celebrity (allegedely Scarlett Johansson) have been leaked onto the web. The day before Twitter was flooded with messages claiming to link to naked pictures of her, which were allegedly stolen from her iPhone by a hacker earlier this year.
More than 101 sites, with huge amount of data and personal information which ranges from emails, phone numbers, to full names and addresses, have been hacked by an hacker dubbed Stohanko. At this link a list of the hacked sites and the links to dumped data.
As you will probably know my Birthday post for Android Malware has deserved a mention from Engadget and Wired. Easily predictable but not for me, the Engadget link has been flooded by comments posted by Android supporters and adversaries, with possible trolls’ infiltrations, up to the point that the editorial staff has decided to disable comments from the article. The effect has been so surprising that someone has also insinuated, among other things, that I have been paid to talk s**t on the Android.
Now let me get some rest from this August Italian Sun and let me try to explain why I decided to celebrate this strange malware birthday for the Android.
First of all I want to make a thing clear: I currently do own an Android Device, and convinced, where possible, all my relatives and friends to jump on the Android. Moreover I do consider the Google platform an inseparable companion for my professional and personal life.
So what’s wrong? If you scroll the malware list you may easily notice that the malware always require an explicit consent from the user, so at first glance the real risk is the extreme trust that users put in their mobile devices which are not considered “simple” phones (even if smart), but real extensions of their personal and professional life.
You might say that this happens also for traditional devices (such as laptops), but in case of mobile devices there is a huge social and cultural difference: users are not aware to bring on their pocket dual (very soon four) cores mini-PCs and are not used to apply the same attention deserved for their old world traditional devices. Their small display size also make these devices particularly vulnerable to phishing (consider for instance the malware Android.GGTracker).
If we focus on technology instead of culture (not limiting the landscape to mobile) it easy to verify that the activity of developing malware (which nowadays is essentially a cybercrime activity) is a trade off between different factors affecting the potential target which include, at least its level of diffusion and its value for the attacker (in a mobile scenario the value corresponds to the value of the information stored on the device). The intrinsic security model of the target is, at least in my opinion, a secondary factor since the effort to overtake it, is simply commensurate with the value of the potential plunder.
What does this mean in simple words? It means that Android devices are growing exponentially in terms of market shares and are increasingly being used also for business. As a consequence there is a greater audience for the attackers, a greater value for the information stored (belonging to the owner’s personal and professional sphere) and consequently the sum of these factors is inevitably attracting Cybercrooks towards this platform.
Have a look to the chart drawing Google OS Market share in the U.S. (ComScore Data) compared with the number of malware samples in this last year (Data pertaining Market Share for June and July are currently not available):
So far the impact of the threats is low, but what makes the Google Platform so prone to malware? For sure not vulnerabilities: everything with a line of code is vulnerable, and, at least for the moment, a recent study from Symantec has found only 18 vulnerabilities for Google OS against 300 found for iOS (please do no question on the different age of the two OSes I only want to show that vulnerabilities are common and in this context Android is comparable with its main competitor).
Going back to the initial question there are at least three factors which make Android different:
- The application permission model relies too heavily on the user,
- The security policy for the market has proven to be weak,
- The platform too easily allows to install applications from untrusted sources with the sideloading feature.
As far as the first point is concerned: some commenters correctly noticed that apps do not install themselves on their own, but need, at least for the first installation, the explicit user consent. Well I wonder: how many “casual users” in your opinion regularly check permissions during application installation? And, even worse, as far as business users are concerned, the likely targets of cybercrime who consider the device as a mere work tool: do you really think that business users check app permission during installation? Of course a serious organization should avoid the associated risks with a firm device management policy before considering a wide deployment of similar devices, most of all among CxOs; but unfortunately we live in an imperfect world and too much often fashion and trends are faster (and stronger) than Security Policies and also make the device to be used principally for other things than its business primary role, hugely increasing risks.
This point is a serious security concern, as a matter of fact many security vendors (in my opinion the security industry is in delay in this context) offer Device Management Solution aimed to complete the native Application Access Control model. Besides it is not a coincidence that some rumors claim that Google is going to modify (enhance) the app permission security process.
As far as the second point is concerned (Android Market security policy), after the DroidDream affair, (and the following fake security update), it is clear that the Android Market Publishing (and Security) model needs to be modified, making it more similar to the App Store. There are several proposals in this context, of course in this place is not my intention to question on them but only to stress that the issue is real.
Last but not least Sideloading is something that makes Android very different from other platforms (read Apple), Apple devices do not allow to install untrusted apps unless you do not Jailbreak the devices. Android simply needs the user to flag an option (By The Way many vendors are opening their Android devices to root or alternate ROMs, consider for instance LG which in Italy does not invalidate the Warranty for rooted devices) or HTC which, on May 27, stated they will no longer have been locking the bootloaders on their devices.
So definitively the three above factors (together with the growing market shares) make Android more appealing for malware developers and this is not due to an intrinsic weakness of the platform rather than a security platform model which is mainly driven by the user and not locked by Manufacturer as it happens in case of Cupertino.
This awful infosec July is over, and finally we can sum up the Cyber Attacks reported during this month. I collected all the available information and inserted it inside the following chart. Where possible (that is enough information available) I tried to estimate the cost of the attacks using the indications from the Ponemon’s insitute according to which the average cost of a Data Breach is US $214 for each compromised record. The total sum (for the known attacks) is around $7.6 billion, mainly due to the “National Data Breach” of the South Korean Social Network Cyworld.
Approximately 16 attacks were directly or indirectly related to Antisec or Anonymous, they promised an hot summer and unfortunately are keeping their word…
Useful resources for compiling the (very long) chart were taken from:
- 2011 Cyber Attacks (and Cyber Costs) Timeline (Updated) (paulsparrows.wordpress.com)
- 2011 CyberAttacks Timeline (paulsparrows.wordpress.com)
- 50 Days of Hunt (paulsparrows.wordpress.com)
- LulzSec hacking: a timeline (telegraph.co.uk)
- Anonymous Denies Paternity For the CNAIPIC Hack (paulsparrows.wordpress.com)
It looks like that the Perfidious Albion is not what one should exactly define a Paradise for Mobile Security. Not only the echoes of the Scandal concerning “voicemail hacking” led the infamous tabloid News Of the World to close on Sunday, the 10th of July 2011, and Rebekah Brooks to resign as CEO of News International today; but also the flow of events has unexpectedly brought mobile security issues to the attention of a wider audience, no more confined to the sole and exclusive attention of information security professionals.
This is partially due to the relative easiness in implementing similar hacking techniques in mobile communications, which is raising doubts and misgivings in many other countries. As a matter of fact, as actually happened, voicemail hacking is relatively easy to implement and is based, as usual, on two factors:
- From the user perspective, on the poor attention for default (in)security settings;
- From the operator perspective, on the necessary trade-off between security, user experience, and convenience, (almost) always favoring the latter, which turns out not to be an optimal choice from a security perspective.
A lethal mix wich may be quite easily exploited by a balanced blend made of (little) hacking and (a lot of) social engineering. At this link a really complete and interesting description very helpful to understand how relatively easy is to perform voicemail hacking with some U.K. operators (but keep in mind that procedures vary from Operator to Operator). Accorrding to the above quoted article, in theory, it is possible to elude the meshes of the security procedures of the operators, simply calling the voicemail of the victim impersonating the legitimate user, claiming to have forgotten the PIN and voila, that’s it!
Voicemail hacking does not need further components, but unfortunately is not the only issue that may happen: in theory entire conversations may be hijacked (and unfortunately it is something we are quite familiar to, here in Italy). The Security Process of a phone conversations is an end-to-end chain, inside which technology is only a component, and the human factor is the weakest link. In this context weak means leak so that often it happens that some information that should not be disclosed are delivered to media (even if irrelevant to any ongoing investigations) with devastating aftermaths for investigations themselves and for victims’ privacy.
The scenario is further complicated with the new generation of smartphones, where technology (and the ongoing process of Consumerization of Information Technology) leaves virtually no limits to the imagination of attackers: not only voicemail hacking, but also mobile malware (a threat which does not need the unintended cooperation of the Operator) capable of extracting any information from devices. The dramatic events in U.K. involved using stolen data for squalid journalistic purposes, but, since mobile devices are nowadays indispensable companions of our everyday lives, nothing prevents, in theory, to use the same or different methods to steal other kinds of information such as confidential data, banking transaction identifiers, etc… Do you really need a confirm? For instance the recent evolution of the Infamous ZiTMo mobile malware that has just landed on Android (the continuing metamorphosis of this malware is really meaningful: born on the Windows platform, it has rapidly spread on Windows CE, Symbian, and now, last but not least, Android). Since it is expected that 5.6% of iPhones/Android handsets is going to be infected in the next 12 months, there is much to worry. In this context what happened in U.K. may constitute a dangerous precedent and a dramatic source of inspiration for organized cybercrime.
Fears that similar occurrences could happen in other countries are rapidly spreading. As a consequence some countries are moving fast to prevent them.
In the U.S., in wake of U.K. Hacking, Representative Mary Bono Mack, a California Republican who chairs the House subcommittee on commerce, manufacturing and trade, is contacting handset manufacturer companies including Apple, Google, Research in Motion, and wireless companies as well, such as AT&T, Verizon Wireless and Sprint Nextel, to determine if there are any vulnerabilities in cell phones or mobile devices which can be exploited by criminals and other unscrupulous individuals. Clearly the final target is to prevent similar events from ever happening in the United States.
For the Chronicle, on June 13 Bono Mack released draft legislation which aims to tighten data security for companies victims of data breaches. Under the proposal, companies that experience a breach that exposes consumer data would have 48 hours to contact law enforcement agencies and begin assessing the potential damage.
Immediately after U.S. Attorney General Eric Holder is considering investigation into News Corp. for the same reson.
Anyway U.S. is not the only country worried about, as similar concerns are raising in Canada, and I may easily imagine that other countries will soon deal the same stuff.
A final curious notice: a further confirm that U.K. is not the paradise for mobile security came this morning when I stumbled upon this wiki which happily shows how to hack a Vodafone femto cell (just released to public) in order to, among the other things, intercept traffic, perform call frauds (place calls or send SMS on on behalf of somebody else SIM card).
The best (or the worst, it depends on the points of view) is yet to come…
- How not to get your phone hacked (blogs.journalism.co.uk)
- Hacking into U.S., U.K. phones easier than in Canada, but remain wary (canada.com)
- Lawmakers Question Cell Phone Privacy In Wake Of Hacking Scandal (techdailydose.nationaljournal.com)
The Apple and the Android (almost) never agree in anything, but the issue of the Location Tracking has done the miracle and if there is one only point that Cupertino and Mountain View have in common, it is just the bad habit to track user’s position without his/her knowledge.
After the well known issue of iPhone hidden (so to say) location tracking, Wired was able to discover why Apple devices collect these kind od data, unleashing 13-page letter sent by Apple’s general counsel Bruce Sewell in July 2010, explaining its location-data-collection techniques. The letter was written in response to a request from Congressmen Joe Barton and Edward Markey asking for Apple to disclose such practices (Incidentally, Markey authored the “Do Not Track” bill to stop online companies from tracking children).
Although no comment so far has arrived from Apple, I was disappointed in discovering, from a Cisco Blog Post, dealing with the same argument, that a similar
bad habit collection has been detected for Google’s Android (at least the Android needs the root permission to grab the data).
In both cases the alleged main purpose of this data collection is to provide better location services. Instead my feeling is that the main benefit in this situation is not for the user, but for the marketing and/or advertising agencies which could come in possession of the data.
Interesting to notice the iPhone 3GS Software License Agreement states that:
By using any location-based services on your iPhone, you agree and consent to Apple’s and its partners’ licensees’ transmission, collection, maintenance, processing and use of your location data to provide such products and services.
Location data – Google offers location-enabled services, such as Google Maps and Latitude. If you use those services, Google may receive information about your actual location (such as GPS signals sent by a mobile device) or information that can be used to approximate a location (such as a cell ID).
Until now, nothing special, except the fact that Latitude asks for the user’s consent to share the data with the other, which, if I am not wrong, does not occurr for Google Maps. But the interesting point come a some lines below:
In addition to the above, we may use the information we collect to:
- Provide, maintain, protect, and improve our services (including advertising services) and develop new services; and
- Protect the rights or property of Google or our users.
Meanwhile Minnesota Senator Al Franken and the attorney general of Illinois are separately pressing Apple and Google to provide more information about the location data they collect about their end users…
- Lawmakers quiz Apple, Google about location tracking (infoworld.com)
- Grab Your Data? There’s An App For That! (paulsparrows.wordpress.com)
- IPhone Stored Location Even if Disabled (online.wsj.com)
- Apple, Google Collect User Data (online.wsj.com)
- iPhone Location Tracking: Important, Even if it Doesn’t Matter to You (blogs.cisco.com)
The news of the day is undoubtedly the discovery that Apple devices are a bit ‘too nosy’ and regularly record the position of the device into a hidden (!!) unencrypted and unprotected file.
The unwelcome and serendipitous discovery, which was announced today at Where 2.0, has been performed by two researchers, Alasdair Allan and Pete Warden, while they were working on a project concerning visualization of Mobile Data. It looks like this unrequested feature has been introduced since the arrival of iOS 4.0 and allows the locations and their relative time stamps to be written on an easily accessible file on the device and, even worse, backed up on every PC the device has been synchronized with.
Even if the purpose of the file is unknown (at least so far), and would be appropriate to wait a reply from Apple (if any) before coming to any conclusion, this event, once again, brings to the fore privacy issues for mobile devices, strictly related to the security model for these devices, and, more in general, to the cultural approach and revolution users must face (and get used to) when dealing with mobile technologies.
For sure the main issue here is the lack of respect by Cupertino towards the users (customers?). We know that this is not the first time that a mobile applications attracts criticism for the use of private data (think for instance to the affair of Google Latitude). In the case of Apple Equipment (differently from the creature of Google) the user may not explicitly approve the sharing (would be better to say the tracking since there is no evidence of sharing so far) of his data. But even if we do not consider the ethic point of view, from a security perspective the event has a devastating impact: if the file containing the data may be easily accessed, this means that, in case of theft, could be quite easy, for a malicious user, to grab the data and reconstruct the habits of the users. If we think, for instance, to industrial espionage, this occurence has a dramatic consequence enhanced by the evidence that this kind of devices are often used by CxOs. (Who are the most targeted by the risks of consumerization of IT, of which this is yet another example).
Moreover, in most circumstances I discussed the risks of geolocation (and its correlation with users’ habits) and the importance that this data could have if massively stolen (for instance by mean of a Mobile Botnet) by Cybercrooks and conveyed to a C&C Server. In a similar scenario bad guys capable of stealing such a similar amount of data would have no difficulty at all to organize an auction “to the death” between hungry marketing agencies, which would pay gold to put their hand on them. I must admit that the thought that these “bad boys” could be just the manufacturers of my iPhone (luckily I own an Android) does not make me feel very comfortable. This situation is also paradoxical: many security vendors offer privacy advisors for (other) mobile platforms, but the evidence that one user should defend his privacy from the manufacturer itself sounds absurd and frustrating. Of course I continue to repeat that it is better to wait for an Apple official reply, but, honestly speaking the fact that these data are only available for devices provided with a cellular plan, sounds very strange.
Meanwhile, if you want to know more and enjoy (I hope so) to verify where have you been since you bought your brand new iToy, you may have a really interesting look at this link where the authors of the discovery posted an app to unleash the file and graphically map the positions.
Last but not least, there is no evidece (so far), of a similar “Feature” on the Droids.
On the other hand, these are tough times for the privacy of smartphones owners. As a matter of fact, quite curiously, today another, apparently unrelated, piece of news coming from the opposite site of the Ocean caught my attention. It concerns Michigan State Police, which has been using data extraction tools to collect information from the cell phones of motorists detained for minor traffic infractions. This has been possible by mean of Cellebrite, a mobile Forensics Tool capable to perform:
“Complete extraction of existing, hidden, and deleted phone data, including call history, text messages, contacts, images, and geotags. The Physical Analyzer allows visualization of both existing and deleted locations on Google Earth. In addition, location information from GPS devices and image geotags can be mapped on Google Maps,”
Even if the latter issue raises the question concerning to what extent the law can go when facing privacy of the citizens, the two news have in common the (mis)use of mobile data and I could not help but thinking that mobile data are continuously under attack and users should consequently consider carefully the usage of their devices (this is the reason why I used the term of cultural revolution).
Who knows, maybe Michigan State Police hoped to make further fines for speeding after detaining the motorists by tracking GPS position and timestamps. Probably if they had known the existence of the above mentioned feature of iOS, they would have avoided to buy the software and grab directly the data… At least for iOS 4 users…
ComScore has just published its Press Release related to February 2011 U.S. Mobile Subscriber Market Share. 69.5 million people in the U.S. owned smartphones during the three months ending in February 2011, up 13 % from the preceding period. As we have become accustomed to a few months, the Android is still on the top, earning 7 percentage points since November 2010, achieving a 33% market share. RIM ranked second with 28.9 percent market share, followed by Apple with 25.2 percent. Microsoft (7.7 %) and Palm (2.8 %) rounded out the top five.
|Top Smartphone Platforms:
3 Month Avg. Ending Feb. 2011 vs. 3 Month Avg. Ending Nov. 2010
Total U.S. Smartphone Subscribers Ages 13+
Source: comScore MobiLens
|Share (%) of Smartphone Subscribers|
|Total Smartphone Subscribers||100.0%||100.0%||N/A|
Considering the market share on a per-vendor base, provides a different interpretation, and explains some strategic mobile choices of the Mountain View giant. Among the OEM, Samsung ranked at the #1 with 24.8% of U.S. mobile subscribers, up 0.3 percentage points from the previous three month period. LG ranked #2 with 20.9 percent share, followed by Motorola (16.1 %) and RIM (8.6 percent). Apple saw the strongest gain, up 0.9 percentage points to account for 7.5 percent of subscribers.
|Top Mobile OEMs
3 Month Avg. Ending Feb. 2011 vs. 3 Month Avg. Ending Nov. 2010
Total U.S. Mobile Subscribers Ages 13+
Source: comScore MobiLens
|Share (%) of Mobile Subscribers|
|Total Mobile Subscribers||100.0%||100.0%||N/A|
I am not new to this kind of considerations (already faced in a previous post in Italian), but it is clear that the Android Landscape is becoming a little bit too much fragmented, and this risks to be a serious issue for the Android, both in terms of consumers’ perception, both in terms of security. As far as the consumer perception is concerned: many vendors are pushing more and more customizations not only on their own Android ROMs, but even on the services provided to consumer (read vendor-dedicated markets and services). This sounds confusing for the consumer who will inevitably ask why should he consider, inside the same platform, different parameters of choice external to the mere features of the devices (and how they map to consumer’s need). Not to mention also the tragedy of software updates: a new major release of the Android may take also one year to be ported in some devices, because of the wide customizations made by the manufacturers on their smartphones.
As far as security considerations are concerned, customization affects platform (in)stability and, inevitably security, if it is true that the same code must be adapted to run on different architectures, and security bugs are always behind the door.
These factors are probably behind the rumors claiming that Google has been demanding that Android licensees abide by “non-fragmentation clauses” that give Google the final say on how they can tweak the Android code, to make new interfaces and add services, and also behind the (not confirmed) rumors of standardizing the ARM Chip for Android 3.0. If we sum up these rumors with the fact the Mountain View will not (at least initially) release the Honeycomb Source Code, it looks clear that Google is running for cover in order to stem the excessive number of fragments in which OEM vendors are reducing its precious Android.
The Android is winning the market share battle against Apple and RIM, and forecasts for the next years show a bright future for the Android, destined to achieve nearly the half of the market in 2015. So far the Mountain View Strategy has shown to be winning, but the only obstacle, in this triumphant ride, could by represented by fragmentation, which might drive consumers to the monolithic models of Cupertino and Waterloo.
Si è da poco conclusa la Cansecwest, che ha ospitato al suo interno l’annuale contest Pwn2Own 2011, la sfida sponsorizzata da Tipping Point (ormai entrata nell’orbita del Titano HP) rivolta a trovare exploit nei browser e sistemi operativi mobili più diffusi.
La Mela e la Mora ne escono con le ossa rotte (anzi sarebbe meglio dire sbucciate ben bene), visto che entrambe sono state vittima di un exploit che ha consentito di sottrarre illecitamente la rubrica sia dal Melafonino che dal Morafonino (in realtà in questo secondo caso gli autori dell’exploit sono riusciti anche a scrivere un file a dimostrazione della possibilità di poter eseguire codice arbitrario).
Alla radice dell’exploit, la stessa vulnerabilità, basata sul medesimo motore di rendering utilizzato, quel Webkit che costituisce anche il cuore di Chrome, Browser di casa Google, e per il quale la casa di Mountain View, illibata al Pwn2Own (grazie agli ultimi aggiornamenti pre-contest) ha già furbescamente rilasciato una
pezza patch che rende vano il tentativo di exploit nei suoi confronti. Per inciso la stessa vulnerabilità ha causato il crollo di Safari durante la stessa manifestazione.
Nel caso della Mela, l’exploit è stato realizzato da un veterano del settore, quel Charlie Miller, già protagonista delle edizioni 2008 e 2009 rispettivamente per aver scovato il primo exploit sul MacBook Air e su Safari. Quest’anno, in collaborazione con Dion Blazakis, il ricercatore si è portato a casa i 15.000 dollari del premio grazie alla sottrazione illecita della rubrica dell’iPhone ottenuta guidando il browser del Melafonino verso un sito creato allo scopo. L’exploit funziona sulla versione 4.2.1 dell’iOS che è stata messa sotto torchio durante il Pwn2Own ma non funziona sulla neonata versione 4.3. Non fatevi tuttavia troppe illusioni: il bug è ancora presente, ma l’utilizzo dell’ASLR (Address Space Layout Randomization) rende la vita complicata agli hacker ed in questo caso invalida l’exploit.
Apparentemente più serio il caso del Lampone di RIM: in questo caso l’exploit è stato (è proprio il caso di dire) messo a frutto da Vincenzo Iozzo, Willem Pinckaers e Ralf Philipp Weinmann che si sono portati a casa il premio messo in palio da
Tipping Point HP. In particolare il primo e il terzo non sono nuovi a imprese del genere, in quanto si aggiudicarono il premio nell’edizione del 2010 riuscendo ad effettuare l’hack dell’iPhone.
Vulnerabilità simile, tipologia di attacco simile: anche in questo caso il team di ricercatori ha realizzato il trappolone mediante una pagina web costruita allo scopo che ha iniettato l’exploit nel Browser interno. Oltre a copiare la lista dei contatti ed alcune immagini dal dispositivo, i ricercatori hanni anno anche scritto un file sul dispositivo per dimostrare la possibilità di eseguire codice.
L’attacco ha una rilevanza particolare poiché, sebbene il Blackberry non disponga di funzioni di sicurezza quali il DEP (Data Execution Prevention) e il già citato ASLR, non esiste documentazione pubblica sugli internal del sistema operativo di RIM e questo aspetto ha costretto i ricercatori ad agire mediante approssimazioni successive, concatenando una serie di bachi. Per ammissione degli stessi ricercatori in questo caso il modello di Security Through Obscurity di RIM ha complicato, e anche non poco, la creazione dell’exploit.
L’attacco ha avuto successo con la versione software 22.214.171.124 (interessa quindi tutti gli ultimi dispositivi), e sembra che l’ultima patch rilasciata non sia stata risolutiva. All’infausto evento ha assistito in diretta il security response team di RIM. Immediatamente dopo il responsabile, Adrian Stone ha indicato che la compagnia lavorerà fianco a fianco con gli organizzatori del contest per verificare che le vulnerabilità siano presenti anche nelle ultime versioni del firmware.
“It happens. It’s not what you want but there’s no such thing as zero code defects,”
E’ stato il laconico commento di Stone.
Per una volta quindi il protagonista in negativo non è l’Androide che esce inviolato dal Contest. Anche se in realtà deve essere considerato il fatto, già discusso in queste pagine, che la stessa vulnerabilità era già stata riscontrata per l’Androide (ed utilizzata per costruire una vulnerabilità nel market) e subito patchata grazie all’ammissione del suo scopritore Jon Oberheide che ha così rinunciato a 15.000 bucks.