10mm-Auto

Anything But Guns => Off topic area => Topic started by: harrygunner on August 09 2012 06:26:07 PM MDT

Title: Guys "digital life" wiped out.
Post by: harrygunner on August 09 2012 06:26:07 PM MDT
Good read. Most website designers are not very good at security. Yet, some people place valuable data in their hands.

http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/

Be extra careful if you have an AppleID or other kinds of ID and "single password" access.
Title: Re: Guys "digital life" wiped out.
Post by: sqlbullet on August 10 2012 07:47:26 AM MDT
And this is why I hate single sign-on.  And why most places I have different passwords for the accounts.

Yes, it is a small pain to keep track of, but that is indeed a small pain versus having to deal with this.

Of course, I eschew twitter, facebook, google+ and social networking in general.  And, I keep things on the cloud only for convenience, and regularly back them up to local storage.  So, my digital life, compared to the author's, is non-existent.
Title: Re: Guys "digital life" wiped out.
Post by: Vice on September 05 2012 12:22:35 PM MDT
Definitely a good read.  But boy do I feel like an ignorant dumb ass.  :-[
Title: Re: Guys "digital life" wiped out.
Post by: EdMc on September 05 2012 02:40:30 PM MDT
Quote from: Vice on September 05 2012 12:22:35 PM MDT
Definitely a good read.  But boy do I feel like an ignorant dumb ass.  :-[

Don't feel alone.......only my ignorance saves me. ;D I can barely operate my cell phone much less all the stuff this guy has had breached.
Title: Re: Guys "digital life" wiped out.
Post by: REDLINE on September 06 2012 01:26:31 AM MDT
Just read the whole article.  I wish I could say I'm surprised.  Not much surprises me anymore.  Sad though it is.  Clearly, even in this day and age, others' privacy is not taken anywhere near seriously enough.  I believe it's because of greed (and control if you want to bring governments into the mix) getting in the way of caring.  Companies like Apple care much more about their next sale than our privacy.

It's a crazy world out there!  Good Luck to all. 
Title: Re: Guys "digital life" wiped out.
Post by: Vice on September 06 2012 11:01:01 PM MDT
Quote from: EdMc on September 05 2012 02:40:30 PM MDT
Quote from: Vice on September 05 2012 12:22:35 PM MDT
Definitely a good read.  But boy do I feel like an ignorant dumb ass.  :-[

Don't feel alone.......only my ignorance saves me. ;D I can barely operate my cell phone much less all the stuff this guy has had breached.

Talk about cell phones - mine got so complicated I couldn't figure out how to place a call.  So I got a NEW phone.



Title: Re: Guys "digital life" wiped out.
Post by: Vice on September 06 2012 11:03:31 PM MDT
Quote from: REDLINE on September 06 2012 01:26:31 AM MDT
Just read the whole article.  I wish I could say I'm surprised.  Not much surprises me anymore.  Sad though it is.  Clearly, even in this day and age, others' privacy is not taken anywhere near seriously enough.  I believe it's because of greed (and control if you want to bring governments into the mix) getting in the way of caring.  Companies like Apple care much more about their next sale than our privacy.

It's a crazy world out there!  Good Luck to all.


I DID read the Whole article!  It was very informative.   I was left with wanting more.
Title: Re: Guys "digital life" wiped out.
Post by: REDLINE on September 07 2012 08:07:44 AM MDT
Quote from: Vice on September 06 2012 11:01:01 PM MDT
Quote from: EdMc on September 05 2012 02:40:30 PM MDT
Quote from: Vice on September 05 2012 12:22:35 PM MDT
Definitely a good read.  But boy do I feel like an ignorant dumb ass.  :-[

Don't feel alone.......only my ignorance saves me. ;D I can barely operate my cell phone much less all the stuff this guy has had breached.

Talk about cell phones - mine got so complicated I couldn't figure out how to place a call.  So I got a NEW phone.

LOL!  I dumped cell phones completely a couple years ago.  It was around the time I began wondering why I had it in the first place.  Seems my landline phone works just fine.  As for using the cell phones as "computers" too....seems my laptop works just fine too.  Getting rid of the cell freed up a good amount of cash for other stuff like reloading equipment and supplies.  Technically I do have a cell phone provided by my boss.  It maybe gets used 3-4 times a week at best, but that's specifically work related, and I don't pay the bill.
Title: Guys "digital life" wiped out.
Post by: Bro KV on September 07 2012 08:22:12 AM MDT
Quote from: REDLINE on September 07 2012 08:07:44 AM MDT
Quote from: Vice on September 06 2012 11:01:01 PM MDT
Quote from: EdMc on September 05 2012 02:40:30 PM MDT
Quote from: Vice on September 05 2012 12:22:35 PM MDT
Definitely a good read.  But boy do I feel like an ignorant dumb ass.  :-[

Don't feel alone.......only my ignorance saves me. ;D I can barely operate my cell phone much less all the stuff this guy has had breached.

Talk about cell phones - mine got so complicated I couldn't figure out how to place a call.  So I got a NEW phone.

LOL!  I dumped cell phones completely a couple years ago.  It was around the time I began wondering why I had it in the first place.  Seems my landline phone works just fine.  As for using the cell phones as "computers" too....seems my laptop works just fine too.  Getting rid of the cell freed up a good amount of cash for other stuff like reloading equipment and supplies.  Technically I do have a cell phone provided by my boss.  It maybe gets used 3-4 times a week at best, but that's specifically work related, and I don't pay the bill.

Dude, I wish I could dump my cell bill. I pay $185 a month and that's AFTER my 21% discount through my job. We have five lines for me, wife and kids.

I will say that I love my iPhone and I don't even use my laptop or desktop anymore. But I could have almost 200 extra for gun stuff a month.
Title: Re: Guys "digital life" wiped out.
Post by: REDLINE on September 07 2012 09:04:23 AM MDT
Yeah, back about 3 years ago, and for a few years before that, I was paying a hair over $100 a month and I never had anything fancy like an iPhone.  And all this cost we speak of for monthly bills doesn't even include figuring in the cost of the phones.  Especially the cost of the phones today.  As Uncle Ted would say;  Are you kidding me?!?  I do understand how many people depending on their walk of life simply can't be without them though too.  I'm glad for you that you get the discount you do through your work, and it's still a lot of money.  Well, a lot of money to me anyway. :D
Title: Re: Guys "digital life" wiped out.
Post by: Vice on September 09 2012 11:07:44 AM MDT
As much as I dislike cell phones and email, I LOVE my iPhone.  It has changed the way I operate.
Title: Re: Guys "digital life" wiped out.
Post by: harrygunner on September 09 2012 10:33:53 PM MDT
Guessing my online account info might be difficult. I view user IDs and security questions like I view pass phrases. Each account has different access info. They are random and completely unrelated to me or the questions asked. For example, rather than the high school I graduated from, I'll enter random word fragments and numbers I commit to memory or record in encrypted files. Same with user IDs. Linux has a program called 'mkpasswd' that calls a secure random number generator to create character sequences.

Up until a little over a week ago, I only used "dumb" phones, the ones that make phone calls. 8)  I was aware of security issues with computing devices and didn't want one unless I could tighten security on a "smart" phone like I do my laptops.  But, my last dumb phone crashed, so I bought a Samsung Android phone.

Since the Android operating system is based on Linux, I figured I can figure out how to configure the OS to beef up security. Right now, Wi-Fi, GPS, Google services, and just about everything not needed to make phone calls is turned off.  Downloaded/compiled some programs to access the phone via the USB cable from this Linux laptop. Downloaded the Android source tree ( http://source.android.com/source/downloading.html ).  Will take the time later to understand what rooting a phone really is and what it will allow me to do. I know a guy who works on phone firmware to see what he thinks.

The NSA provided a description of their secure Android setup. A lot of their approach involves avoiding public Internet access to the phones by using a VPN tunnel to their computers hosting VOIP services. I've thought about adding a virtual machine to one of my company's servers so I can VPN to a secured proxy running on that VM. Then, limit incoming/outgoing Internet traffic on the phone to the IP address of the secured VM.

Maybe I'll describe what I do to secure my Linux laptops in another thread, if anyone is interested.
Title: Re: Guys "digital life" wiped out.
Post by: sqlbullet on September 10 2012 08:15:49 AM MDT
harrygunner, you might check this out.  Rooting android from Linux (or BSD/OS X) is not well documented.  This is one of the better tutorials I have found:

http://www.cypherpunk.at/2011/10/08/manual-rooting-android-on-linux-2/
Title: Re: Guys "digital life" wiped out.
Post by: harrygunner on September 10 2012 02:06:05 PM MDT
'sqlbullet' Thanks for the link. I'm checking out the adblinux executable that runs on Linux from your link.

It's not really a phone anymore. It's a computer with telecom functions. Has a multi-core CPU and plenty of storage space. One can even install Ubuntu on it and use it as a PC. Someone needs to make a combination small flat screen monitor/foldable keyboard that uses a single USB connection. Then, the smartphone can be a part time tablet.

I'm going to see if I can archive the firmware that's on the device so I can recover if need be.  I archive the drive of a new laptop, mirroring the entire disk right after unpacking it. I booted off a KNOPPIX 6.7 CD, mounted an external USB drive and ran:

dd if=/dev/sda bs=4M conv=notrunc,noerror | gzip -c - > /media/sdb1/laptop_diskimage.gz

The fresh 640G disk compressed to 40G. If the laptop is incompatible with Linux or defective in some way, I can set the drive back to "store bought new".

Looks like people are hosting pre-rooted firmware as well as non-rooted original firmware.  All this could be fun.

-----

Starting to like the VPN idea for the phone.  I access Internet through a proxy inside a SSL tunnel from my laptop all the time. Traffic between the phone and the proxy could be compressed. So one can surf more before hitting a limit or having the phone provider throttle back access speed.

Hot spots are dangerous places. A bad guy in the cafe can put his wireless NIC card into 'Monitor' mode and capture packets  from other users.  I know it can be done. An older lady wanted to know her wireless access password. But her adult son, who configured the router was out of the country. To help her, I did that and captured packets to my laptop from her laptop while she surfed. Fortunately, she was using WEP and a program I downloaded quickly recovered the router password.

So, being able to tunnel to a safe server is important.

Title: Re: Guys "digital life" wiped out.
Post by: sqlbullet on September 10 2012 04:10:05 PM MDT
Or avoid using hotspots/WIFI.  I am grandfathered in on unlimited data on my phone, so I don't even turn Wifi on. I hadn't considered tunneling back to home and then routing all traffic over the tunnel...And probably won't since the 4g on my phone is far faster than the DSL at my house.

Sucks to live in a city that won't get on the fiber bandwagon.  Friends in other nearby towns have 40 meg connections both ways for half what I pay for 7/1.5 dsl.
Title: Re: Guys "digital life" wiped out.
Post by: harrygunner on October 04 2012 09:03:27 PM MDT
I'm securing my phone for obvious reasons, then there's the fun. Smart phones are not very useful to me, but now that I have one, might as well play with it. I didn't sign up for an Internet plan, but I can still get to the Web over wireless. I don't expect to be using phone to access the 'net much. But, I can check email from a coffee shop if I don't have my laptop.

I installed a stripped down version of 64 bit Linux onto a virtual machine (VM). Used OpenSwan for the VPN and 'tinyproxy' for the proxy. The VM will be hosted on a Linux OS using KVM. But, one could create the functional equivalent within a Windows environment. (I don't do Windows, so haven't worried how.)

Took some interesting tweaking since I didn't load the X Window System or any GUI onto it. Had to configure a serial tty by hand for me to log onto it when needed.

I went to the trouble since my Android "smart phone" has a VPN client program. It's simpler to set up SSH proxy, but haven't rooted the phone yet.

Essentially, any Wi-Fi Internet or Wi-Fi phone calls will be tunneled to the VM proxy before entering the Web, bypassing potential hot spot lurkers.

I bought a 64GB microSD since I'm considering dual booting and installing a secure Android OS on the microSD.

Our friendly government agency, the NSA, has provided some help, similar to the help of SELinux for the Linux OS. http://selinuxproject.org/page/SEAndroid

Maybe after all this, I can have a phone only I am using.   :D
Title: Re: Guys "digital life" wiped out.
Post by: REDLINE on October 05 2012 11:02:13 AM MDT
Quote from: harrygunner on October 04 2012 09:03:27 PM MDT
I'm securing my phone for obvious reasons, then there's the fun. Smart phones are not very useful to me, but now that I have one, might as well play with it. I didn't sign up for an Internet plan, but I can still get to the Web over wireless. I don't expect to be using phone to access the 'net much. But, I can check email from a coffee shop if I don't have my laptop.

I installed a stripped down version of 64 bit Linux onto a virtual machine (VM). Used OpenSwan for the VPN and 'tinyproxy' for the proxy. The VM will be hosted on a Linux OS using KVM. But, one could create the functional equivalent within a Windows environment. (I don't do Windows, so haven't worried how.)

Took some interesting tweaking since I didn't load the X Window System or any GUI onto it. Had to configure a serial tty by hand for me to log onto it when needed.

I went to the trouble since my Android "smart phone" has a VPN client program. It's simpler to set up SSH proxy, but haven't rooted the phone yet.

Essentially, any Wi-Fi Internet or Wi-Fi phone calls will be tunneled to the VM proxy before entering the Web, bypassing potential hot spot lurkers.

I bought a 64GB microSD since I'm considering dual booting and installing a secure Android OS on the microSD.

Our friendly government agency, the NSA, has provided some help, similar to the help of SELinux for the Linux OS. http://selinuxproject.org/page/SEAndroid

Maybe after all this, I can have a phone only I am using.   :D

Wish I had a mind for even just half of what you said there.  Other than that I think I can say;  Great Job! :D
Title: Re: Guys "digital life" wiped out.
Post by: harrygunner on October 05 2012 02:43:38 PM MDT
There needs to be a simple way to armor smart phones. They are insecure, yet can offer up a lot of information to the unscrupulous.

People download "apps" without understanding what they might be doing. Recently both presidential candidates offered campaign apps to constituents. Those apps were capturing phone contacts and GPS coordinates and uploading the information. Probably the same company created both versions of the app (with different looks and logos). Keystroke loggers in apps are a serious problem.

Until being recently outed, several phone companies issued phones with an app from a company called CarrierIQ. That app uploaded user data to the phone companies. That fact was known, but it continued until CNN wrote about it. Innocent or not, customers weren't notified and it caused a scandal.
   
Some people think NFC is cool, not realizing strangers in a crowd can transfer nefarious code to other phones and capture info off their phones. (Related, but similar, I fell off my chair when a friend told me her credit card has an NFC chip in it. Shows how common it is to completely disregard customer data security.)
   
I've heard people say they do on-line banking from their phones. Healthcare providers access patient info from such phones.

Nothing new. New tech, new opportunities for crooks.

Title: Re: Guys "digital life" wiped out.
Post by: The_Shadow on October 05 2012 02:53:55 PM MDT
Yes indeed, too many unknown things being transferred electronically without the user even knowing or being educated by the product designers or applications being used.  Although some features can be disabled, some cannot!  ???

Just look at the spam e-mail and phone calls that find their way to your computers and phones.
Title: Re: Guys "digital life" wiped out.
Post by: harrygunner on November 02 2012 02:27:43 PM MDT
A good percentage of Google hosted 'apps' are gathering personal information.

http://www.darkreading.com/mobile-security/167901113/security/privacy/240012705/more-than-25-of-android-apps-know-too-much-about-you.html

Title: Re: Guys "digital life" wiped out.
Post by: harrygunner on January 20 2013 11:27:31 PM MST
I have trouble judging the level of difficulty some might ascribe to this, but I wanted to present the high points of my VPN+proxy virtual machine (VM) I use to tunnel traffic from my "smart phone".

If anyone starts this project and has questions, I'll answer them as best I can.

One could run a virtual machine on a Windows box at their home if they have a static IP address. Once a connection is made to a hot spot at a cafe or hotel, traffic is tunneled between the phone (or laptop) and your home Internet access. This thwarts the people sitting, sipping coffee while capturing packets from other people using the hot spot.

The bottom line, I have a virtual IP address that shows up on my phone or laptop to access the proxy on the VM. The VPN carries the traffic between my devices and the VM's virtual network. Then, the proxy carries traffic between the VM's virtual network and the Internet.

I'm a Linux guy, so I built a small VM from a Redhat Enterprise clone OS. I used to use CentOS, but when they had a significant lag behind Redhat, I moved to Scientific Linux. (CentOS has caught up and stayed current since then.)

I went with Linux KVM as the virtual host, but VirtualBox or VMware are easier to use to build a VM. VMware Player and VirtualBox are free.

There was no need for a GUI or many services, so I made a fairly basic installation. (However, you may want a GUI if you don't use a serial console to log into the VM.) I always make /home, /tmp and /var/tmp separate partitions so I can have them mounted in a way where no programs can run on them (noexec, nosuid, nodev to defeat some malware methods).

The two main services running on the VM are OpenVPN and tinyproxy. 'tinyproxy' is all I need since I only built access to phones owned by my immediate family. No need to cache sites, etc. OpenVPN is more straightforward to configure than OpenSwan. There are plenty of OpenVPN client phone apps. (For my laptop, I installed OpenVPN and configured it as a client.)

I assigned a single NIC, one CPU and 512M of RAM to the machine. I configured OpenVPN on the server (VM) to assign a "non-routable" IP address to the client and to create virtual IP addresses on the server. Then, I configured 'tinyproxy' to listen to all IP addresses, but only allow connections from this virtual network. In other words, the outside can't access the port that 'tinyproxy' listens to. One must go through the VPN to get to that port. 'tinyproxy' also adds some autonomy in that I can limit which packet headers will be presented to websites I visit. That makes my connects look more generic.

The part some may be uncomfortable with is building the private keys and public certificates for the VM and for each phone. Essentially, one creates one certificate authority (CA), then uses that CA to create/sign public/private key pairs for each party. I created a separate pair for my devices and for each of my family. OpenVPN has a pair that only resides on the server, each phone has a pair that only resides on the phone. Each party also stores the public certificate for the CA. This authenticates parties as having keys signed by the same CA.

Finally, I have a firewall on the VM that blocks entire continents filled with the usual suspect hackers, protects local services, etc. It also forwards local traffic to/from the virtual 'tun' network that OpenVPN creates.

I can elaborate on any of the steps if someone is interested.
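
An added example, not harrygunner's own configuration: a Python check that cross-references the OpenVPN `server` directive with tinyproxy's `Allow` and `Anonymous` rules, to confirm the proxy's access list admits only the VPN's virtual network and filters forwarded headers, as the post above describes. The 10.8.0.0/24 subnet, port 8888 and all three sample configs are constructed assumptions.

```python
import ipaddress

# Constructed sample configs (assumptions, not taken from the thread).
OPENVPN_CONF = """\
dev tun
ca ca.crt
cert server.crt
key server.key
server 10.8.0.0 255.255.255.0   # virtual network handed to VPN clients
"""
TINYPROXY_GOOD = """\
Port 8888
Allow 10.8.0.0/24
Anonymous "Host"
Anonymous "Authorization"
"""
TINYPROXY_WEAK = """\
Port 8888
Allow 10.8.0.0/24
Allow 0.0.0.0/0
"""

def directives(text):
    """Yield (keyword, args) for every non-empty, non-comment config line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0].lower(), [p.strip('"') for p in parts[1:]]

def vpn_subnet(openvpn_conf):
    """Return the network named by OpenVPN's 'server <network> <netmask>' line."""
    for key, args in directives(openvpn_conf):
        if key == "server" and len(args) >= 2:
            return ipaddress.ip_network(f"{args[0]}/{args[1]}")
    raise ValueError("no 'server' directive found")

def audit_proxy(openvpn_conf, tinyproxy_conf):
    """Return findings about the tinyproxy ACL; an empty list means none found."""
    vpn = vpn_subnet(openvpn_conf)
    findings, allows, anonymous = [], [], False
    for key, args in directives(tinyproxy_conf):
        if key == "allow" and args:
            allows.append(args[0])
        elif key == "anonymous":
            anonymous = True
    if not allows:  # with no Allow/Deny lines tinyproxy admits all clients
        findings.append("no Allow rule: tinyproxy accepts every client")
    for entry in allows:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"Allow {entry}: not an IP/CIDR, review by hand")
            continue
        if net.is_loopback:
            continue  # local-only access does not expose the proxy
        if net.version != vpn.version or not net.subnet_of(vpn):
            findings.append(f"Allow {net}: reaches beyond VPN subnet {vpn}")
    if not anonymous:  # Anonymous lines whitelist the headers passed upstream
        findings.append("no Anonymous rule: all client headers are forwarded")
    return findings

if __name__ == "__main__":
    for name, conf in (("good", TINYPROXY_GOOD), ("weak", TINYPROXY_WEAK)):
        print(name, audit_proxy(OPENVPN_CONF, conf) or "no findings")
```

The check covers only tinyproxy's own access list; the firewall rules on the VM are a separate layer and are not inspected here.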