Security Thread

Started by Triple Zero, August 02, 2009, 01:13:29 PM


Lord Cataplanga

http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/

A vulnerability in Android's security model has been found that affects 99% of all Android devices.

Quote from: http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/

The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature.

All Android applications contain cryptographic signatures, which Android uses to determine if the app is legitimate and to verify that the app hasn't been tampered with or modified. This vulnerability makes it possible to change an application's code without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been.

That means that trojan applications can be nigh-indistinguishable from the legit ones.

This vulnerability requires a firmware update to patch, and there is no way Samsung is going to release a new version of my ancient phones' firmware :(

Quote

Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these "zombie" mobile devices to create a botnet.

This "botnet" idea seems like it could work, because most Android phones are quite old, and rarely get firmware security patches.

Pæs

Hokay, ditching plans to make apps, working on benevolent mobile botnet instead.

LMNO

Is it just me, or did you just up the difficulty level by about 162%?

Pæs

BUMP in lieu of PlightOfFernandoPoo making his security thread.

Recommending risky.biz for security podcasts to follow. Hard to find security podcasts which aren't just a bunch of dudebros lulzing about farts.

Cain

Looks good.

I personally like Krypt3ria, though it's only one person and they don't update as much as I'd like.

disfnordia

I have been around a long time, not this forum, just this world. I rarely post on the clearnet. When I see Facebook with a discordian page, of which I belong, I know the end is nigh. Now you damn kids get off my grass!

I wanted to link to a zine that had some useful information: https://zine.riseup.net/

This is my first post, I will stick around for a while. I am scanning some old 23 zines I have lying around from the 80's. I will upload them soon for your viewing pleasure.