The Market Ticker
Commentary on The Capital Markets- Category [Technology]

The point raised here is a good one, and the platitude provided is false.

Google's Android mobile operating system takes a lot of criticism from security researchers for various security flaws and weaknesses. This week, Rapid7 security researcher Todd Beardsley strongly criticized Google for not patching a security vulnerability that he disclosed to the search giant.

The security flaw disclosed by Beardsley is in the WebView component that is part of the default Android Web browser in versions of Android prior to 4.4 KitKat. According to Beardsley, Google told him it would not patch any versions of Android prior to 4.4 for WebView.

The article goes on to talk about how you could simply load a different browser that is not impacted, such as Chrome.  

This is not a fix, however, because any app that can display web pages inside it, which happens to be a whole lot of them, remains vulnerable!

Let me point out that many apps, including some very popular ones, are really nothing more than front-end parsers and display modules for traditional web sites.  There are a whole host of these in the Google Play store and its analogues; indeed, it's the usual way to provide such an app, since it's simple and leverages the existing back-end infrastructure already serving people on traditional (desktop and laptop) computers.

As such, a flaw in the WebView component infests every app that provides this sort of display service, and it can only be fixed by repairing the flaw in the underlying code.  Swapping browsers does nothing for those apps, because they never use the browser in the first place.

Contemplate that this flaw impacts not only a huge percentage of installed and in-use Android devices, but also that financial institution applications may be using this very interface, for the same reason everyone else does.
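The practical question this raises is which apps on an affected device actually embed WebView, since that, not the choice of browser, is the exposure.  As an added illustration (not from the original post, nor from Rapid7 or Google), here is a small triage script that scans smali disassembly (what apktool/baksmali produce from an APK) for the real android.webkit.WebView descriptors and the settings that widen the attack surface of embedded web content.  The two sample apps, their package names and their smali are constructed for this example; the 4.4 cut-off is expressed as API level 19.

```python
"""Which apps in a decompiled-APK corpus embed WebView?

Added example for this post, not Google's or Rapid7's code. The smali
snippets below are constructed; in practice each app's smali would be
read from the apktool output directory.
"""
import re
from dataclasses import dataclass

# Android 4.4 (KitKat) is API level 19; the post's point is that the WebView
# shipped with anything older will not be patched by Google.
KITKAT_API_LEVEL = 19

# Dalvik descriptors exactly as they appear in smali. The class and method
# names are real; only the apps that reference them are made up.
WEBVIEW_RE = re.compile(r"Landroid/webkit/WebView;")
LOAD_URL_RE = re.compile(r"Landroid/webkit/WebView;->loadUrl\(Ljava/lang/String;\)V")
JS_INVOKE_RE = re.compile(
    r"invoke-virtual \{(?:[vp]\d+), ([vp]\d+)\}, "
    r"Landroid/webkit/WebSettings;->setJavaScriptEnabled\(Z\)V")
JS_INTERFACE_RE = re.compile(
    r"Landroid/webkit/WebView;->addJavascriptInterface\(Ljava/lang/Object;Ljava/lang/String;\)V")


@dataclass
class WebViewUsage:
    uses_webview: bool          # references the WebView class at all
    loads_urls: bool            # loads remote content into it
    javascript_enabled: bool    # setJavaScriptEnabled(true) found
    exposes_java_objects: bool  # addJavascriptInterface found


def device_webview_unpatched(api_level: int) -> bool:
    """True when the device's WebView is one Google said it would not fix."""
    return api_level < KITKAT_API_LEVEL


def _const_true_for(lines, idx, reg, window=6):
    """Look a few instructions back for `const/4 <reg>, 0x1` (a literal true)."""
    pat = re.compile(rf"const/4 {re.escape(reg)}, 0x1\b")
    return any(pat.search(line) for line in lines[max(0, idx - window):idx])


def scan_smali(text: str) -> WebViewUsage:
    """Classify one app's smali by how it uses WebView."""
    lines = text.splitlines()
    js_enabled = False
    for i, line in enumerate(lines):
        m = JS_INVOKE_RE.search(line)
        if m and _const_true_for(lines, i, m.group(1)):
            js_enabled = True
    return WebViewUsage(
        uses_webview=bool(WEBVIEW_RE.search(text)),
        loads_urls=bool(LOAD_URL_RE.search(text)),
        javascript_enabled=js_enabled,
        exposes_java_objects=bool(JS_INTERFACE_RE.search(text)),
    )


def triage(apps: dict, api_level: int):
    """Names of apps whose in-app browsing rides on the unpatched WebView."""
    if not device_webview_unpatched(api_level):
        return []
    return sorted(name for name, smali in apps.items() if scan_smali(smali).uses_webview)


# Constructed smali for two hypothetical apps: a "front end for our web site"
# app of the kind the post describes, and one that never touches WebView.
SAMPLE_APPS = {
    "com.example.bank": """
.class public Lcom/example/bank/MainActivity;
.method protected onCreate(Landroid/os/Bundle;)V
    new-instance v0, Landroid/webkit/WebView;
    invoke-virtual {v0}, Landroid/webkit/WebView;->getSettings()Landroid/webkit/WebSettings;
    move-result-object v1
    const/4 v2, 0x1
    invoke-virtual {v1, v2}, Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V
    const-string v3, "https://www.example.com/mobile"
    invoke-virtual {v0, v3}, Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V
.end method
""",
    "com.example.flashlight": """
.class public Lcom/example/flashlight/MainActivity;
.method protected onCreate(Landroid/os/Bundle;)V
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    return-void
.end method
""",
}

if __name__ == "__main__":
    for name, smali in SAMPLE_APPS.items():
        print(name, scan_smali(smali))
    print("exposed on API 18:", triage(SAMPLE_APPS, 18))
```

Nothing an app does can patch the system WebView from inside itself, so what this buys you is an inventory of exposure per device, not a fix; the fix has to come from the platform, which is exactly the problem.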

Now add to this that mobile operators, at least in the United States, act as a gatekeeper for software updates; that is, they demand the ability to choose when (or if) a patch is released to their customers at all.  IMHO this should result in the carriers being held responsible when a patch is available, a compromise occurs, and their failure to release it in a timely fashion is implicated in the resulting breach.

Still sleeping well, are you?


The hits just keep coming.

First, there are now reports out that the Sony hack wasn't really North Korea.  But let's put this aside for a bit, because some of the "color" that has come out about this attack is rather stunning in terms of what it says about corporate malfeasance and misfeasance.

To begin with, there was apparently a group of people involved, including one disgruntled ex-employee with both the technical background and the inside knowledge of the firm's network structure to pull this off.

Ok, as far as it goes.  But here's where some of the reporting, if true, makes my eyebrows go up.

There are claims that the hackers stole some 100 terabytes of data.  That's a ****-ton, folks, and that sort of flow had to pass through somewhere on the company's network on its way out the door.  It wasn't detected and stopped.  That right there tells me everything I need to know about the competence, or rather the stunning lack thereof, of the people involved in so-called "security" at Sony.

One of the first principles of computer security is that you don't know what you don't know.  But the corresponding truth is that you do know what you do know, and one of the things you do know is what the common daily data flow looks like around your network.  Any competent security infrastructure both has the means to monitor that flow at all relevant points and has someone actually paying attention to it.

To put a not-so-fine point on it: the amount of data that was ripped off equals the capacity of 25 4TB disks.  It takes time to move that much data around, and that kind of flow to an external location ought to have been noticed immediately -- and long before any material amount of it actually got through.  The usual and customary flow of data to customers and vendors is nearly always small and unremarkable, with the large flows going to specific customers and affiliates (e.g. sending digital copies of movies to certain theaters) that are well-defined and known in advance.
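What "knowing your daily flow" looks like in code, as an added example for this post (it is not Sony's tooling or any vendor's product): learn each host's normal outbound volume from a baseline window, keep the short list of known bulk (src, dst) pairs explicit, and alert on anything else that moves a lot of data outward.  All addresses, hosts, byte counts and thresholds below are constructed or chosen for illustration.

```python
"""Egress-volume baseline over daily flow summaries.

Added example for this post, not Sony's or any product's code. Records are
constructed: day, source host, destination, bytes sent.
"""
from collections import defaultdict
import ipaddress
import statistics

GB = 10**9
ABS_LIMIT_BYTES = 50 * GB    # unexplained daily egress nobody legitimately needs
BASELINE_MULTIPLE = 10.0     # alert above this multiple of the host's own norm
NEW_TALKER_BYTES = 1 * GB    # a host with no history that suddenly sends this much

# The organisation's own address space (hypothetical); anything else is "outside".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# (src, dst) pairs that are expected to move bulk data: the post's "digital
# copies of movies to certain theaters". Hypothetical hosts.
KNOWN_BULK_PAIRS = {("10.1.9.5", "192.0.2.77")}

# Constructed flow summaries: two quiet baseline days, then the bad day.
SAMPLE_FLOWS = """\
2014-11-18 10.1.4.22 203.0.113.10 1800000
2014-11-18 10.1.4.23 198.51.100.7 950000
2014-11-18 10.1.9.5 192.0.2.77 4200000000
2014-11-18 10.1.5.8 10.2.0.4 800000000
2014-11-19 10.1.4.22 203.0.113.10 1750000
2014-11-19 10.1.4.23 198.51.100.7 1000000
2014-11-19 10.1.9.5 192.0.2.77 4100000000
2014-11-20 10.1.4.22 203.0.113.10 1700000
2014-11-20 10.1.4.23 198.51.100.7 22000000
2014-11-20 10.1.9.5 192.0.2.77 4300000000
2014-11-20 10.1.9.5 198.51.100.200 120000000000
2014-11-20 10.1.7.31 198.51.100.200 3000000000
"""


def is_external(addr: str) -> bool:
    """Outside our own ranges. (ipaddress.is_global would reject the TEST-NET
    addresses used in the sample, so membership in INTERNAL_NETS is used.)"""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Yield (day, src, dst, bytes_out) from the whitespace-separated records."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            day, src, dst, nbytes = line.split()
            yield day, src, dst, int(nbytes)


def daily_external_egress(records):
    """{day: {src: bytes}} counting only external, non-allowlisted destinations."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in records:
        if is_external(dst) and (src, dst) not in KNOWN_BULK_PAIRS:
            totals[day][src] += nbytes
    return totals


def egress_alerts(text: str, baseline_days: int):
    """Learn each host's norm from the first `baseline_days`, alert on the rest.

    Returns a sorted list of (day, src, bytes, reason).
    """
    totals = daily_external_egress(parse_flows(text))
    days = sorted(totals)
    history = defaultdict(list)
    for d in days[:baseline_days]:
        for src, n in totals[d].items():
            history[src].append(n)
    alerts = []
    for d in days[baseline_days:]:
        for src, n in totals[d].items():
            norm = statistics.mean(history[src]) if history[src] else None
            if n > ABS_LIMIT_BYTES:
                alerts.append((d, src, n, f"over hard ceiling of {ABS_LIMIT_BYTES // GB} GB/day"))
            elif norm is None and n > NEW_TALKER_BYTES:
                alerts.append((d, src, n, "no baseline for this host"))
            elif norm and n > BASELINE_MULTIPLE * norm:
                alerts.append((d, src, n, f"{n / norm:.0f}x this host's baseline"))
    return sorted(alerts)


if __name__ == "__main__":
    for day, src, n, reason in egress_alerts(SAMPLE_FLOWS, baseline_days=2):
        print(f"{day} {src} sent {n / GB:.3f} GB outside: {reason}")
```

Three things fire on the constructed bad day: a web host sending roughly twenty times its own norm, a host with no outbound history at all suddenly talking to the outside, and the bulk-transfer host sending 120 GB to a destination that is not on its allowlist.  The point is that the allowlist is what lets the ceiling be set low enough to matter; at 100 TB the question is not whether this would have fired but how many days in a row it was ignored.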

Everyone wants to talk about security in the form of a "product", especially the vendors who sell those sorts of things.  That's nonsense.  Security is a process, in both the physical and electronic worlds.  You don't put up cameras in your liquor store for the routine guy who comes in to buy a fifth of scotch; you put them up because you want them there when some ******* comes in with a gun to stick up the clerk behind the counter.  99% of the data the camera generates is unremarkable, but the 1% catches an armed robber.

The other problem I have with the reported timeline is that allegedly the data was not only stolen but subsequently destroyed at rest on the servers where it lived.  This implies either a very weak chain of trust between a huge number of machines and servers or, worse, a common compromise of all of them that could be triggered at once.  Again, people were thinking "product" rather than process, and it bit them in the ass.

The one take-away here is that this is not just Sony, although they're the one in the news.  There is an entire industry dedicated to trying to sell you security as a product, and yet it's not one.  That Sony was apparently doing all of this internally is not material when you get down to it, because none of the "product" folks can mitigate a security culture problem, nor can they make people pay attention.

Here's my expectation: This is just the first of many, and it's nowhere near the worst we're going to see over the next few years simply because Sony, as a target, is really quite un-interesting in terms of the implications of trashing their computers.


Legal Disclaimer

The content on this site is provided without any warranty, express or implied. All opinions expressed on this site are those of the author and may contain errors or omissions.


The author may have a position in any company or security mentioned herein. Actions you undertake as a consequence of any analysis, opinion or advertisement on this site are your sole responsibility.

Market charts, when present, used with permission of TD Ameritrade/ThinkOrSwim Inc. Neither TD Ameritrade nor ThinkOrSwim has reviewed, approved or disapproved any content herein.

The Market Ticker content may be reproduced or excerpted online for non-commercial purposes provided full attribution is given and the original article source is linked to. Please contact Karl Denninger for reprint permission in other media or for commercial use.

Submissions or tips on matters of economic or political interest may be sent "over the transom" to The Editor at any time. To be considered for publication your submission must include full and correct contact information and be related to an economic or political matter of the day. All submissions become the property of The Market Ticker.