By Nathan Willis
July 24, 2013
In the wake of the ongoing U.S. government surveillance scandal,
general interest in the issues of user privacy and anonymity has
swelled to new heights. Often, free software is criticized in
discussions of the topic for providing technically sound privacy
options that are far too difficult to use in practice. But
CyanogenMod (CM), the aftermarket Android firmware project, has recently
added a feature that might meet the demands of usability mavens: an
"incognito" execution mode that denies apps access to the user's
personal information and to traditional tracking features.
CM developer (and "Cyanogen" himself) Steve Kondik announced
the feature on June 11. The feature adds a per-application flag, so
that users can launch any individual app in the incognito mode or
allow it to run as usual. When enabled, Kondik said, the mode will
return empty lists when the application requests contacts, calendar
events, web browser history, phone call logs, or messages. It will also report the GPS
to be disabled, although the GPS will continue to function for the
benefit of other apps not running incognito.
The idea behind incognito mode is an all-or-nothing switch; there
are no fine-grained options to worry about or potentially
misconfigure. The project also defines a solitary API call,
context.isIncognito(), which would allow the application to detect
whether or not it was launched in the restricted mode. It is up to
the app developer, Kondik said, whether to allow standard
operation under these circumstances, to shut down and refuse to run,
or "they can choose to display pictures of cats instead of
running normally."
Notably, the incognito mode is not designed to obscure the device's IP
address or its IMEI number from remote services or connections, nor does it
block ad content or restrict apps from accessing the network; it
only seeks to block access to user data stored on the device. The feature was renamed
"Privacy Guard" a few weeks later (which arguably offers a clearer
description of what it does), and was merged into the main CM
codebase. The merge was too late to make the cut for the CM 10.1.0
release on June 24, but it is available in nightly builds.
Development of the feature continues. A July 3 update switched
Privacy Guard over from a per-app configuration model—in which
each app's settings screen needed to be visited separately—to
that of a central management screen, where users can toggle each app
from a single list. To conserve space, the management screen only
lists those apps that request access to one or more of the
privacy-managed data sources.
A grain of privacy
Although the public reaction to Privacy Guard has been quite
positive, there are still critics. Some contend that not spoofing
the device's IMEI number is a major privacy problem. IMEI numbers do
not change, so any existing record of the IMEI can be used to
associate a new application session with known tracking data. In the
comments on his initial announcement, however, Kondik described IMEI
spoofing as an anonymity issue, making it out of scope for the
feature.
Others chafed at the all-or-nothing design, particularly at GPS access
being lumped in with personal data. The stated goal of the feature is
to clamp down on an overzealous app that requests access to personal
information it does not really require to operate, and there are
evidently a number of location-based apps in that category. Denying
them access to personal data makes sense, but they are rendered
useless without GPS access. Kuber Koos noted in the initial
announcement discussion:
I just checked out Waze (with all the hype). I'd like to deny Waze the access it requires to my contacts, but still allow it access to GPS.
An all-or-nothing Incognito will be pretty useless for most apps. I
want them to do what their primary purpose is, but I want to block the
pesky things they require not essential to their function.
In the July 3 update discussion, developer Lars Greiss said that he
was working on an "advanced mode" option to enable finer grained
control for those who need it. Exactly what form that will take (and
how fine-grained it will be) has not yet been announced, but there is
certainly hope that Privacy Guard will find the right balance by the
time the next stable CM release arrives.
However fine-grained the eventual result is, there will no doubt
always be some users who insist on even more detailed controls. There
are alternatives to be found, such as OpenPDroid,
which modifies a number of Android services and libraries to provide a
generalized privacy framework. OpenPDroid, for example, can respond
to an app's data requests with empty data, fake data, or random data,
on the grounds that for any particular app, one of those options might
offer better protection than the others.
CM 7 had taken a fine-grained approach to privacy protection in its
own way, too. It exposed selectable settings for individual
permissions on each app, so that users could disable reading the
contacts database while leaving location services unaffected. That
feature was ditched in later releases, so it will be informative to
see what the reaction is to the new, all-or-nothing Privacy Guard.
Of course, restricting access to the user data stored on a device
is far from the only privacy issue facing the users of CM and other
mobile platforms. Defeating Web-based user tracking requires other
means, such as Tor, and other apps' traffic can be relayed through Tor
with tools like Orbot. CM has also begun working on its own SELinux
integration, which should help protect privacy by confining apps and
system services and so limiting information leaks.
Adding built-in support for something like Tor to CM would certainly
be a boon to privacy fans, just like built-in support for OpenVPN.
But that is probably not a feature users should expect any time
soon, so the privacy-conscious will need to continue to download and
manually install Tor—along with ad blockers, PGP,
and the other individual privacy packages. CM's new Privacy Guard may
not do everything, but the fact that it will be built in to future
releases and offer a simple user interface almost assures that it will
see more real-world usage than the alternatives.
Comments (9 posted)
Brief items
One that I’ve wondered about, but haven’t seen discussed is the risk of the
QR code being malicious. So I found the Google Glass vulnerability very
interesting – basically, until Google fixed this bug, if an attacker could
get a Google Glass wearer to take a picture of a QR code, they could
install malware in the Google Glass device. This is exactly the same issue
as getting an election office to take a picture of the QR code on a ballot
(which would be a normal part of ballot processing) – is it possible for a
voter to install malware into the ballot processing system by sending a
deliberately malformed QR code?
— Jeremy Epstein ponders a Google Glass vulnerability
The demand stunned the hospital employee. She had picked up the emergency room's phone line, expecting to hear a dispatcher or a doctor. But instead, an unfamiliar male greeted her by name and then threatened to paralyze the hospital's phone service if she didn't pay him hundreds of dollars.
Shortly after the worker hung up on the caller, the ER's six phone lines went dead. For nearly two days in March, ambulances and patients' families calling the San Diego hospital heard nothing but busy signals.
— Paresh Dave on VoIP attacks in the LA Times
I wish to have unfiltered access to all Web sites irrespective of Her
Majesty's government's superior sensibilities, and accept being placed on
all associated surveillance watch lists designated for the tracking of
perverts such as myself.
— One choice in a spoof form for the UK's new internet filtering
It's like President Obama claiming that the NSA programs are "transparent"
because they were cleared by a secret court that only ever sees one side of
the argument, or that Congress has provided oversight because a few
legislators were allowed to know some of what was going on but forbidden
from talking to anyone about it.
— Bruce Schneier
Comments (none posted)
CNET is reporting that the US government has been requesting the private SSL/TLS keys of major internet firms. Without perfect forward secrecy (which is rarely used on today's internet), the session keys are derived from material encrypted to the server's long-term key, so holding that key would allow the US to decrypt HTTPS traffic, including sessions recorded in the past. It's not clear which, if any, internet companies have turned over those keys. "It's not entirely clear whether federal surveillance law gives the U.S. government the authority to demand master encryption keys from Internet companies. 'That's an unanswered question,' said Jennifer Granick, director of civil liberties at Stanford University's Center for Internet and Society. 'We don't know whether you can be compelled to do that or not.'"
Comments (50 posted)
New vulnerabilities
chromium-browser: multiple vulnerabilities
Package(s): chromium-browser
CVE #(s): CVE-2013-2853, CVE-2013-2867, CVE-2013-2868, CVE-2013-2869, CVE-2013-2870, CVE-2013-2871, CVE-2013-2873, CVE-2013-2875, CVE-2013-2876, CVE-2013-2878, CVE-2013-2879, CVE-2013-2880
Created: July 19, 2013
Updated: July 24, 2013
Description:
From the Debian advisory:
CVE-2013-2853: The HTTPS implementation does not ensure that headers are terminated by \r\n\r\n (carriage return, newline, carriage return, newline).
CVE-2013-2867: Chrome does not properly prevent pop-under windows.
CVE-2013-2868: common/extensions/sync_helper.cc proceeds with sync operations for NPAPI extensions without checking for a certain plugin permission setting.
CVE-2013-2869: Denial of service (out-of-bounds read) via a crafted JPEG2000 image.
CVE-2013-2870: Use-after-free vulnerability in network sockets.
CVE-2013-2871: Use-after-free vulnerability in input handling.
CVE-2013-2873: Use-after-free vulnerability in resource loading.
CVE-2013-2875: Out-of-bounds read in SVG file handling.
CVE-2013-2876: Chrome does not properly enforce restrictions on the capture of screenshots by extensions, which could lead to information disclosure from previous page visits.
CVE-2013-2878: Out-of-bounds read in text handling.
CVE-2013-2879: The circumstances in which a renderer process can be considered a trusted process for sign-in and subsequent sync operations were not properly checked.
CVE-2013-2880: The chrome 28 development team found various issues from internal fuzzing, audits, and other studies.
Comments (none posted)
kde-workspace: multiple vulnerabilities
Package(s): kde-workspace
CVE #(s): CVE-2013-4132, CVE-2013-4133
Created: July 18, 2013
Updated: August 5, 2013
Description:
From the KDE bug report:
If KDM uses raw crypt() authentication (or pw_encrypt() on a patched Shadow system; see: https://alioth.debian.org/tracker/index.php?func=detail&aid=314234 ), instead of higher-level authentication such as PAM, and that crypt() can return a NULL pointer (as glibc 2.17+ does when passed a DES/MD5 encrypted password on Linux systems in FIPS-140 mode), then attempting to log in to such an account via KDM crashes the daemon. (CVE-2013-4132)
From the KDE bug report:
Blinking systray icons are causing X to leak memory and plasma-desktop is to blame.
In less than 24h it's using 100+ MB memory and the icon wasn't blinking most of the time. When the icon is not blinking then the used memory stays the same. As soon as the icon starts to blink the memory usage in X also starts to grow. (CVE-2013-4133)
Comments (none posted)
kernel: denial of service
Package(s): kernel
CVE #(s): CVE-2013-4125
Created: July 24, 2013
Updated: July 29, 2013
Description:
From the CVE entry:
The fib6_add_rt2node function in net/ipv6/ip6_fib.c in the IPv6 stack in the Linux kernel through 3.10.1 does not properly handle Router Advertisement (RA) messages in certain circumstances involving three routes that initially qualified for membership in an ECMP route set until a change occurred for one of the first two routes, which allows remote attackers to cause a denial of service (system crash) via a crafted sequence of messages.
Comments (none posted)
lldpad: make a hardened build
Package(s): lldpad
CVE #(s): none
Created: July 22, 2013
Updated: July 24, 2013
Description:
From the Fedora advisory:
Make a proper hardened build of liblldp_clif.so.
Comments (none posted)
moodle: multiple vulnerabilities
Package(s): moodle
CVE #(s): CVE-2013-2242, CVE-2013-2243, CVE-2013-2244, CVE-2013-2245, CVE-2013-2246
Created: July 22, 2013
Updated: July 31, 2013
Description:
From the Mageia advisory:
Users were able to access a daemon-mode Chat activity in Moodle before 2.4.5 without the required capability (CVE-2013-2242).
It was possible to determine answers from ID values in Lesson activity matching questions in Moodle before 2.4.5 (CVE-2013-2243).
Conditional access rule values for user fields were able to contain unescaped HTML/JS that would be output to users in Moodle before 2.4.5 (CVE-2013-2244).
When impersonating another user using RSS tokens in Moodle before 2.4.5, an error was displayed, but block information relevant to the person being impersonated was shown (CVE-2013-2245).
The Feedback module in Moodle before 2.4.5 was showing personal information to users without the needed capability (CVE-2013-2246).
Comments (none posted)
mysql: multiple vulnerabilities
Package(s): mysql
CVE #(s): CVE-2013-1861, CVE-2013-3802, CVE-2013-3804
Created: July 23, 2013
Updated: September 9, 2013
Description:
From the CVE entries:
MariaDB 5.5.x before 5.5.30, 5.3.x before 5.3.13, 5.2.x before 5.2.15, and 5.1.x before 5.1.68, and Oracle MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier allows remote attackers to cause a denial of service (crash) via a crafted geometry feature that specifies a large number of points, which is not properly handled when processing the binary representation of this feature, related to a numeric calculation error (CVE-2013-1861).
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Full Text Search (CVE-2013-3802).
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer (CVE-2013-3804).
Comments (none posted)
npm: insecure temporary directory generation
Package(s): npm
CVE #(s): CVE-2013-4116
Created: July 23, 2013
Updated: July 24, 2013
Description:
From the Red Hat bugzilla:
An insecure temporary directory generation / use flaw was found in the way NPM, Node.js Package Manager, used to generate the location of the temporary folder to be used for tarball expansion. A local attacker could use this flaw to conduct symbolic link attacks, possibly leading to their ability to overwrite arbitrary system files reachable with the privileges of the user performing the NPM archive expansion.
Comments (none posted)
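An added example (not npm's code; the names make_sandbox(), unpack_predictable(), unpack_mkdtemp(), attack_predictable() and is_private_dir() are chosen here) of the flaw class described above and of its fix. It plays out the symlink attack inside a throwaway directory created under TMPDIR (or /tmp), so nothing on the real system is touched: the vulnerable unpacker uses a guessable directory name and reuses it if it already exists, an attacker plants a symlink under that name first, and the unpacker's write lands wherever the link points; the fixed unpacker uses mkdtemp(3), which picks an unpredictable name, creates the directory with mode 0700 and refuses to reuse an existing entry.

```c
/*
 * Added example (not npm's code) of the insecure-temporary-directory flaw
 * class behind CVE-2013-4116 and the mkdtemp() fix. Everything happens
 * inside a sandbox directory created under TMPDIR (or /tmp); the attack
 * scenario is constructed for the demonstration.
 */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create the throwaway sandbox; fills `base` and returns 0 on success. */
int make_sandbox(char *base, size_t n)
{
    const char *tmp = getenv("TMPDIR");
    snprintf(base, n, "%s/cve-2013-4116-demo-XXXXXX", tmp ? tmp : "/tmp");
    return mkdtemp(base) ? 0 : -1;
}

/* VULNERABLE: the unpack directory has a guessable name (a fixed "npm-1000"
 * here, standing in for a name derived from uid or pid), mkdir() silently
 * accepts an entry that already exists, and fopen() happily traverses a
 * symlink that another local user left under that name. */
int unpack_predictable(const char *base, const char *content)
{
    char dir[PATH_MAX], path[PATH_MAX];
    snprintf(dir, sizeof dir, "%s/npm-1000", base);
    if (mkdir(dir, 0755) != 0 && errno != EEXIST)
        return -1;                               /* EEXIST: "fine, reuse it" */
    snprintf(path, sizeof path, "%s/package.json", dir);
    FILE *f = fopen(path, "w");                  /* goes through the planted link */
    if (!f) return -1;
    fputs(content, f);
    return fclose(f);
}

/* FIXED: mkdtemp() chooses an unpredictable suffix, creates the directory
 * with mode 0700 and fails rather than reuse an existing name, so no
 * attacker-controlled entry can sit on the path. The file is then opened
 * with O_EXCL|O_NOFOLLOW as a second line of defence. */
int unpack_mkdtemp(const char *base, const char *content, char *out_dir, size_t n)
{
    char path[PATH_MAX];
    snprintf(out_dir, n, "%s/npm-XXXXXX", base);
    if (mkdtemp(out_dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/package.json", out_dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    ssize_t w = write(fd, content, strlen(content));
    close(fd);
    return w == (ssize_t)strlen(content) ? 0 : -1;
}

/* Constructed attack: a local attacker who can guess the name plants
 * base/npm-1000 -> base/victim before the unpack runs. Returns 1 if the
 * vulnerable unpacker ended up writing inside the victim directory. */
int attack_predictable(const char *base)
{
    char victim[PATH_MAX], link[PATH_MAX], landed[PATH_MAX];
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(link, sizeof link, "%s/npm-1000", base);
    if (mkdir(victim, 0755) != 0) return -1;
    if (symlink(victim, link) != 0) return -1;   /* attacker's move */
    if (unpack_predictable(base, "\"owned\"") != 0) return -1;
    snprintf(landed, sizeof landed, "%s/package.json", victim);
    return access(landed, F_OK) == 0;
}

/* The property the fix relies on: a real directory (not a link), mode 0700. */
int is_private_dir(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0) return 0;
    return S_ISDIR(st.st_mode) && (st.st_mode & 0777) == 0700;
}

int main(void)
{
    char base[PATH_MAX], out[PATH_MAX];
    if (make_sandbox(base, sizeof base) != 0) return 1;
    printf("predictable path hijacked: %d\n", attack_predictable(base));
    printf("mkdtemp unpack ok: %d, private dir: %d\n",
           unpack_mkdtemp(base, "{}", out, sizeof out), is_private_dir(out));
    return 0;
}
```

mkdtemp() alone closes the hole the advisory describes; opening the files with O_EXCL|O_NOFOLLOW is defence in depth for the case where the directory is later shared or reused. O_NOFOLLOW protects only the final path component, which is why the private, freshly created directory is the part that matters.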
openjpa: code execution
Package(s): openjpa
CVE #(s): CVE-2013-1768
Created: July 22, 2013
Updated: October 7, 2013
Description:
From the CVE entry:
The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by creating a serialized object and leveraging improperly secured server programs.
Comments (none posted)
openstack-keystone: denial of service
Package(s): openstack-keystone
CVE #(s): CVE-2013-2014
Created: July 22, 2013
Updated: July 24, 2013
Description:
From the Red Hat bugzilla:
Yaguang Tang reports:
Concurrent requests with a large POST body can crash the keystone process. This can be used by malicious users and lead to DoS to the Cloud Service Provider.
The OpenStack project has confirmed:
Concurrent Keystone POST requests with large body messages are held in memory without filtering or rate limiting; this can lead to resource exhaustion on the Keystone server.
Comments (none posted)
owncloud: multiple vulnerabilities
Package(s): owncloud
CVE #(s): none
Created: July 22, 2013
Updated: August 5, 2013
Description:
From the owncloud changelog:
Version 5.0.8 fixes:
SECURITY: XSS vulnerability in "Share Interface" (oC-SA-2013-029)
SECURITY: Authentication bypass in "user_webdavauth" (oC-SA-2013-030)
Also fixed in version 4.5.13.
Comments (none posted)
qemu-kvm: privilege escalation
Package(s): qemu-kvm
CVE #(s): CVE-2013-2231
Created: July 23, 2013
Updated: July 26, 2013
Description:
From the Red Hat advisory:
An unquoted search path flaw was found in the way the QEMU Guest Agent service installation was performed on Windows. Depending on the permissions of the directories in the unquoted search path, a local, unprivileged user could use this flaw to have a binary of their choosing executed with SYSTEM privileges.
Comments (none posted)
squid: denial of service
Package(s): squid
CVE #(s): CVE-2013-4115
Created: July 22, 2013
Updated: September 16, 2013
Description:
From the Mageia advisory:
Due to incorrect data validation Squid is vulnerable to a buffer overflow attack when processing specially crafted HTTP requests. This problem allows any trusted client or client script who can generate HTTP requests to trigger a buffer overflow in Squid, resulting in a termination of the Squid service.
Comments (none posted)
virtualbox: denial of service
Package(s): virtualbox
CVE #(s): CVE-2013-3792
Created: July 22, 2013
Updated: July 24, 2013
Description:
From the Mageia advisory:
Thomas Dreibholz has discovered a vulnerability in Oracle VirtualBox, which can be exploited by malicious, local users in a guest virtual machine to cause a DoS (Denial of Service).
The vulnerability is caused due to an unspecified error and can be exploited to render the host network connection and the virtual machine instance unresponsive or locking the host by issuing e.g. the "tracepath" command.
Successful exploitation requires the target virtual machine to be equipped with a paravirtualised network adapter (virtio-net).
Comments (none posted)
xlockmore: screen lock bypass
Package(s): xlockmore
CVE #(s): CVE-2013-4143
Created: July 22, 2013
Updated: July 31, 2013
Description:
From the Mageia advisory:
xlockmore before 5.43 contains a security flaw related to potential NULL pointer dereferences when authenticating via glibc 2.17+'s crypt() function. Under certain conditions the NULL pointers can trigger a crash in xlockmore, effectively bypassing the screen lock.
Comments (none posted)
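The kde-workspace entry above (CVE-2013-4132, KDM) and this xlockmore entry share one root cause: the return value of crypt() is handed straight to a string compare, so a NULL return becomes a segfault, and for a screen locker a segfault is an unlock. The C program below is an added illustration, not code from KDM, xlockmore or glibc. So that it builds without -lcrypt it stands in for crypt() with a toy function, fips_crypt(), that reproduces only the relevant behaviour (NULL for DES and MD5 salts when a FIPS flag is set, and a fake, non-cryptographic "hash" otherwise). fips_crypt(), set_fips_mode(), verify_fail_open() and verify_fail_closed() are names chosen here, and the detail that glibc sets errno to EPERM in this case is my recollection rather than something either advisory states.

```c
/*
 * Added example (not KDM's, xlockmore's or glibc's code) showing the
 * fail-open pattern behind CVE-2013-4132 and CVE-2013-4143 and the
 * fail-closed replacement.
 *
 * Assumption: glibc 2.17+ crypt() returns NULL (setting errno; EPERM as
 * far as I recall) when the host is in FIPS-140 mode and the stored hash
 * uses DES or MD5. fips_crypt() below reproduces only that NULL-return
 * behaviour so this file needs no -lcrypt; its "hash" is just the salt
 * prefix followed by the key and is NOT a real password hash.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

static int g_fips_mode = 0;        /* 1 = behave like a FIPS-140 host */
static char g_out[256];            /* crypt(3) likewise returns static storage */

void set_fips_mode(int on) { g_fips_mode = on; }

/* Copy the salt prefix: "$id$salt$" for modular hashes, two chars for DES. */
static void salt_prefix(const char *salt, char *buf, size_t n)
{
    size_t len = 0;
    if (salt[0] == '$') {
        int dollars = 0;
        while (salt[len] != '\0') {
            len++;
            if (salt[len - 1] == '$' && ++dollars == 3) break;
        }
    } else {
        len = (salt[0] != '\0' && salt[1] != '\0') ? 2 : strlen(salt);
    }
    if (len >= n) len = n - 1;
    memcpy(buf, salt, len);
    buf[len] = '\0';
}

/* Stand-in for crypt(3): NULL for DES/MD5 in FIPS mode, toy output otherwise. */
char *fips_crypt(const char *key, const char *salt)
{
    char prefix[64];
    salt_prefix(salt, prefix, sizeof prefix);
    int is_md5 = strncmp(prefix, "$1$", 3) == 0;
    int is_des = prefix[0] != '$';
    if (g_fips_mode && (is_md5 || is_des)) {
        errno = EPERM;             /* assumption: the errno glibc uses here */
        return NULL;
    }
    snprintf(g_out, sizeof g_out, "%s%s", prefix, key);
    return g_out;
}

/* VULNERABLE (the KDM/xlockmore pattern): crypt()'s result goes straight
 * into strcmp(). On a FIPS host with a DES or MD5 hash that result is
 * NULL, the process segfaults, and for a screen locker the crash is the
 * bypass. Do not call this with FIPS mode on; it will crash. */
int verify_fail_open(const char *pw, const char *stored)
{
    return strcmp(fips_crypt(pw, stored), stored) == 0;
}

enum auth_result { AUTH_OK = 0, AUTH_BAD_PASSWORD = 1, AUTH_HASH_UNUSABLE = 2 };

/* FIXED: a NULL result is a failed authentication, not a crash. The lock
 * stays locked and the operator gets a log line saying why (the remedy on
 * a FIPS host is to re-hash the account with an algorithm FIPS allows). */
enum auth_result verify_fail_closed(const char *pw, const char *stored)
{
    errno = 0;
    const char *h = fips_crypt(pw, stored);
    if (h == NULL) {
        fprintf(stderr, "crypt() failed (%s); refusing to authenticate\n",
                strerror(errno));
        return AUTH_HASH_UNUSABLE;
    }
    /* Compare without stopping at the first differing byte, so the hash
     * bytes do not become a timing oracle. */
    size_t n = strlen(stored);
    unsigned char diff = (unsigned char)(strlen(h) != n);
    for (size_t i = 0; i < n && h[i] != '\0'; i++)
        diff |= (unsigned char)(h[i] ^ stored[i]);
    return diff == 0 ? AUTH_OK : AUTH_BAD_PASSWORD;
}

int main(void)
{
    const char *md5_hash = "$1$ab$secret";   /* constructed toy "hash" */
    set_fips_mode(1);
    printf("fail-closed on FIPS host: %d (2 = hash unusable, stays locked)\n",
           verify_fail_closed("secret", md5_hash));
    set_fips_mode(0);
    printf("fail-closed off FIPS host: %d (0 = ok)\n",
           verify_fail_closed("secret", md5_hash));
    return 0;
}
```

The fix is more than a NULL check: the locker must fail closed, and the operator needs to be told why, because on a FIPS host the real remedy is to re-hash the affected accounts. The same caveat applies to any authentication code that calls crypt() directly rather than going through PAM, which is what both advisories point to as the higher-level alternative.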
Page editor: Jake Edge