
Duo Labs

The Weekly Ink #30

THE WEEKLY INK

The Weekly Ink is the weekly newsletter brought to you by Duo Labs, with curated links of interest in the security world to help educate and entertain on security happenings and culture.

If you have links that you think would be interesting for inclusion and commentary, send them our way at labs@duosecurity.com.

Android Security State of the Union

After years and years of headlines and statistics about Android security and malware, ranging from questionable statistics to outright bs, Google finally fired back with some hard numbers through a report titled “Android Security State of the Union 2014”.

(Image: Android malware headlines)

Through conversations with the Android Security Team over the years, I know having the data to refute the headlines but not being able to make it public was a big thorn in their side. So props to Google and the Android Security Team for finally publishing some detailed metrics on the real scope of the threat to Android devices.

Long story short: it’s nowhere near as dire as many of the mobile antivirus companies want you to think it is. But hey, truth doesn’t help sell their product, so to each their own.

PDF of the report is here.

China's Non-Denial Denial of Service

It’s well known that China is not a fan of anyone trying to subvert the Great Firewall (GFW) censorship system. Based on the 118-hour denial of service attack on GitHub, it’s clear that even indirect support of anti-censorship information can make you a target too.

(Image: GitHub denial of service)

While the Chinese government did not admit to the attack, it is interesting that it didn’t explicitly deny the attack either. When a Chinese official was questioned about the GitHub attack during a press conference, she stated:

On your second question, it is quite odd that every time a website in the US or any other country is under attack, there will be speculation that Chinese hackers are behind it. I'd like to remind you that China is one of the major victims of cyber attacks.

BOOM! What a deflection! That’s US-presidential-debate-level spin right there! But interestingly, no outright denial. As James Mickens’ infamous article predicted, sometimes your adversaries will “hold a press conference and say ‘It wasn’t us’ as they wear t-shirts that say ‘IT WAS DEFINITELY US’”.

Of course, China’s not the only one doing this...

(Image: US-North Korea denial)

So, apparently non-denial denial of service is the new norm for state vs. state cyber conflict.

Google vs. CNNIC

Last but not least, Google has decided to yank CNNIC’s CA root from Chrome after discovering that CNNIC had issued an intermediate CA certificate to MCS Holdings, which used it to issue unauthorized SSL certificates for domains it did not control and to man-in-the-middle traffic. Because the intermediate chained to a root every browser trusted, those certificates passed ordinary chain validation.

While being booted out of the CA racket is a rare event that usually requires significant violations of CA practices or repeated acts of negligence, Google has at least left the door open for CNNIC to reapply:

“CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.”

Sounds like Google leveraged the opportunity to push their Certificate Transparency efforts. Good for the Internet!
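To make the CNNIC/MCS failure mode concrete, here is an added example (written for this newsletter; it is not code from Google, CNNIC or MCS Holdings) using Go’s standard crypto/x509 library. It builds two constructed hierarchies: a legitimate root and issuing CA for a hypothetical host, and a second trusted root that hands an unconstrained intermediate to a third party, the CNNIC-to-MCS pattern. Ordinary path validation accepts a leaf for the host from either hierarchy, because any intermediate under any trusted root may sign for any name. An issuer-pin check on the validated chain (the SPKI hashes that HPKP-style pin sets carry; the pinned issuer here is an assumption of the example) is what separates the two. All names, serial numbers and the host are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a minimal certificate template. Names are constructed for
// this example and stand in for the real CNNIC / MCS Holdings certificates.
func newTemplate(cn string, serial int64, isCA bool, dnsNames []string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dnsNames,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with parentKey under parent; a nil parent yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value HPKP-style pin sets carry.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Scenario is a trust store with two roots plus the pinned issuer for Host.
type Scenario struct {
	Roots      *x509.CertPool
	Pins       map[string]bool // SPKI pins expected somewhere in the chain for Host
	Host       string
	GoodLeaf   *x509.Certificate // issued by the pinned, legitimate issuing CA
	GoodInter  *x509.Certificate
	RogueLeaf  *x509.Certificate // issued through the unauthorized intermediate
	RogueInter *x509.Certificate
}

func NewScenario() *Scenario {
	host := "www.example.com" // constructed target name
	goodRoot, goodRootKey := issue(newTemplate("Example Trusted Root", 1, true, nil), nil, nil)
	goodInter, goodInterKey := issue(newTemplate("Example Issuing CA", 2, true, nil), goodRoot, goodRootKey)
	goodLeaf, _ := issue(newTemplate(host, 3, false, []string{host}), goodInter, goodInterKey)
	// A second trusted root hands an unconstrained intermediate to a third party (the CNNIC -> MCS pattern).
	rogueRoot, rogueRootKey := issue(newTemplate("Other Trusted Root", 10, true, nil), nil, nil)
	rogueInter, rogueInterKey := issue(newTemplate("Third-Party Intermediate", 11, true, nil), rogueRoot, rogueRootKey)
	rogueLeaf, _ := issue(newTemplate(host, 12, false, []string{host}), rogueInter, rogueInterKey)
	roots := x509.NewCertPool()
	roots.AddCert(goodRoot)
	roots.AddCert(rogueRoot) // the browser trusts both roots
	return &Scenario{Roots: roots, Pins: map[string]bool{spkiPin(goodInter): true}, Host: host,
		GoodLeaf: goodLeaf, GoodInter: goodInter, RogueLeaf: rogueLeaf, RogueInter: rogueInter}
}

// Check reports whether path validation accepts leaf for Host and whether the
// validated chain contains a pinned issuer. The MITM case comes back (true, false).
func (s *Scenario) Check(leaf, inter *x509.Certificate) (chainOK, pinOK bool) {
	inters := x509.NewCertPool()
	inters.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{
		DNSName: s.Host, Roots: s.Roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return false, false
	}
	for _, c := range chains[0] {
		if s.Pins[spkiPin(c)] {
			return true, true
		}
	}
	return true, false
}

func main() {
	s := NewScenario()
	fmt.Println(s.Check(s.GoodLeaf, s.GoodInter))   // true true
	fmt.Println(s.Check(s.RogueLeaf, s.RogueInter)) // true false: valid chain, unauthorized issuer
}
```

The point of the second result is that nothing in RFC 5280 path validation is wrong: the rogue leaf really does chain to a trusted root. Only a check that asks "is this the issuer I expect for this host" (pins, or public CT logs that let the domain owner spot an issuer they never used) catches it, which is why Google tied CNNIC’s reinclusion to Certificate Transparency.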