apseudonym
Feb 25, 2011

Dixie Cretin Seaman posted:

There's a lot about cellphone OS security that I don't know. Is this a reasonable place to ask some basic questions?

The Yospos security thread has at least a few mobile OS folks.

quote:

For example, a lot of sites do 2fa through apps like Google Authenticator or Duo Mobile in lieu of hardware token like an RSA hardware token. How secure is 2fa through a phone in comparison, and are there distinct weak points to be aware of? Let's assume an unrooted phone with encryption enabled, using a strong passcode. There's always a chance of sec fuckups in general computing environment compared to a simple security token, but are there known weaknesses, say, if a malicious app is accidentally installed, or your phone connects to a hostile network?
Unless your phone is compromised by an attacker that can read the data of your authenticator app you're fine. A malicious app on either iOS or Android does not fall into that without exploits; mobile OSes are highly sandboxed between applications, so the whole 'any app installed can do anything' from Windows doesn't really apply anymore. Hostile networks don't come into play with your 2 factor, so your only risk is if they have a remote exploit or similar.

quote:

If anyone happens to know about iPhone/TouchID security in particular, I'm curious how that ties in to device encryption. When the phone is shut off completely it requires the passcode for access (and again every few days for good measure). Otherwise it can be unlocked more conveniently with TouchID. Consider the following three iPhone states: 1) iPhone just turned on and is asking for device passcode to continue, 2) iPhone is locked and can be unlocked with TouchID, and 3) iPhone on for >2 days and is now locked and requiring password reentry to unlock. Is there a difference between these 3 states relating to the security of the full device encryption? For example does a phone being unlockable via TouchID (or generally being on with background processes running) indicate that a decryption key could be recovered from RAM more easily? If this is a dumb question, feel free to let me know; I have very little knowledge of this security architecture.
Between 2 and 3, as far as I know of iOS's encryption model, the keys are still in RAM, so all those hardware attackers are equally applicable. The first-boot requirements and passcode logic aren't so much about the keys as they are about a bunch of other things.


apseudonym
Feb 25, 2011

Dixie Cretin Seaman posted:

Thanks for the info. Practically speaking, how hard is that kind of attack for an unrooted phone? Assuming you're not a target of a TLA is it reasonable to ignore?

Depends on the attacker, the device, and you.

Are you on a newish version of the OS, and do you avoid downloading and installing stuff outside the official stores or going out of your way to disable security features? If so you're in a very good spot: you're more likely to get your 2 factor phished than your phone owned; the person is way easier to exploit than the device.

Use 2FA, it makes it way harder for hackers in unspecifiedistan to get into your poo poo. Your phone is a good device for this since you have it on you and you are almost certainly not interesting enough for a targeted attack.

If your adversary is the government where those services are hosted or where their officers are you're already hosed anyways :)

apseudonym
Feb 25, 2011

Dixie Cretin Seaman posted:

Sorry, I guess I was unclear. I meant how hard is it to, for example, grab whole device encryption keys from RAM on an unrooted iPhone. My understanding is that this kind of thing is mostly theoretical and it would be beyond the capabilities of non-government adversaries. Is this about right? e.g. if there was some grey-market Chinese kit for owning smartphone encryption then there probably wouldn't be those anti-encryption political rants floating around recently...

If the keys are in memory and they have physical access? Doable but I couldn't tell you the difficulty on an iPhone because I don't really do hardware attacks :shobon:.

e: probably harder than breaking all your other devices by a good amount.

apseudonym
Feb 25, 2011

Melian Dialogue posted:

So if the Blackphone is a dud what options are there where you can still have decent functionality with say Android apps, but still have some semblance of security on mobile? Why does my Camera need access to "Modify settings" and why does a Sudoku app need permissions for Geotagged locations?? Do you pretty much have to be a hermit and not use any mobile tech?

Get a phone running M and revoke permissions as you see fit? :shrug:

e: And don't sideload apps and you're fine, easily better off than your desktop. hth.

apseudonym fucked around with this message at 02:39 on Feb 27, 2016

apseudonym
Feb 25, 2011

OSI bean dip posted:

Overall, mobile phones really suck for security.

Nah, not really.

apseudonym
Feb 25, 2011

OSI bean dip posted:

Add the fact there is what I said:

Your baseband radio has so much outside control without the OS' knowledge.

If your threat model is NSA spookiness there's lots of easier things to do to non-mobile devices and far less integrity protection, though radios are a nice place to try and drop persistent code for sure depending on the hardware layout of the specific device.

That's not really a realistic threat model for probably everyone browsing SA though; we're not worth that kind of attention. If your threat model is realistically the NSA, your hardware all got shipped to you owned in ways you'll never detect.

The threat model for most of SA users is just the usual random poo poo on the internet combined with idiotic views on how security actually works leading to shooting themselves in the foot.

In actual practical security for your average person, mobile is far better than older OSes simply because we've learned from a lot of mistakes in older OSes' designs. The malware numbers for mobile are ridiculously small compared to desktop OSes.

apseudonym
Feb 25, 2011

OSI bean dip posted:

Yeah. But my remark is whether or not you can secure a phone and the answer is "not really". Also suggesting that the NSA is my concern is incorrect.

https://www.youtube.com/watch?v=DuaGt83ZCiw

This isn't NSA-level stuff and can be done with hardware that's less than $400 USD. The baseband is a serious concern.

Oh, you're coming at this with regards to bugs and exploiting. Sorry, when people talk about the baseband it's usually very :tinfoil: NSA stuff.

Yes, bugs in the components of a device that touch the network are fun, but keep in mind WiFi drivers and hardware have similar bugs all too often; it's an area of work across a lot more than mobile.

apseudonym
Feb 25, 2011

OSI bean dip posted:

http://arstechnica.com/security/2014/08/blackphone-goes-to-def-con-and-gets-hacked-sort-of/

The last sentence had me kind of giggling. But yeah, I don't really trust mobile phones and it's really hard to write a proper guide these days because removing the battery is pretty difficult--airplane mode is a joke.
48 hours is actually quite good for taking a patch, making a new build of the OS, QAing it (hopefully, but in that time I doubt it), and starting a rollout.

If you don't trust the hardware that's fine, but there's a certain level of trusting trust here; the advice of "pull out the battery" or "airplane mode if you're not using it" is just making it secure by making it useless. You can use a dumb phone if you want, but then what's the point, who even uses phone calls anymore.

quote:

The problem is that details on the radios are kept very close to the manufacturers' chests. Nobody can really do an audit outside of their own drivers.

This is equally true for most hardware in any device; the NIC and wireless radio in your laptop are probably just as difficult to audit and probably worse than the baseband in quality, because security people don't pay nearly as much attention to those.

apseudonym
Feb 25, 2011

doctorfrog posted:

Speaking of crazy persons: http://www.businessinsider.com/john-mcafee-nsa-back-door-gives-every-us-secret-to-enemies-2016-2

Is there anything to this alarming/alarmist piece? Even if you didn't know John McAffee wrote it?

There were two backdoors, one which anyone could exploit (and was very amateurish) and one that with the knowledge of a private key would allow the decryption of traffic secured by that device. That second one is a dead ringer for the kinds of things intelligence agencies want, traffic decryption and most importantly nobody but us capability.

quote:

So, while the NSA was monitoring our perceived Middle Eastern enemies, the Chinese and Russians, and god knows who else, were making off with every important secret in the US, courtesy of the NSA’s back door.

Is poo poo, tbh. I'm sure some fun happened due to the first backdoor, but calling that the NSA backdoor is disingenuous.


Also they go on a lot about it being a programmer 'planted' by the NSA, there is no evidence to support that whatsoever.


I will give it some points for only using 'cyber' once, but it's otherwise garbage.

apseudonym
Feb 25, 2011

Goodpancakes posted:

I found a device I don't recognize just labelled as generic Android on my google account.



This is strange because I run KeePass and two stage verification. I haven't been to Grand Forks for months. Is this some error on googles account or did someone manage to sync my account? What would they get from a sync?

If they did how can I stop that from happening beyond what I am already doing, resetting a password, using keypass, and 2 stage. Annoyingly it doesn't let me remove access to that device like it would my phone.

Change your account password.

apseudonym
Feb 25, 2011

Volmarias posted:

I believe changing your password automatically invalidates all tokens forcing a re-login.

This is correct.

apseudonym
Feb 25, 2011

Segmentation Fault posted:

Refresh This PC should be good enough for garden variety poo poo. Access it by holding down the shift key while clicking restart in the shutdown menu. Run malwarebytes and adwcleaner beforehand in safe mode (also accessible by shift-clicking restart) to make sure files left over from the process aren't infected. Of course, that's not going to catch everything, but it should be good enough. If the risk of possible re-infection is greater in your mind than the loss of your data, then Reset This PC (again, shift-click) will restore to factory conditions.

If you want to be extra careful, you'll want to erase the drives completely using disk kill software like Dan's Boot and Nuke. Don't worry about doing DoD washes, a simple single-pass writing all zeroes is good enough to kill any malware that sits outside the file system somehow.

I'm not certain if DBAN or similar drive wiping techniques have adverse effects on SSDs. I heard they do once from someone but they might've been talking out their rear end.

Reformat your drives.

apseudonym
Feb 25, 2011

Szmitten posted:

I have a question. Whenever I have a problem with the system, infection or otherwise, I find System Restore (rolling back a day/week/whatever) is extremely effective and way less destructive or long a process as formatting. Yet it's rarely an option talked about online. Am I being naive here?

Yes. Restore data can and often is modified by malware.

apseudonym
Feb 25, 2011

Squeegy posted:

This thread is neat and I've enjoyed reading it. It's also gotten me to tighten up some stuff. I have a few questions; OpenDNS seems to be widely recommended, but I've been using something called Simple DNSCrypt. Have you ever heard of it and is it worth using over OpenDNS? It encrypts your DNS traffic, which seems like it would help prevent MITM attacks, and hasn't had any noticeable downsides for me other than occasionally changing the server when things stop loading.

It also amuses me that all this time I've been feeling slightly nervous not having anything more than Malwarebytes to protect my computer I've actually been more secure not having an AV and simply browsing smart.

Unless your subsequent connections are over TLS, DNS being secure doesn't really do anything. If they are over TLS, then the security of DNS doesn't really matter short of a DoS.

apseudonym
Feb 25, 2011

Squeegy posted:

I use HTTPS Everywhere, if that's any help.

More https is always good but that doesn't do anything for sites that still in tyool 2016 support TLS :(


Plus there's a lot of traffic coming off your device that isn't from your browser.

apseudonym
Feb 25, 2011

Squeegy posted:

The understanding I have from posts in this and other threads is that it's not useful because malware will be injecting into processes that normally have network activity, allowing them to fly under the radar disguised as those legit services.

Even if there's no injection, generally by the time you try to kill it, it's already done everything it wanted to do. It doesn't take long to set up a connection and exfil data.


But you might learn interesting things looking at all the apps and services sending data, so it's useful in that regard.

apseudonym
Feb 25, 2011

BigFactory posted:

What's better security for a gmail account, 2 step verification where you need a password and a code, or using my phone to sign in where it asks for my fingerprint?

Is the phone sign in easy to spoof? Are they both easy to spoof?

Phone has a lot of benefits and is easier since you'll probably have your 2fa on that phone.

E: fingerprints aren't secrets

apseudonym
Feb 25, 2011

OSI bean dip posted:

Biometrics aren't secrets. :)

If I never go outside of my basement my face is totally a secret. Goons are secure!

apseudonym
Feb 25, 2011

Subjunctive posted:

Sort of a big ask.

Stop using ask

apseudonym
Feb 25, 2011

Oysters Autobio posted:

So, what options are there for if I wanted to back-up my smartphone, factory reset it, and then use it for travel, then when I return, re-download everything? Is there software that does this?

It seems like more and more it isn't exactly being tinfoil when most countries border crossings routinely mass download personal data off of smartphones, and since I don't really need access to my email or any other software (I just want to use my smartphone for Google maps, internet and texting when I travel).

Mobile phones' backup and restore is at the point where a factory reset + setup is generally pretty straight forward.

That said, if your premise is to dodge things like "show me your social networks", factory resetting your phone is just going to accomplish pissing off the customs agent. Don't try and sovereign citizen around when border crossing.

apseudonym
Feb 25, 2011

Oysters Autobio posted:

Are there any security concerns from Android Pay in terms of further personal information being stored on the smartphone? Talking about the usual malware, viruses etc. that may target Android Pay as an app itself. This is more of my concern here, though the whole liability shift is good to know regarding tap or no tap (can we confirm that liability shift is the same here in Canada?).

I don't mean tinfoil levels of paranoia here about government or something, I just mean what happens if your app gets compromised with your cards on it?

Your phone is far more secure than your desktop; it's fine really.

apseudonym
Feb 25, 2011

Lain Iwakura posted:

Android Pay refuses to work if it detects* a rooted phone right?

* We don't have to get into the discussion on how workable that is.

Yes*.



pr0zac posted:

This. Unless you're running a rooted phone and installing a bunch of sketchy non-Play Store apps in which case stop doing that.

Then you're at worst the same as your desktop :)

apseudonym
Feb 25, 2011

RFC2324 posted:

I'd figure it's about equal to a roll your own solution by an amateur.

Who do you think makes the software for consumer networking hardware?

apseudonym
Feb 25, 2011

Lain Iwakura posted:

Great. Here's the advice you should give: uninstall MalwareBytes because it's trash.

apseudonym
Feb 25, 2011

buglord posted:

i know the answer to this, and most stuff is "it's not as safe as you think so just practice good habits", but how safe is reckless internet browsing on something like Sandboxie?

Run an up to date browser, don't run flash (lol) or Java (even more lol) and you're almost certainly fine. Browser 0days are way more valuable than you.

apseudonym
Feb 25, 2011

Crotch Fruit posted:

Don't most ISPs provide a security suite with internet service? I know the options in my area, AT&T and Cox, both include McAfee. I prefer not to let McAfee poo poo up my system, but considering the OP mentions "check if your school/work offers AV!" I think the OP should also mention checking with your ISP.

Don't run software from your ISP lol

apseudonym
Feb 25, 2011

Wiggly Wayne DDS posted:

judge a company by how they respond to vulnerabilities, not that they've existed at all in an evolving codebase

You absolutely should judge quality or nothing will ever get better. Patching is necessary but not sufficient.

apseudonym
Feb 25, 2011

RFC2324 posted:

wait, are you saying all a virus has to do to evade detection is like in memory instead of writing itself to disk?

Or just not look like malware they already know, but yeah completely avoiding AV isn't hard.

apseudonym
Feb 25, 2011

Subjunctive posted:

You can also map memory w+x, so it wouldn’t really help anyway.

I mean you could enforce W xor X


Giving a component of your system the ability to read the RAM of things is the best way to shoot good security practices in the face.

apseudonym
Feb 25, 2011

Rufus Ping posted:

even if DEP is set to 'always on', suitable calls to HeapCreate/VirtualAlloc will clear the NX bit so you can't really enforce it

I meant an OS could, I don't know or really pay attention to windows

apseudonym
Feb 25, 2011

Wiggly Wayne DDS posted:

you failed to mention your android phone is jailbroken, so let's just give up on securing that - no random online people aren't where you get trustworthy firmware for the most critical secret storage a regular person has.

To expand Wiggly's point: you're going from having a large team of engineers protecting you to taking all the responsibility of making your device secure on yourself and to be blunt the post makes it clear you don't have those skills. We do.

You're being paranoid and utterly unrealistic as to how attacks or attackers work, you'd be safer if you weren't trying to be smart and missing the mark so hard.

apseudonym
Feb 25, 2011

Downs Duck posted:

To make it easy, a mechanic or a nurse wouldn't respond like many (not all) IT-professionals do (various degrees of angry/insults/etc like in this thread), when asked politely about something related to their field of expertise. In my humble, anecdotal experience.

I wouldn't take the vast majority of IT professionals' views on how to secure a device (fite me thread), because they're where a lot of the paranoid and non productive security advice comes from.

When I said to switch off custom ROMs it's because I do OS security, and you've taken your security from people who do it for a living and put it all on yourself, and you're not a mechanic.

Fundamentally the view that you need to do extra things to make yourself secure is the problem, because you're not an expert and can't be expected to do so correctly, and in your attempts to do something you've made your situation worse.

apseudonym
Feb 25, 2011

OSU_Matthew posted:

Don’t forget a good VPN service like Nord so all the various trackers don’t catch wind of your Tijuana donkey show habit and then start spamming your ads with stuff like saddles.

Also if you’re on public WiFi, a VPN will tunnel your traffic so your poo poo isn’t plainly visible to anyone else on the network sniffing out packets.

And yes, encrypt your hdd as already advised.

I wouldn’t worry about backing it up to an external device before every flight unless you plan on taking the laptop as checked baggage and there’s stuff on there not backed up to the cloud or home server in some fashion. Free google drive or Dropbox or whatever should be sufficient for your travels.

Yeah because those VPN providers aren't selling that info themselves. C'mon.


apseudonym
Feb 25, 2011

SERPUS posted:

Anyone ever seen something like this in the router firewall logs?

code:
Description                               Count      Last Occurrence           Target                 Source
DENY: Inbound or outbound access request  3139205    Sun May 24 12:36:29 2020  73.146.11.201:34417    195.54.167.40:58522
DENY: Inbound or outbound access request  14166454   Sat Apr 25 16:57:52 2020  209.85.146.188:5228    10.0.0.4:61608
I'm not sure how to address it, or even identify what's going on.

5228 is used by Google Play Services on Android devices for the push notification channel; do you have Android devices on the network? Blocking them is going to gently caress with the phone, and I'm not sure offhand about the retry logic for that connection, but I wouldn't be surprised if it loops rather tightly.
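An added example, not from the thread or any poster: a small Python parser for rows in the format SERPUS posted, which annotates each denied flow with its direction (worked out from which side is private address space) and the documented owner of the destination port, so the 5228 row is triaged the way the reply above does by hand. The two rows are the ones from the post; the 5228-5230 mapping is Google's published port list for the FCM / Play Services push connection; the retry-loop threshold and all function names are my own assumptions.

```python
import ipaddress
import re
from datetime import datetime

# The header and two DENY rows from the post, used as sample input.
SAMPLE_LOG = """\
Description\tCount\tLast Occurrence\tTarget\tSource
DENY: Inbound or outbound access request\t3139205\tSun May 24 12:36:29 2020\t73.146.11.201:34417\t195.54.167.40:58522
DENY: Inbound or outbound access request\t14166454\tSat Apr 25 16:57:52 2020\t209.85.146.188:5228\t10.0.0.4:61608
"""

# Destination ports with a documented owner. 5228-5230/TCP are the ports Google
# lists for the Firebase Cloud Messaging / Play Services push connection.
KNOWN_PORTS = {
    5228: "Google Play Services / FCM push channel",
    5229: "Google Play Services / FCM push channel (alternate)",
    5230: "Google Play Services / FCM push channel (alternate)",
}

# Assumed threshold (my choice, not from the post): this many denies for a single
# flow means the client is reconnecting in a tight loop rather than backing off.
RETRY_LOOP_THRESHOLD = 100_000

LINE_RE = re.compile(
    r"^(?P<desc>\S.*?)\s+(?P<count>\d+)\s+"
    r"(?P<when>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\s+"
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s+"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s*$"
)


def parse_line(line: str):
    """Return a dict for one DENY row, or None for the header and unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "description": m["desc"],
        "count": int(m["count"]),
        "last_seen": datetime.strptime(m["when"], "%a %b %d %H:%M:%S %Y"),
        "target_ip": m["dst_ip"], "target_port": int(m["dst_port"]),
        "source_ip": m["src_ip"], "source_port": int(m["src_port"]),
    }


def direction(source_ip: str, target_ip: str) -> str:
    """Classify the flow by which end sits in RFC 1918 / private address space."""
    src_priv = ipaddress.ip_address(source_ip).is_private
    dst_priv = ipaddress.ip_address(target_ip).is_private
    if src_priv and not dst_priv:
        return "outbound (LAN -> internet)"
    if not src_priv and not dst_priv:
        return "inbound (internet -> WAN)"
    if src_priv and dst_priv:
        return "internal (LAN -> LAN)"
    return "inbound (internet -> LAN)"


def triage(entry: dict) -> dict:
    """Annotate a parsed row with what a defender wants to know first."""
    out = dict(entry)
    out["direction"] = direction(entry["source_ip"], entry["target_ip"])
    out["service"] = KNOWN_PORTS.get(entry["target_port"])
    out["retry_loop_suspected"] = entry["count"] >= RETRY_LOOP_THRESHOLD
    if out["service"] and out["direction"].startswith("outbound"):
        out["note"] = (f"LAN host {entry['source_ip']} is blocked from {out['service']}; "
                       "expect broken push notifications and a tight reconnect loop")
    elif out["direction"].startswith("inbound"):
        out["note"] = "unsolicited inbound traffic dropped at the WAN side"
    else:
        out["note"] = ""
    return out


def parse_firewall_log(text: str) -> list:
    """Parse every data row of a log in the posted format, skipping the header."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


if __name__ == "__main__":
    for row in parse_firewall_log(SAMPLE_LOG):
        t = triage(row)
        print(f"{t['direction']:28} {t['target_ip']}:{t['target_port']:<6} "
              f"x{t['count']:<9} {t['service'] or '-'} | {t['note']}")
```

The direction test is the useful part: the 5228 row has a private source and a public target, so it is a LAN device being refused its outbound push connection, whereas the first row is public-to-public, which on a home router is the WAN interface dropping unsolicited inbound traffic. The count column is what separates a misconfigured rule from ordinary noise.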
