All Posts

Algorithmic passwords - Memorable, high entropy, and unique

Background. Passwords… ugh. I would wager that passwords rank among many people's least favorite topics, but they are an integral part of life and therefore warrant discussion. Back in 2003 NIST published authentication guidelines for the US Federal government. Those requirements are largely responsible for password requirements for the last 15 years. In typical NIST fashion the document is comprehensive, and includes threat models, mitigations, and detailed requirements. For their purposes a password is referred to as a “Memorized Secret Token” and the relevant threats and mitigations are:

SE for Android on the GS4 Google Play Edition

GS4 Google Play Edition != Nexus. Caveat: Everything here is based on the leaked images floating around and is not necessarily representative of what the final, released version will look like. That said, it is probably partially useful and my curiosity got the best of me… As you probably know by now the GS4 Google Play Edition is not a Nexus device. It does not get updates from Google and does not have only Google-provided code.

SE for Android GS4 howto and exploit demo

The client. I’ve uploaded my changes to the SEAdmin client to bitbucket (be sure to check out the samsung-API branch) for brave souls who want to experiment with this. I also have an apk for those who don’t want to build their own. This must be installed to the system partition in order to work. It is also crazy hacked together, so don’t blame me if your phone blows up.

Using SE for Android on the Samsung Galaxy S4

So, you want to secure your Galaxy S4? After my last blog post I really wanted to get my hands on a Galaxy S4 to see what we could do with it, from an SE for Android perspective. Well, I got one yesterday and the answer is, unfortunately, not a whole lot, but not nothing, either. First, I wanted to try turning on enforcing from an MDM app without rooting the device.

SE Android and the motochopper exploit

SE Android prevents first exploit against commercial phone. That should have been the title of this post, but alas it is not. By now you may know that the Samsung Galaxy S4 is the first commercial device shipped with SE Android included. Included, but not enforcing. If you are familiar with SELinux you know that there is a developer mode (also called permissive) that audits accesses that would have been denied, but does not actually deny them.

And here it is... mRAT's found that bypass MAM

As a follow-up to my last blog post, I just came across this article: Mobile malware gets serious – RATs can bypass sandboxes and encryption. 1 in 1000 devices; the tools are in the wild. There is no reason to believe this number will go down. Further, these mRATs apparently know how to bypass MDM and MAM sandboxes and encryption. Of course, mRATs aren’t anything new, but this is the first I’ve heard about ones that specifically target/bypass MDM/MAM.

Security Anti-Pattern - Mobile Castles on Sand (or why app wrapping is not a security model)

Mobile Application Management (MAM). Mobile Device Management (MDM) was all the hotness just a few years ago. It gave IT departments the ability to manage both corporate-owned devices and devices owned by employees (BYOD), but it was dissatisfying. As BYOD became more prevalent and corporate-owned devices less so, it made users feel like they were giving up all control of their device to their employer, mainly because they were.

Security Anti-Pattern - Mobile Hypervisors (for user facing VM's)

One of the things I was working on for most of 2012 was mobile security, specifically SE Android. Before 2012 my exposure to mobile was limited to using smart phones and making minor customizations to third-party ROMs. That would all change. A group of us started looking at a specific RFP that many believed would be the major mobile entrée into the federal government and military. It wasn’t. It turned into a fiasco.

Big changes

New blogging system… Also I left Tresys. After almost 9 years there I have resigned, which was a hard thing to do. Spencer Shimko, Brandon Whalen and I left Tresys a couple weeks ago to start our own company, Quark Security. That decision wasn’t easy but it is a good time in our careers and we all believe that we are prepared to succeed running our own company. We were joined by an ex-Tresys employee, Ed Sealing.

SELinux and RPM

Wow, I just noticed it's been a year since I've blogged; that is not good. That doesn't mean nothing has been going on, though; we've been quite busy around here. First I'd like to talk about a couple of projects we are working on. The first is better integration of SELinux policies into RPM. We've posted a patch set to the rpm-maint [1] mailing list and are awaiting feedback. To try out the patches yourself you can read the instructions on the project page at selinuxproject.