The vast majority of devices running Google’s Android operating system are vulnerable to attacks that allow adversaries to steal the digital credentials used to access calendars, contacts, and other sensitive data stored on the search giant’s servers, university researchers have warned.
The weakness stems from the improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier, the researchers from Germany’s University of Ulm said. After a user submits valid credentials for Google Calendar, Twitter, Facebook, or several other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts.
“We wanted to know if it is really possible to launch an impersonation attack against Google services and started our own analysis,” the researchers in the university’s Institute of Media Informatics wrote on Friday. “The short answer is: Yes, it is possible, and it is quite easy to do so.”
The findings build off previous findings of Rice University professor Dan Wallach, who in February uncovered the Android privacy shortcomings during a simple exercise for his undergraduate security class. The attacks can only be carried out when the devices are using unsecured networks, such as those offered at Wi-Fi hotspots.
Google patched the security hole earlier this month with the release of Android 2.3.4, although that version, and possibly Android 3, still cause devices synchronizing with Picasa web albums to transmit sensitive data through unencrypted channels, the researchers said. Based on Google’s own statistics, this means more than 99 percent of Android-based handsets are vulnerable to the attacks, which are similar in difficulty and effect to so-calledsidejacking exploits that steal authentication cookies.
A Google spokesman said the company’s Android team is aware of the Picasa deficiencies and is working on a fix.
Researchers Bastian Könings, Jens Nickels, and Florian Schaub warned that the weaknesses could be used against people who use their Android devices on networks under the control of an attacker.
“To collect such authTokens on a large scale an adversary could setup a wifi access point with a common SSID (evil twin) of an unencrypted wireless network, e.g., T-Mobile, attwifi, starbucks,” they wrote. “With default settings, Android phones automatically connect to a previously known network and many apps will attempt syncing immediately. While syncing would fail (unless the adversary forwards the requests), the adversary would capture authTokens for each service that attempted syncing.”
Apps that use ClientLogin should immediately start doing so over encrypted, https channels, the researchers said. A more robust authentication protocol known as oAuth will also close the authToken capture vulnerability, although https should still be used to prevent synced data from being intercepted.
The researchers also suggested Google improve its security by shortening the length of time authTokens are valid and rejecting ClientLogin requests from insecure http connections.
With more than 99 percent of carriers offering their users Android versions with known security weaknesses, the report demonstrates how little success Google has had in getting its partners to upgrade to the latest versions. Many Verizon Wireless customers, for instance, remain stuck with Android 2.2.2, despite containing vulnerabilities that have been known about for months.
Last week, Google said it planned to work more closely with wireless carriers in an attempt to help them offer Android updates more quickly. The company has yet to offer details.
The best part of waking up…is a smartphone in your hand? According to an Ericsson survey, that’s true for over one third of Android and iPhone owners.
A new survey from telecom equipment maker Ericsson (PDF) finds that some smartphone users are very, very attached to their devices, finding that fully 35 percent of iPhone and Android users in the United States admit to using non-voice applications before they even get out of bed in the morning. Some 18 percent of those users say they log in to social networking apps before they get up—and Facebook is the most popular. However, social networking from bed only tied with late afternoon and early evening as the most common “situations” for tapping into social networking services. Smartphone users said they were more likely to use social networking apps in the late evening (34 percent), at lunch (26 percent), or in the morning (22 percent) after they got up.
“Our research found apps are appealing to people at an emotional level,” said Ericsson ConsumerLab heard of research Michael Björn, in a statement. “Consumers become attached to a certain set of apps that makes them feel more in control of their lives, and turns everyday chores into positive experiences. Apps even give consumers a new sense of freedom; if a new situation arises, there’s probably an app out there that could help them.”
With Ubuntu 11.10 requiring a slick, ‘consumer orientated’ login experience that better matches the rest of Ubuntu, the decision to switch to ‘LightDM’ proved the ideal solution.
LightDM is promoted as fast, small, well documented, is easily themable and has ‘great accessibility’. A 3D-based interface will greet those with capable hardware, with a 2D version being used fallback where not supported.
The advantages of using LightDM instead GDM are according to launchpad blueprint:
- – Faster – the greeter doesn’t require an entire GNOME session to run
- – More flexible – multiple greeters are supported through a well defined interface. This allows Ubuntu derivatives to use the same display manager (e.g. Kubuntu, Lubuntu etc).
- – Simpler codebase – similar feature set in ~5,000 lines of code compared to 50,000 in GDM
- – Supports more usecases – first class support for XDMCP and multihead.
Note: this blueprint is marked with a “low priority” tag on launchpad so it may not end up landing in 11.04.
If you are using Ubuntu (Lucid or Maverick) you can install it from a PPA:
$ sudo add-apt-repository ppa:robert-ancell/lightdm
$ sudo apt-get update
$ sudo apt-get install lightdm lightdm-theme-webkit lightdm-theme-gnome
You can test lightdm by running it in a window:
$ sudo apt-get install xserver-xephyr
Create the file lightdm.conf:
$ lightdm --test-mode -c lightdm.conf
It had not worked for me though, I wonder why. It might not work for those who have graphic card issues with GNOME 3.
Lately I upgraded Ubuntu from 10.10 to 11.04. It was great with a nice login background. After logging in, I found the graphics was an issue. Either the driver or the laptop was not supportive. The Laptop config is a 64 BIT, 4 GB RAM, ATI 9488 card.
Finally logged in with Ubuntu Classic, which barely gave me any designer views. Playing around with it quite a bit, I removed the entire desktop gui, landed with the terminal login.
Once you login enter gnome-terminal, then you will be taken to the terminal screen with the file menu. The advantage of this is that you could open up different terminals, the disadvantage is that, you cannot see the previous terminal when a new one is open.
Enter the following lines
sudo apt-get install ppa-purge
sudo ppa-purge ppa:gnome3-team/gnome3
Once this is done sudo reboot, should bring you back to the login window. Selecting the required username does not bring you the list ubuntu/unit2d etc. Those are all gone, when you remove the desktop-gui. This will keep you on the 11.04 update without graphics issue, and the theme of 10.10.
Some of the issues I had after going through the above was, the task bar was missing.
Add it to the startups by
Click the Add button and enter gnome-panel in the command line
Enter a name and description, just to keep you updated and reboot/logout and login.
Everything should go fine.
Email sent out by SnapNames
On February 15, SnapNames will raise the starting bid for backorders for all deleting domain names from $59 to $69. This starting bid increase applies only to orders for names that are deleted from their respective registries (not the expiring or privately held names listed from registrar partners or sellers).
This change applies exclusively to new ordersâ€”any previously placed deleting domain name backorders will be grandfathered in and remain at a starting bid amount of $59; thus, $59 will be the opening bid if the name enters our system. (Note, if you are the only bidder in this scenario, like today you will be the buyer at $59. If another party backorders the same name after February 15, that partyâ€™s opening bid will be at $69 and the system will alert you to raise your bid if you so elect.)
As is the case today, all non-deleting domain names will enter our system at the starting bid price specified by the listing party. Opening bids for those names will stay at the amounts originally set.
There is no change to auction procedures. If there is only one bidder for a name at the time of its availability, the name will be awarded to that bidder. For names with more than one interested party, the names will go to auction and the highest bid at or above the starting bid amount will prevail.
Questions can be directed to the SnapNames support team:
In 1958, the government was considering the annexation of Alaska and Hawaii to the 48 contiguous states. This ca
used high school junior Robert Heft to design a flag to accommodate the potential additions as part of a school project. His history teacher, Stanley Pratt, didn’t think much of the design and gave it a B-!! Heft decided to submit the
design to Congress and convinced Mr. Pratt to raise his grade if the flag was accepted. On August 21th of the following year, President Eisenhower selected Heft’s design out of 1,500 submissions and called him personally to give him the good news!
Robert Heft’s original flag has now flown over EVERY state capitol building and 88 different U.S. e
mbassies. It is the only flag in our history to have flown over the White House during the administrations of five different presidents!
Easter is a religious holiday based on the resurrection of Jesus, the exact date of which was not recorded In light of this, no generally accepted date for Easter was fixed, and the date was based on the calendar However, the decision of which calendar to use was a point of contention The Julian calendar was the solar-based calendar of the Roman Empire since 45 BC, but the Lunar calendar (which was Jewish) had been in place for 2,000 before that Because of the differences in the calendars, Easter was celebrated on different dates.
In AD 325, a conclave of priests and bishops met at Christianity’s first Ecumenical Council in Nicea (present-day Turkey) to decide an array of topics, one of which was the date for Easter The different Church groups were represented and a decision was eventually reached It was decided that, throughout the Church, Easter would be celebrated on the first Sunday after the first full moon that occurs on or after March 21 Different regions, however, applied slightly different rules, some describing March 21 as the vernal equinox (i e , the Spring equinox, when the length of night and day are equal because the sun passes over the equator), although the first Sunday after the first full moon that occurs on or after March 21 is now the accepted formula Applying this formula, Easter Sunday must fall between March 22 and April 25, inclusive Easter Sunday hasn’t fallen on March 22 since 1818, and will next fall on that date in 2285 Similarly, it hasn’t fallen on April 25 since 1943 and won’t again until 2038.