Category Archives: Security

Skype Vulnerability on Android

The Skype blog gives some good security advice for those using Android

To protect your personal information, we advise users to take care in selecting which applications to download and install onto their device.

This is related to a recent Google take-down notice for the infamous 21 apps cited by the Android Police for malicious intent.

I just randomly stumbled into one of the apps, recognized it and noticed that the publisher wasn’t who it was supposed to be.

Super Guitar Solo for example is originally Guitar Solo Lite. I downloaded two of the apps and extracted the APKs, they both contain what seems to be the “rageagainstthecage” root exploit – binary contains string “CVE-2010-EASY Android local root exploit (C) 2010 by 743C”. Don’t know what the apps actually do, but can’t be good.
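The check described in that comment (unpack the APK, look inside the native binaries for a known exploit string) is easy to automate, because an APK is an ordinary zip archive. The following is an added example, not code from the original post or from Android Police; it scans an APK for the marker string quoted above and also flags any ELF executable stored outside the lib/ directory, a heuristic of my own (an ELF under assets/ or res/raw/ is typically dropped and executed at runtime rather than loaded as a library). The second marker string and the sample APK contents are constructed for illustration.

```python
import io
import zipfile

# Strings to look for inside APK entries. The first is the one quoted on the
# page from the "rageagainstthecage" binary; the second is the exploit's
# common file name, added here as an assumption for illustration.
EXPLOIT_MARKERS = (
    b"CVE-2010-EASY Android local root exploit",
    b"rageagainstthecage",
)
ELF_MAGIC = b"\x7fELF"


def scan_apk(apk_bytes):
    """Return a list of suspicious entries found in an APK given as bytes.

    Two heuristics are applied to every entry:
      1. does it contain a known exploit marker string, and
      2. is it an ELF executable stored somewhere other than lib/, which is
         where legitimately packaged native libraries live.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.filename.endswith("/"):
                continue  # directory entry, nothing to read
            data = apk.read(info.filename)
            is_elf = data.startswith(ELF_MAGIC)
            markers = [m.decode() for m in EXPLOIT_MARKERS if m in data]
            if markers:
                findings.append({"entry": info.filename, "elf": is_elf,
                                 "reason": "exploit marker: " + ", ".join(markers)})
            elif is_elf and not info.filename.startswith("lib/"):
                findings.append({"entry": info.filename, "elf": True,
                                 "reason": "ELF binary outside lib/"})
    return findings


def build_sample_apk():
    """Construct a tiny stand-in APK in memory (constructed test data, not a
    real app). It mimics a repackaged game: normal dex and library entries
    plus a hidden native root exploit under assets/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest package='com.example.guitar'/>")
        apk.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        # legitimate native library: ELF, under lib/, no marker
        apk.writestr("lib/armeabi/libguitar.so", ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 64)
        # dropped exploit binary carrying the marker string quoted on the page
        apk.writestr("assets/rageagainstthecage",
                     ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 16
                     + b"CVE-2010-EASY Android local root exploit (C) 2010 by 743C\x00")
        # unknown ELF hidden in assets/, caught by the second heuristic
        apk.writestr("assets/helper", ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_apk(build_sample_apk()):
        print(f"{finding['entry']}: {finding['reason']}")
```

A string match is only a first pass: a repackager can trivially patch the banner out of the exploit binary, so the "ELF outside lib/" rule and a comparison of the signing certificate against the original publisher's are the checks that hold up better.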

It is tempting to write this off as unique to Skype, or to Skype only on Android, but the problem is much broader. Communication systems are attacked either in real time, during a session, or afterwards, through the residue and logs a session leaves behind. This case shows how that residue can be read by other applications on the same device without explicit authorization.

More troubling is that attackers continue to show a predilection for back doors on systems that do not practice effective monitoring, let alone prevent back door compromise in the first place. Given the huge number of weak back door paths I have found in “data center” environments recently, I might have to turn this into a full-blown presentation.

Data centers, in other words, should take care in selecting which doors to punch into their walls.

The Breach Bully Dilemma

A wise and weathered security executive many years ago told me a picnic is nice with people who have their head in the clouds but the group’s food is safer with at least one person who watches the ants.

CSO Online reminds me of this when they strike out in a recent post and condemn the tone and style of comments about Barracuda Networks. Apparently they don’t want anyone to mention the ants. They are critical of those who are critical (of Barracuda Networks).

to skin a vendor alive in the twittersphere because imperfections were exposed is something that doesn’t necessarily lead to a more secure product.
If anything, it’s like a group of misfits in the schoolyard beating up on another kid just because he’s even more awkward and ugly than they are. That’s a typical human failing: When we’re insecure about ourselves, we take comfort in someone else’s misfortune. We may be pathetic, but at least we’re not as bad as the next guy.

Although I am tempted to ask whether they are just defending one of their advertisers, I want to set motive aside entirely. Instead I wonder about consequences — whether a critical view of critics and the chill of negative opinion is good advice for a CSO tasked with risk management.

Some philosophical issues come to mind when I look at the CSO Online complaint.

First, they ask us to be aware that bad things happen to everyone, even those they hold up as industry leaders. This must be a variation of “if you don’t have anything nice to say, don’t say anything”, which itself is based on a gross and dangerous oversimplification to manipulate feelings. It usually fails a simple logic test.

Chairs are white, I am wearing white, and therefore I am a chair. Successful companies have been breached, Barracuda was breached, and therefore it should pat itself on the back as a successful company?

This is not about the feelings of school yard children, it is about the discipline required to protect data. The specifics that set one breach apart from another need to be held up, reviewed in detail and dissected, precisely to reduce the chance of oversimplification and repetition.

I suggest a better outcome, one that could acknowledge some or all of CSO Online’s stylistic concerns, would come from the command “if you don’t have anything nice to say, stick to the facts”. Even that is probably not necessary. Barracuda is surely prepared and able to perform an investigation while easily defending its reputation (cooperating with investigators whether or not it considers them nice, or congratulatory).

Second, the “it could happen to anyone” sympathy card in response to a breach could undermine efforts in an industry that hopes to modify behavior. Shame is a form of regulation. Shaming a company for inadequate security is crude but arguably has the consequence of an informal method of compliance. Asking the industry to avoid communication that carries the message of shame has what consequence? What benefit does CSO Online see in resisting the human instinct to shame, to fail to make an example of a breached company?

John Locke, the famous philosopher, gives the following insight into shame in Some Thoughts Concerning Education.

Esteem and disgrace are, of all others, the most powerful incentives to the mind, when once it is brought to relish them. If you can once get into children a love of credit and an apprehension of shame and disgrace, you have put into them the true principle, which will constantly work and incline them to the right. (§56)

CSO Online gives us the analogy of a school yard bully to consider. They equate negative commentary and shame to bully behavior, although they give no examples of speech they consider bullying. Their analogy is so broad as to be unacceptable at face value (a call to silence all negative opinions). But, setting that aside, I will take a stab at why their analogy actually undermines their position.

Let’s say a kid in the school yard is vulnerable to pneumonia if exposed to rain. One day it starts pouring rain and the kid, who actually sells umbrellas and rain coats, catches pneumonia. The umbrella fails. The rain coat fails. Other kids make fun of this situation and therefore the kid feels shame. Should the kids who laugh and point be called bullies? Are they asserting domination or control, a typical element in the definition of bullying behavior? They may be practicing only a form of shame and disgrace, behavior that philosophers of ethics say will “constantly work and incline them to the right”.

CSO Online thus advocates an overly broad regulation of speech. While they give examples of friends of theirs who communicate how they like, they should know already that positive reinforcement is not the ideal model in regulation and compliance. If they want to define breach bullies, to point the finger at bad actors, they should provide a test so we know whether and when we will offend the sensitive ears of CSO Online.

Professional sports, for example, provide rules to regulate bad behavior. Boxing does not allow a contender to be hit after a fall to the mat, hockey stops a fight when a skater is not standing, no hits are allowed after the whistle in football, and so forth. The rule tends to center around someone who is down and no longer able to defend, or is in a compromised state relative to their attacker.

Would CSO Online have us believe that Barracuda is so vulnerable now that commentary with even an unpleasant tone or style should be stopped? The security company seems not only capable of response on its own, but in a reasonable position to defend itself with a simple apology. If CSO Online wants to jump into the game and throw the red card for foul play they should focus their judgment and ire at the actual attackers and not upon heckling fans. If I were a player on the field and fans started booing my team after a loss, I would ask myself how to improve or avoid another loss rather than focus on silencing the rowdy but legal crowd. Stopping rowdy fan behavior is like trying to stop the rain.

Moreover, is it really necessary or desired to regulate a security community discussion separately from any other industry? America has a legacy of free speech principles that apply here and applying CSO Online’s vague rules of etiquette can have more negative consequences to risk management than positive.

Risk is measured by the likelihood and severity of an attack. Thus, for me it is less about whether the tone of everyone in the peanut gallery is to my liking and more about a factual discussion: how and why did a security company miss one of the most common attacks (likelihood), and was the exposed customer information sensitive (severity)? Silencing those who talk about the ants at a picnic may make the organizers less annoyed but it does not make the food safer.

WordPress Hacked

WordPress.com has reported a breach of their site — root access was obtained but the exposure was contained.

While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.

Some ask in the WordPress.com blog comments whether “sensitive bits” could be API keys and tokens for partner sites like Twitter. So far WordPress has downplayed this risk.

WordPress.com also notes their password hashes are stronger than just unsalted MD5 thanks to Solar Designer’s phpass, whose portable mode prepends a random per-user salt and iterates MD5 thousands of times rather than hashing the password once. They incorporated it in early 2008 with WordPress 2.5.

It might be worth noting that Solar Designer is known also for developing John the Ripper, a password cracking tool, and he has warned of potentially weak implementations of phpass.

The openness of WordPress.com and the details of their password security practices should be seen as a sliver of good news, at least when compared with the Barracuda and HB Gary incidents that brought to light unsalted MD5 hashes. The risk is lower with salted, iterated hashes because a precomputed lookup table is useless against them, but a weak password still falls to a per-hash dictionary attack, so WordPress gives the following usual advice to their users as a response.

  • Use a strong password, meaning something random with numbers and punctuation.
  • Use different passwords for different sites.
  • If you have used the same password on different sites, switch it to something more secure.
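To make the difference concrete, here is an added example (my own code, not WordPress’s or phpass’s) that implements phpass’s portable “$P$” hash from its published algorithm: MD5 over salt plus password, then 2^count further MD5 rounds, encoded with phpass’s own base64 alphabet. WordPress’s default of 13 for the count exponent (hashes beginning with $P$B, 8192 rounds) is stated from memory of the library’s behaviour on PHP 5. The password list and the “dump” being cracked are constructed for illustration. The point of the example is the contrast: the same list of guesses cracks every unsalted MD5 in a dump from one precomputed table, while each phpass hash must be attacked separately and at thousands of MD5 calls per guess, yet a password on the list still falls.

```python
import hashlib
import hmac
import os

# phpass's own 64-character alphabet (not RFC 4648 base64).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw, count):
    """phpass's base64 variant: 3 input bytes -> 4 chars, low bits first."""
    out = []
    i = 0
    while i < count:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password, setting):
    """Compute a portable phpass hash for `password` under `setting`, the
    12-character prefix '$P$' + count char + 8-char salt. The rest of a
    stored hash is the 22-character encoding of the final 16-byte digest."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a portable phpass setting")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt = setting[4:12]
    if len(salt) != 8:
        raise ValueError("salt must be 8 characters")
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):          # 2^count_log2 further rounds
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_new(password, count_log2=13, rand=os.urandom):
    """Hash with a fresh random salt. count_log2=13 is assumed to be the
    WordPress default (8192 rounds, hash starts with '$P$B')."""
    setting = "$P$" + ITOA64[count_log2] + _encode64(rand(6), 6)
    return phpass_hash(password, setting)


def phpass_check(password, stored):
    """Verify a password against a stored hash in constant time."""
    return hmac.compare_digest(phpass_hash(password, stored[:12]), stored)


# Constructed guess list standing in for a cracker's dictionary.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "guitar"]


def unsalted_md5_table(candidates=COMMON_PASSWORDS):
    """Precompute md5 -> password once; it then serves every hash in a dump."""
    return {hashlib.md5(p.encode()).hexdigest(): p for p in candidates}


def crack_unsalted(hex_digest, table):
    return table.get(hex_digest)


def crack_phpass(stored, candidates=COMMON_PASSWORDS):
    """No precomputation is possible: the salt binds the work to this one
    hash and every guess costs 2^count_log2 MD5 calls."""
    for p in candidates:
        if phpass_check(p, stored):
            return p
    return None


if __name__ == "__main__":
    table = unsalted_md5_table()
    print(crack_unsalted(hashlib.md5(b"letmein").hexdigest(), table))  # letmein
    h = phpass_new("letmein")
    print(h[:4], crack_phpass(h))                                        # $P$B letmein
    print(crack_phpass(phpass_new("correct horse battery staple")))      # None
```

The `phpass_new` and `phpass_check` pair is the same interface WordPress exposes as `wp_hash_password` and `wp_check_password`; the check recomputes the hash from the stored prefix, so the salt and round count travel with the hash and never need a second column.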

The breach does not affect independent and self-hosted WordPress sites.

The Poison of Sugar

Gary Taubes gives an extremely thorough and supportive review in the NYT of Robert Lustig’s argument that sugar should be evaluated as poisonous. It’s a sticky issue (pun intended) as illustrated with feats of acrobatic marketing by the junk food industry.

In the early 1980s, high-fructose corn syrup replaced sugar in sodas and other products in part because refined sugar then had the reputation as a generally noxious nutrient. (“Villain in Disguise?” asked a headline in this paper in 1977, before answering in the affirmative.) High-fructose corn syrup was portrayed by the food industry as a healthful alternative, and that’s how the public perceived it. It was also cheaper than sugar, which didn’t hurt its commercial prospects. Now the tide is rolling the other way, and refined sugar is making a commercial comeback as the supposedly healthful alternative to this noxious corn-syrup stuff. “Industry after industry is replacing their product with sucrose and advertising it as such — ‘No High-Fructose Corn Syrup,’ ” Nestle notes.

But marketing aside, the two sweeteners are effectively identical in their biological effects. “High-fructose corn syrup, sugar — no difference,” is how Lustig put it in a lecture that I attended in San Francisco last December. “The point is they’re each bad — equally bad, equally poisonous.”

As much as I hate both sugar and high-fructose corn syrup, I disagree. Here’s how he tries to drive the point home.

Because each of these sugars ends up as glucose and fructose in our guts, our bodies react the same way to both, and the physiological effects are identical.

I disagree because there is weak evidence that our bodies are the same, let alone that each body will “react the same” to different sugars. This difference in effect is no great secret if you look at the study and evolution of sports nutrition.

A related example is how some are affected differently by the lactose of various milks. Some people digest all forms of milk without noticing any differences. Those more sensitive to lactose, however, typically reject cow milk yet have few issues with camel or goat milk.

Along these lines, since I was a child I have run numerous tests (granted, not always very scientific or blind) that consistently demonstrate to me that high-fructose corn syrup has a very different effect on me than other forms of sugar.

The culmination of my research was in 2000 when I would eat two to three “health bars” during the day. I noticed right away that the days when I ate bars with high-fructose corn syrup I was less productive, less focused in my writing. I then started to isolate the bars by ingredients.

After just three weeks I found that Luna bars, sweetened without any high-fructose corn syrup gave me a boost of energy yet any bar that had high-fructose corn syrup would slow me down and sometimes even prevent me from thinking clearly.

Like removing caffeine or alcohol from a diet, after I had eliminated all high-fructose corn syrup from my diet the effect of it became even more pronounced. Now, very soon after consuming high-fructose corn syrup, I notice a significant negative effect on mental acuity. Taubes points out a difference between “chronic toxins” and “acute toxins”. With that in mind it seems I treat high-fructose corn syrup as acute and other forms of sugar as chronic.

At the same time, despite all the non-fat marketing and advice, I have not found any link from the fat in nuts, vegetables and meat to obesity. I never accepted skim or low-fat milk as a step to health. It simply does not make sense to me and I have never noticed that effect. This is raised by Taubes as well.

…many of the key observations cited to argue that dietary fat caused heart disease actually support the sugar theory as well. During the Korean War, pathologists doing autopsies on American soldiers killed in battle noticed that many had significant plaques in their arteries, even those who were still teenagers, while the Koreans killed in battle did not. The atherosclerotic plaques in the Americans were attributed to the fact that they ate high-fat diets and the Koreans ate low-fat. But the Americans were also eating high-sugar diets, while the Koreans, like the Japanese, were not.

Strange that it is taking so long for nutritionists to move ahead and advance their research and understanding of risks. Apparently there is very little work done in America on clinical trials that would help understand sugar and high-fructose corn syrup. That makes risk management far more difficult for consumers than necessary or safe. It is like being told to run a network without the means to look at the logs for breaches or inspect any traffic for malicious code.