Until this point I was not aware that Lookout provided any value-add for mobile devices. I was under the impression it was the McAfee of mobile.
It sounds mean but this is the first reference to actual vulnerability discovery done by themselves on their blog, which usually reports on security updates that Google's Android security team discovered. Previous entries include such gems as "Now available: The Practical Guide to Enterprise Mobile Security" and "Insights from Gartner: When and How to Go Beyond EMM to Ensure Secure Enterprise Mobility."
I can't wait to see more great work. Lookout is now on my radar.
Tripwire is a linux util for doing just that. However you need some read-only media to store the hashes and I think rootkits can still just intercept the read calls.
Some years ago, I had Tripwire installed for a few days but quickly removed it again because whenever I upgraded installed packages, I'd get a storm of messages about files which had changed and that was just annoying since I was the one who had initiated the action that caused the files to change, but at the same time there were so many files that changed of course, that I had no way of distinguishing legitimate changes (as they all were) from any potential illegitimate changes.
That's precisely what it's supposed to do. If you update the Tripwire db every time you "initiate an action that causes monitored files to change" - then it does a _magnificent_ job of telling you when someone _else_ changes those files.
You need to run 'tripwire --update' every time you run 'apt-get update' or 'pip install foo' or 'npm install bah' or whatever - then you wont get that storm of false positives.
Yes - a few times a year when normal and authorised things or people have unexpectedly changed files in tripwire-protected places, and in ~20 years I think three times when I'd had an intrusion.
Those three timely notifications of real breaches have made 20+ years worth of occasional false positives 100% worth it.
I'm on mobile so links are annoying to get, but Apple has a great PDF on iOS security in general, which includes details on their protections against kernel patching. Windows has KPP, and Mac OS has SIP. Not familiar with anything for Linix but I'd be shocked if there weren't multiple incompatible implementations of similar features.
Realistically, this is also something virtualization can help guard against. If your OS is initialized from a known good version external to the VM, every time the VM starts, you greatly increase the difficulty for an attacker to get persistant root.
Doubt it. Once you have control of the system, why would you not be able to just disable the check? What they should do is enforce code signing at the processor level.
Too bad that has it's own issues. Android/Google definitely has the clout to be able to call the shots (ie force the processor manufacturer to issue them a CA cert for their own use), but what would happen if ARM then became a dominant server arch?
Also, putting code signing in the processor wouldn't fix the problem: code signing already happens in higher levels (ie higher than userland), so moving the verification a level up would likely take the exploitable bugs with it. The problem remains.
If the checks are enforced by the bootloader which is signed, then you cannot disable them. I think this is how the system partition is protected on recent Android versions. As this attack demonstrates, simply requiring all code to be signed isn't enough.
And quite the heads up move by Ahmed Mansoor to recognize the suspicious text for what it was and send it to the research team instead of clicking the link. If this thing really has been going since iOS 7 that means he is the outlier in taking precautions.
FTA: He had been targeted previously by FinFisher AND Hacking Team's malware. Avoiding malware is nothing new to this guy, something this NSO Group should have taken into account when they came up with their spear-phishing attack.
Sure but how is that responsive to parent's point about Mansoor being an "outlier in taking precautions"? The reason he found out about the previous attacks was likely because he took similar precautions:
"When Ahmed Mansoor opened the document, his suspicions were aroused due to garbled text displayed. His email account was later accessed from the following suspicious IPs.."
Then again, he's not some comfortable first-world programmer who makes $100K a year and enjoys talking about infosec and opsec as a fun diversion, he's a guy living in a repressive third-world dictatorship who has put his entire life on the line for the human rights of others and probably has little to no computer science or infosec education, so, maybe cut the guy some fucking slack.
NSO Group claims not to launch attacks itself; rather it only sells tools to do so. So it might even be that the same government has targeted him with all three hacking tools.
Until this point I was not aware that Lookout provided any value-add for mobile devices. I was under the impression it was the McAfee of mobile.
It sounds mean but this is the first reference to actual vulnerability discovery done by themselves on their blog, which usually reports on security updates that Google's Android security team discovered. Previous entries include such gems as "Now available: The Practical Guide to Enterprise Mobile Security" and "Insights from Gartner: When and How to Go Beyond EMM to Ensure Secure Enterprise Mobility."
I can't wait to see more great work. Lookout is now on my radar.