[PCM]Qualcomm Chip Bug Poses Risk to App Account Security - Page 3 - Overclock.net - An Overclocking Community

post #21 of 32 (permalink) Old 05-02-2019, 06:43 PM
Avonosac
Quote: Originally Posted by xJumper View Post
One thing I never get tired of is learning, I'm all ears. So instead of one liner'ing it, let me know how I am wrong and what exactly it is I am missing.

Ok, with this response I believe you may actually be interested, though your qualification of what you deign to acknowledge as a vulnerability is rather suspect.

The problem with the normal response to any of these security vulnerabilities is they are viewed in a vacuum. However, they aren't ever used in a vacuum, they are chained together, so when you make statements like "you would have to download an app and give it root privileges before this is dangerous" it shows how you're missing an understanding of the anatomy of an attack. Most attacks use a series of minor vulnerabilities to eventually reach full takeover, and there isn't a version of android which doesn't have a known successful attack chain. So you don't need to get them to install an app to give root privileges, you just need to use a different privilege escalation attack after you have remote code execution.

Second, security is only as strong as the weakest link. So arbitrarily removing social engineering, mimic malware, supply chain subversion, or spearphishing from your attack surface definition is at best a dubious position to take. You aren't invulnerable to all of them, so why would you arbitrarily expect all users to be more careful and capable than you are?

I'm going to assume you know how bad SMS is for 2FA, however most people don't and even if they did this attack would expose the keys for their time based authenticator apps and password managers. Crack into a phone like this and you can steal a life.


post #22 of 32 (permalink) Old 05-03-2019, 01:26 AM
xJumper
Quote: Originally Posted by Avonosac View Post
Ok, with this response I believe you may actually be interested, though your qualification of what you deign to acknowledge as a vulnerability is rather suspect.

Second, security is only as strong as the weakest link. So arbitrarily removing social engineering, mimic malware, supply chain subversion, or spearphishing from your attack surface definition is at best a dubious position to take.
I am a staunch defender of the classic computer security model, so to me "exploits" that rely on things like physical access, purposefully giving elevated privileges and other stuff we would consider a given or no-brainer as things you need to do or not do to have a secure system aren't held in the same light as traditional exploits.

tl;dr version: someone takes your phone, hooks up a JTAG kit to it and rips its flash memory contents out; I don't consider that a real exploit. The attacker had physical access; that would have been a huge "duh" in classical computing security circles. Yet some proponents of the newer type of security model see that as a valid vulnerability.

Quote: Originally Posted by Avonosac View Post
and there isn't a version of android which doesn't have a known successful attack chain.
Is there a version of anything, any OS, that doesn't have a successful attack chain? It would appear that my desktop OS on the kernel it runs has no known major flaws, yet there probably and likely always is a way for it to get owned if I literally did every single thing wrong and completed every link in the attacker's "chain". I'm speaking all in the hypothetical here, but if you have to go wrong ten times in a row, is it really a true "exploit"?

On a side note I had never heard of this term "attack chain" until now, I just figured they did stuff like that though, use many small things to accomplish a larger goal.

Quote: Originally Posted by Avonosac View Post
The problem with the normal response to any of these security vulnerabilities is they are viewed in a vacuum. However, they aren't ever used in a vacuum, they are chained together, so when you make statements like "you would have to download an app and give it root privileges before this is dangerous" it shows how you're missing an understanding of the anatomy of an attack. Most attacks use a series of minor vulnerabilities to eventually reach full takeover, and there isn't a version of android which doesn't have a known successful attack chain. So you don't need to get them to install an app to give root privileges, you just need to use a different privilege escalation attack after you have remote code execution.
My question is, how many "chain links"/exploits would you need to use to be successful in using this particular exploit? Depending on that (which the article does not mention), it would sway my position on whether this is a "real" vulnerability or not.

Quote: Originally Posted by Avonosac View Post
You aren't invulnerable from all of them, so why would you arbitrarily expect all users to be more careful and capable than you are?
Depends on how badly you need to screw up for the attack to be successful. If the number of "wrong turns" that need to be made exceeds what I deem a reasonable amount of mistakes a semi-knowledgeable person would ever make, I wouldn't view it as an exploit by "my" standards, but like I said, that's me.

Quote: Originally Posted by Avonosac View Post
Crack into a phone like this and you can steal a life.
If any one device, file or piece of software "cracks" your life you did it wrong.

Quote: Originally Posted by Avonosac View Post
I'm going to assume you know how bad SMS is for 2FA
I do, and I constantly rail on it and on companies that force it as a means for 2FA; I'm actually really against 2FA in its current state.

Last edited by xJumper; 05-03-2019 at 01:32 AM.
post #23 of 32 (permalink) Old 05-05-2019, 07:33 AM - Thread Starter
dagget3450
Quote: Originally Posted by xJumper View Post
I am a staunch defender of the classic computer security model, so to me "exploits" that rely on things like physical access, purposefully giving elevated privileges and other stuff we would consider a given or no-brainer as things you need to do or not do to have a secure system aren't held in the same light as traditional exploits.

tl;dr version: someone takes your phone, hooks up a JTAG kit to it and rips its flash memory contents out; I don't consider that a real exploit. The attacker had physical access; that would have been a huge "duh" in classical computing security circles. Yet some proponents of the newer type of security model see that as a valid vulnerability.

Is there a version of anything, any OS, that doesn't have a successful attack chain? It would appear that my desktop OS on the kernel it runs has no known major flaws, yet there probably and likely always is a way for it to get owned if I literally did every single thing wrong and completed every link in the attacker's "chain". I'm speaking all in the hypothetical here, but if you have to go wrong ten times in a row, is it really a true "exploit"?

On a side note I had never heard of this term "attack chain" until now, I just figured they did stuff like that though, use many small things to accomplish a larger goal.

My question is, how many "chain links"/exploits would you need to use to be successful in using this particular exploit? Depending on that (which the article does not mention), it would sway my position on whether this is a "real" vulnerability or not.

Depends on how badly you need to screw up for the attack to be successful. If the number of "wrong turns" that need to be made exceeds what I deem a reasonable amount of mistakes a semi-knowledgeable person would ever make, I wouldn't view it as an exploit by "my" standards, but like I said, that's me.

If any one device, file or piece of software "cracks" your life you did it wrong.

I do, and I constantly rail on it and on companies that force it as a means for 2FA; I'm actually really against 2FA in its current state.

I don't understand what your point is. "Exploit" doesn't need to be defined as it is already in the dictionary:

Quote:
exploit noun
ex·ploit | \ ˈek-ˌsplȯit , ik-ˈsplȯit \
Definition of exploit (Entry 1 of 2)
: deed, act; especially : a notable or heroic act

exploit verb
ex·ploit | \ ik-ˈsplȯit , ˈek-ˌsplȯit \
exploited; exploiting; exploits
Definition of exploit (Entry 2 of 2)
transitive verb
1 : to make productive use of : utilize (exploiting your talents; exploit your opponent's weakness)
2 : to make use of meanly or unfairly for one's own advantage

You saying "the amount of wrong turns", or the idea that if software "cracks your life" then "you did it wrong", is rather disingenuous to the whole concept of exploits. Considering how much of people's lives are on their phones (personal devices) these days, you can easily steal "all" the data tied to their identity. Also, combine that with always-connected devices and "cloud computing", as simple examples. "Traditional exploits" sounds like you're talking about decades ago, when paper pads and pens were a thing.

post #24 of 32 (permalink) Old 05-05-2019, 07:48 AM
Defoler
Quote: Originally Posted by xJumper View Post
I am a staunch defender of the classic computer security model, so to me "exploits" that rely on things like physical access, purposefully giving elevated privileges and other stuff we would consider a given or no-brainer as things you need to do or not do to have a secure system aren't held in the same light as traditional exploits.
This is where you do not understand computer security.

For example, the latest Intel memory bug can use a relatively simple exploit in memory, remotely through site scripts, and once that is done they can use a different exploit that allows more privileges, something that in the past required physical access or elevated privileges (Spoiler + Rowhammer exploits used together).

So while one exploit could have required physical access to load something up, now, it might not.

So how you accept "classic computer security" has been voided and irrelevant for years.

That is also the mistake of many security "experts" in many companies. They aren't up to date with what you can or cannot do, and think "classic", and then get surprised when data is lost/stolen.

post #25 of 32 (permalink) Old 05-05-2019, 03:09 PM
xJumper
Alright, I'll give it to you guys, it's an exploit and I'm wrong. Still not an exploit that would likely affect me, and even if I did somehow get owned by it they wouldn't be able to take over my life, as I've got that strapped down and compartmentalized pretty damn well, but yes, it is an exploit.

post #26 of 32 (permalink) Old 05-07-2019, 10:39 PM - Thread Starter
dagget3450
Quote: Originally Posted by xJumper View Post
Alright, I'll give it to you guys, it's an exploit and I'm wrong. Still not an exploit that would likely affect me, and even if I did somehow get owned by it they wouldn't be able to take over my life, as I've got that strapped down and compartmentalized pretty damn well, but yes, it is an exploit.
I totally get where you are coming from (I think). I myself don't use my phone for anything but voice/texts. I don't pay any bills, surf the web without add-ons, use social media or load any apps on it. So realistically I don't care if it somehow got hacked. That said, I have so many family and friends who more or less have the phone surgically attached to their hands or body. In fact, if it weren't for work I would prefer to just not even have one. Maybe I am old now, but I wouldn't have guessed 20 years ago that everyone would have a personal device they use to communicate with the world and every other possible aspect of life like dating/shopping etc.

Also refreshing to see someone admit they might be wrong, instead of mercilessly posting and sticking to denial of others' opinions or facts. (I've been guilty of that myself; been trying to work on it though.)

post #27 of 32 (permalink) Old 05-08-2019, 11:03 AM
xJumper
Quote: Originally Posted by dagget3450 View Post
I totally get where you are coming from (I think). I myself don't use my phone for anything but voice/texts. I don't pay any bills, surf the web without add-ons, use social media or load any apps on it. So realistically I don't care if it somehow got hacked.
That's that classical security model I'm talking about. Where you have your mainframe (desktop machine at home), which is where you focus your security/hardening, and your other devices out in the wild, which you assume and operate under the pretext of being compromised, no different from internet cafes, public networks, unknown hosts, etc. When you follow that model, many of these new "exploits" end up being trivial and don't affect you.

You have the businesses today that keep it simple: desktop work machines on every desk, POTS landlines and that's it, everything runs on the LAN/wired switches. Firewall set to default deny out, everyone goes home for the day, the building is locked and security patrols it; not too many ways to hack that business. Then you have the businesses that have PBX boxes, IP phones, cloud drives, mobile apps/company phones, e-portals, VPNs, VNCs, all sorts of special remote clients, etc. There's like a million attack vectors to that.

Quote: Originally Posted by dagget3450 View Post
Also refreshing to see someone admit they might be wrong, instead of mercilessly posting and sticking to denial of others' opinions or facts. (I've been guilty of that myself; been trying to work on it though.)
Part of "knowing" is knowing when you don't know something. I'm old enough that I don't care about being "wrong" anymore or "losing"; I'd rather just get to the right info.

post #28 of 32 (permalink) Old 05-09-2019, 07:05 AM
Avonosac
I'll point out one more thing, because you still want to believe the classic security model works somewhere and I honestly can't blame you because comforting lies are really comfortable. You aren't in control of most of your personal attack surface.

I appreciate you did want to learn as compared to the normal forum fare, so here's another chance. How does your classic security model help protect you when a customer service representative gives an attacker information which compromises a completely different service as a step in the chain? It doesn't.

Ultimately, the classic security model is mostly about good individual security practice but fails to address the whole surface. It's like installing a massive bank-safe door in your white picket fence to keep the neighbors' kids off your lawn: sure, the door might be impossible to get through, but it doesn't help much when you can go right around it.

I'm not pooh-poohing the model either; it remains generally good personal security practice. It is however extremely important to recognize that its primary contribution to your security is now rooted firmly in security by obscurity, rather than any actual inherent security properties.

post #29 of 32 (permalink) Old 05-11-2019, 02:32 PM
xJumper
Quote: Originally Posted by Avonosac View Post
How does your classic security model help protect you when a customer service representative gives an attacker information which compromises a completely different service as a step in the chain? It doesn't.
It doesn't; the classic model is sort of an elitist stance. It looks at it only from a 2D perspective, the computer security part, and assumes everyone will follow sysadmin-level behavior.

Quote: Originally Posted by Avonosac View Post
I'm not pooh-poohing the model either; it remains generally good personal security practice. It is however extremely important to recognize that its primary contribution to your security is now rooted firmly in security by obscurity, rather than any actual inherent security properties.
I apply the model to myself, but I'm well aware that the model wouldn't work for most people or a public business. Like I said, it's an elitist stance.

post #30 of 32 (permalink) Old 05-12-2019, 01:23 PM
Avonosac
Quote: Originally Posted by xJumper View Post
It doesn't; the classic model is sort of an elitist stance. It looks at it only from a 2D perspective, the computer security part, and assumes everyone will follow sysadmin-level behavior.
I'm a recovering classic model believer; the reason I posted was to emphasize the fact that the classic model is still mostly best practice but doesn't even address the majority of your own attack surface. It's a model for a bygone reality, not an elitist stance, because it's literally attempting to assert security it can't deliver.

The thing that sucks about giving up the classic model is the realization that, despite your knowledge, you can't protect yourself. You were likely someone who generally was independent and savvy enough to create complex services for yourself, and you took pride in knowing you were able to do so securely. You can now set up these services, and even more complex ones, but regardless of the effort you expend, you are no longer capable of keeping yourself safe. This is a real tough pill to swallow.


Quote: Originally Posted by xJumper View Post
I apply the model to myself, but I'm well aware that the model wouldn't work for most people or a public business. Like I said, it's an elitist stance.
Yeah, like I said, it's still a good idea, but unfortunately it doesn't work for you either.
