Forensic security analysis of Google Wallet – viaForensics « viaForensics

Summary of Google Wallet security findings

So, in summary, here are the items of note from my high-level analysis. Bear in mind this is nowhere near the level of testing an app like this deserves, but since this is done on our own time, it’s all I could manage thus far. Anyway, here goes:

A fair amount of data is stored in various SQLite databases including credit card balance, limits, expiration date, name on card, transaction dates and locations and more.

The name on the card, the expiration date, last 4 card digits and email account are all recoverable.

[Fixed in Version 1.1-R41v8] When transactions are deleted or Google Wallet is reset, the data is still recoverable.

The Google Analytics tracking provides insights into the Google Wallet activity. While I know Google tracks what I do, it’s a little frustrating to find it scattered everywhere and perhaps in a way that can be intercepted on the wire (non-SSL GET request) or on the phone (logs, databases, etc.).

[Fixed in Version 1.0-R33v6] The application created a recoverable image of my credit card which gave away a little more info than needed (name, expiration date and last 4 digits). While this is not enough to use a card, it’s likely enough to launch a social engineering attack.

While Google Wallet does a decent job securing your full credit card numbers (they are not insecurely stored and a PIN is needed to access the cards to authorize payments), the amount of data that Google Wallet stores unencrypted on the device is significant (pretty much everything except the first 12 digits of your credit card). Many consumers would not find it acceptable if people knew their credit card balance or limits. Further, the ability to use this data in a social engineering attack against the consumer directly or a provider is pretty high. For example, if I know your name, when you’ve used your card recently, last 4 digits and expiration date, I’m pretty confident I could use the information to my advantage. When you add data that is generally available online (such as someone’s address), an attacker is well armed for a successful social engineering attack.

And this testing was really only very high level. Far more sophisticated and comprehensive security analysis is needed to determine if other vulnerabilities are present. In addition, privacy-conscious consumers should understand that analyzing nearly everything you use Google Wallet for is basically the price you pay for the service. From a tech standpoint, it’s very exciting to see Google Wallet in production. However, it has consistently been viaForensics’ position that the largest security risk from apps using NFC does not stem from the core NFC technology but instead from the apps that use the technology. In this case, the amount of unencrypted data stored by Google Wallet surpasses what we believe most consumers find acceptable.

via Forensic security analysis of Google Wallet – viaForensics « viaForensics.
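As an added illustration of two of the findings quoted above (application data kept in SQLite databases, and deleted records still being recoverable from the file), and not part of the viaForensics analysis itself: the script below writes a constructed, fictitious record to a SQLite file, deletes it, commits, and then scans the raw file bytes the way a forensic carve of unallocated page space would. It runs the experiment twice, once with SQLite’s default `secure_delete=OFF` (the freed cell is only unlinked, so its bytes stay on the page) and once with `PRAGMA secure_delete=ON`, which is the mitigation an app developer can apply so that freed space is zeroed. The table name, marker string and file name are constructed for the example and correspond to nothing in the Google Wallet schema.

```python
import os
import sqlite3
import tempfile

# Constructed marker standing in for cardholder data; it is fictitious and
# chosen only so that it is easy to find in the raw file bytes.
MARKER = "CARDHOLDER-EXAMPLE-0000-EXP-1225"


def residue_after_delete(secure_delete: bool) -> bool:
    """Insert a row, DELETE it, commit, then scan the raw database file.

    Returns True if the deleted row's text is still present in the file,
    i.e. recoverable by carving the page's freed cell space, and False if
    SQLite overwrote it. `secure_delete` selects the PRAGMA setting used.
    """
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "wallet_example.db")  # constructed name
        conn = sqlite3.connect(path)
        # Rollback journal is removed on commit, so the only place the
        # deleted bytes can survive is inside the main database file.
        conn.execute("PRAGMA journal_mode=DELETE")
        conn.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
        conn.execute(
            "CREATE TABLE transactions("
            "id INTEGER PRIMARY KEY, merchant TEXT, note TEXT)"
        )
        conn.execute(
            "INSERT INTO transactions(merchant, note) VALUES (?, ?)",
            ("Example Merchant", MARKER),
        )
        conn.commit()

        # Logical deletion: the row is gone from every query from here on.
        conn.execute("DELETE FROM transactions")
        conn.commit()
        assert conn.execute("SELECT COUNT(*) FROM transactions").fetchone()[0] == 0
        conn.close()

        # Physical view: read the file like a forensic tool would, ignoring
        # the B-tree structure, and look for the marker in freed space.
        with open(path, "rb") as f:
            raw = f.read()
        return MARKER.encode() in raw


if __name__ == "__main__":
    print("default delete leaves residue:", residue_after_delete(False))
    print("secure_delete=ON leaves residue:", residue_after_delete(True))
```

The first call returns True and the second False: the DELETE only rewrites the page’s cell pointer array and a four-byte freeblock header, leaving the rest of the record in place until some later insert happens to reuse it, whereas `secure_delete=ON` zeroes freed space at delete time. For a reviewer, the same file-level scan is a quick check of whether an app’s "delete" or "reset" actually removes data from the device.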

Apple reportedly setting up system for remote iPhone diagnostics

AppleCare technicians may soon be able to glean troubleshooting information from your iPhone, saving you a trip to the Apple Store. The company is reportedly set to deploy a Web-based tool to collect various bits of diagnostic information from an iOS device in order to transmit it directly to Apple’s servers for analysis.

According to a source speaking to HardMac, Apple has internally announced that it has created a Web-based version of diagnostic tools that AppleCare technicians are already using. The tool allows a technician to send an e-mail (or presumably an SMS) with a specially crafted URL. When a user clicks the URL, it connects to Apple’s servers and collects various bits of data about the device’s state, the health of the battery, and the version of iOS running.

via Apple reportedly setting up system for remote iPhone diagnostics.

Oracle Introduces iPhone/iPad Support for Business Intelligence Suite

Business Intelligence Mobile Support

However, with this week’s release, it is the iPhone/iPad support that Oracle is really marketing — hardly a surprise given the level of market penetration that iPad and iPad 2 now have.

This means that, as of this release, users will have mobile access to the stable of alerts, ad hoc analysis, dashboard reporting, scorecard and “what if” analysis, as well as multidimensional and unified relational OLAP.

Workflows have also been made iPad-friendly, with users now able to initiate workflow actions from their mobile device, and in doing so giving workers an agility that they haven’t had before.

It also gives them support for additional data sources including Oracle TimesTen In-Memory Database, Microsoft SQL Server Analysis Services and SAP Business Information Warehouse (BW).

“These new Oracle Business Intelligence product releases build upon the success of Oracle BI 11g and provide customers a wide range of new capabilities that extend intelligence to the iPad and iPhone, offer more powerful visualization, interactivity, performance and scalability features to their ERP and CRM applications, and optimize customer interactions and decisions in real time,” said Paul Rodwick, vice president of Product Management, Oracle Business Intelligence.

via Oracle Introduces iPhone/iPad Support for Business Intelligence Suite.

Connecticut Law Tribune: E-Discovery: Wisdom Or Worry: State Courts Lack E-Discovery Rules

Unlike most other states, Connecticut does not have e-discovery rules similar to the federal rule amendments adopted in 2006. Is this a cause for concern? No. The costs of e-discovery are simply too high to justify anything but a careful and thoughtful approach to adopting rules that potentially could change the playing field for parties and lawyers alike.

The risks of adopting e-discovery rules without a thorough analysis are obvious: e-discovery expenses should not be the gatekeeper that determines which litigants have a day in court. For example, certain parties and law firms may be deterred from bringing contingency fee cases involving terabytes of electronically stored information (ESI) because they lack the financial resources to bear the expense of collecting, processing, reviewing, and producing ESI in the absence of cost-shifting.

Even without specific e-discovery rules, Connecticut state courts have been applying existing statutes, rules, and causes of action to address e-discovery issues. Yet, the relatively low number of cases involving e-discovery issues, which are published or available on electronic databases, raises significant questions.

via Connecticut Law Tribune: E-Discovery: Wisdom Or Worry: State Courts Lack E-Discovery Rules.

Process Makes Perfect: Some Guidance on Mastering Early Case Assessment | Corporate Counsel

A LexisNexis online survey conducted between Jan. 28, 2007, and Feb. 23, 2007, by Cogent asked 341 practicing litigators at mid-sized (20-75 attorneys) and large (76+ attorneys) law firms across the U.S. a series of 40 questions about their early case assessment and analysis practices, the perceived value of those practices and outcomes they ascribe to early case assessment and analysis. Based on their answers, we can report that the benefits of early case assessment include:

  • Successful outcomes — attorneys responded that, on average, performing early case assessment results in a favorable outcome in 76 percent of cases
  • Strategic planning — 87 percent of respondents said early case assessment is beneficial for determining the best way to proceed with a case
  • Reducing expenses — conducting early case assessment enables attorneys to reduce the litigation expenses in 50 percent of their cases on average
  • Managing budgets — More than half of attorneys surveyed (57 percent) find early case assessment assists in their ability to prepare a more accurate litigation budget

Savvy litigators shouldn’t be put off by the misconception that ECA is all about electronic evidence or that they need some clairvoyant ECA software. ECA is a human process. It is litigation fact-research of the most traditional kind, and for all but a small portion of the work related to Electronically Stored Information (ESI), it is a paper process.

via Process Makes Perfect: Some Guidance on Mastering Early Case Assessment.

Climbing Back – Consultants George Socha and Tom Gelbmann highlight key trends they identified in their annual e-discovery survey | Law Technology News

In the world of electronic data discovery, 2009 was a year to refocus, with providers and consumers shifting away from review and moving toward information management and analysis. And while money wasn’t pouring in like the apex years, revenue is climbing back, with a steady if modest growth.

More than anything else, those are the lessons learned from our seventh annual review of the industry, The 2010 Socha-Gelbmann Electronic Discovery Survey.

We are definitely starting to see the maturation of the electronic data discovery market. The good news: prospects are bright for law firms and EDD providers that focus on helping clients address e-discovery challenges efficiently, with an eye to early understanding of electronically stored information and what it means to the matter at hand.

The future is dim, however, for those who seek only to treat the symptoms, pursuing short-term, reactionary, just-make-it-go-away approaches. It’s also murky for those who continue to insist that the way they addressed EDD three years ago still works fine today.

via Climbing Back.

Web Security in the Cloud: More Secure! Compliant! Less Expensive!

Drawing on the findings from multiple benchmark studies on best practices in content security and security software as a service, Aberdeen’s analysis shows that users of cloud-based web security had substantially better results than users of on-premise web security implementations in the critical areas of security, compliance, reliability and cost. Compared to companies using on-premise web security solutions, users of cloud-based web security solutions had 58% fewer malware incidents over the last 12 months, 93% fewer audit deficiencies, 45% less security-related downtime, and 45% fewer incidents of data loss or data exposure.

via Web Security in the Cloud: More Secure! Compliant! Less Expensive!.

Buy Globally, Sue Locally for Products Liability | Law.com

In a global economy, price and convenience are valued above all else. Global consumers demand produce out of season, buy sophisticated appliances made with cheap labor and build homes with materials shipped from abroad. And yet when these products prove to be defective, they expect to be able to sue the manufacturer at the local courthouse, regardless of where it resides. After all, the product reached them — so they should be able to sue in their home court, right?

We’ve come a long way from Pennoyer v. Neff, 95 U.S. 714 (1878), when a defendant’s physical presence in the forum state was required to exercise jurisdiction over him. Various U.S. Supreme Court decisions have expanded the notion of personal jurisdiction, simultaneously muddying the water as to precisely what constitutional analysis is required.

Take, for example, Asahi Metal Indus. Co. v. Superior Court of Calif., 480 U.S. 102 (1986). There, the separate plurality opinions of justices Sandra Day O'Connor and William Brennan both approved of some form of the “stream of commerce” theory of jurisdiction but disagreed on the exact formulation of the test to be applied. Although lower courts subsequently used some form of “stream of commerce” analysis after Asahi, they seldom used it as a stand-alone test. Most have always added to it some form of “minimum contacts,” “purposeful availment” or other analysis to establish that the defendant somehow intended or expected to benefit from the jurisdiction. This traditionally has been seen as required by the due process clause.

via Buy Globally, Sue Locally for Products Liability.