Security questions ?

[carpetmojo]

A query for the many tech-experts out there.

Acting on advice from a Sony thread, as it is a question that may affect all makes of wifi readers, what, if any, protection do these have against virus, Trojan, malware and other nasties ?

And can we install things like Avast and Malaware, run scans and things, to keep things safe and functioning ?
Or doesn't the risk exist ?

Or do we just hope the bogies can't see a profit, or any fun, in messing around with our reading habits ?

[Pinecone]

Only an issue if you root your reader and use it for general browsing.

If you leave it stock and only access the reader store, should not be a problem.

[jgaiser]

I don't know what OS Sony uses, but as long as it's not Windows, you probably don't have to be concerned. Kindles, Nooks and Android based units are completely safe.

[taustin]

Quote:

Originally Posted by jgaiser

I don't know what OS Sony uses, but as long as it's not Windows, you probably don't have to be concerned. Kindles, Nooks and Android based units are completely safe.

That isn't really true. Android malware is certainly less common, to be sure, but it does exist in the wild.

As for "only accessing the reader store," many readers have at least something like a web browser, and while it's very unlikely, even the official store can be compromised. Google Apps and the generic Android store have both been used to distribute malware, if only briefly.

It it becomes a widespread problem, though, anti-virus will become available for these devices. Just hope you aren't part of the reason why, before it happens.

[carpetmojo]

[QUOTE=taustin;1817963........... Just hope you aren't part of the reason why, before it happens.[/QUOTE]

Quite !

But most readers will at the very least buy a few books from "outside" commercial sites - Waterstones etc, more so if they're cheaper than official sites - which is the point of having a browser, surely, to, well..... browse ! Which leaves us open to attacks, yes ?
So basically, there is a possible danger ?

So where's all the helpful info as to what to do, should it happen ?

Tell me they've thought of it, please...

[susan_cassidy]

Books themselves are not executable. You'd be more likely to encounter a problem using a browser on the reader, and having the browser hijacked.

For example, Kindle is based on Linux, so if you installed an executable (Linux-based) on it, and managed to execute it, the program could do some sort of damage, but just reading books isn't going to do anything, as far as I can see.

Don't know what Sony is based on, but the same principle applies. You aren't executing books.

[ScalyFreak]

Quote:

Originally Posted by carpetmojo

Which leaves us open to attacks, yes ?
So basically, there is a possible danger ?

Yes, and no. There is danger in that malicious scripts can be run in your browser and track your activity, redirect your searches, or collect your information and then "phone home" to share it. Some browsers are more vulnerable than others, generally the more common it is, the more likely it will be targeted. No one bothers directing an attack towards an obscure piece of software used by 0.5% of the market. In the Windows world they hit Firefox and Internet Explorer, and most likely the default browsers in iOS and Android.

The Android Marketplace offers anti-virus apps that run discretely on the device and scans all downloaded files for threats before allowing you to install, and they can of course also scan all data on the device if necessary. Android AV apps are a lot more common today than last year, and as Android becomes more popular it will become a bigger target, and as a result the selection of anti-virus apps will undoubtedly continue to grow.

So for any eReader running an Android OS, there is a part of your answer.

If I remember right, my Sony 950 runs a Linux based OS. Linux, like Android and unlike Windows for the longest time, separates out the part that you the user can access from the important system files that Windows XP malware targeted in order to entirely cripple a machine. That why you need to give yourself elevated command-line access in Linux before you can do certain things, and why you need to root your Android device if you want to be able to do certain things to it. Without those elevated permissions, you are very limited in what you can do to modify the devices itself. This means that it's hard for malicious software to install itself to a level where it can do real damage.

Please note that it's very easy for you to over-ride a lot of this security by telling the Android Marketplace "yes, please accept all permissions and install this". Pay attention to what the app wants to do, and when in doubt, say no!

As for using the built-in browser to buy books from other sites, that actually moves a lot of the security issues fro your device to the store website. So if you use the browser on your Sony T1 to buy from Waterstones.com, then you would enter the info into their encrypted payment page in your browser and send it over your encrypted wifi over to them. If Waterstones have even the slightest little clue about information security, they store your info on a very secure server, that is separate from the website and protected in very paranoid ways, because that's EU law and they don't want to be dragged to court over being careless about your personal information. And once it's in their possession it is now up to Waterstones to keep your information safe, and up to you to clear the cache in your device browser so that it can't be seen and used by someone who picks your pocket on a crowded bus.

Sorry if this was a bit vague. I haven't spent nearly as much time as I should on learning about these issues. If anyone out there has, please, feel free to correct any mistakes I made (and share your links!).

[ScalyFreak]

Quote:

Originally Posted by susan_cassidy

Don't know what Sony is based on, but the same principle applies. You aren't executing books.

Oh yeah, this too. The only danger from opening a book on the eReader is if it is actually a different type of file disguised as an ePub or other book format. The only books where that might actually happen are books that don't come from legal sources, so as long as you buy from legitimate stores, that shouldn't be a problem.

[susan_cassidy]

Quote:

Originally Posted by ScalyFreak

Oh yeah, this too. The only danger from opening a book on the eReader is if it is actually a different type of file disguised as an ePub or other book format.

But the device is still not going to execute the file, even if it is really a program, with '.epub' tacked onto the filename.

[ScalyFreak]

Quote:

Originally Posted by susan_cassidy

But the device is still not going to execute the file, even if it is really a program, with '.epub' tacked onto the filename.

Not in the sense Windows does it, no. But just like you can write a malicious piece of code that can wreak havoc on a Linux system if it is "executed" (=run) with the right level of privileges, I'm sure there are ways that a piece of code can be tricked into running on any form of device with an operating system and cause problems. Wasn't there something like that released for the PS3's OS at one point? Or am I confusing it with the latest Apple virus now?

The important thing to remember is that the people in this world capable of writing that kind of code have far better things to do with their time than use it to try and hijack/infect eReaders.

[Ken Maltby]

Of course if you use an ereader that is actually dedicated to ereading and has no
internet interface itself, there is no such problem. No one writes malicious code
that can't call home anymore. The worst that can happen to a dedicated ereader
is for the code intended for a similar device (but one with an internet connection),
could try and mess up the file system. Then a simple reflash of the firmware would
set things straight. The CPUs in a dedicated ereader generally use a very small subset
of an operating system, (often a form of Linux) with features of the CPU designed to
support the very limited set of features, at a very low level. These "Embedded" systems
don't have many of the general purpose functions support that the virus creators make
use of in their attacks. Besides, the dedicated ereaders use low-power, limited
performance CPUs in their design.

Luck;
Ken

[carpetmojo]

....to Scaly Freak and Ken, for a pretty clear and interesting [yes, even to me, the tech-dummy in the corner] explanation, and all other comments and suggestions.

So it seems we're almost certainly safe, mainly 'cos it's too tricky be worth the effort to get at us, and even if they did, there wouldn't be any dosh [£/$%] in it .

I get that !

[JoeD]

Quote:

Originally Posted by susan_cassidy

Books themselves are not executable. You'd be more likely to encounter a problem using a browser on the reader, and having the browser hijacked.

For example, Kindle is based on Linux, so if you installed an executable (Linux-based) on it, and managed to execute it, the program could do some sort of damage, but just reading books isn't going to do anything, as far as I can see.

Don't know what Sony is based on, but the same principle applies. You aren't executing books.

You can still have issues with non executable data. For example loading the text from a book could cause a buffer overflow which can then use the remainder of the "text" as executable code. Loading a webpage in a browser can have similar exploits, although many browsers have fixed these over the years there may still be bugs lurking.

Same can be said for downloading a movie, if there's a exploit for the player you use to view it, the movie could be crafted to expoit it.

Although the exact type of attack depends on how the OS segregates code and data, some now include extra checking to mitigate stack overflows and other buffer based attacks.

That said, ereaders are likely a very low target. How many people do their banking on a kindle or enter other critical passwords? Even CC may be already stored on the site you buy books from so targetting an ereader doesn't really sound like it'd be worth it for anyone bent on doing no good.

[ScalyFreak]

Quote:

Originally Posted by carpetmojo

So it seems we're almost certainly safe, mainly 'cos it's too tricky be worth the effort to get at us, and even if they did, there wouldn't be any dosh [£/$%] in it .

Exactly! Too much work for too small a reward.

[taustin]

Quote:

Originally Posted by susan_cassidy

Books themselves are not executable.

Neither are JPEGs, but they have been used to transmit malware. Not all malware transmitted through Office documents have been in the scripting, either. One current one is in embedded fonts, which is also not, per se, executable.

Quote:

Originally Posted by susan_cassidy

You'd be more likely to encounter a problem using a browser on the reader, and having the browser hijacked.

That, however, is entirely correct.

Quote:

Originally Posted by susan_cassidy

For example, Kindle is based on Linux, so if you installed an executable (Linux-based)

Cross OS malware has been demonstrated, too, though not, so far as I know yet) seen in the wild.

on it, and managed to execute it, the program could do some sort of damage, but just reading books isn't going to do anything, as far as I can see.

Quote:

Originally Posted by susan_cassidy

Don't know what Sony is based on, but the same principle applies. You aren't executing books.

Since both major ebook formats are, basically, HTML, and web browers are, at this time, the biggest single vector for malware, that doesn't really comfort me any. The lack of processing power and full time internet connection on most book readers, however, does. Most malware these days is devoted to spamming or identity theft. A book reader is useless for spamming, and can't possibly get identity theft info for more than one person, so such a virus would be over little value. And for malware writers these days, it's all about money.