Jun 03

Apple, you're killing me!

If you ask people in my office what they hate about me, one of the items that is sure to show up on quite a few (long and varied) lists is my stubborn refusal to clear iPhones and iPads as corporate devices. Well, my stubbornness has been vindicated twice over…

First, a security researcher found that connecting a stock iPhone 3GS to a system running Ubuntu Linux gives read and write access to much of the content on the phone without having to enter the 4-digit phone PIN.

Now, Apple, in claiming that its flagship product is enterprise ready, tells us that the iPhone 3GS offers hardware-based encryption and uses AES 256-bit encoding to try to protect all data on the device. Encryption is always enabled and cannot be disabled by users. I guess that the Apple version of AES just happens to replace every character with the same exact character…

This morning, the situation developed further… research by Heise Security in Germany showed that it was possible to gain complete access to all data on some iPhone 3Gs and 3GSes by connecting to them from a Windows system. The trick does not work every time on every phone, and it is still unclear what the exact conditions are which cause the vulnerability to manifest itself. When it does work, this vuln allows the attacker to create an iTunes backup of all of the information on the device. Not good.

Apr 04
In the good old days (last week), you could feel somewhat safe opening PDF files as long as you had downloaded the latest Adobe Reader security fixes. Now it turns out that the hackers could have saved themselves a bunch of time and effort: it seems that a design flaw in the PDF file format can be used to embed and execute code in documents even if the reader is a good Internet citizen and has patched their system.

The user does have to cooperate a little bit… When the code is about to execute, a dialog box will appear and the user will have to click OK. Not to worry, nefarious malware authors: in addition to users’ propensity to click OK when asked, you can customize the dialog box to make it seem innocuous. “Click here to accept the license agreement” or “Click here to decrypt this document” are two ideas that come to mind.

If you are a super security savvy user who decided to abandon Adobe Reader in favor of the alternative Foxit Reader, you are in worse shape, smart guy. Versions of Foxit Reader prior to 3.2.1.0401 do not provide the dialog box warning; they just execute the embedded code. Foxit has issued an update and I suggest that you install it toot sweet…

I have not yet seen any information as to whether the Preview PDF reader which ships with the Mac will also execute code embedded in PDF files… I will update this post when I have further information… UPDATE (2010-04-07): sources tell me that the attack does not work on files opened on Macs using Preview or Adobe Reader, but I have not verified this myself.

So… if you receive a PDF file which asks for a click on a dialog box when you open it, don’t click.  Legitimate PDFs seldom require the user to take any further action to open them.
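Before you decide whether to click, you can look at the file itself. The following is an added example for this post, not a tool the post mentions: it counts the standard PDF keywords that fire when a document is opened (/OpenAction, /AA) and that launch programs or run scripts (/Launch, /JavaScript, /JS), plus /EmbeddedFile, and it undoes the #xx hex escapes PDF allows inside names, so an obfuscated /#4Caunch is recognised as /Launch. The two sample PDFs are constructed inline; the launch target in the second one is a placeholder string, not a working document.

```python
"""Triage a PDF for actions that run on open or can launch code.

Added example (not from the post). The keyword list is the standard set a
PDF triage tool counts; the sample PDFs below are constructed here.
"""
import re
from typing import Dict

# PDF name keywords worth counting before opening an unknown document.
SUSPICIOUS_NAMES = ("/OpenAction", "/AA", "/Launch", "/JavaScript", "/JS", "/EmbeddedFile")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Replace #xx escapes with the byte they encode so obfuscated names match."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_names(data: bytes) -> Dict[str, int]:
    """Count each suspicious keyword. A name ends at a delimiter, so /JS
    does not match /JScript and /AA does not match /AAA."""
    text = normalize_names(data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        counts[name] = len(re.findall(pattern, text))
    return counts


def verdict(data: bytes) -> str:
    """Summarise what the keyword counts say about the file."""
    if not data.startswith(b"%PDF"):
        return "not-a-pdf"
    c = count_names(data)
    triggers = c["/OpenAction"] + c["/AA"]
    payload = c["/Launch"] + c["/JavaScript"] + c["/JS"]
    if triggers and payload:
        return "suspicious: acts on open and can launch code or a script"
    if payload or c["/EmbeddedFile"]:
        return "review: contains a launch/script action or embedded file"
    return "no action keywords found"


# Constructed samples. CLEAN_PDF is a bare, empty document; LAUNCH_PDF carries
# an open action whose /S name is written with a hex escape and whose target
# is a placeholder, so it demonstrates the check without doing anything.
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n%%EOF\n")
LAUNCH_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R\n"
              b"   /OpenAction << /S /#4Caunch /F (PLACEHOLDER) >> >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n%%EOF\n")

if __name__ == "__main__":
    for label, pdf in (("clean", CLEAN_PDF), ("launch", LAUNCH_PDF)):
        print(label, count_names(pdf), "->", verdict(pdf))
```

A hit on /Launch or /JavaScript is not proof of malice (plenty of forms use scripts), but a document that wants a click "to decrypt" on open and also carries an open action pointing at a launch is exactly the case the post warns about, and the count tells you that before the dialog ever appears.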
The whole Foxit issue got me thinking about the use of non supported software in corporate environments.  I would guess that most organizations assume that Adobe Reader is installed and used on their computers.  I would also guess that most corporate IT and info sec types are not aware of the existence or use in their organizations of alternative PDF readers like Foxit.  For this reason, networks and information are put at additional risk, since any warnings and patches pushed out to the user community would not protect Foxit users.  There are a few possible reactions to this problem:

  • Don’t allow users to install non-approved software and enforce the policy with technical means.
  • Install software on your network which inventories new apps installed by users and provides you with an alert. In this case, you’ll have to follow up on these alerts and keep track of who has what oddball programs installed, as well as keep an eye open for applicable security updates. More work for info sec, but, hey, that’s why we get the big bucks.
  • Cross your fingers, rub your lucky rabbit foot and hang a horseshoe above your servers. Otherwise known as sticking your fingers in your ears and singing “la la la.”

If you can get away with number 1, more power to you (wearing my Dick Cheney hat here) from a security overlord point of view, but when wearing your business hat, it may turn out that the ability to install new apps helps more than it harms.  That is why I am a fan of door number 2… work with your users rather than driving their bad security practices underground.  Remember… Great CSOs enable AND protect the business.
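Here is what door number 2 looks like once the inventory data is in hand. This is an added example for this post, not a product the post names: given yesterday's inventory snapshot and today's, it lists the newly installed apps (the alert list) and then audits today's snapshot against an approved-software list with a minimum patched version per product. The host names, snapshots and approved list are constructed; the one real value is the Foxit Reader fixed version 3.2.1.0401 cited above.

```python
"""Inventory-driven alerting for unapproved or unpatched software.

Added example (not from the post). Snapshots and the approved list are
constructed; 3.2.1.0401 is the Foxit Reader fixed version the post cites.
"""
import re
from typing import Dict, List, Optional, Tuple

Snapshot = Dict[Tuple[str, str], str]   # (host, product) -> installed version


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.2.1.0401' into (3, 2, 1, 401) so versions compare numerically.
    Non-numeric fragments such as 'beta' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


# Approved products and the minimum version that carries the relevant fix.
# None means the product is approved at any version.
APPROVED: Dict[str, Optional[str]] = {
    "Adobe Reader": None,
    "Foxit Reader": "3.2.1.0401",
}

# Constructed snapshots: yesterday's baseline and today's scan.
BASELINE: Snapshot = {
    ("ws-101", "Adobe Reader"): "9.3.2",
    ("ws-102", "Foxit Reader"): "3.1.4.1125",
    ("ws-104", "Adobe Reader"): "9.3.2",
}
TODAY: Snapshot = {
    ("ws-101", "Adobe Reader"): "9.3.2",
    ("ws-102", "Foxit Reader"): "3.1.4.1125",
    ("ws-103", "Foxit Reader"): "3.2.1.0401",
    ("ws-104", "Adobe Reader"): "9.3.2",
    ("ws-104", "Sumatra PDF"): "1.4",
}


def new_installs(baseline: Snapshot, current: Snapshot) -> List[Tuple[str, str, str]]:
    """Apps present today that were not in the baseline: the 'alert me' list."""
    return sorted((host, product, version)
                  for (host, product), version in current.items()
                  if (host, product) not in baseline)


def audit(current: Snapshot, approved: Dict[str, Optional[str]]) -> List[dict]:
    """Flag unapproved products and approved ones below their fixed version."""
    findings = []
    for (host, product), version in sorted(current.items()):
        entry = {"host": host, "product": product, "version": version}
        if product not in approved:
            findings.append({**entry, "issue": "unapproved"})
            continue
        minimum = approved[product]
        if minimum is not None and parse_version(version) < parse_version(minimum):
            findings.append({**entry, "issue": f"below fixed version {minimum}"})
    return findings


if __name__ == "__main__":
    for host, product, version in new_installs(BASELINE, TODAY):
        print(f"NEW   {host}: {product} {version}")
    for f in audit(TODAY, APPROVED):
        print(f"ALERT {f['host']}: {f['product']} {f['version']} ({f['issue']})")
```

Run daily, the first list is what you follow up on with the user; the second is what tells you, the day the Foxit advisory lands, exactly which seats are still running a version that executes embedded code without asking.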

Dec 22
We shall bring the Great Satan to its knees... kill Twitter!  Bwah hah hah!

As you know, the entire world was paralyzed a few days ago when Iranian hackers took down Twitter.  Rather than finding out what their friends were having for dinner, people logging in to the web site got a message from one third of the axis of evil which proved that the level of English language instruction in Iranian schools is still better than that of most US public schools.

Now that we have begun the long road of recovery from this truly global tragedy, it is important to see what security lessons we can learn from it.  It seems that the attack was pretty simple – the minions of Khomeini simply logged in to the DNS provider that provides the translation from “www.twitter.com” to the numeric IP address of their servers and instructed the DNS servers to send traffic to their server, which hosted their replacement home page.  The attackers used valid credentials, which were probably filched from a compromised email account or document swiped from Twitter servers.  The lesson here?  Guard those user names and passwords and don’t use the same password for all of your accounts!
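Stolen credentials at the DNS provider leave no trace on your own servers, so the place to catch this is in what the world's resolvers are returning. The following is an added example for this post (not something the post or Twitter describes): it compares a baseline of known-good DNS answers with a fresh set of answers and reports anything that changed, including A records that point outside the address space you actually own and nameserver swaps. The zone, addresses and netblocks are constructed from documentation ranges; in practice `OBSERVED` would be filled from a scheduled resolver query.

```python
"""Detect a redirected DNS record by checking live answers against a baseline.

Added example (not from the post). Names, addresses and netblocks are
constructed; a real deployment feeds OBSERVED from a resolver query.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str]          # (owner name, record type)
Zone = Dict[Record, Set[str]]     # -> the set of answer values


def parse_records(lines: str) -> Zone:
    """Parse 'name TYPE value' lines (one answer per line) into a zone map."""
    zone: Zone = {}
    for line in lines.strip().splitlines():
        name, rrtype, value = line.split()
        key = (name.lower().rstrip("."), rrtype.upper())
        zone.setdefault(key, set()).add(value.lower().rstrip("."))
    return zone


# Constructed baseline captured while the zone was known to be correct.
BASELINE = parse_records("""
www.example.com A 198.51.100.10
www.example.com A 198.51.100.11
example.com NS ns1.example-dns.net.
example.com NS ns2.example-dns.net.
""")

# Constructed "what resolvers return now": www points somewhere else and one
# nameserver has been swapped, the pattern a provider-account takeover leaves.
OBSERVED = parse_records("""
www.example.com A 203.0.113.7
example.com NS ns1.example-dns.net.
example.com NS ns1.unknown-dns.example.
""")

# Address space the organisation controls; an answer outside it is suspicious
# even before anyone has thought to update the baseline.
OWNED_NETBLOCKS = [ipaddress.ip_network("198.51.100.0/24")]


def check_zone(baseline: Zone, observed: Zone, owned=OWNED_NETBLOCKS) -> List[str]:
    """Return human-readable findings; an empty list means nothing changed."""
    findings: List[str] = []
    for key in sorted(set(baseline) | set(observed)):
        name, rrtype = key
        expected = baseline.get(key, set())
        if key not in observed:
            findings.append(f"{name} {rrtype}: record missing from live answer")
            continue
        actual = observed[key]
        if actual - expected:
            findings.append(f"{name} {rrtype}: unexpected answer(s) {sorted(actual - expected)}")
        if expected - actual:
            findings.append(f"{name} {rrtype}: expected answer(s) {sorted(expected - actual)} no longer returned")
        if rrtype in ("A", "AAAA"):
            for value in sorted(actual):
                if not any(ipaddress.ip_address(value) in net for net in owned):
                    findings.append(f"{name} {rrtype}: {value} is outside our address space")
    return findings


if __name__ == "__main__":
    for line in check_zone(BASELINE, OBSERVED):
        print("ALERT", line)
```

The netblock check is the important one: a baseline only catches changes to records you thought to record, whereas "our web site now resolves to an address we do not own" holds no matter which record the attacker edited.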

I know… passwords are a real pain in the ass and trying to remember a different password for each site is just about impossible. However, I have found an answer to this issue… LastPass is a web site and browser add-in which allows you to store an encrypted copy of your passwords “in the cloud” and which can automagically log you in to web sites via its browser extensions for Firefox, IE, Safari and Chrome. When you start your browser, you type in one password to decrypt the password files and you are set to go. You can use two-factor authentication on untrusted machines to further secure your precious passwords. Check out this series of screencasts for more information on how the system works.

I have been using LastPass for a while now and have found it to be a breeze to use. Basic service is free; by paying $12 per year, you can get access to a bunch of premium features, which provide access on mobile devices like the iPhone, Blackberry and Android based phones.

The main question is… are these guys trustworthy?  My research says yes… intercepting the data between my computer and LastPass showed no evidence of funny business – and the vendor even tells you how to conduct your own test in their FAQ.

I’m using LastPass, and I’m prettay, prettay paranoid..


Nov 21

You know those “private, internal emails” that get sent around within your organization, never meant to be seen by outsiders?  Well, one day, they may in fact be seen – and this is an example of what could happen.

The exposure of what appear to be email messages from the Climate Research Unit of the University of East Anglia shows conversations between leading climate change researchers which were obviously not meant for mass distribution.  The messages exposed include:

  • Drafts of scientific papers
  • Unflattering comments about climate change skeptics
  • Discussions in which scientists talk about using “tricks” to deal with statistical inconsistencies in their work.

Of course, the critics of the theory that human activity is changing the climate are having a field day with this:  “‘This is not a smoking gun; this is a mushroom cloud,’ said Patrick J. Michaels, a climatologist who has long faulted evidence pointing to human-driven warming and is criticized in the documents.”   According to the Times article, “The evidence pointing to a growing human contribution to global warming is so widely accepted that the hacked material is unlikely to erode the overall argument. However, the documents will undoubtedly raise questions about the quality of research on some specific questions and the actions of some scientists.”

Whether or not you believe that human activity is messing with the climate, there is a lesson to be learned here.  Unlike the ephemeral casual hallway conversations we have with our coworkers, electronic communications like email, instant messages, and in some cases phone calls leave artifacts which can surface long after they are written and which may, when viewed in isolation, provide a very different picture than what was intended.  And hackers are not the only threat… emails may also be exposed in the course of legal discovery during litigation.  Yikes!

The moral of the story?  When writing an email or IM, you need to think about what message it would give when read by an outsider, out of context, months or even years after the events which prompted it.  Another way that life is getting just a bit more complicated in our modern age…

Aug 16

you go, government!

By alberg (best practices, hacks)

According to Reuters… “The U.S. government is covertly testing technology in China and Iran that lets residents break through screens set up by their governments to limit access to news on the Internet…”  You go, government!   This is the kind of stuff that I like seeing my tax dollars spent on.  For a change, we are going after genuine bad guys (oppressive governments) and bringing a small but important measure of freedom to the people.  No one gets killed, no one gets pissed at us (except for the aforementioned oppressive governments) and the spend is relatively small.   There is a potential downside, however… is giving citizens of another state the ability to freely access information that their governments have decided is off limits a form of cyberwarfare?  If so, what kind of response can we expect from these governments?  We may be opening up a new theater of war here, but I for one think it is one that is worth fighting in.

Aug 02
Look behind you!

I just saw an interesting product demo from a company called Ocularis Labs… Private Eye uses the webcam built into most laptops to track when you are looking at the screen.  When your gaze leaves the screen, the display is automatically blurred or replaced with an image of your choice.  Look back at the screen and the display is restored.  If the software detects a face other than yours in the frame (meaning that someone is possibly ‘shoulder surfing’), the program pops up a “rear view mirror” showing you the offender (and tipping them off to the fact that you are aware of them).   The software (XP/Vista only) costs $59.95 a seat for the full featured version – comparable with a hardware privacy display filter.  Those filters tend to be bulky and annoying – this seems like a promising technology for road warriors and those who like to work in public places like libraries, Starbucks, airline lounges or airplanes.  I am planning to get this into the lab at work and see how it works – will let you know how it goes.

Jul 20
On guard, protecting your data

Last week, the big story in social media (and infosec) was the theft and subsequent publication of a whole mess of internal documents from Internet phenomenon Twitter.  While the purloined documents did not contain any earth shattering information, the incident was pretty embarrassing for Twitter and raised some questions about the wisdom of using cloud applications such as Google Docs for corporate applications.  Further information has been released as to how the documents were filched and there are lessons in this for all of us.

Authentication questions are not secure enough to protect passwords. Think about all of the information about you out on the Internet… your Facebook page, your postings to web forums, mentions on school and social organizations’ web sites.  This information can be used to guess correct answers to those questions used to protect your passwords.  My advice?  Make up “special” answers that have no basis in reality – just be consistent about them.  Maybe your first school was the Jupiter Academy of Space Sciences or your first pet was a Tapir.  Using a set of “special” answers gives you another level of password protection for your real passwords.

Using the same password for all sites is a recipe for disaster. I know… we all have a zillion passwords to remember and asking you to have a separate password for each site you visit is a pain.  But think about it… if I get hold of the password you use for Facebook, can I also access your bank account and your email?  There are some really good tools to help manage a plethora of passwords.  My personal favorite is Keepass, which runs on PCs, Linux boxen, and Macs.  Keepass keeps your passwords (get it?) in an encrypted file which you can carry with you or store “in the cloud” safely since it is encrypted.  (You need a password to open the password file – make sure it is unique!)

Old email accounts can come back to haunt you. One of the tricks used by the attacker was based on the fact that web email providers sometimes recycle accounts which have not been used in a long time.  In this case, the Twitter employee had listed a Hotmail account as their backup email address for Google Mail.  This meant that when the attacker answered the password reset questions correctly, the new password was sent to the hotmail account.  Just one problem… the Twitster had not used the Hotmail account in a really long time, so it expired.  The attacker simply signed up with Hotmail for a new account with the same name and voila… the password was his (or hers).

The overriding lesson here is that the “best” hacks are not the result of amazing technical skill – they are the result of a moderately smart attacker taking advantage of the openings we leave for them.  YOU are in control of your online security – if you are going to get hacked, at least make the SOB work for it!
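For those of you on the other side of the counter, building the reset flow rather than just using it, the three openings above can be closed in code. The following is an added example for this post, not code from Google, Hotmail or Twitter: one account record with a hashed security answer compared in constant time, a lockout after repeated wrong answers, and a refusal to mail a reset token to a recovery address that has not been re-verified recently, which is what would have stopped the expired-Hotmail trick. The account data is constructed, and the thresholds (3 attempts, 180 days) are my assumptions, not anything the post states.

```python
"""Account-recovery checks that close the openings the post describes.

Added example (not from any service named in the post). Thresholds and the
sample account are assumptions/constructed data.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_ATTEMPTS = 3                                  # assumed policy value
RECOVERY_ADDRESS_MAX_AGE = timedelta(days=180)    # assumed policy value


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive, so 'Tapir' and ' tapir ' agree."""
    return " ".join(answer.lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Store security answers like passwords: salted, slow hash, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    answer_salt: bytes
    answer_hash: bytes
    recovery_email: str
    recovery_verified_on: Optional[date]   # None = never confirmed by the user
    failed_attempts: int = 0
    locked: bool = False


def make_account(username: str, answer: str, recovery_email: str,
                 verified_on: Optional[date]) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_answer(answer, salt), recovery_email, verified_on)


def request_reset(acct: Account, answer: str, today: date) -> str:
    """Return what the reset flow does for this attempt.

    A token is only ever sent to a recovery address the user confirmed within
    RECOVERY_ADDRESS_MAX_AGE; a stale address may have expired at its provider
    and been re-registered by someone else.
    """
    if acct.locked:
        return "locked"
    if not hmac.compare_digest(hash_answer(answer, acct.answer_salt), acct.answer_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_ATTEMPTS:
            acct.locked = True          # stop guessing from public profile data
            return "locked"
        return "wrong-answer"
    acct.failed_attempts = 0
    if (acct.recovery_verified_on is None
            or today - acct.recovery_verified_on > RECOVERY_ADDRESS_MAX_AGE):
        return "reverify-recovery-address"
    return f"token-sent:{acct.recovery_email}"


if __name__ == "__main__":
    # Constructed account using the post's own "special" answer idea.
    acct = make_account("alice", "Tapir", "alice@example.net", date(2009, 6, 1))
    print(request_reset(acct, "tapir", date(2009, 7, 20)))
```

Note that nothing here makes the questions themselves strong; the "special answer" advice still stands. What the code does is limit how many guesses the attacker gets and stop the reset token from landing in a mailbox that nobody has checked in years.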
