Uncle Sam Needs You (Geek!)

That’s right, the US Air Force is looking for a few good geeks. And evidently they are willing to relax a few of the requirements of military service to get them. According to this quote in Wired, Major General William Lord of the US Air Force’s Cyber Command said “So if they can’t run three miles with a pack on their backs but they can shut down a SCADA system, we need to have a culture where they fit in.”

As a former Sergeant in the US Army (7th ID (Light)) I am pretty shocked at this statement. Military physical fitness standards are not that hard to achieve or maintain (especially in the Air Force). PT speaks to the very core of what it means to be a part of the military. When the Air Force needs pilots they don’t reduce or eliminate requirements; they offer cash bonuses for reenlistment. So what happens when there is a shortage of cooks? Or mechanics? Will we end up with a military that is too damn fat to get out of its own way? I don’t care what your job is, cyber warrior or not: if you’ve made the commitment to serve your country then you can make a commitment to pass a damn PT test.

Feds Use Spyware

Ever hear of CIPAV? It is some pretty bad-ass spyware that tracks every website, every chat, every email that you send from your computer. Maybe you know it by its more common name, Computer and Internet Protocol Address Verifier. Sounds pretty official for a piece of nefarious software. Guess what, it is the software used by the FBI. Which is OK, I guess; I mean, the FBI needs investigative and forensic tools, don’t they? But what do they do with all this data they collect? Who are they collecting it from? Do they need or even attempt to get a warrant when they use it? Why is it such a big secret? These are just a few of the questions about this secret program that have come up since its existence was first discovered. Now it looks like the FBI actually asked the FISC court (that’s the secret court that rubber stamps eavesdropping warrants for the FBI) if they could use the software. Looks like they have been using this stuff since 2005! No idea of how it gets installed or if AV software will catch it. I’m all for the FBI and other agencies having the tools they need to do their jobs, but there is no reason why it needs to be all secret and cloak-and-dagger; how about a little oversight?

PWN to Own Take 2

The folks over at CanSecWest will once again be hosting their popular PWN to OWN contest at this year’s con. I wrote about last year’s contest, which was won after a spl0it was found in QuickTime that allowed the attacker to PWN the Mac laptop. This year they are also putting up an Ubuntu and a Vista box. They haven’t mentioned what the configuration will be, what apps will be installed, etc… but it doesn’t really matter. This exercise will prove nothing other than that the CanSecWest organizers know how to be media whores (hey, even I’m writing about it). Even if one or two of the boxes get owned it will not prove that one OS is more secure than another. OS security is proven (or disproved) by the types and severity (not the number or frequency) of vulnerabilities found over the long term. So while this contest will likely get a lot of press, especially if someone is successful and owns one of the boxes, in the long run it really doesn’t mean anything.

Quickies and L0pht News

There have been a lot of things happening in the security world lately that I have wanted to write about, like Geekonomics, the half million pictures pilfered from MySpace and the accompanying torrent file, how the NSA has wrestled control of the nation’s cyber-security away from DHS, how the recently proposed Protect America Act won’t, that Yahoo’s CAPTCHA has been cracked (not wide open but open enough), Bruce Schneier’s excellent speech down under, how the Feds are getting rid of admin rights on XP boxes (about time) and of course the CyberWar that wasn’t really. Like I said, a lot of stuff going on recently to write about, but I’ve just been too busy.

But what I really wanted to mention today was that the L0pht reunion I mentioned earlier seems to be becoming a pretty big deal. Did I mention the Pub Crawl?
P.S. Looks like the latest version of WordPress hosed some of my site (like the HNN archive). I’ll try to have it back online soon.

L0pht reunion? Source 2008

Well, it looks like there may be a mini reunion of old L0pht folks. We are still trying to round everyone up, but there will be more of us together on one stage than there has been for over ten years. (Damn, has it really been that long?) Anyway, it will be at the Source 2008 conference in Boston in March. There are some other pretty damn big heavy hitters who will also be at the conference: Steven Levy (yes, of Hackers the book), Dan Geer (yes, of Athena), Richard Clarke (yes, that Richard Clarke). Not sure yet what day the L0pht panel will be speaking, but it will be one hell of a conference.

Who trusts you and who do you trust?

For some reason I am constantly reminded of the old Schwarzenegger movie Running Man, where the game show host Damon Killian yells out “Who loves you and who do you love?” to rousing applause. Except when I think of that scene I often replace the word love with the word trust. They mean about the same thing, don’t they?
So who do you trust? Do you trust your security consultants? ‘Acid’ or ‘AcidStorm’ (aka John Kenneth Schiefer), who worked for a Los Angeles based security consultant company known as 3G Communications, has pleaded guilty to purposely infecting computers he was supposed to be protecting with various forms of malware, running a botnet of 250,000 machines and even stealing PayPal account passwords. Did I mention he was a security consultant?
And how about this: brand new Maxtor brand hard drives from Seagate are found to have Trojans preinstalled on them. What’s worse is that this has happened before (and will probably happen again).
The bad guys aren’t lurking around corners hidden in dark alleys; they are right here in plain sight. So who do you trust? Who trusts you?

Bomb Threats from Google Hacking?

The worlds of physical and information security are quickly merging into one but people are still trying to take shortcuts.
By now most people have heard news reports about bizarre crimes where stores are receiving bomb threats over the phone and are forced to wire money to some unknown account or the store will get blown up. Evidently the anonymous caller convinces the store employees that they are being observed, makes them sit in a circle or take their clothes off and then wire the money. You can read about these crimes here, here and even here; they are taking place across the country from Maine to Kansas.
So how is this possible? How can someone be observing store employees from outside the store? Some of the police officers in the above linked stories think it must obviously be the work of evil hackers who broke into the stores’ security systems over the Internet. I think it was said best by Hutchinson, Kansas Police Chief Dick Heitschmidt when he said “If they can access the Internet, they can get to anything.” (Brilliant! Why is this man wasting his life in law enforcement?)
Actually, Chief, they don’t even need access to the whole Internet, just Google. Take a look at these Google searches, like this one or this one. Those are default web pages for security cameras. Come on, you didn’t think people actually still used old VHS tape for those things anymore, did you? It is all IP based and digital. Most people are just too lazy or stupid to set up a robots.txt file or even just change the default passwords. As a result the video feeds from the security cameras are available to anyone with a net connection.
So your criminal does a few Google searches, finds an interesting camera or two, figures out what store they belong to and then makes a phone call. Pretty simple; kinda surprised this hasn’t happened before now.
It is worse than that, really. A lot of companies are connecting things like their electronic door card access systems, alarm systems and other security systems to the network. Bomb threats via telephone are what happens when they get access to the video cameras; what would happen if they had access to everything else?
Just remember: if you can access something over the net then the bad guys can too, if they want to badly enough. The key is to make it hard for them, and you can start by changing the default passwords.

Remote iPhone exploit? Big Deal.

So the folks over at Independent Security Evaluators claim to have found a remote iPhone exploit. Evidently this is big news, as it has already garnered an article in the New York Times (talk about media whoring) and been granted a coveted speaking spot at the Blackhat Security Briefings early next month. Must be a pretty bad spl0it to get all this attention, right? Doesn’t sound like it; more like they were just the first folks to find a decent sized hole.

Sure, there have been other holes found, like figuring out how to change the color of your charging battery from green to neon pink or bright blue, or managing to hack in a custom ringtone, or the big one of being able to bypass the AT&T activation but still be able to use the phone. These are all kind of rinky-dink holes though, nothing that puts your personal data at risk. This new hole claims to do just that.

According to the folks at Independent Security Evaluators, their proof of concept code can read the log of SMS messages, the address book, the call history, and the voicemail data. Pretty damning stuff to be sure. So why is this not a big deal?

First of all, the delivery method is a little convoluted and requires some social engineering to convince the user to visit a compromised web page or to use an untrusted wireless network. These are the same attack vectors that plague laptops and other PDAs; nothing new here. What is new is that this affects an iPhone, and that is why it is getting the press. I also suspect that this will be pretty trivial to fix. From the details that have been released so far, I suspect that just altering iPhone’s Safari to prompt the user when downloading and running applications should do the trick.

So basically, continue safe computing practices, don’t be complacent and don’t put too much trust in your devices and you’ll be fine. Vulnerabilities that require user interaction like this one aren’t what you should be worrying about; attacks that compromise entire cell sites and infrastructure, like the one that hit the Olympics in Greece or the hack that hit Paris Hilton, are what should be keeping you awake at night.

iPhone Security Myths Busted

I know what you’re thinking: “Not more iPhone! Enough already!” Yeah, I know, me too, but seriously there is just too much FUD floating around out there. FUD from reputable places such as Gartner. Well, OK, maybe not that reputable, but people still listen to them for some reason. They released a white paper last week telling IT managers to avoid iPhone because it is insecure. What a load of rubbish.

The big complaints seem to be USB, IMAP and WiFi. Actually there is a lot more FUD floating around other than just that, but I’m just going to focus on the security complaints.

Evidently the fear with USB is twofold: one, that users can steal company secrets, and two, that users will fill up their machines with iTunes music. USB thumb drives and MP3 players have been around for, I don’t know, a long time now. USB mass storage devices can be disabled on both Windows and MacOS. If your IT department hasn’t figured out that these are threats by now, you have much bigger problems than an iPhone.
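As an added example (not code from the original post), here is one way an admin would actually do that on Windows: the USB mass storage class driver is loaded by the USBSTOR service, and setting that service’s Start value to 4 (Disabled) stops the driver from attaching to newly plugged-in thumb drives, iPods and iPhones in disk mode. It assumes an elevated PowerShell session and the standard USBSTOR registry key; the function names are my own.

```powershell
# Added example: block USB mass storage devices on Windows by disabling the USBSTOR driver.
# Assumes an elevated (Administrator) PowerShell session. Start = 3 is the normal
# "load on demand" value; Start = 4 means Disabled. Devices already mounted keep working
# until they are unplugged; anything plugged in afterwards will not get a drive letter.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbMassStorageState {
    # Read the current Start value and translate it into something readable.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    switch ($start) {
        3       { 'Enabled (Start=3, driver loads on demand)' }
        4       { 'Disabled (Start=4)' }
        default { "Unknown (Start=$start)" }
    }
}

function Disable-UsbMassStorage {
    # Setting Start to 4 keeps the class driver from loading for new devices.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
}

function Enable-UsbMassStorage {
    # Restore the default "load on demand" behaviour.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 3 -Type DWord
}

# Usage: show the state before and after the change.
Get-UsbMassStorageState
Disable-UsbMassStorage
Get-UsbMassStorageState
```

Note that this only covers the mass storage class; keyboards, mice and other USB device classes keep working, and a device that syncs over a different protocol (MTP, or a phone’s own sync channel) is not affected. On Vista and later the same control, plus per-class read-only settings, is available through Group Policy under Computer Configuration > Administrative Templates > System > Removable Storage Access, which is the cleaner choice for a domain.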

For some reason WiFi is suddenly a new threat, or I guess it is only a threat when it is integrated into iPhone. How is this any different from a WiFi enabled laptop? As long as iPhone supports standard encryption protocols like WPA, it is no better or worse off than a roaming laptop, at least for protecting your data in transit over the airwaves. Data stored on the device is another issue. It is unknown if iPhone has a firewall of any sort to protect it from WiFi attacks. However, considering that iPhone is based on OS X, which has a firewall built in, it is a pretty good bet that iPhone will have one as well.

OK, so now we have proper mass storage device controls in place, we have encrypted our WiFi and turned on the firewall; what else could possibly be an issue? What’s that? Email, you say? Simple IMAP? IMAP is a security issue? Since when? Oh, I see, you’re just so used to using MS Exchange and RIM’s Blackberry Enterprise Server that you don’t know how to use anything else. Oh, by the way, MS Exchange supports IMAP. Of course you don’t get all the funky features with IMAP that you get with Exchange/Blackberry, like being able to revoke all of a user’s email when you fire them. I suspect Apple will have some interesting iPhone features inside of Mac OS X 10.5 Leopard later this year.

About the only security question I have with iPhone is whether or not it supports IMAP over SSL, or IMAPS. Considering that the iPhone has Safari built in, I suspect that support for SSL will be included.

There are even some security features that will probably be in iPhone that haven’t been announced yet. Quick and easy firmware updates. You probably didn’t even realize it, but iTunes will update your iPod firmware automagically with just the click of a button. It will be just the same with iPhone. If a problem develops, Apple will just release a firmware patch that will automagically get applied the next time the user syncs. When was the last time you updated the firmware on your cell phone? Ever try to even look for a firmware update for your phone?

iPhone will run a modified version of OS X. That will likely include some form of FileVault, Apple’s encryption technology for user files. That’s right, encryption built right in. This hasn’t been announced and it might not be in there, but if the technology and the code already exist, why not put it in?

iPhone looks to be just about as secure as, or even more so than (no proprietary and closed backend), a Blackberry, Treo, or Blackjack. Everyone saying otherwise is either a paid MS shill, astroturfing, or just plain an idiot.