Honey Dipped Patch Tuesday

I have never really understood Microsoft’s Patch Tuesday from a security perspective. Sure from an IT management perspective it makes a lot of sense. The ability to actually plan for events and effectively allocate resources in IT is a rare commodity. So much of IT management is reacting instead of planning that Patch Tuesday almost becomes a calming ritual performed once a month that can be rather comforting. Download, Test, Apply, eat your donut, repeat next month. From a security perspective though it makes absolutely no freaking sense.
So what happens when a hole is discovered on the Wednesday after Patch Tuesday? Thats right, nothing happens until the next patch Tuesday. Well, at least you hope nothing happens. You hope the bad guys haven’t already found and are actively exploiting the hole.
Some companies like Apple, Sun, HP, OpenBSD, etc., do not patch on a schedule, instead they patch when needed. From a security point of view this is preferred as it greatly minimizes the time you are at risk. Unfortunately this can also lead to the situation where you are rolling out patches for five of the last ten days, like Apple did earlier this month. Patching every other day from an IT perspective is bad, it means your fighting fires, it means you can’t plan, or allocate resources. It means you actually have to do your job and manage your IT! It means no honey dipped for you! Oh no, the horrors!
The reporters over at ComputerWorld evidently felt like it was a good time bring up this ancient argument again and found a couple of clueless Windows Admins who claim to be “Security Researchers” who wanted to bitch about how they actually have to do work and manage Apple’s patches. Waaaaah. It must be Apple who is not ready for the Enterprise. Since Apple is the one making them do work and apply patches on a Thursday it must be Apple who is wrong. Sun, and HP and OpenBSD, and everyone who patches when needed, according to these “security researchers”, must be wrong.
Most people in the security industry understand the double edge sword of patching on a schedule and making the enterprise IT drones happy versus patching when needed and making the (real) security guys happy. There really is no right or wrong answer, it depends on which side of the fence you stand and what is more important, being secure or having time on Wednesday to eat your honey dipped donut.

Remote iPhone exploit? Big Deal.

So the folks over at Independent Security Evaluators claim to have found a remote iPhone exploit. Evidently this is big news as it has already garned an article in the New York Times (talk about media whoreing) and been granted a coveted speaking spot at the Blackhat Security Briefings early next month. Must be a pretty bad spl0it to get all this attention, right? Doesn’t sound like it, more like they were just the first folks to find a decent sized hole.

Sure there have been other holes found, like figureing out how to change the color of your charging battery from green to neon pink or bright blue, or managing to hack in a custom ringtone or the big one of being able to bypass the AT&T activation but still be able to use the phone. These are all kind of rinky dink holes though, nothing that puts your personal data at risk. This new hole claims to do just that.

According to the folks at Independent Security Evaluators thier proof of concept code can read the log of SMS messages, the address book, the call history, and the voicemail data. Pretty damning stuff to be sure. So why is this not a big deal?

First of all the delivery method is little convoluted and requires some social engineering to convince the user to visit a compromised web page or to use an untrusted wireless network. These are the same attack vectors that plaque laptops and other PDAs, nothing new here. What is new is that this effects an iPhone, that is why it is getting the press. I also suspect that this will be pretty trivial to fix. From the details that have been released so far I suspect that just by altering iPhone’s Safari to prompt the user when downloading and running applications should do the trick.

So basically continue safe computing practices, don’t be complacent and don’t put to much trust in your devices and you’ll be fine. Vulnerabilities that require user interaction like this one aren’t what you should be worrying about, attacks that compromise entire cell sites and infrastructure like the one that hit the Greece Olympics or the hack that hit Paris Hilton are what should be keeping you awake at night.

iPhone Security Myths Busted

I know what your thinking, “Not more iPhone! Enough Already!” yeah, I know me to, but seriously there is just to much FUD floating around out there. FUD from reputable places such as Gartner. Well, OK maybe not that reputable but people still listen to them for some reason. They released a white paper last week telling IT Managers to avoid iPhone because it is insecure. What a load of rubbish.

The big complaints seem to be USB, IMAP and WiFi. Actuallly there is a lot more FUD floating around other than just that but I’m just going to focus on the security complaints.

Evidently the fear with USB is two fold, one that users can steal company secrets and two that users will fill up their machines with iTunes music. USB thumb drives and MP3 players have been around for, I don’t know, a long time now. USB mass storage devices can be disabled on both Windows and MacOS. If your IT department hasn’t figure out that these are threats by now you have much bigger problems than an iPhone.

For some reason WiFi is suddenly a new threat, or I guess it is only a threat when it is integrated into iPhone. How is this any different than a WiFi enabled laptop? As long as iPhone supports standard encryption protocols like WPA it is no better or worse off than a roaming laptop, at least for protecting your data in transit over the airwaves. For data stored on the device that is another issue. It is unknown if iPhone has a firewall of any sort to protect it from WiFi attacts. However, considering that iPhone is based on OSX which has a firewall built-in it is a pretty good bet that iPhone will have one as well.

OK, so now we have proper mass storage device controls in place, we have encrypted our WiFi and turned on the firewall what else could possibly be an issue? What’s that? email you say? Simple IMAP? IMAP is a security issue? Since when? Oh, I see your just so used to using MS Exchange and RIMs Blackberry Enterprise server you don’t know how to use anything else. Oh, by the way, MS Exchange supports IMAP. Of course you don’t get all the funky features with IMAP that you get with Exchange/Blackberry like being able to revoke all of a users email when you fire them. I suspect Apple will have some interesting iPhone features inside of Mac OSX.5 Leapord later this year.

About the only security questions I have with iPhone is wether or not it supports IMAP over SSL. or IMAPS. Considering that the iPhone has Safari built in I suspect that support for SSL will be included.

There are even some security features that will probably be in iPhone that haven’t been announced yet. Quick and easy firmware updates. You probably didn’t even realize it but iTunes will update your iPod firmware automagically with just the click of a button. It will be just the same with iPhone. If a problem develops Apple will just release a firmware patch that will automagicallly get applied the next time the user syncs. When was the last time you updated the firmware on your cell phone? Ever try to even look for a firmware update for your phone?

iPhone will run a modified version of OSX. That will likely include some form of FileVault, Apple’s encryption technology for user files. Thats right, encryption built right in. This hasn’t been announced and it might not be in there, but if the technology and the code already exist why not put it in?

iPhone looks to be just about as secure or even more so (no propritary and closed backend) than a Balckberry, Treo, or Blackjack. Everyone saying otherwise is either a paid MS schill, astroturfing, or just plain idiots.

Mac Hack Hype

So by now you have probably heard about the MacBook Pro that was compromised at CanSecWest last Friday. Here is a quick recap if you missed it. A MacBook Pro with all updates applied on a wireless network, if you can break in you win the laptop. Well, after two days no one broke in so the rules where relaxed a little and the MacBooks where allowed to surf to malicious webpages. You can read more details here, here, here, here, here, and probably a few dozen other places.
The hype on this is pretty amazing considering that this really isn’t that big of a hack. This sort of things happens on Windows platforms on a almost daily basis. Yes, its zero day but other than that so what? Lets take a look at the actual exploit, or at least as much as we can piece together from the various ‘news’ outlets. First you need to convince a user to visit your malicious web page with Safari (no mention if Firefox or other browsers are immune) which depending on who you are convincing may or may not be that hard. Then even after you get your code installed installed on the victim your only granted user level access. Your still not root. Granted your a big step closer to getting root but you are still mired in userland.
So yes, this is a valid hole that should be repaired as soon as possible but it doesn’t warrent anywhere near as much press as it has been garnering.