The iPhone Is Your Friend, Or Is That Enemy?

I know that this topic has been discussed before, but I am writing this one as a reminder to all the CISO’s out there that allow people to connect their phones to your corporate PC’s.

I do agree that in their default configuration iPhones aren’t exactly the most dangerous of devices to have on your network, however if you take the step to Jailbreak your iPhone, it opens up a whole new playing field.

After Jailbreaking my phone, the first things that I installed were nmap, metasploit, tcpdump and an application to enable my phone as a USB drive. This allowed me to gain access to a corporate network via wireless on my phone, and exploit a windows host in about 10 minutes, all from sitting in the lobby.

Also with a bit of scripting/or paid for applications, I was able to plug my iPhone into a PC and copy everything that was stored in the My Documents folder for that user. Some of this was company confidential data, some of it was personal photos and banking details.
Don’t get me wrong, I love my iPhone, but I believe that corporations should really take smart phones as a serious security risk, and not just write them off as phones. The age of a cell phone being just a cell phone is long gone now, and phones are easy to get into places and no-one bats an eye lid if you spend 10 minutes typing on your phone.

Next time you see someone sitting in a lobby working on their phone, remember this article, and ask yourself, what defenses do you have in place to protect against this threat?

Share

The complexity of the ad-hoc network (and network research)

After months of intermittent attempts and research, I finally have a connection between two of my laptops, and an Internet connection to the one that is not physically connected to the wired LAN.

(Well, perhaps I might qualify that.  I appear to have a connection to the Internet, and I seem to have been successful at viewing a couple of Websites, and sending one piece of email.  It’s pig slow, and at the moment the mailer is trying to download some email.  It’s made enough of a connection to know that some email is there, but actually retrieving the email is taking enough time that I have been able to start to prep this posting in a browser window while I’m waiting.  I type very slowly, and, as of the end of this paragraph, it hasn’t yet successfully downloaded the second of seven messages.)

(The speed of the connection [although the computer says the connection is "Very Good"] may be due to the fact that I’m using  WEP with 104, rather than 40, bit key.  Don’t know how much difference it would make.  At the moment, having only just established the connection, I’m not about to mess with the settings to find out.)

However, as happy as I am to have the connection, the simple fact of it is not important enough to warrant a blog post.  No, the real point is all the trouble I encountered trying to find out how to make it work.  Following on from the complexity of any computing that I wrote about earlier.
As usual, I made my own life more difficult.  If all I wanted was a simple ad-hoc wireless network, that could be had for the asking.  Well, sort of.  A simple wireless network doesn’t do very much, unless you can share information from the drives, or share an Internet connection.  And that seems to be extra.

(Maybe.  At one point in the process, I had left one of the test wireless networks “on.”  And in one of my classes, one of my students managed to connect to it and get an Internet connection from the wired connection I had.  Random successes aren’t terribly useful, unless you can repeat them.)

Anyway, I have a wired network at home.  I have sharing enabled, so that I can copy materials from one machine to another.  At the moment, all of them run Windows XP.  (Yeah, I know.  I’ll get around to Linux sometime …)  I have (now) multiple laptops, and have to take at least one of them on the road for teaching.  And, of course, the mobile machines have to connect to all kinds of wired and wireless connections on the road.

Of course, the easy way would be to go to London Drugs and get a wireless router, connect it to the wired LAN, and fill in a few simple settings.  It’d probably take no more than a couple of hours, from beginning to end.  But I wouldn’t learn much about ad-hoc networking that way, and I’ve been getting more interested in it, particularly as a security concern, as I have been seeing that “computer-to-computer network” legend show up in more and more places.  (Especially with “Free Internet Connection!” as the network name.)

So, having a spare laptop (since, on a recent teaching trip, it decided to go spare on me), I figured it would be easy to set up a connection between that and the new one.

Actually, it was on the trip that I wanted to start the process.  There was nothing wrong with the old laptop (except that it was a Toshiba, and I’ve had two Toshibas in a row, and I will never again by anything made by Toshiba since they’ve given me nothing but grief for eight years) except that the power supply was becoming unreliable.  I bought a cheap (and non-Toshiba) netbook and asked for advice about connecting them via ad-hoc network in order to transfer the necessary files.

Well, lots of advice, but nothing actually worked, and I fell back on using the Passport external drive my wonderful daughters gave me that has been so useful in so many situations.  But it doesn’t do networking.

The friends gave me some starting points in terms of places to look for advice.  Microsoft, naturally.  There is a wonderful page at http://www.microsoft.com/windowsxp/using/networking/expert/bowman_02april08.mspx which provides clear explanations.  Only a couple of problems: it was written in 2002, so the dialogue boxes have changed.  This piece does talk about sharing an Internet connection, but it doesn’t mention the need to modify the default IP addresses, since everything seems to want to use 192.168.0.1 as a base, and that leads to conflicts.  Bottom line: it doesn’t work.

Microsoft updated the information in 2006 at http://www.microsoft.com/windowsxp/using/networking/setup/adhoc.mspx and the dialogue boxes are closer to what you’ll actually see these days.  After running through that one I tested it out, only to find that the network never does show up on “Available Wireless Networks.”  I’m not sure if this is because, if you choose WEP, and tell it not to broadcast the key, it keeps it hidden.  I did manage to connect to the network, and even seemed to be able to see other computers drives, and see something of the Internet, but all of the connections disappeared over time.  Again, this page says to use Internet Connection Sharing, but doesn’t provide the necessary detail to make it work.

All kinds of pages are out there, if you do a Web search, seemingly based on this same, limited, misinformation.  At http://www.home-network-help.com/ad-hoc-wireless-network.html the author seems to have given some thought to the issue of IP addresses, but not much.  http://www.home-network-help.com/ics-host-computer.html goes into a bit more detail on the IP addresses, but not enough, particularly in terms of the entries that have to be made in various places on various machines.

Finding all the places to make those entries is a trip in and of itself.  The Help and Support Center for XP Home Edition is no help.  At one point I was afraid that the multitude of entries for the various networks I’ve connected to in hotels, airports, and seminar hosting sites had something to do with it, so I went and deleted all of those “Preferred networks” I had accumulated over the years.  (Did you know that they were all still there?)

Lots of people are willing, and more than willing, to provide the benefit of their lack of experience.  I say this, since so many of the entries don’t actually work.  http://www.ehow.com/how_6108229_make-wirelss-internet-_ad_hoc-wireless_.html  Terse, doesn’t work.  http://www.ehow.com/how_5167281_create-ad-hoc-wifi-network.html  Slight tech detail, doesn’t cover sharing drive or Internet connection, doesn’t explain how to make new wireless network visible to “View available wireless networks.”  http://www.ehow.com/how_5154137_create-ad-hoc-network.html  A touch more detail than above (5167281), mentions need to share Internet connection, mentions a dialogue button that doesn’t exist in the XP explanation.  http://www.ehow.com/how_5946176_set-hoc-network-windows-xp.html  Some detail on setting up the network, doesn’t completely work, nothing on sharing.  http://www.ehow.com/way_5492555_ad-hoc-network-tutorial.html  Some detail on setting up the network, doesn’t completely work, nothing on sharing.  http://www.ehow.com/how_5670567_set-ad-hoc-wireless-network.html  Some detail on setting up the network, doesn’t completely work, nothing on sharing, does do XP and Vista.

Some of the advice is contradictory.  For example, I mentioned I was using WEP.  This is because some of the sites, such as http://www.hardwaresecrets.com/article/418 and http://www.tomshardware.com/forum/28615-42-networking-security-problem suggest that WPA and WPA2 can’t be used if the “host” for your ad-hoc network is running Windows XP (which mine is).  Of course, that might be old news, which might have been superceded by intervening upgrades.  But, with this level of information, how am I supposed to tell?

We are awash in a sea of information.  Except that some of the information is misinformative.  As John Lawton stated, the irony of the information Age is that it has given new respectability to uninformed opinion.  This can have rather significant consequences.  A recent CBC story notes that this may play into the May 6 stock market mini-meltdown.

So far, the best clue I received was from http://www.wi-fiplanet.com/tutorials/article.php/3822651  I had frequently seen the “Bridge connections” option, but I somehow never thought to have two networks “selected” when I tried it.  Even then, I might have missed the opportunity.  I got the usual error message, but it suddenly dawned on me that ICS might conflict with it.  (Given that everybody else had been telling me to turn ICS on.)  So, I turned ICS off, and, sure enough, Bridge connections was happy to do just that.

I still have no clue what has been set, and where …

Share

The complexity of the end-user’s computer

Over the years I’ve had to learn a lot about computers.  I’ve written device drivers for the All-in-One system under Vax/VMS.  I know what to do with MS-DOS’s AUTOEXEC.BAT and CONFIG.SYS files.  I’ve learned more word processors than I can remember the names of.  I was using UNIX when that was still a big deal.  Because of some some research that was important in the early days of computer viruses I know a question that will stump any computer forensics expert on the witness stand.

I’m a little afraid of my new netbook.  Within a few months I’ll need to buy a new desktop, and I know I’m going to be more afraid of it.

In the DOS days, I knew pretty much everything that was going on in it.  I knew the hardware, and the system files.  I even had a bunch of tools that would let me see the raw disk and memory.  It was tedious to do so, but it was possible.

Even when Windows 3 and 95 came out, I understood that this was simply a new interface.  I could still examine the system, and make sure everything was as it should be.  I could have confidence and assurance in the computer.  True, there wasn’t any serious protection on it, but, since I knew the full system, I could examine it regularly and make sure that nothing untoward was happening.

Then came Windows NT.  Extra protection on the system, but suddenly every time you turned the system on, 400 files (a number of them system files) got modified.  Change detection lost its security.

Then the later members of that family started adding ties into applications and back again.  And with Windows XP, for the first time, when a friend’s computer got infected, the only solution was to re-install the system.

Complexity is the enemy of security.   However, this goes deeper.  These days we have huge numbers of people using devices that are, as far as they are concerned, magic.  Don’t get me wrong.  I think magic is a lot of fun.  It’s just that magic seems to be defined as inherently unknowable, and these users are not only content with, but actually proud of, their ignorance.

This is dangerous.  When you assume that you cannot know, that seems to absolve you of any responsibility for even trying.  You punch the icons, and do things with no understanding of the consequences.

At the moment, I am trying to set up an ad-hoc wireless network between some of my machines.  I’m not having much luck.  I’ve researched the process, and had suggestions from friends.  I’ve been working at it, off and on, for months.  It still isn’t working.  I can’t find the information I need, either on the process, or in regard to the actual settings on my machines.

Ignorance isn’t bliss.  It’s dangerous.  If I, as a computer, communications, and security specialist of decades of standing, can’t get a simple (well, not quite that simple) network set up, how can we give advice to the novice users of the world on how to keep themswelves safe?

Share

Microsoft Security Essentials review

What with twenty years experience in reviewing AV software, I figured I’d better try it out.

It’s not altogether terrible.  The fact that it’s free, and from Microsoft (and therefore promoted), might reduce the total level of infections, and that would be a good thing.

But even for free software, and from Microsoft, it’s pretty weird.

When I installed it, I did a “quick” scan.

That ran for over an hour on a machine with a drive that’s got about 70 Gb of material on it, mostly not programs.  At that point I hadn’t found out that you can exclude directories (more on that later), so it found my zoo.  It deleted nine copies of Sircam.

Lemme tell ya ’bout my zoo.  It’s got over 1500 files in it.  There are a lot of duplicate files (hence the nine copies of Sircam), and there are files in there that are not malware.  There are files which have had the executable file extensions changed.  But there are a great number of common, executable, dangerous pieces of malware in there, and the only thing MSE found was nine copies of Sircam.

(Which it deleted.  Without asking.  Personally, for me, that’s annoying.  It means I have to repopulate my zoo from backups.  But for most users, that’s probably a good thing.)

Now, when I went to repopulate my zoo, I, of course, opened the zoo directory with Windows Explorer.  And all kinds of bells and whistles went off.  As soon as I “looked” at the directory, the real-time component of MSE found more than the quick scan did.  That probably means the real-time scanner is fairly decent.  (In my situation it’s annoying, so I turned it off.  MSE is now annoyed at me, and continues to be annoyed, with big red flags on my task bar.)
MSE has four alert levels to categorize what it finds, and you have some options for setting the default actions.  The alert levels are severe (options: “Recommended action,” “Remove,” and “Quarantine”), high (options: “Recommended action,” “Remove,” and “Quarantine”), medium (options: “Recommended action,” “Remove,” “Quarantine,” and “Allow”), and low (options: “Recommended action,” “Remove,” “Quarantine,” and “Allow”).  Initially, everything is set at “Recommended action.”  I turned everything down to the lowest possible settings: I want information, not strip mining.  However, for most people it would seem to be reasonable to keep it at the default action, which seems to be removal for everything.
I don’t know where it puts the quarantined stuff.  It does have a directory at C:\Documents and Settings\All Users\Application Data\Microsoft Security Essentials, but no quarantined material appears to be there.

(I did try to find out more.  It does have help functions.  If you click on the “Help” button, it sends you to this site.  However, if you click on the link to explain the actions and alert levels, it sends you to this site.  If you examine those two URLs, they are different.  If you click on them, you go to the same place.  At that location, you can get some pages that offer you marketing bumpf, or watch a few videos.  There isn’t much help.)
You can exclude specific files and locations.  Personally, I find that extremely useful, and the only reason that I’d continue using MSE.  It does seem to work: I excluded my zoo before I did a full scan, and none of my zoo disappeared when I did the full scan.  However, for most users, the simple existence of that option could signal a loophole.  If I was a blackhat, first thing I’d do is find out how to exclude myself from the scanner.  (There is also an option to exclude certain file types.)

So I did a full scan.  That took over eight hours.  I don’t know exactly how long it took, I finally had to give up and leave it running.  MSE doesn’t report how long it took to do a scan, it only reports what it found.  (I suspect the total run was around ten or eleven hours.  MSE reports that a full scan can take up to an hour.)

While MSE is running it really bogs down the machine.  According to task manager it doesn’t take up much in the way of machine cycles, but the computer sure isn’t responsive while it’s on.
When I came back and found it had finished, the first thing it wanted me to do was send a bunch of suspect files to Microsoft.  The files were all from my email.  On the plus side, the files were all messages that reported suspect malware or Websites, so it’s possible that we could say MSE is doing a good job in scanning files and examining archives.  (On the other hand, every single message was from Sunbelt Software.  This could be coincidence, but it is also a fact that Sunbelt makes competing AV software, and was formerly associated with a company that Microsoft bought in its race to produce AV and anti-spyware components.)

Then I started to go through what Microsoft said it found, in order to determine what I had lost.

The first item on the list was rated severe.  Apparently I had failed to notice six copies of the EICAR test file on my machine.

Excuse me?  The EICAR test file?  A severe threat?  Microsoft, you have got to be kidding.  And the joke is not funny.

The EICAR test file is a test file.  If anyone doesn’t know what it is, read about it at EICAR, or at Wikipedia if you don’t trust EICAR.  It’s harmless.  Yes, a compatible scanner will report it, but only to show that your scanner is, in fact, working.

It shouldn’t delete or quarantine all copies it finds on the machine.

MSE also said it quarantined fifteen messages from my email for having JavaScript shell code.  Unfortunately, it didn’t say what they were, and I wasn’t sure I could get them back.  I don’t know why they were deleted, or what the trigger was.  MSE isn’t too big on reporting details.  I don’t know whether these messages were simply ones that contained some piece of generic JavaScript, and got boosted up to “severe” level.  Given the EICAR test file experience, I’m not inclined to give Microsoft the benefit of the doubt.

After some considerable work, I did find them.  They seemed to be the “suspect” messages that Microsoft wanted.  And when I tried to recover them, I found that MSE had not quarantined them: they were left in place.  So, at the very least, at times MSE lies to you.

(I guess I’d better add my email directory to places for MSE not to scan.)
MSE quarantined some old DOS utilities.  It quarantined a bunch of old virus simulators (the ones that show you screen displays, not actual infectors).  (Called them weird names, too.)

MSE quarantined Gibson Research‘s DCOMbob.exe.  This is a tool for making sure that DCOM is disabled on your machine.  Since DCOM was the vector for the Blaster worm (among others), and is really hard to turn off under XP, I find this rather dangerous.

OK, final word is that I can use it.  I’ll want to protect certain areas before I do, but that shouldn’t be too much of a concern for most users.

You might want to make sure Microsoft isn’t reading your email …

Share

Vanishingly small utility …

This system has had some discussion in the forensics world over the past few days.  Here’s an extract from Science Daily:

“Computers have made it virtually impossible to leave the past behind. College Facebook posts or pictures can resurface during a job interview. A lost cell phone can expose personal photos or text messages. A legal investigation can subpoena the entire contents of a home or work computer. The University of Washington has developed a way to make such information expire. After a set time period, electronic communications such as e-mail, Facebook posts and chat messages would automatically self-destruct, becoming irretrievable from all Web sites, inboxes, outboxes, backup sites and home computers. Not even the sender could retrieve them.

“The team of UW computer scientists developed a prototype system called Vanish that can place a time limit on text uploaded to any Web service through a Web browser.

[Perhaps a bit narrower focus than the original promise, but it is a prototype - rms]

“After a set time text written using Vanish will, in essence, self-destruct.  The Vanish prototype washes away data using the natural turnover, called “churn,” on large file-sharing systems known as peer-to-peer networks. For each message that it sends, Vanish creates a secret key, which it never reveals to the user, and then encrypts the message with that key. It then divides the key into dozens of pieces and sprinkles those pieces on random computers that belong to worldwide file-sharing networks. The file-sharing system constantly changes as computers join or leave the network, meaning that over time parts of the key become permanently inaccessible. Once enough key parts are lost, the original message can no longer be deciphered.”

However, given the promise to clean up social networking sites, and as I started to read the paper, an immediate problem occurred to me.  And, lo and hehold, the authors admit it:

“We therefore focus our threat model and subsequent analyses on attackers who wish to compromise data privacy. Two key properties of our threat model are:
1. Trusted data owners. Users with legitimate access to the same VDOs trust each other.
2. Retroactive attacks on privacy. Attackers do not know which VDOs they wish to access until after the VDOs expire.
The former aspect of the threat model is straightforward, and in fact is a shared assumption with traditional encryption schemes: it would be impossible for our system to protect against a user who chooses to leak or permanently preserve the cleartext contents of a VDO-encapsulated file through out-of-band means. For example, if Ann sends Carla a VDO-encapsulated email, Ann must trust Carla not to print and store a hard-copy of the email in cleartext.”

So, this system works perfectly.  If you only communicate with people you trust (both in terms of intent, and competence), and who only use the system properly, and never use any of the information in any program that is not part of the system, it’s completely secure.

How often have we heard that said?

The default to privacy aspect is interesting, and the automatic transparency for the user as well, but this simply moves the problem one step back, as it were.  In terms of utility to social networking, the social networks would have to be completely rewritten to adher to the system, and even then it would be pretty much impossible to ensure that nobody would have the ability to scrape data and keep or publish it elsewhere.

(Plus, the data is still there, and so is Moore’s Law …)

Share

To tinyurl or to tr.im, that is the question …

Dinosaur that I am, it never occurred to me that long URLs were a major problem.  Sure, I’d gotten lots that were broken, particularly after going through Web-based mailing lists.  But you could generally put them back together again with a few mouse clicks.  So what?

So the fact that there were actually sites that would allow you to proactively pre-empt the problem, by shortening the URL, came as a surprise.  What was even more of a surprise was that there were lots of them.  Go ahead.  Do a search on “+shorten +url” and see what you get.  Thousands.  http://bit.ly/ http://tubeurl.com/ http://www.shortenurl.com/index.php http://urlzoom.org/ http://ayuurl.com/ http://urlsnip.com/ http://url.co.uk/ http://metamark.net/ http://8ez.com/ http://notlong.com/ http://shorten.ws/ http://myurl.si/ http://dwindle.me/ http://nuurl.us/ http://myurlpro.com/ http://2url.org/ http://tiny.cc/

I would not, by the way, advise visiting that last.  .cc is a domain used by those on the dark side.  In fact, I wouldn’t recommend visiting many of those: I have no idea where they came from, except that a search pops them up.  Which is part of the point.

Are URL shorteners a good thing?  Joshua Schachter says no.  Therefore, in opposition, Ben Parr says yes.  There are legitimate points to be made on both sides.  They add complexity to the process.  (Shorteners aren’t shorteners: they are redirectors.)  They make it easier to tweet (and marginally easier to email).  They disguise spam.  Some of the sites give you link use data.  They create another failure point.  They hide the fact that most Twitter users are, in fact, posting exactly the same link as 49,000 other Twitter users.

URL shorteners/redirectors are going to be used: that is a given.  Now that they here, they are not going away.  Those of pure heart and altruistic (or, at least, monetary only) motive will provide the services, have reasonable respect for privacy, and add functions such as those providing link use data to the originator (and, possibly, user).  A number of the sites will be set up to install malware on the originator’s machine, to preferentially try to break the Websites identified, to mine and cross-corelate URL and use data, and to redirect users to malicious sites.

If you are going to use them (and you are, I can tell), then choose wisely, grasshopper.  There are lots to choose from.  Choose sites that offer preview capabilities.  If someone doesn’t use the preview options, you can still add them.  http://tinyurl.com/a-short-url-that-expands is the same as http://preview.tinyurl.com/a-short-url-that-expands : you just have to add the “preview.” part.  http://is.gd/ is even easier: just add a hyphen to the end of the shortened URL.  I’m hoping that one of the sites will start checking the database for already existing links, and returning the same “short form”: it’d make it easier to identify all the identical tweets.  (With the increasing use of the sites, it will also ensure that the hash space doesn’t expand too quickly, which would be to the advantage of the shortening sites.)

Share

Give me your fingerprints, I’ll sell you a mobile phone

There will be a new national register of mobile phone users in Mexico.

Under a new law published on Monday and due to be in force in April, mobile phone companies will have a year to build up a database of their clients, complete with fingerprints. The idea would be to match calls and messages to the phones’ owners.

(underlining added)

Mexico has a very strong culture of using prepaid phones.

Share

NetBSD gone Mobile

There is an interesting article about NetBSD becoming the new os on the tmobile sidekick. While NetBSD can run on just about any kind of relevant hardware, running NetBSD on the sidekick and painting a nice GUI (with the help of Danger probably) should be lots of fun. As an end result, could this not rank as the most secure mobile device if nothing else?

Share

All your (base) stations belong to us

What started off nicely in 1992 and promised the much needed privacy to cordless communication at home, has been brought into a halt a few days ago with the practical approach to eavesdropping on DECT communication.

DECT or Digital Enhanced Cordless Telecommunication is a widely used standard for cordless devices, mainly phones, but not limited to it, several POS or Point of Sale devices as well use the standard to communicate in a cheap and secure manner.

The DECT standard itself was not broken, but rather using a cheap off-the-shelf device that is able to receive (not yet transmit) DECT based data, the researchers have been able to prove that eavesdropping on the communication channel is possible.

Most interesting to me as a reader of the paper is that what stopped people from ‘breaking’ it till now, was the lack of hardware, or moreover the lack of cheap hardware, to experiment with, now with the availability (it has been around for a while) of COM-ON-AIR device and its character device (or raw software driver) things have been made a lot easier.

You can read more on this at deDECTed.org

Share

Engineering Elections

Engineering Elections

Did you vote in the last election? If not, you should have. If so, did it really count? I mean, literally, besides the aspect of consideration, did your ballot reach the total counter?

Many people who are part of a democracy and have this magical ‘right to vote’ (There is no amendment or part of the US constitution that directly states that Americans have the right to vote; only that you cannot be discriminated against via race or sex, and you must be at least 18 years of age. Look it up and you’ll see that it is only indirectly implied) probably question where their votes really go each and every time they leave the polls.

Furthermore, the most important question should be this: If election fraud is part of our elections, and we all know at least some part of it is, how can we prevent it? The simple answer is, we can’t. Electronic voting machines are a joke. Really, the security on these machines are inferior to the most common lock and key at the dollar store. Security on these ‘secure’ election devices is comparable a Windows 98 (SE!) box running ZoneAlarm (pro!).

Wouldn’t it be nice and convenient to be able to vote via the Internet, without ever having to leave your home? Sure it would be. Safe though? Not in this century. If you have Netflix or any other movie service, you should add this to your queue: Hacking Democracy. Watch it, learn it, believe it. Do not hesitate at all to think its real. ITS BEEN PROVEN! Not a believer? Just wait around our next big election — we’ll see who wins.

Share

Boxee on AppleTV users are exposed

Xyberpix posted his challenge without giving us any advance notice, but being the ego-driven macho man that I am, even with mediocre writing skills, I can’t not accept it.

So here’s a random thought for the day. AppleTV is a useless brick unless hacked to run something like boxee or another front-end player for custom movie files. It’s safe to say most AppleTV users use it to play content outside iTunes.

The latest AppleTV update (version 2.3) has two interesting qualities.

One, it fixes several vulnerabilities involving playing malformed movie files (kuddos for ZDI for the finds). It shouldn’t be difficult to compare 2.3 to 2.2 and find where the problems are exactly. Some reverse-assembly requires, but definitely doable.

Two, it breaks many of the hacks like mounting external USB drives, and creates problems for applications like boxee.

From problem #2, I’m willing to guess many (most?) of the ATV users that hacked the machine haven’t upgraded. From problem #1 I know that those who haven’t upgraded are vulnerable. They will remain vulnerable for some time, until the hacks improve and find a way around this infamous update.

So will we see an attack targeting AppleTV any time soon? It’s a cute little linux-based device that sits in the network with a connection to the local home LAN. All it takes is the right AVI on the piratebay (or youtube?) to create a little AppleTV zombie net.

Share

Three good reasons why iPhone isn’t the major corporate smartphone

Time to share information about three vulnerabilities reported in Apple iPhone recently.

There is a phishing vulnerability and a spamming vulnerability, which Aviv Raff has reported this month.

The phishing flaw exist in iPhone’s Mail application. With a specially drafted link it’s possible to convince the victim that the link is trusted. Including the address bar, naturally – see Raff’s screenshot here [.jpg].

The second problem is that downloading remote images is not disabled in Mail, i.e. the Web Bug flaw exists in the application and there is no ways to disable that “feature”.
The third one is a SMS security issue found by the son of blogger Karl Kraft, described below:

Those settings block the display of incoming text messages and show an alert saying “New Text Message” if an SMS comes through while the phone is locked. However, if the phone is set to emergency call mode the incoming text messages are previewed.

And then:

“Thus all I need to do to intercept the messages from his girlfriend is to place the phone in emergency mode and wait 30 seconds for the next sickly sweet message,” Kraft writes.

That was reported (yes, by his father) in iPhone version 2.1 (5F136) – the most recent version too.

Share

Nokia & Sun: Yes, Nokia S40 J2ME vulnerabilities exist

I have never understood news articles using terms like ‘claims’ and ‘rumors’ when reporting about several vulnerabilities reported in Nokia Series 40 (S40) phones.

Adam Gowdiak from Poland is a well known researcher, man behind Windows RPC issue MS03-026 etc.

Sun has confirmed that older versions of Java 2 Platform Micro Edition (J2ME) are affected (this was on 15h Aug already) and Nokia confirmed these issues today (let’s say, at last).

It is not known if Sun Microsystems or Nokia Corp. paid €20 000 to Gowdiak, last week or possible later.

Some references:

Security Explorations: J2ME security vulnerabilities 2008
MIDP’s and MIDlets put tens of millions Nokia S40 phones in danger

Update 22nd Aug: From IDG.no:

“Gowdiak would not disclose if he was paid, but said that only reputable, vetted companies that pay would get the full research, which amounted to 180 pages and 14,000 lines of proof-of-concept code.

Nokia has a complete copy of Gowdiak’s research, said Mark Durrant of Nokia’s corporate communications.”

Share

CloudAV

A few media sources seem to be picking up a press release from the University of Michigan.

http://www.ns.umich.edu/htdocs/releases/story.php?id=6666

This reports on “CloudAV,” a project and series of papers about having antivirus  etection run “in the cloud” rather than on the PC.

http://www.eecs.umich.edu/fjgroup/cloudav/

As usual, there seems to be some misunderstanding about what is going on here.   CloudAV is not really a new approach, it is simply the use of multiple scanners, which the  AV research community has advocated for years.  It’s like having a bunch of scanners installed on your desktop, or a system like Virustotal, with the exception that the scanners run on different computers so you get a bit of performance advantage (absent the bandwidth lag/drain for submitting files to multiple systems).

Share

Where there’s an old technology, there’s a way …

I’m a dinosaur.  I freely admit it.  I use computers for far too long.  I use programs for even longer.

My word processor of choice is WordPerfect.  Version 4.2.  It does what I need, since most of what I do in terms of writing has to do with actual writing.  In other words, words.  Text.  I don’t care much about graphics, desktop publishing (does anyone even know what that means anymore), or mindmaps.  I’ve been using WordPerfect since 1985, although I admit I’ve moved up from 4.1 to 4.2 in the early days.  My wife uses a much more advanced version: she uses 5.1, since she does more with actually printing stuff out.
Over the years I’ve had to learn a few tricks to get WordPerfect to run, and print, with various versions of MS Windows.  (I’ve actually got a copy of WordPerfect Office 8 for Windows around, but it really was kind of a step backwards, so we’ve never really used it.)  Recently the (very old) HP LaserJet 4L that we’ve been using (for quite some time) started printing messy pages.  It was the advice of people in the printer biz that it would be cheaper to buy a new printer than to have the old one cleaned.  Since a new HP LaserJet P1005 was slightly less than $60 (getting a USB cable for it cost almost half again as much, and getting a new cartridge for the thing is even more) this seemed to be the case.

So, my Scottish soul bemoaning the fact that I was sending an almost-perfectly-good printer to the recycling centre, I got a new printer, and installed it.  The print quality is fine (slightly better than the old machine) and it even prints faster.  Under Windows, it’s just fine.

As I said, I’ve had to learn a few tricks over the years to keep the old proggie printing, so I knew about “net use lpt1:.”  DOS programs want to use the old parallel and serial ports, and desktop printers don’t come with those ports anymore: they all use USB.  So you have to install the printer, and then fake DOS out by redirecting the LPT1: output to the installed printer.  Set it up, fired up WordPerfect for a test, and tried a page.  Nothing.

Opened up the print queue and watched.  Job went to the print queue all right, stayed for about a minute, disappeared without an error–and nothing came out of the printer.  “Net use” is obviously working, but the printer isn’t.
Asked for help from HP.  Got back a message saying to turn on Microsoft Loopback Adapter.  Even had detailed instructions on how to do it.

Trouble is, MLA is only useful if you haven’t got any kind of a network.  The “net use” stuff won’t work if you haven’t got a network, so using MLA kinda pretends you’ve got a network, so the redirection stuff works perfectly happily.  (Is it just me, or is there something wrong with a technology that requires you to hack your own system to use basic and normal functions?)  Since everybody who has a high speed connection to the Internet these days (and that is a pretty large majority) has a “local” network, MLA is pretty much unnecessary.  So I replied back to HP thanking them and explaining
why their workaround didn’t help much.  Got back a snarky reply saying that they were just trying to help, and telling me to do it again.  No help from HP, then.

Turned to friends.  (Probably where I should have started in the first place, right?)  Got some suggestions to use PRN2FILE (old and free), DOS2PRN (newer and shareware), and Printfil (newer and very commercial).  All of these basically do the same thing as the “net use” command, so they didn’t help very much.

Another friend looked to the online documentation at HP.  (You don’t get any documentation with printers anymore.  Not even for the installation.  If I hadn’t installed an HP combo scanner a few years back I wouldn’t even have known that you have to install the software and start the setup running before you connect the printer.  HP doesn’t even include a sheet telling you that anymore.)  As far as he was concerned it should work, since the printer I had did support the HP PCL.  Unfortunately, the documentation isn’t very good on versioning.  You see, there is not only an HP LaserJet P1005, there is also an HP LaserJet 1005, as well as an HP LaserJet 1500 series.  The HP LaserJet P1005 doesn’t have PCL.  I’d bought a (*&^@#+”~ Winprinter.

OK, that’s it. right?  Game over.  You can’t make a Winprinter, which basically expects a bitmap from MS Windows, to print anything else.

Not quite.

Enter yet another friend with a pointer to http://www.columbia.edu/~em36/wpdos/winprint.html#usbprint.  Good old Columbia U.  (Good people at Columbia.  They brought us Kermit.  You’ve never heard of Kermit?  Kids these days …)  Starting there, I eventually found http://www.columbia.edu/~em36/wpdos/v5macroanyprinter.html.  I mean, how particular do you need to get?  Not only is it specifically for WordPerfect version 5.1, it even has a Ghostscript printer driver, and the macros to make it all happen with one keystroke.  Beauty job, guys.

I should also mention the Ghostscript and Ghostgum people.  I’ve actually been aware of those programs for some time.   I used to use them for reading PDFs, since it was generally quicker and more useful to use them than the Adobe reader products.  (I haven’t been able to turn WordPerfect docs into PDFs just yet: something odd with the GSviewer macro, but at least I know it’s possible.)

There’s always more than one way to skin a computerized cat …

Share

What is your blackberry doing without telling you?

I recently added a contact to my BlackBerry PIN network. The contact was informed of this via an email, and then went on to reply (accept) to this email based invitation.

The response sent from his blackberry was not visible in his “sent” folder, nor was it visible in my “inbox” as apparently BlackBerry has the ability to secretly delete emails as soon as they are processed – thus making it do things a bit “under the radar”.

It’s not yet clear to me how difficult it is to do this manually – adding of a contact to your BlackBerry PIN list – but here are some clues on the email mechanism. Apparently, you need to include in the subject and in the beginning of the message body (subject works in most cases – html appears to behave differently) the following string:

< $RemoveOnDelivery,SuppressSaveInSentItems>

You can combine the above in the subject line with confirm, which will cause BlackBerry to send back a delivery confirmation, combined with the deletion and suppression of saving the item:

< $confirm, RemoveOnDelivery,SuppressSaveInSentItems>

Share