Archive for the ‘Information Security’ Category

iPhone: Harbinger of Doomsday Malware

February 15th, 2010

The security guy voice in my subconscious has been yelling at me to pay attention to the iPhone for a while now and that’s been bothering me.

Information Security professionals must focus on the threats they are charged to defend against, but it's also beneficial for them to consider what the attack vectors of tomorrow might be, so they can better prepare for them today.

Proposition: iPhone user? You’re pwned.

Yes, that is quite a blanket statement. Give me a minute to back up that statement with my evidence.

Let’s start with motivations:

  • Authors of malware (malicious software) write it to make money by capturing your resources (bandwidth or storage)
  • Malware programmers will choose a target based on the amount of bang for their buck (or time)

Some statistics:

44 million Apple iPhones have been sold to date (and that's not counting iPod Touches).

iPod Touch sales now outpace iPhone sales, so let's assume one iPod Touch sold for each iPhone sold to date.

Windows XP was released in 2001 and hit 153 million units within the first 3 years of its release.



Conclusion 1: iPhone OS is as popular as Windows XP was 2001-2003

So far, we’ve established that the iPhone & Mac platforms are a realistic target. Let’s take a look at what vulnerabilities on iPhones look like. I have assembled a list of some of the bad vulnerabilities that have been found and patched to date. Keep in mind that these have all been discovered since the iPhone was announced in summer 2007.

Arbitrary remote code execution:
• Receiving a maliciously crafted SMS message
• Playing a maliciously crafted mp4, AAC or MP3 audio file
• Visiting a maliciously crafted website
• Viewing a maliciously crafted PNG or TIFF image
• Viewing a maliciously crafted MPEG-4 video
• Opening a maliciously crafted PDF file
• Accessing a maliciously crafted FTP server

Interception & redirection:
• Susceptible to DNS cache poisoning and may return forged information
• Predictable TCP initial sequence numbers may lead to TCP spoofing or session hijacking
• Look-alike characters in a URL could be used to masquerade a website
• A remote attacker may cause a device reset (via crafted ICMP Ping)

Breach of Privacy:
• Apps can read another app's data
• User names and passwords in URLs may be disclosed to linked sites

Unauthorized Local access:
• An unauthorized user may bypass the Passcode Lock and launch iPhone applications via Emergency Call
• Deleted email messages may still be visible through a Spotlight search
• Passwords may be made visible via undo
• A person with physical access to a locked device may be able to access the user’s data

Now here comes the real shocker…

In nearly 3 years of availability, the Apple iPhone OS has had 104 security vulnerabilities identified and patched, while Microsoft Windows XP had 86 security vulnerabilities patched in its first 3 years.

In the same amount of time after release, the iPhone had 18 more security patches than Windows XP did. To skew the number even further, 27 (twenty seven!) of those Windows XP Patches were replaced by another patch so technically there were only 59 patches for Windows XP in the first three years.

Conclusion 2: The iPhone is a more vulnerable target than infant Windows XP was (pre SP2!)

Finally, let’s review what sensitive personal information is stored on these devices and is at risk of being leaked.

  • GPS Location
  • Safari History
  • AutoComplete data
  • Call History
  • YouTube History
  • Emails
  • Text Messages
  • Address Book
  • Pictures
  • Name
  • Phone Number
  • Birthday

Conclusion 3: the iPhone is a sexy, well-organized, treasure trove of personal information, ripe for theft or abuse


This would suggest that the early iPhone 0-day attacks will be spear phishing high profile users such as celebrities, business leaders or government officials.

What do you think?


Apple, Information Security

John the Ripper Password Cracking Now Obsolete

February 14th, 2010

The days of using John the Ripper are numbered. Soon, you will perform your password cracking and password strength audits using security tools that utilize the GPU cores in high performance gaming video cards.

Why?

Gaming video cards are designed to churn through metric tons of floating point operations per second; hence the common metric gflops (giga floating point operations per second.) To accomplish this, modern boards come with dozens to hundreds of GPU cores which can run data crunching tasks in parallel.

An astute reader would point out that password hashing algorithms are devised to run on CPU cores which excel in integer operations, not floating point operations.

Luckily for us security folks, the number of processing units on gaming video boards is so high that they can provide orders-of-magnitude better performance than traditional CPU-based password crackers.

Can you recommend any GPU based password cracking tools that could replace JTR today?

Information Security

SANS 502 – Get Your GIAC GCFW Cert in Burbank, CA

December 11th, 2009

SANS 502 – Firewalls, Perimeter Protection & VPNs is an undiscovered gem in the SANS armada of training offerings. It's an excellent overview of the technologies and concepts that any entry-level Information Security professional going into a corporate environment needs. While it may not be as sexy as the penetration testing classes SANS also offers, it definitely still holds value for anyone who plans to be (or ends up) responsible for protecting a corporate network environment. This class corresponds to the GIAC GCFW certification. Personal comments aside, here's the flyer SANS has just sent out:


Please join me in Burbank, CA starting on February 11 for SANS Security 502: Firewalls, Perimeter Protection & VPNs. Experience this local class and SANS award winning security training first hand in the popular Mentor format! For complete course details and registration information, please click on http://www.sans.org/info/45104.

Register by December 15th and receive $500 towards any single course* in 2010. Enter in the discount code “BYE09” in step 3, group discount code. Instructions to redeem your $500 award will be sent to you upon receipt of your paid registration.

Benefits of the Mentor Program https://www.sans.org/mentor/about.php are:

  • Save 25% off the regular SANS tuition fee with the ability to save even more with group discounts (see below)
  • No need to spend money on travel outside of your local area
  • Small, locally run 10 week classes utilizing the same great SANS courseware presented at larger conferences
  • Evening classes do not conflict with daytime commitments
  • Direct, hands on contact with a qualified Mentor

The Mentor program reviews the courseware at a slower pace giving the student more time to learn the material. Students can apply the class material the next day when they return to the office and bring questions back to the Mentor each week!

“The SANS Mentor program is a great value. It allowed a learning environment that was local, with a knowledgeable instructor, and fellow like minded individuals.  All of this without having to travel!”
- Sean Nixon – Fidelity National Information Service

EXTRA TUITION DISCOUNTS are available for 2 or more students who register from the same organization. To obtain the Group Discount fee for this course, please contact Heather Kohls directly at mentor@sans.org PRIOR to registering with your company name and contact information of those wishing to attend.

Discover the quality training only The SANS Institute has to offer and register today!  Once again, for complete course details, course outline and to register, visit http://www.sans.org/info/45104.

Information Security

Metasploit Framework 3.3 Released Today

November 17th, 2009

The Metasploit Framework 3.3 was released today (Tue, Nov 17th.)

Tons of bug fixes and more exploits for us to play (pentest) with!

(via SANS Internet Storm Center.)

Information Security

Strong Contender for Worst Idea of the Year: Adobe Flash 10.1 Adds Hardware Video Acceleration

November 17th, 2009

I’m not claiming to be an expert on how Macromedia / Adobe Flash is bolted together or on its security architecture; however, adding an API that allows any website to stream HD video directly to the video card sounds like a terrible idea, on a level of badness equal to ActiveX. Makes you wonder what the QA cycle for video card drivers is like.

Luckily, Adobe has only announced support of this new reason to keep all us security folks employed (HD Video Acceleration) for Microsoft operating systems at this time.

(Feature announcement via Lifehacker.)

Oh, and here are some performance benchmarks from AnandTech.

Information Security

Top 10 Risks to Web Applications

November 17th, 2009

OWASP has published a release-candidate report of the top 10 risks they foresee to web applications in 2010.

Summary:

  1. Injection
  2. Cross Site Scripting (XSS)
  3. Broken Authentication and Session Management
  4. Insecure Direct Object References
  5. Cross Site Request Forgery (CSRF)
  6. Security Misconfiguration
  7. Failure to Restrict URL Access
  8. Unvalidated Redirects and Forwards
  9. Insecure Cryptographic Storage
  10. Insufficient Transport Layer Protection

Information Security

Selecting Anti-Virus Software for Home

September 14th, 2009

“I purchased X Anti-Virus for my Home PC last year and unimpressed, let it expire. Which anti-virus product should I purchase now?”

I get asked this question a lot. Below is how I typically answer it, in the hope that someone out there will find it useful as a template for responding to similar questions.

Read more…

How To, Information Security

X10 Smarthome Security

March 10th, 2009


I’ve been looking into home automation gadgets like X10 for quite some time now. My interest in home automation revolves around reducing power consumption and recording anomalous events with cameras as evidence, and also around the fact that I’m super lazy, only like doing things once (but the right way), and want my CFLs to flick on when I stumble in after a long day at work. I also want to build a DIY BIDS: Burglar Intrusion Detection System.

I even admit to visiting my local library and borrowing books on the subject solely with the goal of pimping the geek out of my home. So did I find true trekkie bliss, full of motion sensing lighting, sexy sounding verbal computer readouts, intelligent power management and enhanced security?

Read more…

EPIC FAIL, Information Security

Computer Security At Hotels

March 5th, 2009

When was the last time you visited a hotel, plugged in your laptop, and logged into your gmail account?

Do you recall the last time you connected to Free Public Wifi to quickly check your eBay auctions? Looking back, don’t you wonder who else may have been listening in on your Internet activity? Let’s find out how to protect yourself against unwanted network ‘wiretappers’…

Read more…

Information Security, Travel, Windows

Spam is unpredictable

November 13th, 2008

Does anyone remember when the FBI busted a major spam ring? Bravo to those boys for what must have been a tough job.

Here’s a pic of what a huge difference it made according to submissions to spamcop.net:

Total spam report volume graph

Hmmm, not much to see here.

Today I saw an article in the Washington Post talking about how web host McColo was shut down after being accused of spam activity. Here’s this week’s spamcop.net pic:

Total spam report volume graph

I leave it up to you, the reader, to determine which day and at what time McColo was voted off the island.

Information Security, Internet