Planet Security

July 02, 2009

The Register - Security: Texting vuln turns iPhone into remote bugging device

SpyPhone 3GS

If you own an iPhone, security researcher Charlie Miller can take control of it, and short of turning off the device, it appears there isn't much you can do to stop him. Not until Apple fixes the flaw, anyway.…

hackaday: Self-portrait machine

[Jen Hui Liao] created a device that guides the user into drawing a portrait of themselves. Dubbed Self-Portrait Machine, it comments on how much in society is created by machines and how dependent we are on them. Unlike previous drawing robots, the user is part of the sketching process. The machine holds the user's hands and uses stepper motors and servos to move them around like a LOGO turtle. Liao promises to have more details available soon. Video of the machine after the jump.

Roger's Information Security Blog: Alternatives to Desktop Lockdown

This is another post based on notes from the Gartner Information Security Summit. Neil MacDonald gave a talk titled Five Alternatives to Desktop Lockdown: Balancing Control and Creativity.

Desktop Lockdown has failed.

But so has complete freedom.

So what do you do?

From an operational perspective, desktop lockdown was performed to reduce the number of disk images the helpdesk had to maintain. It reduced application conflicts and visits by the helpdesk. From a security perspective, lockdown was performed to prevent malware and to prevent users from disabling security applications.

Lockdown has failed for a number of reasons. In XP, the locked-down experience is lacking. You can't change the timezone or install a printer driver. It's not workable for the traveling user.

Locking down computers failed because new technologies bypass local controls. For example, it doesn't prevent the user from using Google Apps and other forms of cloud computing in an insecure manner. Being a standard user doesn't even prevent all software installs. Google Chrome installs as a standard user. Microsoft was pressured to make Silverlight install without administrative rights. As long as the software only writes to your user profile and your portion of the registry, it can install as a standard user. Malware writers will not be deterred by lack of admin rights.

It's almost a cliché at this point, but the consumerization of IT has led to a new workforce: Generation Y digital natives. They may not be any better at not falling for fake AntivirusXP, but they expect full access all the time.

Does IT really know what people need to do their jobs? Locking down was supposed to be a means to an end, not an end itself. Protecting the data is the primary goal.

Saying that lockdown has failed does not mean that complete freedom has succeeded.
The cost of managing end-user computers is far greater for unmanaged computers. The risk of virus attacks is much greater with administrative rights.

So what do you do? The talk reviewed multiple alternatives.

Alternative 1: De-Privilege Admins - UAC
UAC prompts to elevate rights when admin rights are needed.

As you already know, that can be annoying if you have a lot of applications that are poorly written and need admin rights. Also depending on the user this can barely be a speedbump in stopping malware.

Alternative 2: Whitelist
While basic whitelisting is currently available in Windows XP and later as well as in most Endpoint Protection (AV) applications, newer offerings from companies like Bit9 make it easier to whitelist. They maintain the lists so you don't have to manually update each time a new version is released. They also can use reputation services that make a judgment about any new/unknown files.

One user, when told we were considering this technology, stated that as an engineer he installs all sorts of software and really important work would stop if he couldn't install every random file he found on the Internet.

Host-based Intrusion Prevention Systems (HIPS) also fall into this category. They are much more complex, and can cause instability issues depending on how they are integrated.

Alternative 3: Remote Presentation
In this scenario users log into a remote server such as VMware or a terminal server. Of the local computer and the remote session, one is managed and the other is unmanaged.

This scenario requires solid network connectivity. It also isn't clear how the network is protected from the unmanaged computer.

Alternative 4: Multiple Virtual Machines running locally
Unlike the previous alternative, the user can work without a remote connection: the virtual machines are on the local computer.

The major drawbacks to this approach are licensing cost, patching, and extra hardware cost.

In the future the hypervisor may make it to the desktop for better performance, but we are not there yet.

Alternative 5: Workspace Virtualization
In this alternative the risky applications are put into their own sandbox.
Ringcube, Creedo, and InstallFree are three vendors in this space.

Alternative 6: Hybrid
A few from column A and a few from column B.

Alternative 7: Employee Owned PCs
I've read the articles on companies that are providing dollars for people to buy and support their own computer. I also read about a smaller company where the owner considered the computer like a toolbox. The craftsman provides his own tools. Not a great analogy because a craftsman power saw isn't going to get infected and DDoS the network. (Although cheap worker provided power tools could break spectacularly in a particularly liable fashion).

The analogy provided during the presentation was a road. A trucker provides the truck. He can buy the truck he wants, but it must meet certain requirements. Then while used on the road he must obey traffic laws. Officer Friendly is waiting to write a speeding ticket.

Those are seven alternatives to desktop lockdown. I think that application whitelisting will become the most mainstream the fastest. Although virtualization is moving fast. XP mode within Windows 7 is virtualization. I believe Macs have a virtual MS Windows. The question I would have is what gets virtualized. Every Internet facing application?

For the longest time, vendors made me feel like I was at the only company in America to allow Administrator rights to users. (Neil MacDonald, if you head this way I'd love to know what percentage of companies in general and Federal Contractors in particular lock down the computers by restricting admin rights as required by the FDCC). It is very interesting to hear about some other solutions. Obviously antivirus is not working but we still need to provide protections.

CNET News.com - Security: Apple fixing iPhone SMS security hole

Vulnerability in the way iPhones handle text messages could be used to track the location of the phone, turn on the microphone, or turn the phone into a botnet zombie.

HP - Application Security Center Community: Quality Engineers & Testers - StarWest is Coming Up!

I'm thrilled to announce that I have been selected to speak at the StarWest 2009 Quality Conference (SQE), October 5-9th 2009, hosted at the Disneyland Hotel in Anaheim, CA! The link to the conference website is here (http://www.sqe.com/starwest/Schedule/Default.aspx) and there are a number of awesome speakers as well!

The StarEast conference was chock-full of great speakers, vendors and of course yours-truly... speaking on Security topics and why the quality assurance teams are so crucial to the web application security process.  That's right, I've been talking about Q/A engineering and testing teams and why they're so crucial to the success of any enterprise web application security program - but now for the first time you'll get the truth that the IT Security guys probably won't tell you - YOU are the key!  My talk on this topic promises to be riveting and will certainly have an impact on formal testing and security organizations...

As an added bonus - if you sign up you'll get money OFF the price of your admission!

Register using special promo code SKWS and save up to $300! Register by September 4th to add the Early Bird Discount for up to $600 in total savings! Call the client support group at 888.268.8770 or register online at: https://www.sqe.com/starwest/Register/SelectConference.aspx

I'll see you all there!

hackaday: Crack WEP using BackTrack

Lifehacker wrote a guide for cracking a WiFi network’s WEP password using BackTrack. BackTrack is a Linux live CD used for security testing and comes with the tools needed to break WEP. Not just any wireless card will work for this; you need one that supports packet injection. The crack works by collecting legitimate packets then replaying them several times in order to generate data. They point out that this method can be hit-or-miss, especially if there are few other users on the network, as the crack requires authenticated packets. We covered cracking WEP before, but using BackTrack should smooth out compatibility issues.

hackaday: Scratchbot: Whiskers to the rescue

Scratchbot is designed as a rescue bot, going places where there is low visibility. Its defining feature is the fact that it uses “whiskers” to feel for things. We feel like this is a little gimmicky. If it is a low visibility situation, wouldn’t IR or audio, possibly sonar, be more effective? How would it differentiate between different physical obstacles? Are the whiskers really new? Aren’t they really just bump sensors? Maybe they have something a little more complicated going on. There was another recent bot that utilized whiskers and compared different tactile profiles to determine what it was touching.

SANS Internet Storm Center: Cold Fusion web sites getting compromised, (Thu, Jul 2nd)

There have been a high number of Cold Fusion web sites being compromised in the last 24 hours. We received several e-mails about this.



It appears that the attackers are exploiting web sites which have older installations of some Cold Fusion applications. These applications have vulnerable installations of FCKEditor, which is a very popular HTML text editor, or CKFinder, which is an Ajax file manager. The vulnerable installations allow the attackers to upload ASP or Cold Fusion shells which further allow them to take complete control over the server.



The attacks we've been seeing in the wild end up with inserted script tags into documents on compromised web sites. As you can probably guess by now, the script tags point to a whole chain of web sites which ultimately serve malware and try to exploit vulnerabilities on clients.



What's interesting is that the group behind this is probably connected to (if not the same as) the group that performed a lot of similar attacks back in March. I wrote several diaries about them; see http://isc.sans.org/diary.html?storyid=6001 and http://isc.sans.org/diary.html?storyid=6010



Back in March, once they gained access to the server, they used a local privilege escalation exploit for a vulnerability that was, at that time, unpatched. If your servers are up to date with Microsoft patches, the vulnerability has been patched but they still can modify local web site files in a lot of cases (and sometimes even more, depending on Cold Fusion's configuration).



We'll be carefully monitoring the situation with this, of course. In the mean time, make sure that all applications you are running are up to date and fully patched. Another thing you might want to do is check for any old software you might have on your servers; it is very common for applications to leave old, vulnerable parts that are not used any more hanging around. And such applications are just waiting to be compromised.
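The diary names two things a defender can sweep for on a Cold Fusion host: forgotten FCKEditor/CKFinder directories left behind by old application installs, and external script tags injected into site pages. The script below is an added example written for this page, not ISC's or Bojan's code. It assumes the leftover components can be recognised by their directory names (fckeditor, ckfinder) and that the site's legitimate script hosts are known to the operator; the sample web root it builds, including every host name in it, is constructed for the demonstration.

```python
"""Defender-side sweep for two symptoms described in the ISC diary:
leftover FCKEditor/CKFinder directories and injected external <script> tags.
The sample site built below is constructed for the example; nothing in it is real."""
import re
import tempfile
from pathlib import Path

# Directory names that usually mean a bundled editor/file manager was left
# behind by an old application install (assumption; matched case-insensitively).
LEFTOVER_DIRS = {"fckeditor", "ckfinder"}

# File types that carry HTML and are therefore targets for script injection.
HTML_SUFFIXES = {".html", ".htm", ".cfm", ".cfml", ".asp", ".aspx"}

# Matches <script ... src=http://host/..., https://host/... or //host/...
# and captures the host; relative paths such as src="/js/app.js" do not match.
SCRIPT_SRC_RE = re.compile(
    r"<script[^>]*\ssrc\s*=\s*['\"]?\s*(?:https?:)?//([^/'\"\s>]+)",
    re.IGNORECASE,
)


def find_leftover_editors(webroot):
    """Relative (POSIX-style) paths of directories named like a known editor."""
    webroot = Path(webroot)
    hits = [p.relative_to(webroot).as_posix()
            for p in webroot.rglob("*")
            if p.is_dir() and p.name.lower() in LEFTOVER_DIRS]
    return sorted(hits)


def find_external_scripts(webroot, trusted_hosts):
    """(relative file, host) pairs for every <script src> that loads from a
    host outside trusted_hosts, i.e. a candidate injected redirector."""
    webroot = Path(webroot)
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for path in webroot.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in HTML_SUFFIXES:
            continue
        text = path.read_text(errors="replace")
        for m in SCRIPT_SRC_RE.finditer(text):
            host = m.group(1).lower().split(":")[0]   # drop any :port
            if host not in trusted:
                findings.append((path.relative_to(webroot).as_posix(), host))
    return sorted(findings)


def build_sample_site():
    """Constructed web root: one clean page, one page with injected script
    tags, and two forgotten editor directories."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    files = {
        "index.cfm": '<html><body>\n<script src="/js/app.js"></script>\n'
                     '<script src="https://www.example.com/js/site.js"></script>\n'
                     '</body></html>\n',
        "news/article.htm": '<html><body><p>News</p>\n'
                            '<script src=http://bad.example.net/x.js></script>'
                            '<script src=//cdn.bad-example.org/y.js></script>\n'
                            '</body></html>\n',
        "legacy/fckeditor/editor/fckeditor.js": "// old editor build\n",
        "admin/ckfinder/ckfinder.html": "<html><body>file manager</body></html>\n",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for d in find_leftover_editors(site):
        print(f"leftover editor directory: {d}")
    for f, host in find_external_scripts(site, ["www.example.com"]):
        print(f"external script in {f}: {host}")
```

Run it against a real web root by calling the two functions with the document root and the list of hosts your pages legitimately load scripts from; anything reported is a lead to verify by hand, since the directory-name check cannot tell a patched editor from an old one and an unexpected script host may simply be a CDN nobody recorded.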



Thanks to Adam for giving us an early heads up.



--

Bojan

hackaday: How-to: Bus Pirate probe cable

A probe cable makes it easy to connect the Bus Pirate to a circuit and get hacking. Good test clips make quick connections on cramped PCBs without causing short circuits. We made two cables for the Bus Pirate v2; keep reading for an overview of our designs and a list of part suppliers.

Friday, July 3, 2009 is the last day to pre-order a Bus Pirate. There’s only two days left to get your own Bus Pirate, fully assembled and shipped worldwide, for only $30.

Overview

We use these cables to connect the Bus Pirate’s I/O pins to a microchip or test circuit. A cable consists of a 2×5 connector, a cable, and some kind of attachable probe like an alligator clip or test hook.

The gray cable (top) is a ‘junk box’ cable; we recycled it from scrap parts and old computer hardware. The ‘expensive’ cable (bottom) uses high quality and special-order parts.

2×5-pin female connector

The Bus Pirate’s I/O header is two rows of five 0.1″ spaced pins. We used a 2×5 arrangement because 2×5-pin female ribbon cable connectors are common and cheap. We decided against a single row of 10 pins because that connector is an expensive specialty item.

The pin names are shown above, and are silk-screened on the bottom of the PCB. See the Bus Pirate page for detailed descriptions of each pin function.

The junk box cable uses a 2×5-pin female connector from an old PC ISA card.

The expensive cable uses a black connector with a reinforced cable holder. Mouser has gray connectors ($0.69) and black connectors ($1.15).

Ribbon cable connectors have internal pins that pierce the cable when the top part is pressed onto the bottom part.

Ribbon cable

Standard 2×5-pin female connectors attach to 0.05″ 10-strand ribbon cable. The wire thickness is usually 22, 24, or 26 AWG. We think 12 inches (30 cm) is a useful length that doesn’t get in the way.

Grey ribbon cable is pretty common. We salvaged a piece from an old computer connector; you might get lucky and find one with a 2×5 connector already attached.

A color coded cable makes it easy to identify each connection. DigiKey has 5 foot sections ($3.03), Mouser has it by the foot ($1.16, $1.19).

Ribbon cable is cheap and readily available, but it tends to tangle and kink. A really nice probe could use a ribbon cable stub attached to thicker test leads.

Test clips

Test clips are the most important part of the cable. They have to be easy to position, and maintain contact with the circuit. Alligator clips work, but there’s a lot of exposed metal that can create short circuits. Professional test clips have a grabber that retracts into the probe leaving less metal exposed.

Alligator clips

The junk box cable has alligator clip probes; we pulled them off test leads like these (40 leads for $12). You could also use loose red and black clips (20 for $2.30).

Remember to put the rubber housing on the cable before soldering the wire to the alligator clip; it won’t go on later. In the photos you can see that some of our covers are cut to fit over the front of the clip because we forgot.

Round test hooks

This is the classic, round-bodied test hook. These are great for grabbing onto 0.1″ pin headers, wires, and the leads of through-hole components. The hooks are usually too big to use with surface mount components, and the round body makes it hard to fit more than a few in a small space.

Test hooks are easy to position. Squeeze the probe to extend a single metal hook, grab something, then release. The hook retracts into the body of the probe, securing it in place and preventing short circuits.

Most hooks come apart by pulling the top away from the body. Put the test lead through the hole in the cap and solder it to the metal tab. Push the halves together when the joint is cool.

DigiKey ($17.26) and Fry’s ($14.95) have multi-colored hooks in sets of 10. Deal Extreme has dirt-cheap 10 packs of yellow ($2.30) and black ($2.33) hooks, but the reviews say the quality matches the price so buy extra (via [haku]).

Flat test tweezers

Tweezer-probes are great for clipping onto the legs of through-hole, surface mount, and many smaller chips. They usually have a flat body so they fit better in tight spaces than round hook probes.

This type of probe has tiny tweezers instead of a hook. Accidental short circuits are rare because there’s so little exposed metal when the tweezers retract.

Most tweezer-probes pull apart and have a metal solder tab inside. Run a cable strand through the hole in the cap, solder it to the metal tab, and then press the halves back together.

Tweezer quality varies dramatically among brands; we’ve used no-name probes that bend easily or don’t grip well. The X-series micro-hooks from E-Z-Hook are the Cadillac of tweezer-probes; we first used the XKM version that comes with the Saleae Logic. They’re intended to fit specialty test leads, but it’s easy to solder a wire to them instead. About $2 each, available directly from the E-Z-Hook website.

Conclusion

We highly recommend a cable with hook or tweezer-probes for secure connections without causing shorts. The right probe depends on the parts you use. Round test hooks work best with through-hole parts and wires. Flat test tweezers attach well to small, surface mount chips.

Please share any additional part sources in the comments. We did our best to provide a variety of sources, but there’s going to be some great places we’ve missed.

F-Secure - News from the Lab: SMS remote code execution vulnerability in iPhone

Charlie Miller, a well-known security researcher who specializes in Mac and iPhone security, yesterday revealed information about a new vulnerability in the iPhone that allows remote code execution via SMS. Not a lot is known about the vulnerability, which was announced at the SyScan conference in Singapore, except that Charlie is working with Apple to get it fixed as soon as possible.


(picture from apple.com)

This is about as bad as it gets, as the vulnerability seems to allow unsigned code to run, which circumvents a core part of the iPhone's security model: it is usually only able to run signed code, i.e. apps that have been approved by Apple. No user interaction is required, unlike current mobile malware. InfoWorld has the original story here.

PS. I’m shift manager for one of our three daily response shifts this week and I'm tweeting about what we’re doing in the shift over at http://twitter.com/patrikrunald

On 02/07/09 At 06:30 PM

hackaday: Clever stair climbing robot

Stairs are one of the most commonly faced mobility challenges for a robot. This robot’s design eliminates the need for a complex drive train or computer, and instead uses a clever mechanical design to climb stairs. Version three of the robot uses five servos modified for continuous rotation, a Picaxe28, sharp IR sensors, and bump sensors.

[via BotJunkie]

Privacy Digest: Out of business, Clear may sell customer data

Out of business, Clear may sell customer data: Via computerworld.

It would go to a similar provider authorized by the TSA

Three days after ceasing operations, owners of the Clear airport security screening service acknowledged that their database of sensitive customer information may end up in someone else's hands, but only if it goes to a similar provider, authorized by the U.S. Transportation Security Administration.

Until this week, the Clear service had given customers a way to skip long security lines in certain airports. For a $199 annual fee, air travelers could be pre-screened for flight and then use Clear's security checkpoints instead of the TSA's. Clear was run by New York's Verified Identity Pass, which also shut down on Monday.

Customers had to provide personal information, including credit card numbers, fingerprints and iris scans in order to participate in the program. After Clear abruptly shut its doors -- it has not yet declared bankruptcy -- some worried that this data could fall into the wrong hands.

Privacy Digest: TSA asked to ensure safety of customer data after Clear closing

TSA asked to ensure safety of customer data after Clear closing: Via computerworld.

Transportation security agency given July 8 deadline to explain how private information will be safeguarded

The chairman of the House Committee on Homeland Security has given the Transportation Security Administration until July 8 to explain how the agency plans to ensure the security of private data collected by a recently shuttered company that offered a registered traveler program.

In a letter to the TSA's acting assistant secretary, committee Chairman Bennie Thompson (D-Miss.) expressed his concern over the abrupt closure of Verified Identity Pass Inc.

For a $199 annual fee, New York-based VIP offered a service called Clear that was designed to help air travelers get through airport security checks faster by vetting their identities and backgrounds in advance.

The Register - Security: Speculation mounts over AVG plans for OS X client

'Mac users have no antibodies'

AVG bosses aren't saying much, but there's new evidence the anti-virus maker is seriously considering building an application for the Mac.…

CNET News.com - Security: Waledac worm targeting July 4 spam offensive

Researcher warns people to be cautious about clicking on links related to Independence Day videos in e-mails over the holiday.

eWEEK Security: How to Improve IT Cyber-Security with Visual Analytics

Few disciplines require the comprehension of as much information in so little time as computer security. With billions of data records piling up daily for large organizations, no technique holds as much promise as using computer-generated images to tell the story of what's in the data, a process known as visual analytics. Here, Knowledge Center contributor Justin Wolf explains how to use visual analytics to improve IT cyber-security.
- Data visualization has been around for decades, but modern desktop computers finally possess the power to turn raw data into interactive displays for analysis, enabling computer security analysts to use visual analytics techniques to solve daily problems. Although many other tools exist to assi...