GANSECBLOGGER Blog is moving!
June 8, 2010
This blog is moving to my business website location. The new location for this blog will be http://www.gansec.com/blog/.
See you there!
The official Weblog of Georgia Network Security Consulting, LLC.
June 8, 2010
This blog is moving to my business website location. The new location for this blog will be http://www.gansec.com/blog/.
See you there!
June 7, 2010 Leave a comment
Looks like there is a new vulnerability out that affects Adobe Flash, Player and Acrobat reader. Exploit is out on the Internet. Attackers are able to take over your system if you open up infected files (flash, PDF etc).
From this Adobe advisory:
A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat.
There is no fix yet. Stay tuned.
June 2, 2010 Leave a comment
This is getting worse and worse – the good people over at H Security (here is the article) found out that the iPhone issue first reported by security expert Bernd Marienfeldt is even more significant: You can connect an iPhone to a Windows Vista machine and lo and behold, EVERYTHING is accessible, EVEN passwords.
[…] managed to connect an iPhone with iTunes under Windows and created a full backup, including such sensitive data as passwords in clear text.
However, they state, this does not work if the iPhone was in a locked state before it was shutdown. The article says.
[…] has come to the conclusion that the problem only occurs if the iPhone was shut down from an unlocked state. During the wake up this state is restored and the device is “open” for a short period of time before the Springboard application wakes up and locks it down. This short period is sufficient for a pairing to occur that ensures permanent access. An iPhone that was shut down in a locked state does not accept the pairing – which corresponds to heise Security’s observations. This reduces the risk somewhat, because a lost iPhone in a locked state cannot be tricked into pairing.
Either way, crazy stuff.
May 26, 2010 Leave a comment
Bernd Marienfeldt, security officer at LINX, uncovered a pretty bad vulnerability of the latest iPhone that is out there: even with encryption, set passphrases etc, anyone using Ubuntu LINUX can access certain data you have stored on it. There is no fix for this yet.
More detail on Heise-Online, here is the article.
Excerpt:
.. found that he was able to gain unfettered access to his iPhone 3GS from Ubuntu 10.04. If he connected the device whilst it was turned off and then turned it on, Ubuntu auto-mounted the file system and was able to access several folders despite never having previously been connected to the iPhone. The H’s associates at heise Security have successfully reproduced the problem. An Ubuntu system which had never before communicated with the iPhone immediately displayed a range of folders. Their contents included the unencrypted images, MP3s and audio recordings stored on the device.
UPDATE: Rumors have it that this may also affect the iPad.
January 25, 2010
RealNetworks recently released a patch to fix no less than 11 critical vulnerabilities.
This is the advisory from Real Networks. Patch can be downloaded from here.
Heise recommends to simply just uninstall it.
Since the proprietary RealMedia format is now barely used, as an alternative to installing the update, users might wish to simply uninstall RealPlayer completely. While few users still have RealPlayer installed, those who do mostly have vulnerable versions, as has been recently demonstrated by The H’s update check. During roughly 140,000 tests over a 30 day period, update check registered around 7,300 installed copies of RealPlayer versions 10.x and 11.x, of which more than 80% were vulnerable.
I agree. The format is not really used anymore. Real was useful a couple of years back, but no more. Throw it into the trash – uninstall it.
January 21, 2010 Leave a comment
I found an article on Help Net Security about the kind of passwords people use. The article can be found here.
Imperva released a study analyzing 32 million passwords exposed in the Rockyou.com breach. The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism.
In the past, password studies have focused mostly on surveys. Never before has there been such a high volume of real-world passwords to examine.
Key findings of the study include:
- The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic forms of cyber attacks known as “brute force attacks.”
- Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password is “123456”.
- Recommendations for users and administrators for choosing strong passwords.
“Everyone needs to understand what the combination of poor passwords means in today’s world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second—or 1000 accounts every 17 minutes,” explained Imperva’s CTO Amichai Shulman.
The report identifies the most commonly used passwords:
1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123For enterprises, password insecurity can have serious consequences. “Employees using the same passwords on Facebook that they use in the workplace bring the possibility of compromising enterprise systems with insecure passwords, especially if they are using easy to crack passwords like ‘123456’,” said Shulman.
“The problem has changed very little over the past 20 years,” explained Shulman, referring to a 1990 Unix password study that showed a password selection pattern similar to what consumers select today. “It’s time for everyone to take password security seriously; it’s an important first step in data security.
The complete report is available here.
There are two important lessons learnt from this:
1. Do not use simple to guess passwords
2. Do not use the same password in multiple places.
If you do not follow these guidelines, and someone guesses your password, you are pretty much out of luck as they will be able to access all the accounts and sites that this password works with.
I always recommend building passwords along the following guidelines:
- length between 8 and 12 characters, alphanumeric and non-alphanumeric
- contain at least one upper-case letter
- contain at least 1 non-alphanumeric value
- do not use a derivation of a word, e.g “t3stt3stt3st”, “password1”.
- use a sentence as basis for a password, pick letters of each word of that sentence, replace letter with numbers, add at least 1 non-alphanumeric value.
An example of constructing a secure password (do NOT use the password below)
“This will be a cool password nobody will ever crack”
=>”Twb4cPWDnw3c!”
Use the guidelines above, and you will never be hacked for the reason of having had weak passwords.
January 21, 2010 Leave a comment
Adobe quietly released a HIGHLY CRITICAL update to Shockwave on Tuesday. Exploiting these vulnerabilities enables an attacked to inject code and – shock – take over your system. Yes, you need to update your Shockwave installation ASAP. And yeah, you even have to uninstall your old version first!
Adobe advisory is here:
Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.2.602 and earlier versions, on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits the vulnerabilities, to run malicious code on the affected system. Adobe has provided a solution for the reported vulnerabilities. It is recommended that users update their installations to the latest version using the instructions provided below.
[…]
Adobe recommends Shockwave Player users uninstall Shockwave version 11.5.2.602 and earlier on their systems, restart their systems, and install Shockwave version 11.5.6.606.
Download Patches from here: http://get.adobe.com/shockwave/.
January 21, 2010 1 Comment
Considering that more and more people use Smartphones like Blackberries and iPhones, mobile security becomes more and more of an issue. You have an anti-virus scanner on your laptop? A firewall? You keep it up to date with the latest patches? That is awesome; I commend you for it. But what about your phone that you use to access your e-mail? How do you protect your Smartphone from getting hacked?
This is the first part of a series on how to secure your Smartphones. Credits to PCMag.
BlackBerry (System 4.5 and higher)
Go to Options, then Security Options, then:
- Password-protect start-up. Under General Settings, set Password to Enabled. You may also want to change other settings here, such as the number of password attempts allowed before the device is locked, and whether the device should automatically lock on holstering. Commit your changes by pressing the Back button (the half-circle arrow) and enter your new password when prompted. Choose a password you’ll remember and that will be quick and easy to type using the device’s keypad. Confirm that password, then exit to the main menu. Lock your phone by pressing and holding the * button to confirm that it has been password-protected.
- Encrypt data. Scroll past General Settings to Content Protection, and enable it. Under Strength, you can select Strong (80 bits), Stronger (128 bits), or Strongest (256 bits). I recommend using Stronger for faster encryption/decryption or Strongest for the most security. Selecting Yes for Include Address Book will keep your contacts secure but also result in disabling caller ID when the phone is locked. Circle-arrow back out, then create an encryption key by randomly moving the trackball and typing characters. A good practice is to regenerate an encryption key every two to four weeks: Under Security Options | General Settings, click on any service, then click Regenerate encryption key.
- Secure passwords. Please don’t fall into the trap of saving usernames and passwords in your mobile device’s browser. Anyone who finds your device and unlocks it then has access to all of your online accounts. Instead, use the Password Keeper utility to store and encrypt this info.
- Lock down Bluetooth. By default, Bluetooth is on. In addition to wasting your battery, this leaves you open to Bluetooth-based attacks. From the Home screen, go to Set Up Bluetooth. When prompted to Add Device select Cancel. Press the Menu button, then select Options. Set Discoverable to No, so other devices can’t find your BlackBerry, and set Security to High—or if the Bluetooth devices you use with your BlackBerry support it, set Security to High + Encryption to encrypt Bluetooth data transmissions. From the following checklist, enable only those services you think you are going to use with Bluetooth—most commonly headset and hands-free. Exit and save.
- Clear memory. Also under Security Options, memory clearing can delete sensitive data, such as unencrypted e-mail messages and username, password, and other certificate-related info, from memory. You can set the BlackBerry to clear memory under certain circumstances—for example, when you holster your BlackBerry or lock it.
Smartphone (Windows Mobile 6)
- Password protect start-up. Go to Start | Settings | Lock and configure a password. Check the box next to Prompt if the device is unused for and then select a time period from the drop-down box, something in the 5-to-30-minute range. You can set your password to be a simple four-digit PIN or a strong alphanumeric string and then enter your password in the boxes below. You can also set a hint, but remember that this can be read by anyone with physical access to your phone. At this point, it would help to go to Settings | Today, click the Items tab and check the box next to Device Lock to provide a quick locking option on your Home screen.
- Encrypt data. Under Settings | Security | Encryption, check the box that says Encrypt files placed on the storage card, then click OK. A storage card can actually contain both encrypted and nonencrypted data, but encrypted data can be read only from the device in which it was encrypted and written, or from a Windows PC using ActiveSync and Windows Mobile Device Center. There’s also a big gotcha lurking: If you have to perform a hard reset of your device or update the ROM, you will lose the encryption key stored on the device, and with it, access to your data. Companies can push encryption policies to Windows Mobile devices using Exchange Server 2007.
- Secure passwords. This requires a third-party solution, such as KeePass or some other eWallet type of encrypted password manager.
- Lock down Bluetooth. Go to Start | Settings, then the Connections tab, then Bluetooth. On the Mode tab you can enable or disable Bluetooth and make your device visible; Off and Not visible are the more secure settings. Scroll all the way right to the Security tab and check the box to require authentication for data beaming.
- Clear the memory and cache. In Internet Explorer, go to Menu | Tools | Options; in the Memory tab you can set a history retention time in days or clear the history manually. Click the Delete Files button to clear the Web cache. Navigate to the Security tab and click the Clear Cookies button.
iPhone
Unfortunately, you won’t find a list item called “Encrypt data” below. At this point, there doesn’t seem to be any encryption available for iPhones.
- Enable Passcode Lock and Auto-Lock. Click the main iPhone Settings icon, then click the General tab and select Auto-Lock. Select the time period you want, then exit out to the Home screen. Once Auto-Lock locks the phone, Passcode Lock will require a four-digit PIN to unlock it. Click the iPhone Settings icon, then General, then Passcode Lock. From there enable Turn Passcode On. Enter your passcode. Tap Require Passcode and then choose “immediately.”
- Secure passwords. There’s no native way to do this, so you’ll have to use a third-party password manager.
- Lock down Bluetooth. It’s great that Bluetooth is off by default on iPhones, but you should also set yours to require an eight-character PIN for connections with Macs. Turn on Bluetooth only when you need it.
- Clear the memory and cache. Back on the Passcode Lock screen, you can disable SMS Preview while the device is in its locked state, and also turn on the Erase Data function. This will wipe the iPhone clean after ten failed passcode attempts. You can clear cookies, browser cache, and history from the Settings menu in Safari.
This should get you started.