iPhone Vulnerability even worse than assumed – everything exposed when connected to Windows

This is getting worse and worse – the good people over at H Security (here is the article) found out that the iPhone issue first reported by security expert Bernd Marienfeldt is even more significant: You can connect an iPhone to a Windows Vista machine and lo and behold, EVERYTHING is accessible, EVEN passwords.

[…] managed to connect an iPhone with iTunes under Windows and created a full backup, including such sensitive data as passwords in clear text.

However, they state, this does not work if the iPhone was in a locked state before it was shutdown. The article says.

[…] has come to the conclusion that the problem only occurs if the iPhone was shut down from an unlocked state. During the wake up this state is restored and the device is “open” for a short period of time before the Springboard application wakes up and locks it down. This short period is sufficient for a pairing to occur that ensures permanent access. An iPhone that was shut down in a locked state does not accept the pairing – which corresponds to heise Security’s observations. This reduces the risk somewhat, because a lost iPhone in a locked state cannot be tricked into pairing.

Either way, crazy stuff.

Advertisements

Vulnerability in iPhone data encryption Or: Do not lose your iPhone because everyone will be able to access it

Bernd Marienfeldt, security officer at LINX, uncovered a pretty bad vulnerability of the latest iPhone that is out there: even with encryption, set passphrases etc, anyone using Ubuntu LINUX can access certain data you have stored on it. There is no fix for this yet.

More detail on Heise-Online, here is the article.

Excerpt:

.. found that he was able to gain unfettered access to his iPhone 3GS from Ubuntu 10.04. If he connected the device whilst it was turned off and then turned it on, Ubuntu auto-mounted the file system and was able to access several folders despite never having previously been connected to the iPhone. The H’s associates at heise Security have successfully reproduced the problem. An Ubuntu system which had never before communicated with the iPhone immediately displayed a range of folders. Their contents included the unencrypted images, MP3s and audio recordings stored on the device.

UPDATE: Rumors have it that this may also affect the iPad.

Do not use simple passwords and do not use the same password in more than one place

I found an article on Help Net Security about the kind of passwords people use. The article can be found here.

Imperva released a study analyzing 32 million passwords exposed in the Rockyou.com breach. The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of these as a security mechanism.

In the past, password studies have focused mostly on surveys. Never before has there been such a high volume of real-world passwords to examine.

Key findings of the study include:

  • The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic forms of cyber attacks known as “brute force attacks.”
  • Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on). The most common password is “123456”.
  • Recommendations for users and administrators for choosing strong passwords.

“Everyone needs to understand what the combination of poor passwords means in today’s world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second—or 1000 accounts every 17 minutes,” explained Imperva’s CTO Amichai Shulman.

The report identifies the most commonly used passwords:

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

For enterprises, password insecurity can have serious consequences. “Employees using the same passwords on Facebook that they use in the workplace bring the possibility of compromising enterprise systems with insecure passwords, especially if they are using easy to crack passwords like ‘123456’,” said Shulman.

“The problem has changed very little over the past 20 years,” explained Shulman, referring to a 1990 Unix password study that showed a password selection pattern similar to what consumers select today. “It’s time for everyone to take password security seriously; it’s an important first step in data security.

The complete report is available here.

There are two important lessons learnt from this:

1. Do not use simple to guess passwords

2. Do not use the same password in multiple places.

If you do not follow these guidelines, and someone guesses your password, you are pretty much out of luck as they will be able to access all the accounts and sites that this password works with.

I always recommend building passwords along the following guidelines:

  • length between 8 and 12 characters, alphanumeric and non-alphanumeric
  • contain at least one upper-case letter
  • contain at least 1 non-alphanumeric value
  • do not use a derivation of a word, e.g “t3stt3stt3st”, “password1”.
  • use a sentence as basis for a password, pick letters of each word of that sentence, replace letter with numbers, add at least 1 non-alphanumeric value.

An example of constructing a secure password (do NOT use the password below)

“This will be a cool password nobody will ever crack”

=>”Twb4cPWDnw3c!”

Use the guidelines above, and you will never be hacked for the reason of having had weak passwords.