GANSECBLOGGER Blog is moving!

This blog is moving to my business website location. The new location for this blog will be http://www.gansec.com/blog/.

See you there!

Vulnerability in iPhone data encryption Or: Do not lose your iPhone because everyone will be able to access it

Bernd Marienfeldt, security officer at LINX, uncovered a pretty bad vulnerability of the latest iPhone that is out there: even with encryption, set passphrases etc, anyone using Ubuntu LINUX can access certain data you have stored on it. There is no fix for this yet.

More detail on Heise-Online, here is the article.

Excerpt:

.. found that he was able to gain unfettered access to his iPhone 3GS from Ubuntu 10.04. If he connected the device whilst it was turned off and then turned it on, Ubuntu auto-mounted the file system and was able to access several folders despite never having previously been connected to the iPhone. The H’s associates at heise Security have successfully reproduced the problem. An Ubuntu system which had never before communicated with the iPhone immediately displayed a range of folders. Their contents included the unencrypted images, MP3s and audio recordings stored on the device.

UPDATE: Rumors have it that this may also affect the iPad.

Child Safety on the Internet – Some Tips

Excellent article on Microsoft.com:

Age-based guidelines for kids’ Internet use

If your children use the Internet at home, you already know how important it is to help protect them from inappropriate content and contact.

Windows Live Family Safety and the parental controls included in Windows 7 and Windows Vista can help you create a safer online environment for your children.

The American Academy of Pediatricians (AAP) helped Microsoft develop age-based guidance for Internet use with the family safety settings in both of these products. It’s important to remember that these are guidelines only. You know your child best.

Up to age 10

Supervise your children until they are age 10. You can use Internet safety tools to limit access to content, Web sites, and activities, and be actively involved in your child’s Internet use, but Microsoft recommends that you sit with your child when they use the Internet, until the age of 10.

Here are some safety tips to consider when you go online with your 2-10 year old:

  1. It’s never too early to foster open and positive communication with children. It’s a good idea to talk with them about computers and to stay open to their questions and curiosity.
  2. Always sit with your kids at this age when they’re online.
  3. Set clear rules for Internet use.
  4. Insist that your children not share personal information such as their real name, address, phone number, or passwords with people they meet online.
  5. If a site encourages kids to submit their names to personalize the Web content, help your kids create online nicknames that don’t give away personal information.
  6. Use family safety tools to create appropriate profiles for each family member and to help filter the Internet.
    For more information, see Windows Live Family Safety, Windows 7 Parental Controls, or Windows Vista Parental Controls.
    Help protect your children from offensive pop-up windows by using the pop-up blocker that’s built in to Internet Explorer.
  7. All family members should act as role models for young children who are just starting to use the Internet.

Ages 11 to 14

Children this age are savvier about their Internet experience, but it’s still a good idea to supervise and monitor their Internet use to help ensure they are not exposed to inappropriate materials. You can use Internet safety tools to limit access to content and Web sites and provide a report of Internet activities. Make sure children this age understand what personal information they should not give over the Internet.

When your kids are this age it might not be practical to physically supervise their Internet use at all times. You can use tools such as Windows Live Family Safety, Windows 7 Parental Controls, or Windows Vista Parental Controls.

Here are some safety tips to consider when you go online with your 11-14 year old:

  1. It’s a good idea to foster open and positive communication with your children. Talk with them about computers and stay open to their questions and curiosity.
  2. Set clear rules for Internet use.
  3. Insist that your children not share personal information such as their real name, address, phone number, or passwords with people they meet online.
  4. If a site encourages kids to submit their names to personalize the Web content, help your kids create online nicknames that give away no personal information.
  5. Use family safety tools to create appropriate profiles for each family member and to help filter the Internet.
    For more information, see Windows Live Family Safety, Windows 7 Parental Controls, or Windows Vista Parental Controls.
  6. Set family safety tools on the medium security setting, which should have some limitations on content, Web sites, and activities.
  7. Keep Internet-connected computers in an open area where you can easily supervise your kids’ activities.
  8. Help protect your children from offensive pop-up windows by using the pop-up blocker that’s built in to Internet Explorer.
  9. Encourage your children to tell you if something or someone online makes them feel uncomfortable or threatened. Stay calm and remind your kids they are not in trouble for bringing something to your attention. Praise their behavior and encourage them to come to you again if the same thing happens.

Ages 15 to 18

Teens should have almost limitless access to content, Web sites, or activities. They are savvy about the Internet but they still need parents to remind them of appropriate safety guidelines. Parents should be available to help their teens understand inappropriate messages and avoid unsafe situations. It’s a good idea for parents to remind teens what personal information should not be given over the Internet.

Here are some safety tips to consider as you guide your teens online:

  1. Continue to keep family communication as open and positive about computers as you can. Keep talking about online lives, friends, and activities, just as you would about other friends and activities.
    Encourage your teens to tell you if something or someone online makes them feel uncomfortable or threatened. If you’re a teen and something or someone online doesn’t seem quite right, then speak up.
  2. Create a list of Internet house rules as a family. Include the kinds of sites that are off limits, Internet hours, what information should not be shared online, and guidelines for communicating with others online, including social networking.
  3. Keep Internet-connected computers in an open area and not in a teen’s bedroom.
  4. Investigate Internet-filtering tools (such as Windows Vista Parental Controls, Windows 7 Parental Controls, or Windows Live Family Safety ) as a complement to parental supervision.
  5. Help protect your children from offensive pop-up windows by using the pop-up blocker that’s built in to Internet Explorer.
  6. Know which Web sites your teens visit, and whom they talk to. Encourage them to use monitored chat rooms, and insist they stay in public chat room areas.
  7. Insist that they never agree to meet an online friend.
  8. Teach your kids not to download programs, music, or files without your permission. File-sharing and taking text, images, or artwork from the Web may infringe on copyright laws and can be illegal.
  9. Talk to your teenagers about online adult content and pornography, and direct them to positive sites about health and sexuality.
  10. Help protect them from spam. Tell your teens not to give out their e-mail address online, not to respond to junk mail, and to use e-mail filters.
  11. Be aware of the Web sites that your teens frequent. Make sure your kids are not visiting sites with offensive content, or posting personal information. Be aware of the photos that teens post of themselves and their friends.
  12. Teach your kids responsible, ethical, online behavior. They should not be using the Internet to spread gossip, bully, or threaten others.
  13. Make sure your teens check with you before making financial transactions online, including ordering, buying, or selling items.
  • Discuss online gambling and its potential risks with your teens. Remind them that it is illegal for them to gamble online.
  • I would like to add that the most safety is offered through you, the parents. Make sure you communicate with your children. Educate yourself about the Internet.

    How to secure your Smartphone (Blackberry, iPhone, Windows Mobile-based phones)

    Considering that more and more people use Smartphones like Blackberries and iPhones, mobile security becomes more and more of an issue. You have an anti-virus scanner on your laptop? A firewall? You keep it up to date with the latest patches? That is awesome; I commend you for it. But what about your phone that you use to access your e-mail? How do you protect your Smartphone from getting hacked?

    This is the first part of a series on how to secure your Smartphones. Credits to PCMag.

    BlackBerry (System 4.5 and higher)

    Go to Options, then Security Options, then:

    1. Password-protect start-up. Under General Settings, set Password to Enabled. You may also want to change other settings here, such as the number of password attempts allowed before the device is locked, and whether the device should automatically lock on holstering. Commit your changes by pressing the Back button (the half-circle arrow) and enter your new password when prompted. Choose a password you’ll remember and that will be quick and easy to type using the device’s keypad. Confirm that password, then exit to the main menu. Lock your phone by pressing and holding the * button to confirm that it has been password-protected.
    2. Encrypt data. Scroll past General Settings to Content Protection, and enable it. Under Strength, you can select Strong (80 bits), Stronger (128 bits), or Strongest (256 bits). I recommend using Stronger for faster encryption/decryption or Strongest for the most security. Selecting Yes for Include Address Book will keep your contacts secure but also result in disabling caller ID when the phone is locked. Circle-arrow back out, then create an encryption key by randomly moving the trackball and typing characters. A good practice is to regenerate an encryption key every two to four weeks: Under Security Options | General Settings, click on any service, then click Regenerate encryption key.
    3. Secure passwords. Please don’t fall into the trap of saving usernames and passwords in your mobile device’s browser. Anyone who finds your device and unlocks it then has access to all of your online accounts. Instead, use the Password Keeper utility to store and encrypt this info.
    4. Lock down Bluetooth. By default, Bluetooth is on. In addition to wasting your battery, this leaves you open to Bluetooth-based attacks. From the Home screen, go to Set Up Bluetooth. When prompted to Add Device select Cancel. Press the Menu button, then select Options. Set Discoverable to No, so other devices can’t find your BlackBerry, and set Security to High—or if the Bluetooth devices you use with your BlackBerry support it, set Security to High + Encryption to encrypt Bluetooth data transmissions. From the following checklist, enable only those services you think you are going to use with Bluetooth—most commonly headset and hands-free. Exit and save.
    5. Clear memory. Also under Security Options, memory clearing can delete sensitive data, such as unencrypted e-mail messages and username, password, and other certificate-related info, from memory. You can set the BlackBerry to clear memory under certain circumstances—for example, when you holster your BlackBerry or lock it.

    Smartphone (Windows Mobile 6)

    1. Password protect start-up. Go to Start | Settings | Lock and configure a password. Check the box next to Prompt if the device is unused for and then select a time period from the drop-down box, something in the 5-to-30-minute range. You can set your password to be a simple four-digit PIN or a strong alphanumeric string and then enter your password in the boxes below. You can also set a hint, but remember that this can be read by anyone with physical access to your phone. At this point, it would help to go to Settings | Today, click the Items tab and check the box next to Device Lock to provide a quick locking option on your Home screen.
    2. Encrypt data. Under Settings | Security | Encryption, check the box that says Encrypt files placed on the storage card, then click OK. A storage card can actually contain both encrypted and nonencrypted data, but encrypted data can be read only from the device in which it was encrypted and written, or from a Windows PC using ActiveSync and Windows Mobile Device Center. There’s also a big gotcha lurking: If you have to perform a hard reset of your device or update the ROM, you will lose the encryption key stored on the device, and with it, access to your data. Companies can push encryption policies to Windows Mobile devices using Exchange Server 2007.
    3. Secure passwords. This requires a third-party solution, such as KeePass or some other eWallet type of encrypted password manager.
    4. Lock down Bluetooth. Go to Start | Settings, then the Connections tab, then Bluetooth. On the Mode tab you can enable or disable Bluetooth and make your device visible; Off and Not visible are the more secure settings. Scroll all the way right to the Security tab and check the box to require authentication for data beaming.
    5. Clear the memory and cache. In Internet Explorer, go to Menu | Tools | Options; in the Memory tab you can set a history retention time in days or clear the history manually. Click the Delete Files button to clear the Web cache. Navigate to the Security tab and click the Clear Cookies button.

    iPhone

    Unfortunately, you won’t find a list item called “Encrypt data” below. At this point, there doesn’t seem to be any encryption available for iPhones.

    1. Enable Passcode Lock and Auto-Lock. Click the main iPhone Settings icon, then click the General tab and select Auto-Lock. Select the time period you want, then exit out to the Home screen. Once Auto-Lock locks the phone, Passcode Lock will require a four-digit PIN to unlock it. Click the iPhone Settings icon, then General, then Passcode Lock. From there enable Turn Passcode On. Enter your passcode. Tap Require Passcode and then choose “immediately.”
    2. Secure passwords. There’s no native way to do this, so you’ll have to use a third-party password manager.
    3. Lock down Bluetooth. It’s great that Bluetooth is off by default on iPhones, but you should also set yours to require an eight-character PIN for connections with Macs. Turn on Bluetooth only when you need it.
    4. Clear the memory and cache. Back on the Passcode Lock screen, you can disable SMS Preview while the device is in its locked state, and also turn on the Erase Data function. This will wipe the iPhone clean after ten failed passcode attempts. You can clear cookies, browser cache, and history from the Settings menu in Safari.

    This should get you started.

    Keeping your other Windows applications up-to-date is not always easy

    I am glad that Microsoft has the ‘Windows Update’ facility these days, but I always hated the fact that I had to manually keep track of all the other applications that are usually installed on a regular Windows machine. Some examples are Adobe Reader, Flash Player, HP Drivers and a ton of other 3rd party applications that are widely istributed on lots of Windows machines these days.

    Secunia offers a free tool, the ‘Personal Software Inspector’, that keeps track of applications that are installed and that need patching. After you install it, it scans your entire system for installed applications and catalogs them. After that, it assigns your machine a ‘security score’ and lists all the applications that need to be patched. The ‘Personal Software Inspector’ (also called ‘PSI’) also provides you with the download links to click to get your software updated.

    Very, very handy. Give it a shot.

    http://secunia.com/vulnerability_scanning/personal/.

    This is also available for commercial use:

    http://secunia.com/vulnerability_scanning/corporate/.