Network Security Blog

The Mac version of QuickPwn is up and worked flawlessly for me! I’ve already installed Metasploit and a terminal program, though I haven’t really had a chance to play with either of them yet. And now that I’ve written that I’m not having problems, the iPhone just rebooted on it’s own. I’ll know soon if that’s a problem of the jailbreak.

The phone’s back up but I don’t see either the Metasploit or the terminal programs available. I’ll look through to see what’s required to enable them. Got the terminal program working, now playing with some of the other capabilities built in tho Cydia.

The link on the QuickPwn developer site seems to be down, so here’s an alternative link to the QuickPwn files.

I haven’t tested this one out yet, but if what Gizmodo is writing is true, there’s a huge security flaw in the iPhone on the 2.0.2 firmware. Basically if you take a locked iPhone and tap the emergency call button, you can then double-tap the home button to get you to your favorites. This is really a problem because from there you can open up a lot of different information on your iPhone, including email and other contact information. It opens up the potential of looking at all your email, your SMS history and opening Safari. Not a good thing.

I’m sure this will be fixed with the next release of the firmware, but there’s no hints of when that will be. We can hope it’s soon. In the mean time, Gizmodo has some steps to protect yourself. And there’s always the fact you shouldn’t be leaving your phone out where someone else can have physical access to it anyway. But we all make mistakes from time to time.

While Rich is off on a well deserved vacation with his wife, I’m joined by Mike Rothman, analyst, consultant, blogger, podcaster and friend. Mike and I recorded Monday night since I should be in a hotel somewhere in Southern California when this goes live.

Show Notes:

• Mike Rothman Security Incite Blog, The Pragmatic CSO Book and the Pragmatic CSO Podcast
• Road Tolls Hacked – Nate Lawson takes on FasTrak
• Summary of PCI-DSS 1.2 changes: You might want the actual summary.
• Google Streets: Google’s going down private roads in my own back yard.
• Tonight’s Music: Jim Armstrong with Two Shooting Stars

Network Security Podcast, Episode 117
Time: 30:34

Amrit Williams has a snarky little piece called “The 11 Worst Ideas in Security“. I haven’t read Ranum’s article yet, but I can guess at the content given some of Ranum’s previous writings. Amrit’s comment on WEP is worth reading the article by itself.

I’d actually forgotten about Microsoft Central Point Anti-virus, or I’d never really paid attention at the time. The former is more likely. I probably would have moved security analysts up the chart, but Amrit was once an analysts and still has a soft spot for them in his heart.

After some of what happened at Defcon and just to combat my general laziness when it comes to passwords, I purchased 1Password for my Mac Book Pro and iPhone several weeks ago. Actually, the OS X version is $34.95 while the iPhone version is currently free. The main feature that finalized my decision to purchase it was the ability to sync between the iPhone and the Mac Book Pro. I’m the only one in the house with a Mac, otherwise I would have purchased a 5-seat license for the house, which I think is only $20 more.

I’ve been using 1Password on both the iPhone and the MBP for several weeks now and I’m impressed. The sync works great, which I was especially greatful of when I had to reinstall 2.0.2 software on my iPhone after an aborted jailbreak attempt. I’ve been using the password creation portion of the program to replace the memorized passwords I’ve been using. I allow Firefox to memorize some passwords, but the most sensitive ones are still only going to be in 1Password or my head. Having the ability to quickly look up the password means they can be strong and I don’t have to keep them in my head.

I’ve had this article flagged on Lifehacker for over 4 months, waiting for the right time to use it. When a friend brought over his computer for repair, I took one look at the running system and realized it needs to be rebuilt from scratch. His hardware’s good, but the OS is infected beyond trusting. I’m hoping I can save a few pictures for him, but that’s about it. In the mean time, I decided his computer would make a good guinea pig for playing with a few LiveCD’s and the Fedora 9 Live USB Creator.

I have a 2 gig USB thumb drive I picked up at RSA this year courtesy of Secunia, which is more then enough room for a Linux installation. It took about 20 minutes to create the intial Fedora 9 Desktop installation on the thumb drive, but most of that time was the downloading of the ISO file. The boot up on the target system went well, but Fedora 9 doesn’t recognize the Linksys wireless card in the system and I don’t have the inclination to fight with an installation that much. I tried older versions of Knoppix and a Damn Small Linux I had lying around, but they didn’t like a lot of what they saw on the system, mainly the video and the wireless.

As an experiment I hit the “Use existing Live CD” button and pointed the Live USB at an ISO of Ubuntu 8.0.4.1 LTS (Hardy Heron), and it worked flawlessly. USB Creator had verified the Fedora 9 ISO, but it simply trusted the Ubuntu ISO and 4 minutes later I had an Ubuntu Live USB. Ubuntu at least recognizes the wireless card is there and even suggests some drivers, but I’ll have to hook it up in my office wired LAN to get the system on the Internet. Not an insurmountable problem, just one I’m too lazy to do yet.

I’ll probably wimp out and put Windows 2000 back on the system along with some additional safeguards. This is because I doubt my friend can adjust to Linux, even if all he does is surf the Web. In the mean time, I’ve got a decent little test system. Next up for a quick test run is Helix. Anyone have suggestions for a *nix live distro that I can test out fairly quickly to place on an non-computer savvy friends system?

PS. I hate being desktop support.

The servers at Fedora were attacked and compromised recently. The folks at Redhat are confident that none of the Fedora packages were compromised, but I’d be cautious for a while until the whole story is known.

I almost think it’s time to create a new blog called “Security Stupidity”. The latest issue to catch my eye is Apple’s “it’s not a security problem because nobody noticed” declaration; Michael Arrington has pointed out that Apple has made it easy for someone to enumerate the me.com and mac.com email address range by making public folders that use the same name as the email address. I’m sure I can think of several dozen people who presented at Defcon a couple of weeks ago who could do this in a matter of hours.

Michael Arrington has this one dead to rights: the bad guys have probably already figured this one out and are taking advantage of it as you’re reading this. There’s no way to remove an account name from this list, which means that Apple has no way of fixing this information leak without a major overhaul of their systems. I didn’t sign up for a me.com address before and now I’m glad.

I hope you’re not using your me.com or mac.com addresses for anything major, because they’re about to become spam magnets. This is the real power of full disclosure: Michael Arrington tried to tell them, they didn’t do anything so he disclosed, now Apple is going to pay the consequences, along with everyone who owns one of these email accounts.

Rather than admitting they’re wrong and fixing the problem (if that’s even possible), Apple will probably continue to deny this is a problem. But once it becomes a widespread issue, they’ll probably still deny it and quietly step up their behind the scenes anti-spam efforts. And we all know how well that’ll work.

Someone broke into a FEMA PBX system over the weekend and made over $12,000 worth of calls to Asia. The article tries to pass this off like it’s just some old school attack that’s no big deal, but to me that’s more embarrassing than if they’d been hacked using some zero-day no one had ever heard of. Getting owned because you forgot to change a password is incompetence, which is much worse than getting hit by something you had no way of defending against.

It sounds like someone was upgrading the system and forgot to change a default password over the weekend. At that point all it would take is a scan of the system with an automated tool getting lucky and finding the right phone line. Likely there’d be little or no skill involved, just having the right tools at the right time. I’m betting there’s a consultant somewhere in Maryland looking for a new client.

Oh, and FEMA (Federal Emergency Management Agency) is a branch of the Department of Homeland Security. Good job guys.

If the possibility of ending up on the Wall of Sheep at Defcon and Black Hat wasn’t enough for you, Mike Perry is about to release a tool that automatically steals the Gmail ID’s of any non-encrypted sessions it finds. If you’re surfing on the free, public wi-fi at your local coffee shop, anyone with a modicum of computer skills will be able to sniff your traffic with this tool and take over your account. Of course, this has been possible for quite some time, but this tool brings the difficulty down to something the average script kiddy can do rather than having to be Robert Graham.

Gmail has been capable of running on SSL for quite some time, but it’s not something that’s enabled by default. I always typed the https in by hand, but I don’t completely trust that method. I’ve used Better Gmail2 in the past, but that doesn’t like FireFox 3 for some reason. There are also a number of scripts for GreaseMonkey that force Gmail to use SSL, but now Gmail has made it an option on the settings page. It’s on the bottom of the page and easy to miss if you’re not looking closely.

There’s no reason not to use HTTPS if you’re anywhere other than your home network. And quite frankly, there’s no real reason not to use it at home too. Google’s excuse that it might slow down your connection is pretty lame and if that’s the only reason you’re not using HTTPS, you need to rethink whether you should be accessing Gmail at all when remote.