Network Security Blog

I mentioned a couple of days ago that once you jailbreak your iPhone, you’ve bypassed many of the security protections Apple put in place.  One of the biggest concerns once you do this is the SSH service running on the iPhone, since it’s relatively easy to find the default password for the phone (it’s ‘alpine’).  My solution is to use SBSettings and simply turn off SSH on the iPhone all together.  But if you have reason to leave SSH running, you need to at least change the password, especially if you’re going to any security conventions or will be traveling through target rich environments that might draw the attention of malicious elements (aka, hackers).  You know, places like airports, train stations, Las Vegas, New York, etc.

How to Change the iPhone’s Root Password

I caught up with Gary Palgon, VP of Product Management at  from nuBridges.  nuBridges is a tokenization vendor, meaning that they provide a way for a business to use a value that is hashed from the original data but can’t be reversed to discover what the original value is.  In the case of many of the people I deal with regularly, this would mean credit card numbers.  The merchant supplies the card number to the tokenization server, the server stores the card number in a safe, encrypted fashion and a token is used in place of the original card number anywhere it’s needed in the enterprise.  Because only the token is stored in most places throughout the enterprise, the scope of a PCI assessment is greatly reduced and cardholder data is much more secure than if it was in each of the datababases.

nuBridges has announced Format Preserving Tokenization, which allows the user to create a token that meets a wide variety of needs, such as keeping the string length or preserving the last four digits of a card number as part of the token.  This allows for uses such as allowing a customer’s ID to be verified by asking the last four digits of a social security number without revealing the whole number. 

NSP Microcast RSAC 2009 – Gary Palgon from nuBridges

If you believe some of the hype that’s been on the wire the last couple of days, the end of the Internet is nigh.  A number of researchers have discovered a vulnerability in the way that MD5 checksums are created for CA certificates and this could allow malicious attackers to create false certs that your browser and mine would accept as authentic.  There are a number of caveats, like the fact they had a bank of 200 PS3′s to play with to create the false checksums, but that wouldn’t be too big of hurdle for a organized group to overcome. 

I won’t even pretend I understand all of the points in this article.  So it’s lucky that I have friends who not only understand this stuff but enjoy dumbing it down so that even people like me can understand it.  Not that JJ would put it that way, but I’m not going to try to cover up my limitations.  So if you’re like me and don’t have the time to read the entire original article, read “A Layman’s Explanation of the CA Certificate Vulnerability”.  You’ll get the gist of what’s going on without getting too lost in the terminology.  And you can pass it on to your manager with a pretty good chance he’ll understand it too.

I rarely fly outside the US.  In fact, in the last year I’ve only done it once and will be doing so for a second time this week.  I am about as white bread American as you can get, but I still worry about having my laptops searched by the DHS.  I know the government says they only search a small fraction of all systems coming across the border, but if you’ve ever seen the hacking stickers on my Mac Book Pro, then there is a possibility that some agent out there might think that gives them a valid reason to search my laptop.  Last time I came through, they swabbed my Mac Book for explosives after all.

My personal computer has a lot of stuff on it, but nothing I’d be worried about someone else seeing, but my work laptop is a different beast all together.  I have a lot of sensitive information about clients on it, including screen shots of their software configuration, firewall configurations, policies, not to mention all the contact information and correspondence with said clients.  I doubt there’s anything I have that would shut down a business, but in the wrong hands the information I have could cause more than a few companies some late night sessions resetting passwords and changing configurations.  That’s why the drive is encrypted and I have a passphrase that’s more than 30 characters long.

So what happens if I’m stopped at the border and asked to type in my password?  If it’s my personal computer, I’ll probably say go for it and give type in the password.  But if it’s my work computer, where do I draw the line?  I’ll be coming back later in the week, I’ll be tired and want to get back to my family.  Do I say no, call my corporate council and prepare to be detained for however long it takes things to get worked out?  Do I bend my own morals and let them have what they want?  Or is there another alternative?

Seriously, I have absolutely no expectation of something like this happening.  On the other hand, it won’t hurt to have the company lawyer’s card handy as well as contact information for the Electronic Freedom Frontier.  You never know what’ll happen if I’m sleep deprived enough to get really beligerant on my way home.  Can I tell the border agent I’ve met their supreme leader, Secretary Chertoff?

At the end of October I was invited to a dinner put on by Seagate in San Francisco at Shanghai 1930 (highly recommend, BTW), along with a few other bloggers and a number of press folks.  I got to talk to a number of the Seagate executives and ended up sitting next to Luther Martin, the Chief Architect at Voltage Security.  The conversation was very fluid, ranging from politics to various security topics to the then upcoming holiday season.  There was nothing revolutionary in the conversation, though one of the execs in charge of consumer electronics said he felt very good about the future, since storage and backup in the home have barely scratched the surface of the market.  Finally on the way out, they handed each of us a Maxtor BlackArmor 320Gb external hard drive. 

The Maxtor drive is very nice, sleek and small.  It comes with a fairly short USB cable, pretty standard for these drives, and has a bright blue LED on the front to indicate activity.  And when I say bright, I mean it; the drive light’s up my office late at night and I really wish it had a way to dim or turn off the light, but that’s a minor quible.  When I plugged in the drive and started the software installation, it asked for the Security ID code from the back of the drive and a password, then acted just like any other drive on my computer.  Except none of my other drives are encrypted using AES-128 and require their own password before they’ll allow access. 

I’ve been running an older Maxtor Shared Storage drive on my network for several years now and love it.  It sits on the shelf and every night my files and my wife’s files get backed up over the network and I feel a bit more secure.  About every 3-4 months I take the whole backup and copy it to a second external drive hooked to the MSS drive via UPS, and once a year I copy those backups to a second external drive.  I’ve had drives fail on me before and I’m not willing to take a chance that my data would be lost in case of a drive failure.  Yes, I’m paranoid, but I’m a security professional and I’m supposed to be paranoid. The MSS runs a small program called Maxtor Quick Start that ran at startup and backed up everything, or at least it did until I installed the latest version of Maxtor’s software, Maxtor Manager.

I like the new Maxtor Manager, it works seamlessly, it backs up everything I want it to at Midnight every day, and my test restores have worked well so far.  The one issue I have with it is that it disabled Maxtor Quick Start from starting automatically upon bootup and doesn’t recognize my Maxtor Shared Storage Drive.  I can still start Quick Start manually and do backups to the networked drive by hand, but it doesn’t give me quite the same feeling of security I had before.  It is slightly redundant, I admit, since the BlackArmor drive is backing up the same drives nightly, but I’ve already stated that I’m a paranoid who only feels safe when I’ve got multiple copies of my data on backup. 

Other than the minor issues around my network and the bright blue LED, I love the Maxtor Black Armor drive.  I’m seriously considering purchasing one for a family member who’s in need of an external drive, especially since they aren’t any more expensive than your average external drive ($108 on Amazon for a 320Gb version).  The added security of having the encryption on the drive might not matter to many home users, but for folks like me who regularly work on sensitive documents, it’s a huge blessing and let’s me sleep a little better at night.  My issues with the software won’t affect most users and the backup software is easy enough to use that my luddite of a brother could install it and run it without any help from me.  Which is good, since I don’t do tech support, even for family.

I know I’m cynical, but when I start seeing headlines about this encryption technology or that wireless technology being broken, I have to wonder if it really is or if just a small portion of it was cracked. After all, it was reported a few weeks ago that Elcomsoft had broken WPA, but when George Ou did the math, it didn’t really affect anyone in the real world.  So when I read this morning that WPA has been broken, I have to take it with a grain of salt until the actual research is released.  Did they really break it or did they break WPA under a special set of circumstances?  Will this be usable in the real world?  Do I even care (by which I mean, will it affect me)?

The good news is, even if this is a real crack of WPA, the researchers are stating that WPA2 is still secure.  Until someone figures out how to work around that encryption scheme as well.

You trust your PIN Entry Device[PED] (the thing you swipe your credit card through at the checkout stand) don’t you?  You might need to rethink that trust:  PED boxes in Europe were tampered with, either at the factory or somewhere else in the supply chain, and had additional hardware installed to capture full stripe data as well as PIN information.  The information has been getting sent back to the crime ring responsible for the compromise and is turning up in fraud cases all over the world.  The funny part is the best way to distinguish a compromised machine from an uncompromised machine is to weigh them; the attack adds 3-4 ounces to the machines thanks to the additional hardware installed in them.

To me, this is one of the scariest attacks against credit cards yet.  True, attacking a merchant like TJZ will get you millions of credit card numbers, but an attack against the supply chain could affect every merchant if it goes unnoticed long enough.  This attack is comparatively to detect, given the extra hardware that was installed.   But what if the attack had taken place one or two steps earlier in the manufacturing process and actually became part of the software in the PED boxes?  I can imagine a PED box having a little extra memory installed to log all the credit card swipes it processes oin a daily basis and calling home to upload that information on a daily or weekly basis. 

This is the sort of attack that could possibly go undetected for years, especially if the people doing it have a fair understanding of the credit card company anti-fraud mechanisms.  It’d be easy to create an algorithm that is specifically designed to choose credit card numbers from the pool and use them in such a way as to fly under the radar with a little insider knowledge.  And anyone who’s already infiltrated the manufacturing companies will have a good chance at infiltrating other aspects of the process as well.

It took nine months for the authorities to track down and report on this breach of the supply chain.  The people who pulled it off knew what they were doing and knew how to make their devices look like they’d never been tampered with.  The authorities caught on, but the next time someone pulls this off, they’ll be smarter and it’ll be even harder to catch them.

This is just one more reason you should never use your debit card anywhere other than at a bank.  When your credit card is compromised, you’re only responsible for the first $50; if your debit card is compromised, it all depends on how nice your bank decides they want to be.  Do you want to rely on your bank’s charity?  I sure as heck don’t.

Update:  A little more information on this attack from the Wall Street Journal.  Thanks to Richard Stiennon

I’ll admit it:  Sometimes I’m lazy and sometimes I hedge my bets a little.  I didn’t have the time on Friday to look deeper into the real time requirements to hack a WPA password using Elcomsoft’s new tools.  I knew the time needed was considerable, but I didn’t realize exactly how long it’d take:  George Ou says it’d take 5793 years to crack a WPA password normally and even with a heftier computer than most of us will ever see, it’ll still take almost 6 years to break the key.  And Robert Graham backs him up, saying all it takes is lengthening your key by one character. 

I’d overestimated how much of an impact this could make on the security of a wireless network.  I thought Elcomsoft might have come up with a viable attack against WPA, but in reality, this is just a marketing gimmick.  No one’s going to devote 5+ years of computing power to hack a wireless network; first of all the information will probably be obsolete in that time frame, second, no one’s going to keep the same wireless network equipment and passwords for five years.  At least I hope they won’t.

There are any number of easier, quicker ways to break into a network than trying to brute force the WPA passphrase, everything from social engineering to just breaking in and stealing the servers.  Cracking the WPA will probably become easier as time goes by, but for now WPA is still a viable way to secure your wireless.  Unless you’re doing something stupid like using dictionary words in your passphrase. 

According to The Register, Russian company Elcomsoft has made a major jump in cracking WPA and WPA2 passwords using Nvidia graphic cards to brute force the passwords.  They say that a system with two Nvidia GTX 280 video cards in it can crack the passphrase 100 times faster than anything before.

Does that mean it’s time to shut down all you’re wifi and only use your wired network?  Not really, since this requires specialized hardware and software.  Not everyone can afford $800 just for two video cards, let alone the $600 for Elcomsoft’s software and the ~$500 it costs to buy rest of the parts required to build a computer.  That’s not a trivial investment for most of us, especially right now.

If this was a piece of open source software that ran on any GPU, I’d be scared.  It’d be a real blow to wireless encryption technology.  But given the cost of the product and hardware, I doubt many people will be breaking WPA passwords in the near future.  However, the people out there who are targeting specific businesses looking looking for specific information will love this tool and use it often.  Can you say “corporate espionage”?

Don’t abandon your wifi yet, but continue to take the precautions you should be taking anyway.  Put your wireless on it’s own network, make your users VPN into the corporate network and add as many additional layers of security as your company lets you.  Issues like this are why security professionals continually use terms like ‘defense in depth’; when one layer of security fails, you need to have other protections in place to make sure you aren’t pwned like TJX.

After some of what happened at Defcon and just to combat my general laziness when it comes to passwords, I purchased 1Password for my Mac Book Pro and iPhone several weeks ago. Actually, the OS X version is $34.95 while the iPhone version is currently free. The main feature that finalized my decision to purchase it was the ability to sync between the iPhone and the Mac Book Pro. I’m the only one in the house with a Mac, otherwise I would have purchased a 5-seat license for the house, which I think is only $20 more.

I’ve been using 1Password on both the iPhone and the MBP for several weeks now and I’m impressed. The sync works great, which I was especially greatful of when I had to reinstall 2.0.2 software on my iPhone after an aborted jailbreak attempt. I’ve been using the password creation portion of the program to replace the memorized passwords I’ve been using. I allow Firefox to memorize some passwords, but the most sensitive ones are still only going to be in 1Password or my head. Having the ability to quickly look up the password means they can be strong and I don’t have to keep them in my head.