Unwired

App-phone Vulnerabilities Continue to Surface as Western Marketshare Grows

kris-szabo — Wed, 30 Nov 2011 21:53:09 -0500

North America is quickly catching up to Asia and Europe in terms of app-phone market share. As a result we are quickly encountering the same problems these countries have experiences with SMS Trojans for several years now.

As app-phones have been designed for easy of development, with security being almost an afterthought, malware writers have found this an obvious evolution of their activities. Currently, a new SMS Trojan has been noticed with limited infections targeting users several European and Western countries, including Belgium, Canada, France, Germany, and the UK. This Android Trojan has a couple of functions, each designed to deceive the user and run up charges on the bill. The infection accomplishes this by sending out and receiving SMS messages to premium SMS numbers and hiding the texts before the system can display or alert to user to their presence.

The unpolished security of virtually all app-phones on the market today, is a large factor in the spread of these types of malicious programs. However, an equally large part is due user negligence. A closed, locked-in market filled with an overwhelming number of similar applications leave little time to inexperienced users to sort out legitimate applications from the cruft. More over, many of the natural forces that allowed open app markets catering smart phones of generations past, no longer function to weed out substandard software.

SMS Trojans Spreading to the Rest of the World

What is MD5 and Why Should You Care That It's Broken

kris-szabo — Tue, 13 Sep 2011 00:11:00 -0400

I came across an interesting article today discussing a talk with one of Kapersky Lab’s analysts, Evgeny Aseev. The discussion centers around the use of MD5 hashes, how they are no longer enough, and involves a few dropped comments about the H B Gary attack by Anonymous this year. This quickly becomes a bit technical so here’s a quick run-down of MD5.

What is MD5?

MD5 is a cryptographic function (it’s math!) that takes a blob of data and creates a relatively short string from it. This string is called a hash value. Hash functions, such as MD5 are sometimes called one-way hashes, which means it’s easy to go from the blob to the hash value, but it’s difficult to go from the hash back to the blob of data. One peculiarity of MD5 is that, while not very common, different blobs of data can have the same hash value.

So what is MD5 used for and why is it important? One use of MD5 is as a checksum of files. For instance you can download a large file, say an installer from a company. The company supplies you with the installer file and an MD5 hash value. Once you have finished downloading the file you can run MD5 on the installer and if the result matches the MD5 hash value given by the company, you can be fairly sure it’s the file you wanted to receive and it hasn’t been corrupted in the download.

Password Hashing

More generally, MD5 is used in many password systems as storage for a user’s password. When your password is first set, the system creates a hash value and stores that to the database. When you try to log in, it takes your password and runs MD5 on it. If the resulting value matches the one present in the database, you are allowed to log in. As you can see, on the surface this means that even if someone manages to steal a password database they still wouldn’t be able to steal your password.

As a side note, many people make a difference between encryption and hashes. The media is particularly notorious for this. Many may note that during the Sony PlayStation Network attack, the media reported that the password database had been stolen, and it wasn’t encrypted. This is true, in that you didn’t need to decrypt the database, but the passwords were all stored in a hash value generated by any of a number of hashing functions. In general, passwords are stored hashed rather than encrypted because hashing a password response and comparing it to a stored hash is fairly secure, while still being fast. Decrypting a database each time a password is entered, on the other hand, is a slow process and grows exponentially slower as more accounts are added to the system.

How is MD5 Broken?

So, now what’s the deal with MD5 hashes? Well, remember we said that two different blobs of data can have the same MD5 hash value? Well in theory, an attacker doesn’t need your password to access your account, he just needs a password that has the same hash value as yours. Therein lays one of the major weaknesses of MD5. Currently, there are easily available databases called Rainbow Tables. These Rainbow Tables are essentially a combination of random letters, numbers, and symbols paired with their pre-calculated hash values. In theory, all an attacker needs to do is see the hash value of your password in the database, look up this hash in the Rainbow Table, and use a password that hashes to the same value as your password. Current Rainbow Tables seem to hold values of essentially every password up to ten characters comprised of only lower-case letters, and every password up to eight characters comprised of uppercases, lowercases, digits, and spaces.

Generally, this kind of attack is an “escalation” attack. At some point the attacker has gained enough access to copy the password database and can now start matching password hashes against Rainbow Tables. Another vector an attacker could use, is taking a Rainbow Table and using each value against an account until one of the passwords work. This latter approach doesn’t tend to work very well on modern systems. Most modern systems of any significant design, lock an account out after 3-30 password attempts and require administrator intervention. In general, it has been fairly accepted that MD5 is broken and should not be used for authentication for well over a decade now. That said, MD5 is still widely employed by web applications and even some enterprise equipment vendors.

Enter H B Gary

So how does H B Gary figure into this? Aseev makes a throw away comment about password standards that were being used at H B Gary. The principals whose accounts were compromised used passwords consisting of six letters and two numbers. If they were being hashed using the MD5 function, suitable password candidates would exist within the Rainbow Tables. A second throw away comment is that these same principals used the same passwords on both their Google accounts and H B Gary’s internal systems. The comments beg one question however, and this is how did the attackers from Anonymous know what the hashes were. Above we mentioned that most modern systems lock out an account if someone is trying to brute force the password. This train of thought and other reports on the situation make it seem as if Google accounts are missing these simple lockout functions.

Is My Password Safe?

So then, is my password safe? The short answer is no. The long answer is, it depends. Some systems are using more secure hashing functions, others still rely on MD5 and its hard or impossible to know which any given system is using. It’s best to assume that any service that doesn’t say how your password is being stored is running MD5. So, now that we are sufficiently paranoid, how do we protect ourselves? First approach is, unfortunately, only a stop gap. Use a password that is not in a Rainbow Table and hope for the best. This means picking a password that is greater than 10 characters and contains upper cases, lower cases, numbers, spaces, and symbols. This will only continue to work until new Rainbow Tables are developed that cover these password rules too. A better form is two-factor encryption: The use of a password and a hard token for instance. These systems have flaws too, mostly they are too complex for the average user, and the companies that provide them can, and do get cracked. In the long run, the final answer is simple: long, strong passwords, and training computer users to understand basic security principals.

MD5 password hashes are dead

DigiNotar Roundups

kris-szabo — Sat, 10 Sep 2011 22:25:00 -0400

Early this week, I did a quick and dirty write-up trying to do a high level explanation of what is going on with DigiNotar and why it’s important. Since then there have been a lot of pieces that had dropped that are directly or indirectly related to the incident.

In Context

The ComodoGate hacker has ‘come forward’ claiming responsibility for the DigiNotar crack as well as claimed successful attacks on other Certificate Authorities (CA’s) including major world player GlobalSign. ComodoGate is the widely reported name given to a similar event earlier this year where a CA and anti-malware developer Comodo had a user account compromised, resulting in the issue of nine rogue signing certificates. In response to the allegations, GlobalSign suspended issuance of new certificates until at least Monday while hiring the same security technicians as DigiNotar to investigate the alleged breach.

The investigation has found evidence suggesting that a web server hosting the corporation’s website had been compromised. It must be stressed, however, that the server was always isolated from the rest of the company’s infrastructure; thereby making it no more of a jump point for attacking the server involved with their Certificate business than any other computer on the internet. Additionally, they have found no evidence of any compromises in the remainder of their systems. The fallout from this is yet to be seen. This was the same language used with relation to the Sony PlayStation Network credit card database attack, which to this day shows no suggestive evidence (much less conclusive) that the database was compromised or touched. Aside from a handful of anecdotal accounts from users, neither Sony nor any credit card company has seen fraudulent activity on cards; yet the fallout from the intrusion is at least evident even if the breaches were clouded in media hyperbole. This is not to say the breach at Playstation, or GlobalSign is not severe, but it has to be taken into context. Security is not about eliminating threats, but reducing the amount of threats and learning to live with the ones you can’t eliminate While data might have been accessed it was protected from being used in any meaningful way, and I think it’s both unfair and rather dangerous to suggests that either GlobalSign, DigiNotar, or Sony are any worse off than a majority of the companies running large computer infrastructures.

The Zilla Speaks Up

Mozilla, the makers of the Firefox Web browser, took other measures this week in response to the DigiNotar incident. As reported last week Mozilla, Microsoft, and Google all issued revocations of the programmed trusts of DigiNotar’s certificates last Friday (Sep 2^nd). In addition to this action, Mozilla has requested that all CA’s currently participating in the trusted CA program (that have a “root” trust in Firefox) perform security audits of their Private Key Infrastructures (PKI’s : The servers that run this whole show). Mozilla issued a set of requirements that are intended as guidelines for any CA’s wishing to continue their presence in Mozilla’s trusted CA Program, and extend to any third party CA’s that the root CA’s are essentially vouching for by signing the third party’s root certificate. All technical jargon aside, Mozilla is starting a discussion and potentially naming requirements to try to close up holes in the entire SSL system as it is today. Part of this discussion is already touching on the idea that most of the oversight and guidelines in place have a much stronger focus on governance, ITIL, and ETSI audits than actual security practices; a situation that is probably not appropriate when dealing with a company or department that is in the business of security. The big question is does Mozilla have enough clout to turn this discussion into action.

Of Apples and Indians

When beginning to work on this write-up, Apple was being singled out. As of Friday (Sep 9^th) morning (7 days following the revocation of DigiNotar Certificates by the major players in the web-browsing arena) Apple still had not revoked trusts to DigiNotar. Worse yet, security technicians from leading security groups were confirming that manual revocation within Safari wasn’t working as intended, and sites certified by DigiNotar were still showing up as valid. It seems being called out on the event had gotten a reaction as Friday afternoon a number of out of band security updates were implemented in an attempt to fix this oversight. The situation, however, underscores many of the security concerns with Apple, more than anything else.

Another security hole was upgraded to a critical issue a few weeks ago, as a denial of service attack tool was found in the wild for a major flaw that has been present in the Apache web-server and known for nearly a decade now. Apache is an open-source program that serves websites and makes up a majority of the internet today. Apache developers were quick to release a mitigation that could be made to the configuration until a patch was released; the patch was promised and released within 48 hours of the announcement. Even at the time of the announcement, there were concerns as Apple ships their own flavour of Apache with their operating systems and all patches end up going through Apple governance. In many cases patches for security issues have seen delays upon delays, and many fixes have never seen the light of day. At the writing of this article, conservatively nine days since the patch was released, a number of simple Google searches show that there are only two options available to users of Apache on OSX. Manually apply the patch and hope nothing breaks, or use the mitigation configuration. (As of yet I’ve not heard of anyone manually applying the patch).

SSL: Is it broken?

I wanted to touch a bit deeper on SSL and what it is. In the article previously I pointed out that SSL is a two part strategy for dealing with websites and services across the internet. One part of SSL is the ability to encrypt data so a third party cannot look at it, the other part is essentially giving the user the confidence that the website or services are who they claim to be. A critical discussion has been on-going for several years questioning if the SSL Regime is broken. The main argument has centered on the trust issue and asking who are these companies that we are trusting to tell us this website is legitimate? In the end that’s the flaw in the system and that’s what we, as users, need to manage. How much do we trust the site, or the person telling us to trust the site? Hopefully the Mozilla CA discussion will yield some movement in this arena that points the industry in the right direction.

As for why this is such a big deal, I propose the following situation. On April 8^th of 2010, for approximately 18 minutes, a “configuration error” at a Chinese telecom resulted in a reported 10% to 15% of the world’s traffic being routed through the Chinese internet and included US government and military traffic, among others. Allegations have flown that even larger and longer route poisoning incidents have taken place since. Consider if you will, a rogue nation poisoning routes and similarly hijacking all data destined for servers of MI6, one of Britain’s intelligence departments. Now imagine they have set up servers to replicate the behavior of MI6’s infrastructure and loaded SSL certificates from a compromised CA. People and automated services could then connect to these fake MI6’s and offload data to them in what appears to be a secured and safe manner. There are even methods available to simply use this technique to sit and watch the data without the information failing to make it to MI6’s servers. By the time MI6 or the party trying to connect to them has figured out they were being tricked, the data is already in the hands of this fictional rogue state. At this point, the only protection is hoping that the data’s useful lifespan is much less than the time it takes for the attacker to break whatever encryption might have been wrapped around the data in addition to the PKI encryption provided by SSL.

DigiNotar Certificate Authority Comprimise - Some Early Take-aways

kris-szabo — Thu, 08 Sep 2011 01:16:09 -0400

During the past week, the compromise of Dutch certificate authority DigiNotar has been keeping the security community watching the news. SSL certificates allow encryption of web-traffic between users and servers, and the certificate authorities’ job is to give people some reasonable confidence that the server a user is talking to is who they claim to be. As a result of this attack, several fraudulent certificates have been issued allows an attacker to make fake websites in the names of 531 (so far) high profile entities such as Microsoft, Windows Update, Mozilla, Google, the CIA, MI6, and Mossad to name a few. These fake websites are trusted by web-browsers because they seem to have been authorized by DigiNotar. In response to this attack, web-browser companies like Mozilla have been pushing critical updates to disable trust on these websites. While the situation is on-going, preliminary reports by the Dutch government point to wide spread use of unprotected computers, out of date software, poor password policies, and malicious software infections at a company that, until last week, exceeded some of the most stringent oversight and security standards in Europe.

Microsoft releases a Promo video for Windows 8.

kris-szabo — Thu, 02 Jun 2011 19:10:00 -0400

Microsoft releases a Promo video for Windows 8.

Wrist Communicator

kris-szabo — Fri, 08 Aug 2008 23:11:00 -0400

That person on the bus may not be late for his appointment after all. SMS Technology Australia has started production on its M500 line of GSM watches. The M500 is a classy looking square faced watch that runs on quad mode GSM technology. It features a 1.5 inch color touch screen, 128 MB of memory for contacts and files, and full sms support. While it does play MP3/AAC and MP4 video, my strong suspicion is these are use with contact identifying queues. USB support for recharging and utilizes U disk Technology. Communication is apparently through Bluetooth to a wireless headset.

All in all, I think that the phone looks rather nice, but I am not sure how many people will be hopping on this fashion item. Additionally, SMS recently announce the M501 Ladies watch.

http://www.mymobilewatch.com/index.php

Apple bleeding you dry.

kris-szabo — Mon, 24 Sep 2007 11:58:00 -0400

This morning’s “USA Today” (Ugh I know … its what the hotel left on the doorstep) is running a story on the front page about blood banks trying new techniques to get donors in the door. One of the options some blood banks are thinking of raffling off iPods. The article doesn’t go on to say whether Apple will be donating these ipods, or if they come through the normal supply channel. However, given Apple’s interesting methods for measuring sales metrics in the past; I wonder how many times each of these iPods will be counted.

Christopher Dawson discusses his Anti-Mac bias!

kris-szabo — Wed, 08 Aug 2007 23:12:00 -0400

Christoper Dawson, one of ZDnet’s educational bloggers, wrote last night about his Anti-Mac bias. Much like Mr. Dawson, I’ve faced the stigma of being “the wrong expert” when my friends ask me about what Laptop or desktop they should consider buying, and I rarely have Mac’s on the list.

Dawson points out that while Mac’s are great at what they do, it’s often overpowered for the average user. When looking at the starving college student or simply us overworked and underpaid s.o.b.’s, the economics simply don’t make sense. A high school or college student looking for a computer to write his homework on needs a word processor that can print. A $600 dollar laptop can handle that. Granted many people don’t want to hear this; to you I have to say be honest with yourselves and whoever you might be asking to buy you the device. If all you want is something to write papers, then say it. If you are wanting something to write papers, make movies and do all kinds of other activities, then say it.

For those that talk about needing Mac to work on creative challenges that Windows and Linux don’t fill; I am afraid I can’t really buy that argument. Especially not for the low end. Mr. Dawson points to a specific example of a friend who deals a lot with digital photography for work. Due to various issues, including her work environment she ended up going with a much cheaper PC based solution to adequately fill her needs when her old Mac was no longer up to the challenge. I am not too sure I buy it for the upper end either. Applications like Cinelerra and Maya are available free for Linux, and many have for-gone Mac for Linux shops that are cheaper to develop and operate.

Finally for those that like to remind me, that Mac is now simply a very advanced GUI running on top of BSD, I’ll say that it’s a very crippled version of BSD. When trying to trouble shoot network issues with a friends Mac in Terminal, I ended up frustrated in about 10 minutes of trying get the commands to work with the switches I am used to. I ended up booting off a copy of OliveBSD that I happened to have on the top of the pile of CD’s on my desk and booting off that to get back various switches to the networking tools missing from Tiger.

In short if you are willing to use the Mac, say that you are getting it because you want a Mac. If you are a starving student you won’t win any points crying that you don’t have enough money to by that 17” Macbook that you need to write up your composition class assignment. Know what you are getting your PC for and play to it.

Links :

My anti-Mac bias rears its ugly head by Christopher Dawson