
Category Archives: passwords

iOS 4.2 is out! Update your iDevice!


While many people (me included) are happy to update their devices to iOS 4.2 for the new features, most are not aware that it also includes necessary security fixes. iOS 4.2 (like many iOS updates before it) includes fixes that address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, initiate a call, cause a denial-of-service condition, gain system privileges, or obtain sensitive information on your iPhone, iPad, or iTouch. (While there is also an update for AppleTV, I’m not aware of what, if any, vulnerabilities were addressed with that update.)

A quick overview of these fixes: an issue with the new iAd service where ads could send you to malicious sites, mail issues where properly formatted HTML emails could send information back to the sender of the email, and a network issue where properly formatted PIM messages could cause a denial-of-service situation or cause the device to shut down completely.

To see a full list of the vulnerabilities addressed, please see Apple’s security page here:  http://support.apple.com/kb/HT4456


Android and iPhone exploits revealed in past week

Over the weekend, a new Web-based jailbreak became available for iOS devices, offering users a simple method to open their devices to installation of unauthorized third-party applications. An error in the processing of Compact Font Format (CFF) data within PDF files can be exploited to execute arbitrary code, e.g. when a user visits a specially crafted web page using Mobile Safari.

This is applicable to any iOS 4 device (all new iPhone 4s, iPads and any upgraded iPhone 3G and 3GS). One of the main features of iOS 4 was the sandboxing approach to applications. This exploit bypasses the sandboxing by exploiting a third-party app. I have to say this doesn’t help Adobe’s popularity in Cupertino.

Time will tell if Apple will release a patch to iOS to resolve the issue or if Adobe will have to update their code.  For the time being, the best advice is to browse “safely” (if that’s really possible anymore) or just not browse at all.

The Android exploit has a completely different twist to it. Spider Labs released a DVD at Defcon last week that provided a method to root the device. Once the exploit is applied, the Android device acts as a bot for the hacker, who has full remote control over the device and access to all the user information on it. What makes this more interesting is that Spider Labs is an ethical hacking team using this approach to incentivize manufacturers to provide a fix for the issue more quickly.

“It wasn’t difficult to build,” said Nicholas Percoco, head of Spider Labs, who along with a colleague, released the tool at the Defcon hacker’s conference in Las Vegas on Friday.  Percoco said it took the team about two weeks to build the malicious software.

CNET reported that ten companies had data compromised. The list included Pepsi, Coca-Cola, Apple, and Google, amongst others. All information was solicited through one phone call to an employee of the company.

************** UPDATE Aug 5th **********************

CNET has posted that Apple has acknowledged the issue and already has a fix. They did not mention when it would be released, but a software update is imminent.

************** UPDATE Aug 11th *********************

Apple has released iOS 4.0.2 for iPhone and iTouch as well as iOS 3.2.2 for the iPad to address this vulnerability. Of course, a side effect of addressing this vulnerability is that it now breaks the functionality of JailbreakMe 2.0. Not that this should be a surprise.

 


Russian spies are just like your average end user?

Funny as this may sound, it seems to be the case with the recently arrested Russian spies.

This article from Network World points out some of the issues the users had and how those issues helped get them caught.

As an IT or Security Professional, how likely are these scenarios in your workplace:

  • A 27-character password was enforced, so the password ended up written down on a Post-it.
  • Frustrated with trying to get a program to work, you turn to a complete stranger for help. If that stranger happens to be an undercover FBI agent, handing him your laptop just made his day.
  • Waiting 2 months to get a new laptop and have it configured, then being told you can get it fixed in 6 months if it doesn’t work. Then telling your co-worker (or co-spy) “they don’t understand what we go through over here”. Sound familiar?
  • Users/spies turn to off-the-shelf programs so they don’t have to wait for their IT department to install them.
  • Having all new systems but not being able to run the necessary programs, because they crashed or timed out before the application could finish.
  • Users/spies set up peer-to-peer wireless networks (without encryption) so they could transfer files more easily. That made it a lot easier to intercept those files during transfer too.

These scenarios seem so comical that it’s almost hard to believe they aren’t movie plot lines for Steve Carell’s next Get Smart episode.

 

Posted by on July 7, 2010 in passwords, RISK, Security

 
