Security News (124 Posts)

<< Next - First ... 9 10 11 12 13 . Last - Previous >>

Do what I say not what I do

#30 - Posted on 18 February 2011 - Author: SM - Category: Security, Hacking

Below is a very good article describing the recent battle between the Anonymous Hacking group and the HBGary company.

In a nutshell, a security company, “HBGary”, who is also working for the US government was about to release what they think were the identity of a hacking group called “Anonymous” who conducted some high profile hacks against large organisations who were against the wikileaks website. The hacking group response was swift and brutal, they hacked the HBGary websites, defaced them, hacked into the owner’s email account and grabbed lot of user personal information from one of the company’s related website, rootkit.com

It provides a good example of the old adage “do what I say not what I do” but this time in the world of IT Security. Of course you can almost never get IT Security 100% right, but in that case it would seem some of the security weaknesses that were exploited should have never been...
>>[READ MORE]

The world of Computer Forensics

#29 - Posted on 14 February 2011 - Author: SM - Category: Security, Conferences

I have recently attended a SANS Forensic course in London. It was the best training course I have ever been to, not only the content was really interesting and very well delivered but all the extra activities surrounding the training course were outstanding (presentations, challenges, social events, etc).

Forensic was new to me and I found the techniques taught as very good eye openers in two different ways:

–Forensic techniques can be applied to other area of IT security than just forensic investigations, such as malware analysis and DLP. The latter was a bit of a surprise to me, but by understanding some of the forensic techniques you can also understand how part of a DLP engine would work when searching for specific files on filesystems (at rest) and recognised/tagged when on the network (on the move). I will find it interesting to see if my new know...
>>[READ MORE]

New iOS Security attack, this time it looks bad!

#28 - Posted on 11 February 2011 - Author: SM - Category: Security, Hacking

Another attack on the iOS security has been published today and there are two recurring themes to the attacks I described in previous posts, namely: weaknesses with the Keychain and iOS encryption implementation.

But this time they have been used differently and seem to provide an attacker access to any passwords stored on an iOS device, even if it is passcode protected.
One main difference in this attack, is that the attacker would only requires the iOS devices and nothing else (as opposed to the relevant synced PC with previous attacks).

It also seems to prove Zdiarski’s concerns over the iOS encryption controls to be true.
The attack used some jailbreaking techniques to access the iOS device boot/ram, bypassing the passcode and using the OS to run a script to access the local keychain and all the passwords it may contain (email, VPN, web apps, etc)
It seems that the encrypted data is not linked to the user passcode, which means that if someone ca...
>>[READ MORE]

A Case Study, when Standard Security Certifications are not always your friend!

#27 - Posted on 10 February 2011 - Author: SM - Category: Security

When reviewing security products you often find they have some sort of Standard Security Certifications which should garantee a certain level of security.
Some certifications ensure adequate security controls are in place for audits, operational models, physical security, cryptography modules, etc.

The benefit of those certifications is that it should save you times and money to ensure some security requirements are met, they can also be used in contrat binding security controls, i.e.: you must comply with ISO XXXX.

There is however a drawback, an increasing number of vendors now hide behind those certifications and thus provide very little details about their security controls.
Likewise, many companies do not look further than a certification name on a paper to pass its security requirement reviews.

This is where the problem lies, how many Security professionals actually know what having such certifications actually means? to what part of the vendorR...
>>[READ MORE]

The increasing risk of 3G+ network within the corporate world

#26 - Posted on 8 February 2011 - Author: SM - Category: Security

I remember a time where access to the internet from the work place was only available from a couple of “Internet Stations” and where the Internal company network was just that, Internal with no external links! At that time, to get around those controls, one could set up dial up/ADSL lines under his desk and it was deemed as a risk to the Internal Network integrity from within the company’s premises. This was not widespread and required a specific intent to bypass the company’s network policy.

Then came Wi-Fi and hotspots started to flourish everywhere, often basic security was forgotten, such as not bridging it to the Internal Network or not enforcing adequate access controls. It was, and still is, deemed as a risk to the company’s network integrity. Although this is a more widespread practise there are controls in place and detection mechanisms to remediate the related security risks.

Both are examples of uncontrolled access to company res...
>>[READ MORE]

Follow-up on Apple iOS Full Disk Encryption

#25 - Posted on 7 February 2011 - Author: SM - Category: Security

Regarding my previous post I wanted to mitigate some of the risks I was describing.
In a nutshell, it is bad, but not that bad! :)

Escrow keybag
There is indeed a forensic issue with the escrow keybag feature, but because it requires the attacker to have both the targeted mobile device and the computer used to sync it with, That attacker would first need to break the computer’s security to access its filesystem.

Because that computer is used to sync the mobile device, most of the information it contains is likely to be on the computer as well.
For example, email accounts are likely to have been setup both on the computer and the mobile device, office files are likely to have been created on the computer, etc.

Therefore gaining access to the computer’s filesystem is likely to already give you access to most of the mobile device’s data.
Having said that, there is no garantee it will always be the case and some i...
>>[READ MORE]

Apple and their elusive Full Disk Encryption solution

#24 - Posted on 25 January 2011 - Author: SM - Category: Security

...
>>[READ MORE]

Full Disk Encryption Attacks

#23 - Posted on 25 January 2011 - Author: SM - Category: Security, Hacking

Although 3 years old, this is a good article and a link to a paper about coldboot attack against full disk encryption technology.

In a nutshell, it is related to data not being encrypted when stored in RAM and although it is volatile: “from 2.5 to 35 seconds to reach a Null State” when switched off, it can be recovered with a few techniques such as dropping the RAM temperature to slow down that “null state” or booting up the device through a very small kernel OS so only a small portion of the RAM is over written through a USB device for example.

What makes this attack even more powerful is that a lot of information “derived from the encryption keys” are stored in RAM, usually to speedup calculations.
The author then warn those attacks would be very difficult to prevent without a radical change in hardware architecture or “overhaul of the encryption process itself”.

...
>>[READ MORE]

Cellular Network Attacks

#22 - Posted on 17 January 2011 - Author: SM - Category: Security, Hacking

A few websites have been running a story today on an upcoming attack announcement/demo in next week black hat conference.

Instead of targeting the OS or a specific app, that attack would target bugs directly in a component used to send and receive calls, a baseband chip. Although technically it is still a software attack, the code used to control that chip, it would bypass any security measures in place at the OS level, and would especially be out of Apple/Google control. Such attack could be used to intercept calls or spy on a phone user by activating its phone microphone…

But then surely you would also need to find a bug in the microphone chip? Or elevate your privilege at the OS level from the baseband chip bug?
Anyway, eavesdropping on calls would at least be possible.

What makes this news interesting is both that duplicating a cell tower is becoming easier/cheaper (about $2k) and that you can’t secure and control everything, even in close sy...
>>[READ MORE]

Android vs iOS Security

#21 - Posted on 17 January 2011 - Author: SM - Category: Security

A sensitive topic but below is my initial view on the security offered by those two platforms.

My view is that Android, being a more open platform, offers more capabilities (flash, access to the root system, extension slots, etc). However, because of this it offers a less secured experience out of the box.

Apple, by not allowing certain technologies such as flash (flash security issues are endless) and by limiting access to its root system alsolimits its security exposure compare to android devices.

A very important security feature is then offered by the app store screening process. Although not perfect by any means, it still gets rid of obvious bad or flawed apps and protects iOS users further.

None of the devices are bulletproof and both suffered some security issues:
iOS: Worm on jail broken iPhone and phone lock bypass (fixed in iOS v4.2)
Android:Core libraries are open and apps can have deeper...
>>[READ MORE]