Misc

Sell Your Own Device – A Field Study on Decommissioning of Mobile Devices

On Friday we released our latest technical newsletter with the fancy title “Sell Your Own Device – A Field Study on Decommissioning of Mobile Devices”. It is the result of a field study on decommissioned mobile business devices bought on eBay and about how stored data may be extracted in different ways.

As always we love to share plenty of practical advice: At the end of the newsletter you will find the mitigating controls to securely handle mobile devices at the end of their life cycle process.

Find the newsletter here.
And a digitally signed version here.

Special thanks go to Sergej Schmidt for performing the field study.

Talking about our great team: Meet the whole ERNW crew at TROOPERS12, or even better: Dig deeper into mobile security together with Rene Graf during the mobile security workshop. There are a few slots left.

Enjoy the newsletter & hopefully see you soon in Heidelberg!
Florian

Building, Misc

On the discussion about the iTunes 10.5.1 update

Currently there’s quite some discussion ongoing why it took Apple so long to fix a severe vulnerability in the update process of iTunes. A severe vulnerability which could easily be exploited by means of an automated tool called evilgrade which can be downloaded here (Hi Francisco!). Just one small note here: did you know that evilgrade was first shown and released at the 2008 edition of Troopers? We had a number of initial releases of tools in the last years (like wafw00f at the 2009 edition and VASTO at the 2010 edition) and we will continue this fine tradition in 2012. I can already promise that some nice code is going to be released for the first time at Troopers12…

stay tuned

Enno

Misc

Call me Snake

Once again there’s a reference to some action movie here, as some of you may have immediately spotted ;-).

For the record: this one is from “Snake Plissken”, the main protagonist in John Carpenter’s “Escape from New York”. There’s another well-known quote of the same character in the kind-of sequel “Escape from L.A.” which goes like: “The more things change, the more they stay the same”. I’m aware that this is not the initial source (but French novelist Jean-Baptiste Alphonse Karr presumably is, at the time in French ;-)); still this gives a nice transition to today’s topic.

To make it short: there are pieces of software out there which – regardless of ongoing attempts to patch or even rewrite them – just remain crap, security-wise. Regular readers of this blog may have seen (read) me mentioning some of those. Right now I’d like to draw your attention to another one of my all-time favorites in the “is crappy. has been crappy for a long time. will probably continue to do so for a long time” list. Curtain up! for ISC BIND.

ISC published this advisory today (in case you’re too lazy to follow the link, here some quick facts: “BIND 9 Resolver crashes after logging an error in query.c”; severity “serious”; exploitable “remotely”; CVSS 7.8). Apparently it’s exploited in the wild. It’s at least the 5th unauthenticated remote DoS in BIND 9 in the last twelve months (here’s their advisories). And here’s another quote, this time from the BIND 10 project page:

“The architecture of BIND 10 concentrates on these technical aspects: modularity, customizability, clusterization, integration, resilience, and runtime control.”

See what’s missing? You got it. So good luck to those of you still running BIND. Call it snake… oil…

thanks

Enno

Events, Misc

“What’s so special about Troopers?”

This week I stayed some days in Zurich, to give a workshop and to meet both clients and fellow researchers (kudos again to C. for the awesome office tour @Google). In the course of one of those dinners somehow Troopers was mentioned and a guy asked: “I’ve heard of the conference. What’s so special about it?”

Funnily enough I didn’t even have to respond myself as a 2011 attendee coincidentally present at the table jumped in and started praising the event (“best con ever. great spirit, great talks”). Obviously this gave me a big grin… but it reminded me as well that some of you might ask themselves the very same question.

In my opening remarks of the 2011 edition I tried to describe the Troopers approach and spirit. You can find it here. As for the speakers’ perspective I’d like to point you to this blogpost that Chema (Alonso) wrote before the 2010 edition. It pretty much summarizes how we take care of “our rock stars”…

Btw: the CfP will be open in some days. As in the previous years, there are only few slots left (as most are already assigned to hand-selected speakers).

See you there in 2012, have a great weekend

Enno

Misc

Short iCloud Follow-Up

After the basic iCloud discussion in this post, I would like to add some more technical information. The following items are just a loose compilation of facts about the mentioned controls which allow the restriction of iCloud usage. The basic iCloud usage, consisting of backup, document sync, and photo stream, can be deactivated using the most recent version of the iPhone Configuration Utility:

Since there are no default settings for these values, it is necessary to include the disabled entries in existing configuration profiles.

Another new functionality which can be deactivated using configuration profiles is Siri. Even though this functionality is not directly related to the iCloud at first glance, it still bears a big threat potential. Looking at the SLAs of the iPhone 4s, the following paragraph gets relevant:
When you use Siri, the things you say will be recorded and sent to Apple to process your requests. Your device will also send Apple other information, such as your first name and nickname; the names, nicknames, and relationship with you (e.g., “my dad”) of your address book contacts; and song names in your collection (collectively, your “User Data”).

So Siri also uses cloud-based services in the background. The following screenshot shows the option to disallow the usage of Siri:

Thinking of this privacy relevant submission of data, another new option of the most recent tool version gets relevant: “Allow diagnostic data to be sent to Apple”. The two checked options in the following screenshots are also new features of the most recent version of the configuration utility:
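Because the utility has no default for these values, a profile that simply omits a restriction leaves the feature allowed. The following audit script is an added example (not part of the original post or of Apple's tooling) that loads a configuration profile and reports, for each of the restrictions discussed above, whether it is explicitly disabled, explicitly allowed, or missing; the key names of the com.apple.applicationaccess payload and the sample profile are assumptions made here, not values quoted on the page.

```python
import plistlib

# Restriction keys of the com.apple.applicationaccess (restrictions) payload
# covering the features discussed in the post. Key names are assumed here;
# the post itself only shows them as screenshots.
ICLOUD_RESTRICTIONS = {
    "allowCloudBackup": "iCloud backup",
    "allowCloudDocumentSync": "iCloud document sync",
    "allowPhotoStream": "Photo Stream",
    "allowAssistant": "Siri",
    "allowDiagnosticSubmission": "diagnostic data sent to Apple",
}


def audit_profile(profile_bytes: bytes) -> dict:
    """Map each feature to 'disabled', 'ALLOWED' or 'MISSING'.

    A missing key is reported separately because, with no default in the
    utility, it behaves like an explicit allow on the device.
    """
    profile = plistlib.loads(profile_bytes)
    restrictions = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            restrictions.update(payload)
    result = {}
    for key, feature in ICLOUD_RESTRICTIONS.items():
        if key not in restrictions:
            result[feature] = "MISSING"
        elif restrictions[key] is False:
            result[feature] = "disabled"
        else:
            result[feature] = "ALLOWED"
    return result


# Constructed sample profile: backup explicitly disabled, Siri explicitly
# allowed, everything else omitted (placeholder identifiers).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.restrictions",
    "PayloadContent": [{
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": "example.restrictions.apps",
        "allowCloudBackup": False,
        "allowAssistant": True,
    }],
})

if __name__ == "__main__":
    for feature, status in audit_profile(SAMPLE_PROFILE).items():
        print(f"{feature}: {status}")
```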

That’s it for the short configuration option compilation of today, have a great week everybody,

Matthias

Misc

Today I feel like Stansfield

… the corrupt DEA agent in Luc Besson’s great movie “Léon (The Professional)”. I’m sure quite some of you, dear readers, know the plot…
Just before the final shootout, when sending the first men of the NYPD ESU team into Léon’s apartment, he tells them to “Be careful!”. After learning those men got killed he just comments: “I told you”.
[btw: before yelling to bring “EEEEEEEVERYONE!!!!”, as those familiar with the piece will certainly remember ;-)].

I’m fully aware that I risk playing “the arrogant scumbag card” today and that it’s generally not very nice to refer to one’s own earlier statements with an “I told you” attitude (especially if harm was caused to some party), but this is exactly how I feel when reading these news. And – pls believe me – it’s an expression of utmost despair.

How often do organizations have to be told that running Adobe Flash might not be the greatest idea in the world, security-wise? How many statistics like this one (see section “Vulnerabilities” in the bottom part of it) have to see the light of the world until people realize that (quoting from this blogpost) “running Flash on corporate desktops is simply asking for trouble. Asking for trouble loudly. Very loudly.”?

When we wrote this document on configuring IE8 securely we pointed out that using Adobe Flash required a risk acceptance, from our perspective. Man, how I was attacked! for this very statement afterwards in the customer environment that document was initially developed for. I’ve since mentioned Flash in this blog here, here and here.
Furthermore we’ll include a talk on Flash in next year’s Troopers line-up, I promise. And be it only to avoid this post sounding like a crusade of a bitter old man… (yes, this was a wordplay referring to some character from the movie ;-).

yours sincerely

Stansfield

Misc

Appstore security: 5 lines of defence against malware

A few days ago the European Network and Information Security Agency (ENISA) published this quite interesting document with the exact title. Here’s what it covers:

“The booming smartphone industry has a special way of delivering software to end-users: appstores. Popular appstores have hundreds of thousands of apps for anything from online banking to mosquito repellent, and the most popular stores (Apple Appstore, Google Android market) claim billions of app downloads. But appstores have not escaped the attention of cyber attackers. Over the course of 2011 numerous malicious apps were found, across a variety of smartphone models. Using malicious apps, attackers can easily tap into the vast amount of private data processed on smartphones such as confidential business emails, location data, phone calls, SMS messages and so on. Starting from a threat model for appstores, this paper identifies five lines of defence that must be in place to address malware in appstores: app review, reputation, kill-switches, device security and jails.”

Just read through it and while I’ve never been a big fan of STRIDE (mainly due to the application-centric approach which simply is not my cup of tea) I have to say it’s applied elegantly to the “app ecosystem” described in the paper.

The doc somewhat accompanies this one titled “Smartphones: Information security risks, opportunities and recommendations for users” (released by ENISA in late 2010), which is a valuable resource in itself.

Overall excellent work from those guys in Heraklion, providing good insight from and for practitioners in the field.

Have a great weekend everybody

Enno

Misc

Ross Anderson on Responsible Disclosure and Academic Freedom

Hi,

just a short, somewhat non-technical, post today: I really like this response Ross Anderson gave to the “UK Cards Association” asking Cambridge University to take offline a thesis of one of their students. It (the letter) pretty much summarizes how security research should be treated and backed by those interested in a more secure world we live in.

On a personal note I’d like to add that Ross’ main volume “Security Engineering: A Guide to Building Dependable Distributed Systems”, initially published in 2001 and updated in the interim with a second edition in 2008, has been the most influential security book for me on my long way in the infosec space (which started back in 1997, with some workshops on firewalls I gave for IT auditors). If I could take only one infosec book to a lonely island, it would be this one.

[not sure which one to take if I could only take one book at all 😉 … maybe Thomas Mann’s “Doktor Faustus”… will get back to this once I’ve figured an answer ;-)]

Back in a few days with the next part on IPv6, have a good one everybody

Enno

Misc

The OSSTMM 3 – What I like about it

Given the upcoming public release of ISECOM’s Open Source Security Testing Methodology Manual (OSSTMM) version 3, I took the opportunity to have a closer look at it. While we at ERNW never adopted the OSSTMM for our own way of performing security assessments (mostly due to the fact that performing assessments is our main business since 2001 and our approach has been developed and constantly honed since then so that we’re simply used to doing it “our way”) I’ve followed parts of ISECOM’s work quite closely as some of the brightest minds in the security space are contributing to it and they come up with innovative ideas regularly.
So I was eager to get an early copy of it to spend some weekend time going through it (where I live we have about 40 cm of snow currently so there’s “plenty of occasions for a cosy reading session” ;-))
One can read the OSSTMM (at least) two ways: as a manual for performing security testing or as a “whole philosophy of approaching [information] security”. I did the latter and will comment on it in a two-part post, covering the things I liked first and taking a more critical perspective on some portions in the second. Here we go with the first, in an unordered manner:

a) The OSSTMM (way of performing tests) is structured. There are not many disciplines out there where a heavily structured approach is so much needed & desirable (and, depending on “the circumstances”, so rarely found) so this absolutely is a good thing.

b) The OSSTMM has a metrics-based approach. We think that reasonable decision taking in the infosec space is greatly facilitated by “reducing complexity to meaningful numbers” so this again is quite valuable.

c) One of the core numbers allows to display “waste” (see this post why this is helpful).

d) It makes you think (which, btw, is exactly why I invited Pete to give the keynote at this year’s Troopers). Reading it will certainly advance your infosec understanding. There’s lots of wisdom in it…
In many aspects, the OSSTMM is another “step in the right direction” provided by ISECOM. Stay tuned for another post on the parts where we think it could be sharpened.

thanks

Enno
