iOS 4.2 is out! Update your iDevice!

While many people (me included) are happy to update their devices to iOS 4.2 for the new features, most are not aware that the update also includes necessary security fixes.  iOS 4.2 (like many iOS updates prior) includes fixes to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, initiate a call, cause a denial-of-service condition, gain system privileges, or obtain sensitive information on your iPhone, iPad, or iTouch.  (While there is an update for AppleTV also, I’m not aware of what, if any, vulnerabilities were addressed with that update.)

A quick overview of these fixes includes fixing an issue with the new iAD service where the ads could send you to malicious sites, fixing mail issues where properly formatted HTML emails could send information back to the sender of the email, and a network issue where properly formatted PIM messages could cause a denial of service situation or the device to completely shut down.

To see a full list of the vulnerabilities addressed, please see Apple’s security page here:  http://support.apple.com/kb/HT4456

P.T. Barnum wasn’t wrong – Firefox Beta Links spread Malware

It should not come as a surprise to you that Firefox is available for free download from Mozilla (hence the Open Source Project).  This must not be apparent to users who are being fooled by a fake Firefox 4.0 beta download scam.  

The scam goes a bit like this:

  1. You want software but don’t want to pay for it (in this case a new version of the Firefox browser)
  2. You get email/see link/etc that a new Firefox browser is going to be out
  3. Email/Link/etc purports to provide either a software crack or a key generation file (items used to break registration of what should be purchased software).
  4. You download and run crack files
  5. You get infected with a Trojan

Reports note the following trojans have already been seen using this scam:

  • FraudTool.Win32.FakeVimes
  • Trojan-Downloader.Win32.CodecPack.2GCash.Gen
  • Trojan.DNSChanger.Gen
  • Virus.Win32.Parite
  • TrojanDownloader-Win32/FakeRean

Moral(s) of the story:

  1. Always check an authoritative source.  If you are interested in the Firefox 4 Beta, check out Mozilla’s site and download it there.
  2. It’s always a bad idea to pirate software.  Sites that host/distribute cracked versions of software and keygens are already operating in a shady area; don’t be surprised to get infected/attacked if that is a site you visit.  (As I tell my kids, don’t touch that, you don’t know where it’s been.)
  3. Patch and Update.  For at least the few noted pieces of malware being spread here, if your system is patched and your AV updated you should be okay.  However, this can change at any moment, so don’t test it.

Android and iPhone exploits revealed in past week

Over the weekend, a new Web-based jailbreak became available for iOS devices, offering users a simple method to open their devices to installation of unauthorized third-party applications.  An error in the processing of Compact Font Format (CFF) data within PDF files can be exploited to execute arbitrary code, e.g. when a user visits a specially crafted web page using Mobile Safari.

This is applicable to any iOS 4 device (all new iPhone 4s, iPads and any upgraded iPhone 3G and 3Gs).  One of the main features of iOS 4 was the SandBoxing approach to applications.  This exploit bypasses the SandBoxing by exploiting a third party app.  I have to say this doesn’t help Adobe’s popularity in Cupertino.

Time will tell if Apple will release a patch to iOS to resolve the issue or if Adobe will have to update their code.  For the time being, the best advice is to browse “safely” (if that’s really possible anymore) or just not browse at all.

The Android exploit has a completely different twist on it.  Spider Labs released a DVD at Defcon last week that provided a method to root the device.  Once the exploit is applied, the Android device acts as a bot for the hacker, who has full remote control over the device, providing access to all the user information on it.  What makes this more interesting is that Spider Labs is an ethical hacking team using this approach to incentivize manufacturers to provide a fix to the issue more quickly.

“It wasn’t difficult to build,” said Nicholas Percoco, head of Spider Labs, who along with a colleague, released the tool at the Defcon hacker’s conference in Las Vegas on Friday.  Percoco said it took the team about two weeks to build the malicious software.

CNET reported that ten companies had data compromised.  The list included Pepsi, Coca-Cola, Apple, and Google amongst others.  All information was solicited through one phone call to an employee of the company.

************** UPDATE Aug 5th **********************

CNET has posted that Apple has acknowledged the issue and already has a fix.  They did not mention when it would be released but a software update is imminent.

************** UPDATE Aug 11th *********************

Apple has released iOS 4.0.2 for iPhone and iTouch as well as iOS 3.2.2 for the iPad to address this vulnerability.  Of course a side effect of addressing this vulnerability is that it now breaks the functionality of JailbreakMe 2.0.  Not that this should be a surprise.

Cell phone security best practices – keeping your personal information personal.

In presentations I give on security, I have become accustomed to a pattern of presenting the information.  Step one, pose questions or situations that allow your audience to immediately identify with you or the subject.  Step two, provide case studies or scenarios that provide examples to support the subject.  Step three, give the audience some actionable items.

This article is all about supporting step three.  If I’ve done a good job of getting a person to identify with the subject and provided a reasonable explanation of the information, the reader/listener usually focuses in on the action items.

In this case, I wanted to provide supporting information to the Does My Cell Phone Have a Virus article. Also this seems very timely with the recent loss of the next generation iPhone at The Gourmet Haus Staudt in Redwood City, California. While I’m certain Apple has many more policies for device management, never mind the policies around having a prerelease device, if Gray Powell had simply followed the first recommendation below, things would be much different…

But I digress…   Most all the offline questions I have received from my last article have had a common theme:

  • I did this, did I get a virus?
  • My insert_model_phone_name_here is acting funny what do I do?
  • I installed this app, is it legit?

Trying to address issues at that level and point is the “whack-a-mole” approach you want to avoid.  You want to put preventative measures in place so that these concerns should be minimized.

You will find a number of lists like this on the Internet, but this is my take on steps to take to safeguard your information on your mobile device:

  1. Loss is your biggest risk, don’t lose your phone.  Your cell phone can have the equivalent information as your birth certificate, bank statements, and diary all in one location.  Maintaining physical control of the device is the best thing you can do to avoid losing your information.
  2. Make sure you use a password (or PIN if that’s what your phone supports) to lock out the device.  This is the single biggest thing that users complain about the inconvenience of.  If anyone were to pick up your device, do not leave it wide open for anyone to read.  Protect it.
  3. If your device offers encryption of the device and any removable media, use it.  If you lose a device, the average person who picks it up will not likely have the ability to pull memory chips and decrypt your information.  Make it difficult for someone to get the data.
  4. Just because you can download hundreds of applications, does not mean you should.  Be aware that many free applications are made to get personal information from you (again see my other post on this).  Others may actually be malicious.
  5. When downloading applications, be especially careful of banking applications. Only download them from trusted sources.  If you can download directly from the bank, that is your best option.  If you download from an app store, read the reviews and make sure you are one of the first 10 people to download something.
  6. Only use Bluetooth if you absolutely require it. If you use Bluetooth, enable a PIN for pairing devices and do not leave your device discoverable.
  7. If your device supports WiFi, only connect to secure and trusted networks.  A network called “FreeWiFi” usually is not the best option.
  8. Limit the amount of data you store on your phone.  If you are working on things like tax documents or have personal information on the device, only leave it on the phone while you need it.  Limiting the amount of data on the device limits your risk if the device is lost or stolen.
  9. From a financial liability standpoint, inquire about cell phone insurance from your provider.  In a day where cell phones can initially cost $300 and cost $500 to $600 to replace, it may be worth the couple of dollars a month insurance to be able to replace it.
  10. If your provider offers the ability to remotely manage or wipe a mobile device, know how this works and be prepared to use it in case your device is lost.  If you remove all the data, you can limit your loss to just the device itself.
  11. Inquire with your provider and check with device manufacturer for device patches and upgrades.  Much like your PC, smartphone software is updated on an ongoing basis to fix functionality and increase security.
  12. If your device supports third party security applications (usually Windows Mobile, Symbian, or Palm devices) look to manufacturers like Symantec and McAfee for firewall, anti-virus and SPAM prevention software.

Some of these are configurations you can do on your phone while the others are things you need to know to modify your behavior while using your phone.  If you follow these steps, chances are you should be okay.  In the rare case you lose your phone (ahem… next generation iPhone in a bar) and it happens to get picked up by an extremely technical user who can tear it down (Gizmodo), know that all bets may be off.  But for the average person, you’re going to be okay.

Why we need the iPad

I will disclaim that I am a fan of almost all products made by Apple.  I often try not to read any information on the days of product launches and instead wait until I can get the video and actually watch Steve (Jobs) sell me on why I need the next big thing.  However, when I watched the iPad launch, I felt… well, underwhelmed.

Time has since passed and having used an iPad I can definitely see a use for it.  It’s convenient, intuitive and most of all necessary.  Ok, I probably had you right up until necessary right?

Most posts I’ve read are arguing about the convenience of this device vs a laptop or even a smartphone, that the lack of multitasking kills the usefulness, or that they can’t adapt to the keyboard.  That’s well covered everywhere else and I don’t have the background to weigh in on those concerns.

However…

For the average user (I’m going to put that number at 80-90% of people using some personal computing device) whatever they have for a PC or laptop does far more than they need.  The openness of those systems, their flexibility, and the power to meet most any need make it challenging for the casual user to maintain them and have them meet their needs.  Power users will have specific applications that require more advanced hardware and in doing so, they sign themselves up for the challenges of maintaining that device.  Netbooks were the first (dare I say feeble) attempt to fill this market space.  They were something inexpensive that gave people access to the Internet and allowed them to send and receive email.  Good concept, poor execution.

Along came the iPad.  After giving it some thought, I think the iPad is exactly what we need.

Allow me to digress…  Every day I learn something.  Being in Information Security, usually that’s something that makes it more difficult for me to sleep at night.  Vulnerabilities increase, threats become more aggressive and better at defeating security measures, and I begin to wonder if we aren’t fighting a losing battle.

Which makes me wonder…  What if… What if the iPad really is what we need?

A constrained device (yes this is a good thing), with controlled application deployment (yes still a good thing), where all applications have very limited access to the operating system?  I say, yes.  Absolutely.  PLEASE!  There is a tremendous market for this (which Apple certainly knows). Many more tech savvy users are screaming blasphemy at their screens as they read this, however having a PC with unlimited capabilities, interfaces, and expandability is only a requirement for a percentage of users (and I dare say that percentage is probably lower than most initial guesses).  Even those users, as intelligent and well intentioned as they may be, tend to do things that allow themselves to be compromised every day.  Trust me, I see it.

The majority of users want a simple device that works and can offer some level of assurance of stability and data protection.  Remember “it just works!”  🙂

No more OS patches that break applications (well not the ones that Apple is allowing on the device anyway), no more security applications that accidentally break the operating system (hello McAfee? how’s that XP thing going for you?), just a highly controlled computing environment that’s set up to meet the needs of most users.  Most users are not aware of these issues anyway and honestly don’t want to be bothered.  They often only find out about much of this once they’ve experienced a significant system issue and even then, they don’t care, they just want their system back and working.

Will these devices eventually become as much of a target as “normal” systems?  Probably.  But I believe they are well suited to be managed more easily and better protected from threats.  They will be more limited in function than a PC, yes, but the end users will express a higher satisfaction rate regardless.

While everyone will continue to argue over the size, shape, whether or not it has a camera or can be a giant phone, I say they’ve missed the point.  We really do have a game changer here.

Hacker Disables More Than 100 Cars Remotely

I would like to say this surprises me.  But unfortunately I’ve heard rumblings for more than a year now about incidents like this.

There are various sites about hacking your OnStar system so you can utilize the GPS unit.  But that’s a local hack that is truly just a sophisticated modification to your own vehicle (regardless of how much GM dislikes it).  However the hacking (or any abuse) of the OnStar service would have far broader ramifications.

The fabled ultimate attack on these systems is a supposed penetration into the OnStar service network.  Understanding that the system has the ability to track and perform functions in your car like stopping the engine (in the case of a stolen vehicle) or locking/unlocking doors (if the owner is locked out), imagine the widespread panic if all OnStar vehicles were to have their engines disabled and all doors locked.  If this happened on a massive scale all at once, you would strike terror across the country and completely tank confidence.

We know the highest government agencies are under constant attack.  We know that some attacks are successful and they have a tremendous number of resources available to help prevent these attacks.  We also are quite aware of attacks on private corporations every day.  With GM being somewhere between these two entities (and OnStar likely somewhere in between too), what is the probability?  We already acknowledge it’s possible.

In the case of the WebTech Plus service, the users were told to remove the device from their vehicles until the issue was resolved with the network. I’m not proposing that you do it, but should one consider disabling the OnStar unit in their vehicle?  Yes I understand it’s there also for a rare safety incident, but does that imply that all those without OnStar service are at a higher risk driving their vehicles?  Perhaps this is a case where an ounce of prevention well outweighs the cure.

If you need me… I’ll be in the garage.