Category Archives: Technology
The dark art of iOS app hacking presented at Black Hat.
There are three ways to hack an iOS app. One involves a zero-day exploit, a previously unknown security hole. These are rare but not unheard of for iOS apps. The other two involve getting physical access to the phone, Zdziarski said.
“You can infect the phone without a passphrase. The virus or bit of code sits on the phone, waiting for the user to unlock it.” Or, he explained, “Give me two minutes with somebody’s phone and I can dump the entire file system from it.” From there, he said he could look at apps for an exploit to take advantage of remotely.
He argued that this could become a serious problem as iPhones and iPads continue to increase in popularity. Enterprise use of iOS is growing, he said, as is government use.
All due to a double-edged sword.
The problem, Zdziarski explained, comes from the double-edged sword that is the iOS monoculture. It has benefits, he said, including a reduced attack surface, rapid prototyping, and fewer holes to blame on the developer. But, he added, its homogeneous attack surface means that if you can hack one iOS device, you can hack nearly all. (While it’s true that there are different versions of iOS in use, there are significantly fewer than the different flavors of Android.)
Zdziarski noted that security has become an afterthought for iOS app developers, since they’re trusting Apple’s iOS Keychain and runtime to be secure. Keychain is the iOS feature that stores passwords, certificates, and other security-related items under encryption. “Anybody with freely available open source tools can get around that encryption now,” said Zdziarski, who said the encryption has been busted for two years.

Zdziarski also showed that he didn’t even need the passcode to an iPhone to break its encryption. With a phone in his possession, he was able to drop a small piece of code from his computer onto the otherwise-locked phone. The code sits idle on the iPhone until the owner enters the passcode, which decrypts the file system and gives the malicious code access to all of it. “Developers are not turning on the encryption for most of their apps, and most users defer to a four-digit PIN, or a simple keyboard-friendly passphrase.” So, although the phone’s operating system may be protected, the level of data security on the phone presumes that iOS won’t be hacked.
A great illustration of why developers need to understand that security trumps all.
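The developer-side fix for the lapse quoted above, as an added example that is not from Zdziarski’s talk or this post: an app opts its own files and keychain items into iOS Data Protection, so they stay encrypted while the device is locked rather than relying on the OS alone. The file name, the keychain service and account labels, and the sample data are constructed for the example.

```objectivec
// Added example (not from the talk or the post): turning on iOS Data
// Protection for an app's files and keychain items. File name, keychain
// labels and payload are constructed placeholders.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Write a file so it is readable only while the device is unlocked.
// NSDataWritingFileProtectionComplete selects the strictest file class.
static BOOL WriteProtectedFile(NSData *contents, NSString *path, NSError **error) {
    return [contents writeToFile:path
                         options:NSDataWritingAtomic | NSDataWritingFileProtectionComplete
                           error:error];
}

// Upgrade an existing, unprotected file to the same class in place.
static BOOL ProtectExistingFile(NSString *path, NSError **error) {
    NSDictionary *attrs = @{ NSFileProtectionKey : NSFileProtectionComplete };
    return [[NSFileManager defaultManager] setAttributes:attrs
                                            ofItemAtPath:path
                                                   error:error];
}

// Store a secret in the keychain with the strictest accessibility class:
// available only while unlocked, and never migrated to another device
// through a backup (…ThisDeviceOnly).
static OSStatus StoreSecret(NSString *service, NSString *account, NSData *secret) {
    NSDictionary *query = @{
        (__bridge id)kSecClass       : (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService : service,
        (__bridge id)kSecAttrAccount : account,
    };
    // Remove any earlier copy so the new accessibility attribute takes effect.
    SecItemDelete((__bridge CFDictionaryRef)query);

    NSMutableDictionary *item = [query mutableCopy];
    item[(__bridge id)kSecValueData] = secret;
    item[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)item, NULL);
}

int main(void) {
    @autoreleasepool {
        NSString *docs = [NSSearchPathForDirectoriesInDomains(NSDocumentDirectory,
                                                              NSUserDomainMask, YES) firstObject];
        NSString *path = [docs stringByAppendingPathComponent:@"session-cache.bin"]; // hypothetical
        NSData *payload = [@"constructed sample data" dataUsingEncoding:NSUTF8StringEncoding];

        NSError *err = nil;
        if (!WriteProtectedFile(payload, path, &err)) {
            NSLog(@"protected write failed: %@", err);
        } else if (!ProtectExistingFile(path, &err)) {
            NSLog(@"re-protecting existing file failed: %@", err);
        }

        OSStatus status = StoreSecret(@"com.example.app", @"api-token", payload); // hypothetical labels
        NSLog(@"SecItemAdd returned %d", (int)status);
    }
    return 0;
}
```

With these classes the data is unavailable while the device is locked and the keychain item cannot be carried off in a backup, but the class keys are still wrapped with a key derived from the user’s passcode, so the second half of the quoted complaint, the four-digit PIN, bounds how much the setting buys you.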
- 19% Of iOS Apps Access Your Address Book Without Your Permission… Until iOS 6 [Report] (cultofmac.com)
- Apple investigating iOS in-app purchase hack (zdnet.com)
The GUI for Windows Server will eventually be no more. Here’s what Don Jones, over at RedmondMag.com, had to say about this eventuality.
- The full GUI experience on the Windows Server OS is now optional. Software meant to run on a server should not assume a GUI will be there, nor should it take for granted any of the many other dependencies that the full server OS has traditionally included. My analysis on this: It’s Microsoft’s shot across the bow. You’ll see a stronger position on this sometime in the future — maybe a few years off, but sometime. They want server apps to assume they’re running on what we used to call “Server Core.”
- The recommended way to run the Server OS is without the GUI. Didja see that? No, you don’t have to think it’s a good idea — I’m not pushing acceptance. I’m pointing out what’s happening. These are the facts on the ground.
- Microsoft has taken a (what I think is a very good) middle-ground step by introducing a “minimal GUI” mode in the server OS. That means you can have your GUI tools on the Server OS, as well as on your client computer, provided those GUI tools play by a few basic rules and don’t assume too many dependencies (like the presence of IE). They’ll have the full .NET Framework at their disposal, for example, which should help — especially if they’re tools based on the MMC architecture. So this gets you a “lighter” version of the Windows Server OS, but still lets you manage right on the console. My opinion, for what it’s worth: Anyone who thinks “minimal GUI” mode is anything more than a holding measure is crazy. To me, this clearly says Microsoft is trying to get us off the console for good. They know we’re not ready to give it up completely, so this is them trying to wean us off. Maybe I’m wrong on this — it’s happened before — but it sure seems that way when I look at the big picture.
- Notwithstanding the “minimal GUI” mode, Microsoft is recommending to software developers to not assume a GUI will be present. The full, rich GUI experience happens on the client. Not allowed to connect to your servers from your client computer? The suggestion appears to be “rethink your architecture.”
In other words, make sure you know the command-line interface and how to remote into a server, because before long that will be your only way to access Microsoft’s server OS.
My opinion is that Microsoft is pointed toward a world of “headless servers:” Minimal functionality from the console, rich management from a client computer. This is a step in that direction, and it’s intended to put us, and software vendors, on notice. Me, I’m going to take the hint. I hope y’all do as well. Windows Server “8” is a chance to start getting on board with what Windows will become — it’s not throwing us directly into the fire, but I think we have to take the opportunity to start adapting to this new direction.
- In Windows 7 and Server 2008 R2, the DES encryption types for the Kerberos authentication protocol are disabled by default. (itworldjd.wordpress.com)
- Windows Admins Need To Prepare For GUI-Less Server (tech.slashdot.org)
- CTU 2012 – Windows Server 8 Active Directory Overview (chengandrew.wordpress.com)
- Windows Server 8: Server Applications and the Minimal Server Interface (blogs.technet.com)
It’s that time again when CompTIA updates its Network+ exam.
CompTIA released its updated CompTIA Network+ exam (English only, initially) on Dec. 1. The revised Network+ objectives address virtual networking and give increased attention to network security and coverage of the seven-layer OSI (Open Systems Interconnection) model. A breakdown of exactly what is covered on the new exam is available from CompTIA.
Here’s what CompTIA’s research showed:
CompTIA research on US Small and Medium Businesses (SMBs) found that network efficiency and robustness were among the top items SMBs plan to address immediately, paving the way for other strategies such as cloud computing or unified communications.
Forty-eight percent of server technicians surveyed by CompTIA say that deeper networking knowledge is required when supporting servers in a cloud environment.
Among server technicians and managers of server technicians, 28% say that virtualization is a current focus, but 60% say that it is becoming a larger focus.
So you’ve applied for that IT job and you’ve made it to the interview stage. Here are some tips from Venture Loop CEO Jeremy McCarthy on how to make it a successful interview.
Regardless of how you view this prospective opportunity, always do your best in the interview for you never know where it may lead you. Some of his other suggested tips:
1) Research: With everything literally at our fingertips today, it’s close to blasphemy to enter an interview without having searched and studied as much about the history, facts and figures of the company with whom you are interviewing as possible. Savvy online searching can turn up valuable information to prove to an employer they’d be hiring an expert in their industry.
2) Review your triumphs and faults: You can almost guarantee that typical questions such as your vision for five years down the road, strengths, weaknesses, tough work situations and best type of person to work for will be asked, so why not write down your answers ahead of time to review rather than spin your wheels while sitting in the ‘hot seat.’
3) Behavioral question awareness: More firms rely on behavioral interviewing techniques to see how candidates answer when asked for specific examples of past professional situations. McCarthy presents some typical queries to prepare for ahead of time:
- How you handled not meeting a deadline
- How you dealt with conflict with a co-worker or boss
- What you did when someone else’s actions caused failure
- When did you show initiative
- What did you do when a customer was upset with you
- What did you do when a co-worker blamed you unfairly for something
For the rest of Mr. McCarthy’s tips check out the source.
- Strange interview questions tech companies ask revealed (zdnet.com)
- Job Search Tip: How to Eliminate Anxiety before an Interview! | Ashley Ellis (skillsinfo.wordpress.com)
This could be handy in snow areas like Wisconsin.
A new alarm clock application for the iPhone and Android wakes you earlier if it snowed last night. Called simply, “Winter Wake-Up,” the app lets you configure its settings to wake you up earlier than your scheduled alarm depending on weather conditions, with separate settings for both “Frost” and “Snow.”
There’s also an optional setting – a checkbox – which you can select that says “don’t bother to wake me if the weather’s too bad. I’ll work on Saturday.” (Or, as is more likely in today’s world, you’ll work from home that same day…just maybe a little later).
Is it something you would use?
- Winter Wake-Up Automatically Wakes Your Up Earlier if it Snows [Alarm Clocks] (lifehacker.com)
- Mobile app wakes users earlier on days with wintry weather (springwise.com)
Today of course is “Black Friday” and like every retail outlet across America, Host Gator is offering INCREDIBLE savings today only.
If you are in need of hosting for your website(s), look no further than Host Gator. In case you aren’t aware, Host Gator is one of the top recommended hosting sites for WordPress. And the tech support is awesome, which contributes to the great reputation for hosting WordPress blogs and sites.
Here are the details:
Save 50% on ALL hosting services
Until 11:59 CST on Friday, November 25 you can get 50% OFF on ALL hosting services. This includes shared hosting, reseller hosting, VPS hosting, Dedicated servers and Windows hosting! However, this does not include domain names.
Here’s what that means:
Competitively priced web hosting at Host Gator gets even more competitive!
Shared hosting: as low as $4.95/month, now only $2.48/month (pre-paid)
Reseller hosting: as low as $24.95/month, now only $12.48/month (pre-paid)
VPS hosting: as low as $19.95/month, now only $9.98/month (first month)
Dedicated servers: as low as $174/month, now only $87/month (first month)
Note that the discount of 50% applies to only the first month on the VPS and Dedicated Servers plans as these are billed monthly. Also note that this is valid for new hosting plans only so existing customers can’t use it on plan renewals (though you could add a plan to your account).
So head on over to Host Gator to get in on this GREAT hosting services deal.
- Black Friday 2011: the best apps and services for holiday shoppers (venturebeat.com)
- Black Friday Now Featuring Mobile Madness (whitehouse.gov)
Great piece over at the CompTIA blog regarding the “private cloud”:
What is the “private cloud?” Well, it’s where the company itself provides all of the cloud-based services, but from within its own firewall. Remember when the term “Intranet” was coined to describe how IT could provide the best Internet-based services behind the firewall? Private cloud computing is basically the same sort of approach. Again, some folks think that private cloud computing is an oxymoron. Like Eric Knorr over at InfoWorld, I think the definition of the “private cloud” is a bit fuzzy, but it’s worth talking about.
The private cloud involves virtualized services offered as a service independent of any single hardware platform, usually through a Web browser. When offered privately, cloud services remain behind the firewall, and they are offered on a metered basis. This means that the IT department becomes the “X as a service” provider.
The piece also lists the skills one should have to be an expert in the “cloud”:
If you want to become a private cloud computing expert, check out the following skills you should learn:
- Understand business issues, including the concepts of the Service Level Agreement (SLA), and chargeback. Yes, chargeback. Yeah, it’s kind of a weird word. The first time I heard it back in 1997, I thought someone was talking about some sort of new defensive lineman position for the NFL. Basically, chargeback means metering services and then charging departments, making your IT department a business within your business. This way, your IT department becomes less of a cost center and more of a revenue generator, in a sense. Pretty cool idea if you can get it to work.
- Know how to read a bill from a cloud provider, no matter which side of the firewall it comes from. From the people I’ve talked to, the numbers change pretty radically.
- Learn virtualization.
- Get some consulting skills.
- Cloud computing: Gaps in the ‘cloud’ (physorg.com)
- Silicon Alley Insider: What Is Cloud Computing? (businessinsider.com)
- Shared security flaws of cloud computing (ritcyberselfdefense.wordpress.com)