Blog Archives

Hacking Alive and Well When It Comes To iOS

The dark art of iOS app hacking presented at Black Hat.

There are three ways to hack an iOS app. One involves a zero-day exploit, a previously-unknown security hole. These are rare but not unheard of for iOS apps. The other two involve getting physical access to the phone, Zdziarski said.

“You can infect the phone without a passphrase. The virus or bit of code sits on the phone, waiting for the user to unlock it.” Or, he explained, “Give me two minutes with somebody’s phone and I can dump the entire file system from it.” From there, he said he could look at apps for an exploit to take advantage of remotely.

He argued that this could become a serious problem as iPhones and iPads continue to increase in popularity. Enterprise use of iOS is growing, he said, as is government use.

All due to a double-edged sword.

The problem, Zdziarski explained, comes from the double-edged sword that is the iOS monoculture. It has benefits, he said, including a reduced attack surface, rapid prototyping, and fewer holes to blame on the developer. But, he added, its homogeneous attack surface means that if you can hack one iOS device, you can hack nearly all. (While it’s true that there are different versions of iOS in use, there are significantly fewer than the different flavors of Android.)

Zdziarski noted that security has become an afterthought for iOS app developers, since they’re trusting Apple’s iOS Keychain and runtime to be secure. Keychain is the iOS feature that stores passwords, certificates, and other security-related items under encryption. “Anybody with freely available open source tools can get around that encryption now,” said Zdziarski, who said the encryption has been busted for two years. Zdziarski also showed how he didn’t even have to have the passcode to an iPhone to break its encryption. With a phone in his possession, he was able to drop a small piece of code from his computer onto the otherwise-locked phone. The code sits on the iPhone idle until the owner enters in the passcode, decrypting the file system and giving the malicious code access to the entire file system. “Developers are not turning on the encryption for most of their apps, and most users defer to a four-digit PIN, or a simple keyboard friendly passphrase.” So, although the phone’s operating system may be protected, the level of data security on the phone presumes that iOS won’t be hacked.

Source: iOS app hacking alive and well | The Download Blog – CNET Download.com.

A great illustration of how developers need to understand that security trumps all.

Winter Wake-up app

This could be handy in snow areas like Wisconsin.

A new alarm clock application for the iPhone and Android wakes you earlier if it snowed last night. Called simply, “Winter Wake-Up,” the app lets you configure its settings to wake you up earlier than your scheduled alarm depending on weather conditions, with separate settings for both “Frost” and “Snow.”

There’s also an optional setting – a checkbox – which you can select that says “don’t bother to wake me if the weather’s too bad. I’ll work on Saturday.” (Or, as is more likely in today’s world, you’ll work from home that same day…just maybe a little later).

Is it something you would use?

Undefeated at the hacking competition

Looks like if you want a smart phone that wasn’t hacked at the Pwn2Own competition, go with a phone that utilizes Android or Windows Phone 7.

And when it comes to a web browser, Chrome and Firefox may be the way to go.

From the results of the Pwn2Own hacking competition, it looks like Android and Windows Phone 7 are tough nuts to crack.

It took only two days for hackers to crack into the Apple and Blackberry operating systems during the three-day Pwn2Own tournament last week, while Android and Windows Phone 7 models were abandoned and left unhacked by the end of the contest.

Is this because their operating systems are more secure? Yes and no.

“The survival of a target at Pwn2Own does not automatically declare it safer than a target that went down,” last year’s Internet Explorer Pwn2Own winner Peter Vreugdenhil cautions.

So how does the competition work?

Vreugdenhil says many different factors determine how hard a target is to hack. There’s the safety of the software itself, the exploit mitigations that are already in place for that software, and then the amount of research that has already been conducted (which can speed up the process of writing an actual exploit).

But just because those four products were undefeated, don’t be too quick to jump on the respective products’ bandwagons.

The contestants who were lined up to beat the Android and WP7 devices in the competition withdrew for a variety of reasons.

Firefox and Chrome web browsers were also left undefeated because contestants withdrew from Pwn2Own.

And then there’s this little tidbit.

Safari, Chrome, iPhone, Android and Blackberry all use WebKit in their browsers, which means that they are all susceptible to exploitation through the browser — and that’s exactly how the iPhone and Blackberry were attacked.

Go to the source to see how to determine a safe smartphone, since ultimately no device is ever really unhackable.

Security holes in mobile bank apps

This is not good.

A security firm disclosed holes today in mobile apps from Bank of America, USAA, Chase, Wells Fargo and TD Ameritrade, prompting a scramble by most of the companies to update the apps.

“Since Monday (11/01/2010), we have been communicating and coordinating with the financial institutions to eliminate the flaws,” research firm viaForensics wrote in a post on its site. “The findings we published reflect testing completed on 11/03/2010. Since that time, several of the institutions have released new versions and we will post updated findings shortly.”

The company had reported its findings to The Wall Street Journal earlier in the day. Yesterday, viaForensics went public with problems in PayPal‘s iPhone app, spurring the online payment provider to action.

Specifically, viaForensics concluded that: USAA’s Android app stored copies of Web pages a user visited on the phone; TD Ameritrade’s iPhone and Android apps were storing the user name in plain text on the phone; Wells Fargo’s Android app stored user name, password, and account data in plain text on the phone; Bank of America’s Android app saves a security question (used if a user was accessing the site from an unrecognized device) in plain text on the phone; and Chase’s iPhone app stores the username on a phone if the user chose that option, according to the report.

While most of the companies scrambled to update their apps, this tidbit is concerning.

Spokespeople from several of the financial institutions told the newspaper that the supposed holes, in and of themselves, would not necessarily put users at risk because other safeguards are in place and that an attacker would need to know the user ID and password in many cases to access accounts.

As pointed out by Andrew Hoog of viaForensics:

“Our appWatchdog service clearly highlights the secure aspects of the financial apps we tested. Unfortunately, in the security world (especially when you access your bank account or provide credit card numbers), providing security most of the time is simply not good enough. For mobile app providers, there are no shortcuts to protecting customers’ data. It must be engineered from the start and thoroughly tested after any change in the app or underlying OS (i.e. iPhone iOS or Google Android).” (Source: CNET News)

While technology advancement has made life easier in many respects, security cannot be sacrificed.

Enterprise: Securing iPads

IT organizations have come to a stunning realization: There is no stopping the great iPad enterprise invasion. Risks abound as companies must deal with securing iPad apps without much help from Apple, says Julie Palen, senior VP of mobile device management at Tangoe, a telecom expense management software and services provider.

Palen’s group develops software that helps companies such as Wells Fargo and Coca-Cola manage BlackBerrys, iPhones, Android devices, and iPads — any devices connecting to a company’s back-end computing environment via Active Sync, BES, and Good Mobile Messaging.

The iPad, in particular, has had a rapid rise in enterprise adoption. More than 65 percent of Fortune 500 companies are deploying or piloting the iPad, Apple said during its most recent earnings call. Around 60 percent of Tangoe’s new business deals in the last quarter involve companies that have already deployed iPads or are planning to do so.

But the iPad isn’t really enterprise ready, in terms of manageability and security, says Palen, a 10-year veteran of mobile device management. She says IT organizations are buckling under pressure to support the iPad, even though the iPad wouldn’t have passed last year’s enterprise security requirements. (Source: InfoWorld)

Be sure to read the entire interview. Very interesting that the biggest obstacle to “security” in the enterprise with iPads is Apple itself.


It’s Mobile Fest week …

over at HootSuite.

It’s a big week here at HootSuite with a gaggle of new mobile releases coming down that will have Hoot fans rather giddy. You already heard that all HootSuite mobile apps are free and now the nest is filling up with a bevy of FIVE flavors of mobile apps. Some are completely new to the group, while others are familiar favorites with an update for your social media enjoyment. We think you’ll find each a welcome addition to the family.

With all these new owls hatching, it just *feels* like a festival – so get out your party hats to celebrate new mobile apps. We’ve also added a contest to help you get your fingers on new owls stickers featuring these new flying feathered friends.

For mobile fest, we’ll launch a new mobile platform flying out each day this week – it is a fest after all! Get a sneak peek at what’s coming and visit daily for the owl du jour.

New owl tools for the iPad, Blackberry and Android just to name a few.

From an Android perspective, hopefully the new owl will be better than HootSuite Lite.


Interesting technology articles …

from FriendFeed.

Microsoft Backtracks, Extends XP Availability to 2011 – CIO.com – Business Technology Leadership – http://www.cio.com/article…
Nielsen: Twitter Grows User Base Almost 1,500 Percent in May – CIO.com – Business Technology Leadership – http://www.cio.com/article…
Emulation Or Virtualization? – CIO.com – Business Technology Leadership – http://www.cio.com/article…
China to Google: No porn, or else | Digital Media – CNET News – http://news.cnet.com/8301-10…
Could Opera Unite be a botmaster’s best friend? | Security Central – InfoWorld – http://www.infoworld.com/d…
Security researchers develop browser-based darknet – http://searchsecurity.techtarget.com/news…
Protecting Your Most Critical Information : Information Security Resources – http://information-security-re…
Security Risks Accompany New Technologies : Information Security Resources – http://information-security-re…
Anti-Phishing with Two Factor Authentication : Information Security Resources – http://information-security-re…
HTTP Longevity During DoS ha.ckers.org web application security lab – http://ha.ckers.org/blog…
Financial security pros expect improved funding in second half of 2009 – http://searchfinancialsecurity…
Tweeting, video chatting atop North America – http://news.cnet.com/8301-13…
Vuln: IBM AIX ‘rpc.ttdbserver’ Remote Buffer Overflow Vulnerability – http://www.securityfocus.com/bid…
Vuln: Microsoft Word Record Parsing Buffer Overflow Vulnerability – http://www.securityfocus.com/bid…
Comcast Lengthens IPv6 Lead – http://www.cio.com/article…
Data Center Switch Scales to 648 40G Ports – http://www.cio.com/article…
Retiring application data to the cloud – http://news.cnet.com/8301-13…
Secrets Stolen, Fortunes Lost: Part I – http://information-security-re…
At Craigslist ‘camp,’ Facebook takes on Twitter – http://news.cnet.com/8301-17…
Microsoft confirms Nvidia ‘Tegra’ chip for Zune HD – http://news.cnet.com/8301-13…
IBM services get supercomputers up and running faster – http://www.infoworld.com/t…

Cyber criminals targeting Twitter

Beware of links that you click on.

Cyber criminals are setting snares that move at the speed of news. Panda Security, a Spain-based antivirus maker, has been monitoring an onslaught of links with malicious software, or “malware,” on Twitter that tag hot topics such as the Air France crash, the NBA finals, “American Idol” runner-up Adam Lambert and the new iPhone.

“Cyber criminals have been targeting Twitter users by creating thousands of messages (tweets) embedded with words involving trending topics and malicious URLs,” Sean-Paul Correll, a threat researcher for Panda Labs, wrote recently on a blog for the company.

The growing sophistication of malware attacks mirrors the growing threat — and cash — generated by online crime. Already, cyber crime is estimated to cost companies and consumers more than $100 billion worldwide. Some officials claim it has now eclipsed illegal drugs as a criminal moneymaker. (Source: Twitter message could be cyber criminal at work – CNN)

Recent article highlights 6/9/09

From FriendFeed:

Ice Energy to cool data centers – http://news.cnet.com/8301-11…

Spam reduces following Pricewert shutdown, reports say – http://news.cnet.com/8301-10…

DTV transition: Avoiding an e-waste ‘tsunami’ – http://news.cnet.com/8301-11…

CNET: Can $99 iPhone make Apple affordable? – http://www.cnn.com/2009…

New iPhone to hit stores June 19 – http://www.cnn.com/2009…

Juniper revs Ethernet to 100Gbps – http://news.cnet.com/8301-10…

UK hacker asks judges to stop extradition to US – http://www.wbay.com/global…

Apple Unveils Faster iPhone, Drastic Price Cuts – http://www.foxnews.com/story…

Recent article highlights …

from FriendFeed:

Will a new iPhone be announced today? – http://www.cnn.com/2009…

Internet advertising slumps in first quarter – http://news.cnet.com/8301-10…

Down Under gets first dibs on Windows 7 – http://news.cnet.com/8301-10…

Why Writers and Bloggers Should not Rely on the Internet – http://www.problogger.net/archive…

Intel ‘Braidwood’ chip targets snappier software – http://news.cnet.com/8301-13…

Federal Trade Commission shuts down rogue ISP – http://news.cnet.com/8301-10…

Scammers using search optimization on Twitter, Google – http://news.cnet.com/8301-10…
