If you ever wanted to work for the UK secret intelligence organisation GCHQ, they are running a contest until the 11th of December where you need to decipher some code to get a password. Once submitted, that password redirects you to their recruitment website.
The password is probably “ifyoudon’twanttoworkforuswewillfindyou”…
There is a good article on TECHNET on Next Generation Firewalls (NGF) and the fact that most, if not all, companies accept port 80 in/out, meaning traditional firewalls are less and less effective against malware that uses this port as a means to call home or get in.
The article nicely summarises the need to look at more than IP/port/protocol and also at the type of payload going through.
Although not a new technology, the evolution of malware is a growing issue which makes that technology more and more relevant.
Two vulnerabilities in iOS5 have recently been discovered, one is affecting the iPad2 and the other the new iPhone 4S. In both cases it allows anyone to bypass any lock/passcode to gain unauthorised access to the device.
1) iPad 2 + iOS5 + Smart Cover = Anyone can unlock your iPad
This only affects iPad2 with iOS5 and the smart cover set to automatically lock the device.
With a locked iPad2, keep pressing the power button until you see the screen telling you to swipe to turn off, close the smart cover, reopen it and push the CANCEL button.
This will give you access to the last application that was used. It means that if you were on the application listing screen you will be able to see all the applications installed on the iPad, but you will not be able to open any other application. This is because you are in the “finder”/“Explorer” application.
But it also means that if before you closed your smart cover to lock your device you were in the mail application, using this technique would give you full access to the mail app and your emails.
To fix the issue you need to disable the Smart Cover auto-lock feature until Apple fixes this bug.
2) iPhone 4S + Siri
With Siri enabled, even if you have locked your phone with a passcode, you can hold the HOME button and Siri will be activated, allowing you to speak commands such as call someone, send a text or an email, etc.
Although you cannot open applications this way, you can still do unauthorised actions as mentioned above.
To fix this issue you need to disable Siri until Apple fixes this bug.
What is somewhat surprising is that it is taking so long for Apple to fix these issues; they have been known for more than a week…
The Inquirer recently ran a story about a group targeting Facebook and its use of your personal information. This group, called “Europe Vs Facebook”, claims that Facebook not only stores information about you even after you have deleted it (in other words it never really gets deleted), but that they also create ghost profiles of users who opted not to be on Facebook in the first place.
I find this very interesting because technically it is quite possible… Even if someone is not on Facebook, their photo can be uploaded and their name tagged to it. It would require much more intelligence, though, to correlate information about that person discussed in Facebook mails/messages, but it is in theory possible.
Although many people have warned in the past about Facebook’s big brother attitude, its deletion policy emphasises the fact that they were right!
The Europe Vs Facebook website explains how to request Facebook for all the data they have on you.
The best advice regarding Facebook is to consider all the information in it as public, even if you are restricting your information to a selected few friends. Once you have told a story or shared a photo online, you do not control it any more.
Now the question really is, what about other social media sites? Twitter and co?
This is a bit of an unusual post for this site because it is not directly related to IT Security, but I have recently watched a video of a lecture by Rearden CEO Steve Perlman that I found truly inspiring!
Steve Perlman is the Steve Jobs of engineering.
He has participated in/invented/funded many different cutting edge technologies and gave an overview of 3 of them in his lecture. What strikes me is how all those technologies are linked together, even if it isn’t necessarily obvious. It would be tempting to say it is all driven by his apparent interest in gaming, but that would be too simplistic; it is driven by a desire to invent new technologies and not being afraid of rewriting the rules!
1. The first technology he spoke about is MOVA, which apparently rewrote the rules on how computer generated 3D characters are done (and more if you look at his last example about Batman). It is impressive to see the list of films that are now using that technology, from “The Curious Case of Benjamin Button” to the latest “Pirates of the Caribbean”. I actually thought they were using real actors and a mask for Benjamin Button…
It was also interesting to see that studies show the human brain doesn’t like “almost perfect” images of humans. In fact, we prefer a cartoon face over a very good but still not quite real 3D face. Something I believe we all sensed when watching some animated movies a few years ago which, although technically impressive, were just not quite right.
2. Then he spoke about ONLIVE, a technology which is primarily aimed at streaming HD and power hungry gaming experiences to terminals such as TVs, tablets, phones, etc…
Basically this is gaming in the cloud, but really, it is so much more!
I liked his analogy that today’s cloud solutions are more hybrids than complete solutions. You have a range of applications that are hosted in different “clouds” and some online storage stored in some other “clouds”, etc.
What they have designed is a huge, powerful backend that “just” streams video/audio to a terminal.
But for this to be usable they invented a new, very efficient video compression technology. Apparently the requirements are 3 to 5 Mb/s (soon to be 2 Mb/s) for HD video and 0.5 to 2 Mb/s for phone/tablet quality, which can be obtained on 3G!
You also need to be within 1,000 miles of one of their datacenters: 3 in the USA and only 1 in Europe (Autumn 2011).
Not only is their gaming offering already impressive and has been running for a year in the USA, but he also demonstrated the use of MAYA directly from an iPad.
So you could always question how useful it is to use such a complex application on such a small device, which does not necessarily have the right human interface to interact efficiently… but that technology also works on Mac or PC, and not everyone has a computer fast enough to handle that type of application.
The great thing about their technology is that you do not need to upgrade your device to catch up on the latest CPU or GPU requirements of future applications.
It would be interesting to find out more about how they handle file sharing among applications and what security they can offer to protect your hosted data.
3. Finally, he presented a new wireless technology which sounds pretty impressive. One that apparently breaks Shannon’s law with regard to shared spectrum capacity, as it could offer 10 to 1000 times what is available today. Furthermore, it has a wider coverage than TV, with at least 30 miles coverage. It is also much faster than 4G with much less latency, consumes less power, costs less, etc…
It does sound too good to be true, but with Steve Perlman’s track record I am happy to believe him.
This is apparently possible because we should not be considering airwaves like strings or wireless telephone lines, he made an analogy with a cell bubble around a telephone which I didn’t really understand, but then I don’t think anyone in the audience did! There is a white paper HERE.
It is called DIDO, for Distributed Input Distributed Output.
According to Steve this is a completely new way to look (I should really say listen ;) at airwave propagation, and if you were to look for DIDO traffic with standard radio equipment you would not see anything but noise.
This got me thinking, if this technology is so new, has such a huge and yet unknown coverage, cannot be detected with today’s radio technology… shouldn’t someone speak to SETI so they can listen to this “advanced” communication method ;)
Seriously though, this is all very impressive. It is a long video, about 1h30, but as I said at the start of this post Steve is an amazing source of inspiration. What a great attitude and great achievements!
He created a technology to produce life like animations, a technology to provide those graphics and more to everyone and finally a transport medium which could deliver all this almost anywhere in the world. This may be a loose link between all those inventions but a link nonetheless!
I am looking forward to seeing those new technologies hopefully blossom, and to his future inventions!
In the never ending story that is more issues/concerns with Dropbox, there is an interesting article discussing the recent changes of Terms and Conditions with using Dropbox:
In a nutshell, Dropbox is trying to protect themselves with what they do and can do with your data hosted in their data centre. It means granting Dropbox and those they work with “worldwide, non-exclusive, royalty-free, sub-licensable rights to use, copy, distribute, prepare derivative works” from your data.
The TechRepublic article stresses that it is already the case with sites such as Facebook. There is however a big difference. Facebook is mainly used for social content, personal “stuff” (to use Dropbox’s term). Dropbox is not only used for personal “stuff” but also for professional “stuff”.
It sounds as if Dropbox could now use any intellectual property stored on their servers. I am not sure many companies who have users syncing work related documents would be very happy with sharing it to the world.
So, to add to the data leakage risks related to the previous security issues, there is a new data loss concern with Dropbox. Not only do they have the keys to your data, but you must agree they can use/reuse it how they see fit.
This raises the question if Dropbox is fit to be used at an enterprise level. From all the above, clearly not. If their claim of having 25 Million users is true, then there is bound to be sensitive information on their servers. If hacker groups go after the likes of Dropbox, they would not target just one company, instead they would impact many.
Dropbox could just be the perfect modern Trojan horse: while companies are busy securing their perimeter, they could be losing control of their data being stored outside those defences.
Dropbox is a very convenient way to synchronise data across locations and devices; it is one of the leaders in cloud storage solutions. However, it has lately gathered some attention for the wrong reasons.
There has been a recent upset about the false claims (or incorrect depending where you stand on this) that no-one could decrypt your data on their data centre, including their staff. Well, it turned out it was no-one *excluding* their staff.
That’s fair enough; as long as they have the right processes and due diligence in place your data should be safe in their hands, and you can trust their staff.
This is pretty bad! One can question how secure they really are and will be! If the risk mitigation for their staff accessing your data is that they have good security processes in place, how does that translate into testing and signing off their code? If anything, it shows a lack of robust basic QA processes at the core of their product!
Dropbox does provide some TIPS TO SECURE DROPBOX so you can use some 3rd party encryption tools such as EncFS (free, but only Linux and Mac OS through MacFUSE), SecretSync and BoxCryptor (only Windows and Linux, but also compatible with EncFS).
I never thought this was really needed on Dropbox, until now!
There is also a mention of TrueCrypt, but I don’t think it is a good option… As highlighted in the article, Dropbox’s performance is enhanced by the fact that it only transfers delta changes. So for this storage technology not to be crippled, any encryption mechanism must follow the same delta-change update rule. With TrueCrypt the whole encrypted volume will have to be updated, and only after it has been unmounted.
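To make the delta-change point concrete, here is an added example (not the article’s, Dropbox’s or any of those tools’ code) that simulates a block-level delta sync: it counts how many 4 KiB units must be re-uploaded after a one-byte edit for a plaintext file, a file encrypted as one CBC chain, and a file encrypted chunk by chunk with per-chunk IVs. The cipher is a toy Feistel permutation standing in for AES, and the key, sample data and chunk size are constructed for the demonstration.

```python
import hashlib
BLOCK = 16          # block size of the toy cipher below
SYNC_CHUNK = 4096   # unit a block-level delta sync hashes and re-uploads

def _xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))
def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel permutation on SHA-256: invertible but NOT a secure
    # cipher; it only stands in for AES to show how chaining modes behave.
    left, right = block[:8], block[8:]
    for r in range(4):
        left, right = right, _xor(left, hashlib.sha256(key + bytes([r]) + right).digest()[:8])
    return left + right

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Plain CBC; length must be a multiple of BLOCK (no padding keeps chunks aligned).
    assert len(data) % BLOCK == 0
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return bytes(out)

def encrypt_chained(key: bytes, data: bytes) -> bytes:
    # One CBC chain over the whole file: every block depends on all earlier ones.
    return cbc_encrypt(key, b"\0" * BLOCK, data)

def encrypt_per_chunk(key: bytes, data: bytes) -> bytes:
    # Each SYNC_CHUNK is its own CBC chain with an IV derived from its index, so an
    # edit rewrites only its chunk (deterministic IVs do reveal which chunks changed).
    out = bytearray()
    for n, i in enumerate(range(0, len(data), SYNC_CHUNK)):
        iv = hashlib.sha256(key + n.to_bytes(8, "big")).digest()[:BLOCK]
        out += cbc_encrypt(key, iv, data[i:i + SYNC_CHUNK])
    return bytes(out)

def changed_chunks(old: bytes, new: bytes) -> int:
    # Count SYNC_CHUNK units whose hash differs: what a delta sync must re-upload.
    digest = lambda b, i: hashlib.sha256(b[i:i + SYNC_CHUNK]).digest()
    return sum(digest(old, i) != digest(new, i) for i in range(0, len(old), SYNC_CHUNK))

def compare_layouts(key: bytes, data: bytes, edit_at: int) -> dict:
    # Flip one byte at edit_at and report the re-upload cost under each layout.
    edited = bytearray(data); edited[edit_at] ^= 0xFF; edited = bytes(edited)
    layouts = {"plaintext": lambda k, d: d, "chained_cbc": encrypt_chained,
               "per_chunk_cbc": encrypt_per_chunk}
    return {name: changed_chunks(enc(key, data), enc(key, edited)) for name, enc in layouts.items()}

if __name__ == "__main__":
    SAMPLE = bytes(range(256)) * 256   # constructed 64 KiB "document" (16 sync chunks)
    print(compare_layouts(b"demo-key", SAMPLE, edit_at=20000))  # plaintext 1, chained 12, per-chunk 1
```

An edit in chunk 4 of 16 costs 12 chunks under the single chain (every block after the edit changes) but only 1 chunk under the per-chunk layout, which is the property a delta-sync friendly encryption layer needs.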
There has recently been an increase in blackhat attention to Apple products.
It would seem that what has been predicted for some time is about to be tested:
that one of the main reasons for Mac/OS X being more secure than Windows is that it did not get the same attention from hackers.
This had to happen, and I believe that the time is right.
Indeed, Apple products are gaining more and more market share, and their hippy/cool image is being eroded by both their very strict view of the world and exponential user base growth.
(On a non security related note, one could wonder how long can Apple be seen as different/cool if everyone has their product!)
This gives hackers every reason to turn their attention to Mac OS X and iOS.
Recently a fake antivirus software for Mac was discussed on the excellent Intego blog and many other sites.
And a few days ago it was discovered (as expected) that the defences Apple brought in to fight back are not really working; furthermore, it has also started to change name, as its latest iteration is now called Mac Shield.
Another sign of increased hacking activity is the availability, for the first time, of a hacking framework being sold on closed underground forums, the Weyland-Yutani BOT.
It allows users to inject payloads through Firefox exploits on Mac, but there is already a plan to extend the scope of that framework to target iOS devices and Chrome/Safari as well.
This is certainly not good news for Apple customers, but it will be interesting to see how this develops from now on and if Apple’s claim that their OS are more secure than the competition is proven true… or not!
My prediction? It isn’t true, and we should be seeing many more damaging security breach/issue stories related to Apple products this year.
The LavaRND project is a very interesting take on providing a cryptographically strong random generator framework,
both in terms of plans for physical devices and a software library.
If only I had more time I would love to try building one of their devices; nevertheless, I highly recommend this website, as it is full of very interesting information related to randomness and they even have some interesting demos using their random framework. You do not require an interest in cryptography to appreciate the work done.
Next time I need a strong random generator algorithm, I will know where to look :)