Invest in the Community… Schuyler Towne and Open Locksport

One of the best thing about the InfoSec community is the people. Sure like everywhere there are the idiots, big headed know it alls, and the leachers, but in general we are a supportive bunch, and happy to share.

So this brings me to this blog post. Many of you will know that one of my other interests is Lock Picking, and there is this guy called Schuyler Towne (@shoebox), and he likes lock picking… just a little bit :)

So why am I sharing this information, well he has set up a Kick Starter project to help get some funding to release his own customer made picks. Now you may be thinking you have got picks, and thats great. However custom made picks can improve your picking, they look funky, and hey your supporting the community.

I think the pledging opportunity is over at the end of September, so get in now and play your part. Oh and there is also something in it for you.

Click the image below and check out the video for the full story…

Patching Windows XP SP2 for the Shortcut LNK Vulnerability MS10-046

So we all know that on the 13th July 2010 Microsoft support for Windows 2000 Service Pack 4, and Windows XP Service Pack 2 came to an end.

Then on the 16th July they release a Microsoft Security Advisory 2286198 regarding a critical vulnerability that could allow remote code execution. This was then updated to  Security Bulletin and out of band patch MS10-046.

The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

So Microsoft then release the patch for XP SP3 and above, which is fine and great. However many organisations still have XP SP2, and this is a pretty good vuln, so you really would want to patch it. So obviously the best thing to do is pull your finger out and get upto XP SP3, as these sort of issues will continue and you need to be on a supported platform. Easier said than done for some companies, but we really should put the effort in.

However….. I was speaking to a friend who will remain unamed and he informed me that his company have been issued with a patch for XP SP2 to resolve the shortcut LNK vulnerability (MS10-046). So we start talking to our Microsoft reps, and apparently they is no such thing, etc etc. So I speak to my friend some more and get the filename and hash for the file. Then speaking to Microsoft some more, still denial, but they they say, oh well there is something like that, but its for embedded systems only.  Security Update for Windows XP Embedded (KB2286198)

So I think to myself, well I will check with my friend, and he confirms the hash’s are the same, and its the same file. I look at the properties and it says its ok for XP SP2, nothing about being embedded. So I grab a spare XP SP2 machine and install it. All verifies ok, and installs. Reboot. No problem. So this should work right???

Time to test.

Below is a simple quick and dirty video of an XP SP2 VM (This was the home edition I had handy, but have also checked on professional edition with the same results) where I use the Metasploit MS10-046 exploit to get a shell, I then patch the the KB2286198 patch mention above, and guess what no more shell. I am not sure why Microsoft are not sharing this info openly, but I guess at the same time it is there to test and download. Perhaps they don’t to set an out of support patching, bite them in the arse type situation.

Apologies the video is abit blurry, but this was a quick job, I recommend going HD on it for a little more clarity.

So basically this patch seems to fix the vulnerability in Windows XP SP2. So what now?? I recommend people carry out there own testing, and then if appropriate look to apply this patch as an interim measure. However it is still important to update your systems to XP Service Pack 3 or to Windows 7, as this issues will continue, and you may not be so lucky next time.

I have not seen this information anywhere else, so please spread the word and lets get these machines fixed.

iOS4 Is released, and fixes 64 iPhone Security Issues

At 6PM GMT Apple released its anticpated iOS4 software. This software apples to the iPhones and iTouch and in the not to distant future the iPad.

Apple have not really said to much about its Security updates, and they dont seem to be that easy to find. However if your interested here is the link to check out the 64 updates covered under iOS4.

As you can see there is alot of information about fixed vulnerabilities, but not what I was expecting an hoping for. I was looking forward to information on general security improvements, encryption, configuration and enterprise level stuff, not just a list of fixed vulns. Time for a good read through this, and further investigation for the corporate use case.

iPhone Security.. Does it exist??

I am not currently an iPhone user, but its clear that for many reasons they are a smart phone of great desire. Many of the customers I work have have shown an interest in deploying iPhones in their corporate environment. The reason being… well that often seems to be a difficult one for them to answer. I dont think they know really, perhaps they like the idea of developing some internal apps, or perhaps they like the idea of a trendy device.

Now I am all about helping people make an informed decision regardless of if I agree or not, so this got me into looking at the state of iPhone security (pre iOS4) and its not so good. Personally I think the iPhone is great for the user on the street (33% of smart phones globally are iPhones), but letting it lose in the corporate environment, against established Black Berry devices and alike, is surely madness?

I am not going to go into any great detail here, as a blog post is really not the place, but hopefully the information below will paint a small picture of concerns about using an iPhone in the corporate environment. If your interested in doing more research check out iPhone Forensics by Jonathan Zdziarski, as well as checking out his tutorials online. There was also a recent SANS Webcast on iPhone security also, and this also shared the same thoughts that I have, from investigations and information found online. I will also be doing another post on the security benefits iOS4 has brought, and how it does or doesn’t change the iPhones suitability in a corporate environment. Also check out CESG’s declaration of no iPhones allowed in Whitehall posted on The Register.

My main issue with iPhones for corporate environments, aside from the below is that there is no real enterprise management tooling. Yes some things can be improved with the use of the iPhone Configuration Utility, but this is a local process, and requires other tooling to distribute the config files. You can get some more additional control and reporting if you incorporate exchange, and maybe MobileMe. Also dont forget iTunes is also required, how many corporate standard builds feature iTunes?? I just cant see why companies consider the iPhone when compared to established offerings like Black Berrys, with its full enterprise suite of tools.

iPhones can be Jailbroken – This is the term associated with unlocking the restrictions applied to an iPhone, allowing any code to be run regardless of its approval by Apple or any other organisation, another advantage is that a Jail Broken iPhone also removes the ability for the remote removal of applications via Apple. Its is estimated that around 10% of iPhones globally are Jail Broken, the reason for this is most likely that others are worried about the voiding of warranty, as well as restricting the application of future updates from Apple. As well as opening your iPhone to using more programs, and enhancing its use, Jail Breaking also reduces the security of your iPhone if you are not security savvy. This was
demonstrated in late 2009 when a hacker released a worm targeting Jail Broken iPhones, there have also been other reports of viruses on Jail Broken iPhones compromising banking
transactions.

iPhone OS (pre iOS4) – All popular operating systems have security issues, and the iPhone OS has its fair share of vulnerabilities. The latest OS updated 46 currently known vulnerabilities; the reality is that as the iPhone grows in popularity and becomes adopted by organisations the incentive and reward to find and exploit vulnerabilities will continue to grow. A new feature or some would say security flaw with the iPhone OS that was discovered in May 2010 is the automatic mounting of the iPhone’s memory when connected via USB to a Linux based machine. This bypasses any controls, PINs and encryption set on the device and gives a limited access to the iPhones storage. I believe the primary goal was to allow iPhones to be used easily with Linux distributions, however obviously this brings with it serious security concerns.

The Apple App Store – The Apple App Store provides the single official point of contact for all applications on the iPhone. The idea behind this is to ensure that all applications are safe for use, and there are currently around 235,000 applications approved for download. Apple have confirmed that around 10% of applications submitted to the App Store have components within them that will aim to steal data. With this in mind, I would suggest that it is unlikely that Apple are able to 100% guarantee that all applications available have been fully tested and defined as safe. In fact it has been known that Apple occasionally remove applications from the App Store, and people’s devices, after making a decision to recall specific applications for various reasons. There are also various theories on how an application could be made available on the App Store, and obfuscate its real intention to steal data. The point to be made here, is that applications could potentially steal corporate data, regardless of their supposed safety approvals from Apple.

Passcodes and Pin Numbers – Most smart phones use a passcode, or PIN number to restrict the physical access to the device. iPhones do have this feature, however it is restricted as standard to only being 4 digits. This is obviously not a good situation, however the situation is made worse with multiple ways to bypass the passcode requirement all together. Some methods require the use of a computer, while others can be done stand alone in less than two mintues. This then gives full access to the device, contacts, emails etc, as if you have
entered the appropriate code.

Encryption – Until the release of the iPhone 3GS there was no encryption available on the device. The 3GS now features full hardware encryption of the device’s contents. Once again
with physical access it is possible to make a copy of the entire contents of the device, and circumvent the encryption, all of this is easily possible in fewer than 5 minutes. Just check out YouTube.

System Data – The iPhone stores a lot of data classified as system data. Even though applications run in a sandboxed / isolated environment there is still some leakage that occurs
when obfuscation is used within a program’s code. The system data contains a large amount of information, email parameters, names and addresses, but no passwords or messages. In
addition all keyboard entries (except for password fields) are cached and stored, along with address book entries, the last 20 sites browsing history, WIFI network history, as well as
images and their associated data, time, data, location. An interesting feature is that every time the home button is pressed on the iPhone to return to the home menu a screen shot is
taken, containing all the information on the screen for that application at the time, this is also saved and stored as system data. In addition to this VoiceMails can also be stored as system data. All of this system data can be accessed and backed up with physical access, as discussed before with encryption bypassing. An application that steals data would also have
access to this data, and could transmit the information over a Wifi network, or mobile Internet.

Finally, just as a reminder, these are just my opinions and thoughts, based on research and findings. I do like Apple products, I have a few :) However I am still not sure its ready for the corporate environment. Perhaps after reading about ALL the proposed iOS4 updates I will change my mind.

Time to wave goodbye to XP Service Pack 2 Support

If you are still running Microsoft Windows XP Service Pack 2, then here is some bad news if you didn’t hear about this last year. From the 13th July 2010 Microsoft will be removing support. So this means no more security updates, hotfixes etc.

So now might be a good time to update to Service Pack 3, its only been out 2 years so might be nice to be an early adopter :) If you are feeling really adventurous you might want to consider moving with Microsoft Windows 7??

If your running XP SP2 on you embedded systems you have until Jan 2011 to do the necessary.

If you are interested in Microsofts Support Life Cycle check out the information below:

Me and the Eurotrash Security Podcast Crew @ BruCon 2010

BruCON is an annual security and hacker(*) conference providing two days of an interesting atmosphere for open discussions of critical infosec issues, privacy, information technology and its cultural/technical implications on society. Organized in Brussels, BruCON offers a high quality line up of speakers, security challenges and interesting workshops. BruCON is a conference by and for the security and hacker(*) community.

The conference tries to create bridges between the various actors active in computer security world, included but not limited to hackers(*), security professionals, security communities, non-profit organizations, CERTs, students, law enforcement agencies, etc…..

Look out Belgium, all the Eurotrash Security crew are going to be in attendance at BruCon 2010 in September.

Myself (Dale Pearson) and Craig Balding will be presenting, and Chris John Riley and Wim Remes will also be in attendance at the conference. The Eurotrash Security team will also be taking part in the podcasters meet up. So feel free to come along and buy us a drink :)