Tuesday, September 24, 2013

Apple Lock-screen woes continue

After the iOS 6 lock screen problem, where the emergency call function could be used to bypass the lock screen, iOS 7 now has a lock screen bypass all its own.

With iOS 7 you can bypass the lock screen and access, view, transfer, email, tweet and post to Facebook all the pictures on the phone. From the Photos app you can reach the contacts, including their phone numbers and email addresses, and you can send out career-ending tweets or Facebook posts. You can also turn on AirDrop and "drop" all of their pictures to another phone, if you think of turning it on before unlocking the phone!

Videos online show the procedure but don't readily convey how to reproduce it, because timing is everything. Here's the HOW:

1) Push the home button to wake up the phone if the screen is off.
2) Slide the camera icon up from the bottom of the screen (this activates the Camera app, even if the phone's user previously closed it).
3) Push the home button to go back to the lock screen.
4) Flick upward from the bottom of the screen to open the control panel.
5) Tap Calculator (the Calculator app opens).
6) Hold the top button for about 5 seconds, until the phone presents the "slide to power off" message and, more importantly, the "Cancel" button at the bottom of the screen.
*** Do the next two actions as one step and try to get the timing right ***
7) Tap Cancel, then push the home button twice (the first press of the home button must come about half a second after the tap on Cancel, and the second press about half a second after the first. The way I do it is to say "click, click" out loud, pressing the button with each verbal cue.)
8) You can now scroll through the open apps, but the only ones that let you in are the Calculator and the apps reachable through the home-slide function.

If you have an iPhone running iOS 7, I'd recommend keeping it with you physically. If you do have to leave it somewhere, edit your settings and turn off access to the control panel from the lock screen (this option still lets you use the control panel once the phone is unlocked). And of course, watch for an OS update and install it as soon as it's available!

Wednesday, February 06, 2013

The New Face of Pen Testing

A recent pen test changed my viewpoint on industry-standard practices. The old ways are no longer working. Not only are industry-standard pen tests not working, they are providing a false sense of security.

Given the latest generation of firewalls, which are adaptive and resistant to scanning, we would expect port scanning and repeated door-knocking to be less effective. So why are we still being charged for a type of scan that is ineffective?

Recently a Fortune 500 company paid for a costly pen test on a network segment running critical systems, and it returned no results at all. Thinking that was impossible, I ran a few tests of my own with the same tools they used. I got two ports on the first IP and then nothing after that. I tried to mix it up using Nmap with its most stealthy settings. I decided to pwn them using my Nessus skills, and even tried a zombie and spoofing different addresses, and nothing worked. I was shut out. Nessus and the other tools failed to get anything from our ninja-like firewall.

Now that I had established that the standard tool set was producing almost nothing except false warm fuzzies, I broke out "my" set of tools. And I did what I do very well: break the rules. We know that companies on the net are spying on us in unprecedented ways and without restriction. Why not take advantage of their legally sanctioned espionage and leverage their data sets to reflect our own systems?

A day and a half later I had 138 vulnerabilities and counting, plus a full network diagram including IPs, servers, web sites, email addresses, technologies and phone numbers, all laid out in perfectly searchable and browseable order. A couple of hours of hand testing and searching some specific vendor sites turned up even more issues that none of the new "black hat" tool sets I use had found.

I took away five very valuable lessons:
1) The cost of a pen test does not predict its effectiveness.
2) Standard pen tests against active firewalls are useless and give a false sense of security.
3) Standard pen tests use tools that are out of date in four ways:
    a) they rely heavily on port scanning;
    b) they rely heavily on CVE lists, and CVE lists don't have a monopoly on vulnerability information;
    c) they don't leverage the Google factor enough;
    d) they require firewall exceptions, which distort the all-important "view of the hacker".
4) We need to use the tools hackers actually use, not the ones we're sold by the security intelligentsia.
5) There never will be a substitute for hand testing.
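As an added illustration of lessons 3b and 3c, and of leaning on other people's data sets instead of knocking on the firewall, here is a small Python script that is not part of the original post or the author's toolset. It builds a host inventory for a target domain from Certificate Transparency log records: every publicly trusted certificate the target ever bought names its hosts, and the CAs publish those names. The script assumes the JSON shape that crt.sh serves for a query like https://crt.sh/?q=%25.example.com&output=json (a list of objects whose "name_value" field holds newline-separated names); the records it parses here are constructed so it runs offline, and the "today" date used to judge certificate validity is an assumption.

```python
"""
Passive host discovery from Certificate Transparency (CT) logs.

Added example, not the author's toolset. The record shape is assumed
from crt.sh's JSON output; the records below are constructed.
Nothing here sends a packet to the target.
"""
import json
import re
from collections import defaultdict

# Constructed sample records (shape assumed from crt.sh output).
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Example Public CA, CN=Example Issuing CA 1",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2013-01-02T00:00:00", "not_after": "2014-01-02T00:00:00"},
    {"issuer_name": "C=US, O=Example Public CA, CN=Example Issuing CA 2",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nmail.example.com\nvpn.example.com",
     "not_before": "2012-01-15T00:00:00", "not_after": "2013-01-15T00:00:00"},
    {"issuer_name": "C=US, O=Example Public CA, CN=Example Issuing CA 2",
     "common_name": "dev-jenkins.corp.example.com",
     "name_value": "dev-jenkins.corp.example.com\nEXAMPLE.COM",
     "not_before": "2012-11-20T00:00:00", "not_after": "2013-11-20T00:00:00"},
    {"issuer_name": "C=US, O=Example Public CA, CN=Example Issuing CA 1",
     "common_name": "shop.example.net",
     "name_value": "shop.example.net",
     "not_before": "2012-01-01T00:00:00", "not_after": "2013-01-01T00:00:00"},
])

HOSTNAME_RE = re.compile(r"^([a-z0-9-]+\.)+[a-z]{2,}$")


def in_scope(name, apex):
    """True if `name` is the apex domain itself or a subdomain of it."""
    return name == apex or name.endswith("." + apex)


def inventory(ct_json, apex, today="2013-02-06"):
    """Build {hostname: {"issuers", "live_cert", "wildcard"}} for `apex`.

    live_cert: at least one certificate naming the host is still valid on
               `today` (ISO-8601 timestamps compare correctly as strings).
    wildcard:  a *.host certificate exists, so names beneath this host
               cannot be enumerated from CT alone.
    Out-of-scope names, malformed names and expired-only hosts are kept
    out or flagged rather than silently dropped into the host list.
    """
    hosts = defaultdict(lambda: {"issuers": set(), "live_cert": False,
                                 "wildcard": False})
    for record in json.loads(ct_json):
        live = record.get("not_after", "") >= today
        for raw in record.get("name_value", "").split("\n"):
            name = raw.strip().lower()
            wildcard = name.startswith("*.")
            if wildcard:
                name = name[2:]          # *.example.com -> example.com
            if not HOSTNAME_RE.match(name) or not in_scope(name, apex):
                continue
            entry = hosts[name]
            entry["issuers"].add(record.get("issuer_name", "unknown"))
            entry["live_cert"] = entry["live_cert"] or live
            entry["wildcard"] = entry["wildcard"] or wildcard
    return dict(hosts)


def report(hosts):
    """Render the inventory as text lines, sorted by domain hierarchy."""
    lines = []
    for name in sorted(hosts, key=lambda h: h.split(".")[::-1]):
        e = hosts[name]
        flags = ["wildcard"] if e["wildcard"] else []
        flags.append("cert-valid" if e["live_cert"] else "cert-expired")
        lines.append("%-32s %-22s issuers=%d"
                     % (name, ",".join(flags), len(e["issuers"])))
    return lines


if __name__ == "__main__":
    print("\n".join(report(inventory(SAMPLE_CT_JSON, "example.com"))))
```

The expired wildcard record is the interesting one: mail and vpn hosts show up even though no current certificate names them, and the dev-jenkins host under a corp subdomain is exactly the kind of name a port scan through an adaptive firewall never returns. Swap the constructed JSON for a real crt.sh response and the same code produces the searchable host list the post describes, without touching the target.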

David Cross

Sunday, January 13, 2013

Java Security Woes

Rapid7 has published an exploit for Java 7 releases prior to the 7.11 update that gives an attacker full control of the affected computer. All the attacker has to do is lure a user to a web site hosting the exploit code. Now that this exploit is in the wild (publicly available to hackers and wannabes alike), you need to take action.

Lately Oracle has had a bad run of security issues with Java. For years vulnerability researchers focused their efforts on Windows and other high-visibility targets, but now that Java runs on an enormous number of machines worldwide, attackers are taking notice.

Recently the US government, apparently a new source of computer security wisdom (yes, I am fully aware of the irony), recommended turning Java off. Curiously, though, given all the machinations Java had to go through to get around Microsoft's proprietary protections, disabling it is rather harder than it would seem. Java doesn't run as an ordinary application you can simply close: you can't just pop up Task Manager, kill Java and consider it off. You can't turn it off with one browser setting either. There are many ways to invoke Java from HTML, and half a dozen places you need to stop it, using registry tweaks and IE settings.
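To make "many ways to invoke Java from HTML" concrete, here is an added Python script (not code from the original post) that scans a page for the constructs that hand content to the Java plug-in: the <applet> element, <object> or <embed> carrying a Java MIME type, <object> referencing the Java Plug-in ActiveX classid (directly or via a type <param>), a Java Web Start .jnlp link, and a <script> that pulls in Oracle's deployJava.js loader. The MIME types and CLSID prefixes are the well-known Java Plug-in values but should be treated as assumptions to extend for your environment; the sample page it scans is constructed.

```python
"""
Enumerate the ways an HTML page can load the Java plug-in.

Added example, not from the original post. The MIME types, the
Java Plug-in CLSID prefixes and the deployJava.js loader name are
assumed well-known values; the sample page is constructed.
"""
from html.parser import HTMLParser

JAVA_MIME_TYPES = {
    "application/x-java-applet",
    "application/x-java-bean",
    "application/x-java-vm",
}
# Java Plug-in ActiveX CLSIDs: the classic "static" one and the
# CAFEEFAC-... family used for version-specific instantiation (assumed).
JAVA_CLSID_PREFIXES = (
    "clsid:8ad9c840-044e-11d1-b3e9-00805f499d93",
    "clsid:cafeefac-",
)

# Constructed sample page exercising each invocation form once.
SAMPLE_HTML = """<html><body>
<applet code="Calc.class" archive="calc.jar" width="1" height="1"></applet>
<object type="application/x-java-applet" width="1" height="1">
  <param name="code" value="Calc.class">
</object>
<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="1" height="1">
  <param name="type" value="application/x-java-applet;version=1.7">
  <param name="code" value="Calc.class">
</object>
<embed type="application/x-java-applet;version=1.7" code="Calc.class" width="1" height="1">
<object type="text/html" data="frame.html"></object>
<a href="launch.jnlp">Start</a>
<script src="https://www.java.com/js/deployJava.js"></script>
<img src="logo.png">
</body></html>"""


class JavaInvocationFinder(HTMLParser):
    """Collect (line, tag, reason) for every Java-invoking construct."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip().lower() for k, v in attrs}
        line = self.getpos()[0]                 # 1-based source line
        mime = a.get("type", "").split(";")[0]  # drop ";version=..."
        if tag == "applet":
            self.hits.append((line, tag, "applet element"))
        elif tag in ("object", "embed") and mime in JAVA_MIME_TYPES:
            self.hits.append((line, tag, "type=" + mime))
        elif tag == "object" and a.get("classid", "").startswith(JAVA_CLSID_PREFIXES):
            self.hits.append((line, tag, "classid=" + a["classid"]))
        elif (tag == "param" and a.get("name") == "type"
              and a.get("value", "").split(";")[0] in JAVA_MIME_TYPES):
            self.hits.append((line, tag, "param type=" + a["value"]))
        elif tag == "a" and a.get("href", "").split("?")[0].endswith(".jnlp"):
            self.hits.append((line, tag, "Java Web Start link " + a["href"]))
        elif tag == "script" and "deployjava" in a.get("src", ""):
            self.hits.append((line, tag, "deployJava.js loader " + a["src"]))


def find_java_invocations(html):
    """Return the list of (line, tag, reason) hits found in `html`."""
    finder = JavaInvocationFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


if __name__ == "__main__":
    for line, tag, reason in find_java_invocations(SAMPLE_HTML):
        print("line %2d <%s>: %s" % (line, tag, reason))
```

Seven distinct hits from one short page is the point: a setting that blocks only the <applet> path, or only the ActiveX classid, leaves the others open, which is why the post's advice is to remove the runtime rather than trust a single switch. Run it over your own sites, or over a proxy's cache of pages users visit, to see which paths you actually need to close.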

So what can be done? If it's so hard to turn off that you can't be certain you've shut every path down, you may want to simply uninstall the entire JRE (Java Runtime Environment). That's inconvenient if you're a Java developer; if you're not, it's probably the best way to be sure you're actually safe for the time being. YouTube is a good resource for understanding the removal process and does a better job than 100 static screenshots (videos: "How to uninstall Java from Windows" and "Uninstall Java from Mac").

If that solution doesn't sound good, or your child runs Minecraft and will be complaining the next day, you have the option of upgrading the JRE to 7.11 and praying really hard. If you like that option, here is the link to install JRE 7.11 (yes, update 11 already; YIKES!): http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html So upgrading and taking your chances is always an option.

For now I've uninstalled JRE on my PC and will probably break down and install the update on my sons' computer for Minecraft.   

I hope this helps! I wish there were an easier way. Personally, I think that merely disabling Java is the least recommended course of action, because it leaves you feeling secure even though some way for the browser to invoke Java likely remains in place. Additionally, leaving the vulnerable version on your computer, even turned off, is a risk: at some point it will likely get turned back on, and it will then be in an ideal state for cyber criminals to take advantage of.

If you choose "the road less traveled by" and it makes "all the difference" please let me know.

David

BTW, you'll want to patch up to 7.12 now. Good luck!