Monday, January 24, 2011

iPhone/Android/Blackberry Latest Vulnerabilities

Millions of e-mail addresses and passwords may have been stolen from Trapster, an online service that warns iPhone, Android, and BlackBerry owners of police speed traps, the company announced January 19. California-based Trapster has begun alerting its registered users and has published a short FAQ on the breach. "If you've registered your account with Trapster, then it's best to assume that your e-mail address and password were included among the compromised data," the FAQ stated. Trapster downplayed the threat, saying it was unsure the addresses and passwords were actually harvested. "While we know that we experienced a security incident, it is not clear that the hackers successfully captured any e-mail addresses or passwords, and we have nothing to suggest that this information has been used," Trapster said. 


In the Blackberry arena, a PDF vulnerability has been found in the Blackberry Attachment Service. Research In Motion has issued a security alert acknowledging a vulnerability in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server. The vulnerability is rated 9.3 (out of 10) on the Common Vulnerability Scoring System (CVSS). That is considered "high" in the National Vulnerability Database severity ratings. The advisory is intended for BlackBerry Enterprise Server (BES) administrators, who are the recommended persons to apply the RIM-supplied fix. The vulnerability affects BES for Exchange, IBM Lotus Domino and Novell GroupWise versions 4.1.6, 4.1.7, 5.0.0 and 5.0.1. BES for Exchange and IBM Lotus Domino version 5.0.2 and the Exchange-only 5.0.2 are also affected.

Source: http://gcn.com/articles/2011/01/19/vulnerability-in-blackberry-attachmentservice.aspx

Monday, January 17, 2011

Security in 2020


There's really no such thing as security in the abstract. Security can 
only be defined in relation to something else. You're secure from 
something or against something. In the next 10 years, the traditional 
definition of IT security -- that it protects you from hackers, 
criminals, and other bad guys -- will undergo a radical shift. Instead 
of protecting you from the bad guys, it will increasingly protect 
businesses and their business models from you.  

Ten years ago, the big conceptual change in IT security was 
*deperimeterization*. A wordlike grouping of 18 letters with both a 
prefix and a suffix, it has to be the ugliest word our industry 
invented. The concept, though -- the dissolution of the strict 
boundaries between the internal and external network -- was both real 
and important.  

There's more deperimeterization today than there ever was. Customer and 
partner access, guest access, outsourced e-mail, VPNs; to the extent 
there is an organizational network boundary, it's so full of holes that 
it's sometimes easier to pretend it isn't there. The most important 
change, though, is conceptual. We used to think of a network as a 
fortress, with the good guys on the inside and the bad guys on the 
outside, and walls and gates and guards to ensure that only the good 
guys got inside. Modern networks are more like cities, dynamic and 
complex entities with many different boundaries within them. The access, 
authorization, and trust relationships are even more complicated. 

Today, two other conceptual changes matter. The first is 
*consumerization*. Another ponderous invented word, it's the idea that 
consumers get the cool new gadgets first, and demand to do their work on 
them. Employees already have their laptops configured just the way they 
like them, and they don't want another one just for getting through the 
corporate VPN. They're already reading their mail on their BlackBerrys 
or iPads. They already have a home computer, and it's cooler than the 
standard issue IT department machine. Network administrators are 
increasingly losing control over clients. 

This trend will only increase. Consumer devices will become trendier, 
cheaper, and more integrated; and younger people are already used to 
using their own stuff on their school networks. It's a recapitulation of 
the PC revolution. The centralized computer center concept was shaken by 
people buying PCs to run VisiCalc; now it's iPads and Android smart phones.

The second conceptual change comes from cloud computing: our increasing 
tendency to store our data elsewhere. Call it *decentralization*: our 
email, photos, books, music, and documents are stored somewhere, and 
accessible to us through our consumer devices. The younger you are, the 
more you expect to get your digital stuff on the closest screen 
available. This is an important trend, because it signals the end of the 
hardware and operating system battles we've all lived with. Windows vs. 
Mac doesn't matter when all you need is a web browser. Computers become 
temporary; user backup becomes irrelevant. It's all out there somewhere 
-- and users are increasingly losing control over their data. 

During the next 10 years, three new conceptual changes will emerge, two 
of which we can already see the beginnings of. The first I'll call 
*deconcentration*. The general-purpose computer is dying and being 
replaced by special-purpose devices. Some of them, like the iPhone, seem 
general purpose but are strictly controlled by their providers. Others, 
like Internet-enabled game machines or digital cameras, are truly 
special purpose. In 10 years, most computers will be small, specialized, 
and ubiquitous. 

Even on what are ostensibly general-purpose devices, we're seeing more 
special-purpose applications. Sure, you could use the iPhone's web 
browser to access the *New York Times* website, but it's much easier to 
use the NYT's special iPhone app. As computers become smaller and 
cheaper, this trend will only continue. It'll be easier to use 
special-purpose hardware and software. And companies, wanting more 
control over their users' experience, will push this trend. 

The second is *decustomerization* -- now I get to invent the really ugly 
words -- the idea that we get more of our IT functionality without any 
business relationship. We're all part of this trend: every search engine 
gives away its services in exchange for the ability to advertise. It's 
not just Google and Bing; most webmail and social networking sites offer 
free basic service in exchange for advertising, possibly with premium 
services for money. Most websites, even useful ones that take the place 
of client software, are free; they are either run altruistically or to 
facilitate advertising. 

Soon it will be hardware. In 1999, Internet startup FreePC tried to make 
money by giving away computers in exchange for the ability to monitor 
users' surfing and purchasing habits. The company failed, but computers 
have only gotten cheaper since then. It won't be long before giving away 
netbooks in exchange for advertising will be a viable business. Or 
giving away digital cameras. Already there are companies that give away 
long-distance minutes in exchange for advertising. Free cell phones 
aren't far off. Of course, not all IT hardware will be free. Some of the 
new cool hardware will cost too much to be free, and there will always 
be a need for concentrated computing power close to the user -- game 
systems are an obvious example -- but those will be the exception. Where 
the hardware costs too much to just give away, however, we'll see free 
or highly subsidized hardware in exchange for locked-in service; that's 
already the way cell phones are sold. 

This is important because it destroys what's left of the normal business 
relationship between IT companies and their users. We're not Google's 
customers; we're Google's product that they sell to their customers. 
It's a three-way relationship: us, the IT service provider, and the 
advertiser or data buyer. And as these noncustomer IT relationships 
proliferate, we'll see more IT companies treating us as products. If I 
buy a Dell computer, then I'm obviously a Dell customer; but if I get a 
Dell computer for free in exchange for access to my life, it's much less 
obvious whom I'm entering a business relationship with. Facebook's 
continual ratcheting down of user privacy in order to satisfy its actual 
customers -- the advertisers -- and enhance its revenue is just a hint 
of what's to come. 

The third conceptual change I've termed *depersonization*: computing 
that removes the user, either partially or entirely. Expect to see more 
software agents: programs that do things on your behalf, such as 
prioritize your email based on your observed preferences or send you 
personalized sales announcements based on your past behavior. The 
"people who liked this also liked" feature on many retail websites is 
just the beginning. A website that alerts you if a plane ticket to your 
favorite destination drops below a certain price is simplistic but 
useful, and some sites already offer this functionality. Ten years won't 
be enough time to solve the serious artificial intelligence problems 
required to fully realize intelligent agents, but the agents of that 
time will be both sophisticated and commonplace, and they'll need less 
direct input from you. 

Similarly, connecting objects to the Internet will soon be cheap enough 
to be viable. There's already considerable research into 
Internet-enabled medical devices, smart power grids that communicate 
with smart phones, and networked automobiles. Nike sneakers can already 
communicate with your iPhone. Your phone already tells the network where 
you are. Internet-enabled appliances are already in limited use, but 
soon they will be the norm. Businesses will acquire smart HVAC units, 
smart elevators, and smart inventory systems. And, as short-range 
communications -- like RFID and Bluetooth -- become cheaper, everything 
becomes smart. 

The "Internet of things" won't need you to communicate. The smart 
appliances in your smart home will talk directly to the power company. 
Your smart car will talk to road sensors and, eventually, other cars. 
Your clothes will talk to your dry cleaner. Your phone will talk to 
vending machines; they already do in some countries. The ramifications 
of this are hard to imagine; it's likely to be weirder and less orderly 
than the contemporary press describes it. But certainly smart objects 
will be talking about you, and you probably won't have much control over 
what they're saying. 

One old trend: deperimeterization. Two current trends: consumerization 
and decentralization. Three future trends: deconcentration, 
decustomerization, and depersonization. That's IT in 2020 -- it's not 
under your control, it's doing things without your knowledge and 
consent, and it's not necessarily acting in your best interests. And 
this is how things will be when they're working as they're intended to 
work; I haven't even started talking about the bad guys yet. 

That's because IT security in 2020 will be less about protecting you 
from traditional bad guys, and more about protecting corporate business 
models from you. Deperimeterization assumes everyone is untrusted until 
proven otherwise. Consumerization requires networks to assume all user 
devices are untrustworthy until proven otherwise. Decentralization and 
deconcentration won't work if you're able to hack the devices to run 
unauthorized software or access unauthorized data. Decustomerization 
won't be viable unless you're unable to bypass the ads, or whatever the 
vendor uses to monetize you. And depersonization requires the autonomous 
devices to be, well, autonomous. 

In 2020 -- 10 years from now -- Moore's Law predicts that computers will 
be 100 times more powerful. That'll change things in ways we can't know, 
but we do know that human nature never changes. Cory Doctorow rightly 
pointed out that all complex ecosystems have parasites. Society's 
traditional parasites are criminals, but a broader definition makes more 
sense here. As we users lose control of those systems and IT providers 
gain control for their own purposes, the definition of "parasite" will 
shift. Whether they're criminals trying to drain your bank account, 
movie watchers trying to bypass whatever copy protection studios are 
using to protect their profits, or Facebook users trying to use the 
service without giving up their privacy or being forced to watch ads, 
parasites will continue to try to take advantage of IT systems. They'll 
exist, just as they always have existed, and -- like today -- security 
is going to have a hard time keeping up with them.

Welcome to the future. Companies will use technical security measures, 
backed up by legal security measures, to protect their business models. 
And unless you're a model user, the parasite will be you. 

This essay was originally written as a foreword to "Security 2020," by Doug Howard and Kevin Prince. http://www.amazon.com/exec/obidos/ASIN/0470639555/counterpane/

Thursday, January 13, 2011

Free City Cash Scam Spreads on Facebook

Free City Cash scam spreads on Facebook. A new survey scam is rapidly propagating on Facebook by promising users free virtual currency for use in Zynga’s latest hit game CityVille. "Woohoo! Thanks CityVille I got my 1,000 City Cash! http[colon]//apps[dot]facebook[dot]com/[censored]" or "CityVille is giving 1,000 City Cash for a limited time only! Grab Yours Now! http[colon]//apps[dot]facebook[dot]com/[censored]," the messages promoting this scam read. City Cash is one of several in-game currencies which can be used to build special buildings, expand the city’s land, and perform other actions. City Cash can be either earned or bought with real money. However, this is nothing more than one of the many rogue application-based survey scams that have plagued Facebook for the past half year. Opening the spammed links takes users to a well-designed page bearing the CityVille logo, but clicking on the button to claim the alleged prize prompts a permissions request dialog from an app called "Giveaway Promo." The application wants access to users’ profile information and to post on their walls in order to spam their friends. 

Source: http://news.softpedia.com/news/Free-City-Cash-Scam-Spreads-on-Facebook-177588.shtml

Wednesday, January 12, 2011

Aging simulation scam hits Facebook users

Facebook scammers are tricking users into taking surveys by promising them an app that can simulate what their appearance would be 20 years from now. According to Facecrooks, the spam messages associated with this latest scam read "Wow, how creepy, LOL i look scary as an old person! - http[colon]//bit[dot]ly/[censored]" and share a page called "AGE yourself! See what you will look like in 20 years!" Clicking on the link takes users to a page which displays the picture of a girl and how she would allegedly look 20 years into the future. The images seem to have been copied from a real aging simulation service available at in20years.com that scammers deemed interesting enough to attract users. A message on the rogue page instructs users to click on the image to begin the simulation process. However, doing this will prompt a permissions dialog from an app called "OMG - How could this happen?" that wants access to post on people’s walls in order to spam their friends.

Source: http://news.softpedia.com/news/Aging-Simulation-Scam-Hits-Facebook-Users-177371.shtml

Researcher uses Amazon cloud to hack WPA-PSK passwords.

A security researcher in Germany is warning that Amazon's cloud service can be used to brute force weak passwords used to protect Wi-Fi security. Short and weak passwords would be vulnerable to a brute force attack, especially at the speeds offered by Amazon's services, which are capable of testing 400,000 potential passwords every second. The researcher claims to have found the key for a network in his neighborhood using his method and Amazon's service. The brute force attack took about 20 minutes to get the correct key, but he is making changes to his code which he reckons could bring the time down in such a case to about 6 minutes. He will distribute his software publicly and give demonstrations on using it at the Black Hat conference in Washington, D.C. He is releasing it to convince skeptical network administrators that such attacks will often be successful against protected networks.

Source: http://www.afterdawn.com/news/article.cfm/2011/01/11/security_researcher_uses_amazon_cloud_to_hack_wpa-psk_passwords

Microsoft Repairs Critical Windows Flaw, Issues Temporary IE Fix

Microsoft issued two security bulletins Tuesday, repairing two critical flaws that affect all versions of Windows. The software giant also updated a security advisory, issuing a temporary automated workaround that, if deployed, would block attackers from exploiting an Internet Explorer zero-day vulnerability.

The January updates repaired three vulnerabilities in Microsoft Windows and Windows Server. It was a quiet month compared to December, which saw a record-breaking 17 bulletins.

Source: http://go.techtarget.com/r/13151461/7882181

Monday, January 10, 2011

US Government Strategy to Prevent Leaks... has been leaked.

The US government's 11-page document on how to get various US government agencies to prevent future leaks has been leaked to MSNBC. It doesn't get any more ironic than that. After the various leaks made by WikiLeaks, the US government understandably wants to limit the number of potential leaks, but their strategy apparently isn't implemented yet. Here's the crux of the memo, which was sent this week to senior officials at all agencies that use classified material:
"Each initial assessment should be completed by January 28, 2011, and should include the following with respect to the attached list of self-assessment questions:"
  1. Assess what your agency has done or plans to do to address any perceived vulnerabilities, weaknesses, or gaps on automated systems in the post-WikiLeaks environment.
  2. Assess weakness or gaps with respect to the attached list of questions, and formulate plans to resolve the issues or to shift or acquire resources to address those weaknesses or gaps.
  3. Assess your agency's plans for changes and upgrades to current classified networks, systems, applications, databases, websites, and online collaboration environments - as well as for all new classified networks, systems, applications, databases, websites or online collaboration environments that are in the planning, implementation, or testing phases - in terms of the completeness and projected effectiveness of all types of security controls called for by applicable law and guidance (including but limited to those issued by the National Security Staff, the Committee on National Security Systems, the National Institute for Standards and Technology).
  4. Assess all security, counterintelligence, and information assurance policy and regulatory documents that have been established by and for your department or agency.
It's clear that the Obama administration is telling federal agencies to take aggressive steps to prevent further leaks. According to the document, these steps include figuring out which employees might be most inclined to leak classified documents, by using psychiatrists and sociologists to assess their trustworthiness. The memo also suggests that agencies require all their employees to report any contacts with members of the news media they may have.

Source: http://www.techspot.com/news/41889-leaked-us-government-strategy-to-prevent-leaks.html

Friday, January 7, 2011

Passive Automotive Systems Bypassed.

Car thieves of the future might be able to get into a car and drive away without forced entry and without needing a physical key, according to new research that will be presented at the Network and Distributed System Security Symposium next month in San Diego, California.

The researchers successfully attacked eight car manufacturers' passive keyless entry and start systems—wireless key fobs that open a car's doors and start the engine by proximity alone.

Flash Player sandbox can be bypassed.

Flash applications run locally can read local files and send them to an online server, something the sandbox is supposed to prevent. Flash includes a number of sandboxes which impose restrictions depending on the origin of, and access rights for, the SWF file. Local SWF files, for example, which run within the local-with-file-system sandbox, are permitted to access local files but not the network, so a malicious SWF applet should not be able to send local data to a remote server. However, an H Security specialist has determined that Adobe controls access to the network using a blacklist of protocol handlers. Protocols such as HTTP and HTTPS are blacklisted. He reports it is in principle possible to send files to a server using the file: protocol handler, but that this only works within the local area network. He has identified another protocol handler which can be used to send data to remote servers: mhtml.

Source: http://www.h-online.com/security/news/item/Flash-Player-sandbox-can-be-bypassed-1164376.html

Thursday, January 6, 2011

Exploit for critical vulnerability in Microsoft Office appears in the wild

An exploit has been discovered in the wild that can successfully attack a critical vulnerability in the way Microsoft Office handles Rich Text Format data, allowing remote execution of code on a victim computer. Microsoft released a patch for the vulnerability, known as CVE-2010-3333, in November 2010, and no widespread outbreaks of exploits have yet been reported. The public availability of an exploit lowers the bar for attackers, however, and increases the urgency for seeing that affected software is patched.

Source: http://fcw.com/articles/2011/01/04/ms-office-rtf-exploit.aspx

Microsoft issues IE advisory, warns on FTP flaw

Microsoft's security team announced late December 2010 that it is investigating two proof-of-concept flaws in Microsoft's Web-related software. One of the flaws offers a possible avenue for remote code execution attacks via Internet Explorer (IE). The other flaw could enable denial-of-service attacks by exploiting a vulnerability in Internet Information Services FTP 7.5, which runs as a part of Windows 7 and Windows Server 2008 R2. The IE proof-of-concept flaw potentially affects all versions of Microsoft's Web browser. It supposedly works by bypassing protections normally enabled by Microsoft's address space layout randomization (ASLR) and data execution prevention (DEP) technologies. Microsoft described the problem in a blog post in December 2010, suggesting that users could deploy Microsoft's Enhanced Mitigation Experience Toolkit (EMET) as a workaround.

Source: http://fcw.com/articles/2011/01/04/ecg-microsoft-investigating-ie-and-ftp-security-flaws.aspx

New Stealth Rootkit Steals Windows 7, Server 2008 Privileges On The Fly.

A European researcher has created a rootkit that can evade detection in Windows 7 and Windows Server 2008 machines and reset user passwords. The rootkit was initially a project meant for training purposes. But its designer, a security expert for Deloitte in Hungary who works on penetration testing and forensic cases, says he eventually discovered he could perform new types of attacks with the rootkit, which he plans to deliver to antivirus firms as well as to the International Council of E-Commerce Consultants (EC-Council) for its certified hacker training program. He demonstrated the rootkit for the first time at the recent Hacker Halted conferences in Miami, Florida, and Cairo, Egypt. One particularly powerful module of the rootkit is based on the concept of a cached data attack. The cached data attack has to do with how the operating system caches data in physical memory. It lets an attacker clear and reset passwords in memory without being detected by the operating system.

Source: http://www.darkreading.com/authentication/167901072/security/vulnerabilities/229000060/new-stealth-rootkit-steals-windows-7-server-2008-user-privileges-on-the-fly.html

Microsoft Warns of Thumbnail Hole in Windows

In a security advisory, Microsoft warns of a new, previously unknown security hole in Windows which can be exploited to inject and execute arbitrary code. Sample code that demonstrates how to go about an exploit is already in circulation. In December 2010, two people gave a presentation entitled "A Story about How Hackers' Heart Broken by 0-day" at the "Power of Community" security conference. Their presentation documents describe a security hole in Windows that is connected to the display of thumbnails and can reportedly be exploited locally via Explorer as well as remotely via WebDAV. Displaying a file with a specially crafted thumbnail is all that is required for a successful attack. The vulnerability is exploited by setting a negative number of colour indexes in the colour table (biClrUsed). According to Microsoft's security advisory, all versions of Windows except Windows 7 and Server 2008 R2 are vulnerable. Microsoft say that they are currently not aware of any attacks which try to exploit the reported vulnerability. However, this could soon change, as a Metasploit module for creating suitable malicious files was released almost simultaneously with Microsoft's advisory.

Source: http://www.h-online.com/security/news/item/Microsoft-warns-of-thumbnail-hole-in-Windows-1163562.html
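
As an added illustration (not code from the advisory, the presentation or the article), the following Python reads the BITMAPINFOHEADER of a BMP/DIB and flags the condition described above, a negative biClrUsed, together with the related case of a palette count larger than the pixel depth allows. Field names follow the Windows BITMAPINFOHEADER layout; the sample files are constructed headers with no pixel data.

```python
import struct
from typing import Dict, List

BITMAPFILEHEADER_LEN = 14   # "BM", bfSize, bfReserved1, bfReserved2, bfOffBits
BITMAPINFOHEADER_LEN = 40

# Little-endian BITMAPINFOHEADER. biClrUsed is deliberately unpacked as a
# signed 32-bit value ("i") so that a "negative" colour count, the condition
# the advisory describes, shows up as such instead of as a huge unsigned number.
_INFO_HEADER = struct.Struct("<IiiHHIIiiiI")
_INFO_FIELDS = (
    "biSize", "biWidth", "biHeight", "biPlanes", "biBitCount", "biCompression",
    "biSizeImage", "biXPelsPerMeter", "biYPelsPerMeter", "biClrUsed", "biClrImportant",
)


def parse_bmp_headers(data: bytes) -> Dict[str, int]:
    """Parse the BITMAPINFOHEADER that follows the 14-byte BITMAPFILEHEADER."""
    if len(data) < BITMAPFILEHEADER_LEN + BITMAPINFOHEADER_LEN:
        raise ValueError("input too short to hold BMP file and info headers")
    if data[:2] != b"BM":
        raise ValueError("missing 'BM' signature")
    values = _INFO_HEADER.unpack_from(data, BITMAPFILEHEADER_LEN)
    return dict(zip(_INFO_FIELDS, values))


def colour_table_findings(hdr: Dict[str, int]) -> List[str]:
    """Return the reasons this header's colour-table fields look malformed.

    An empty list means the fields are within the bounds a loader should accept.
    """
    findings = []
    if hdr["biSize"] < BITMAPINFOHEADER_LEN:
        findings.append("biSize %d is smaller than BITMAPINFOHEADER" % hdr["biSize"])
    bits = hdr["biBitCount"]
    if bits not in (1, 4, 8, 16, 24, 32):
        findings.append("unsupported biBitCount %d" % bits)
    clr = hdr["biClrUsed"]
    if clr < 0:
        # A signed comparison such as `if (biClrUsed <= 256)` accepts this value,
        # while the unsigned size computation that follows it wraps around.
        findings.append("biClrUsed is negative (%d)" % clr)
    elif bits <= 8 and clr > (1 << bits):
        findings.append("biClrUsed %d exceeds the %d palette entries a %d-bpp image can have"
                        % (clr, 1 << bits, bits))
    return findings


def build_sample_bmp(width: int, height: int, bitcount: int, clr_used: int) -> bytes:
    """Construct a header-only BMP (constructed sample data, no pixel payload)."""
    # Palette length is clamped to 256 entries so the offsets stay representable.
    palette_len = 4 * min(max(clr_used, 0), 256) if bitcount <= 8 else 0
    off_bits = BITMAPFILEHEADER_LEN + BITMAPINFOHEADER_LEN + palette_len
    file_hdr = struct.pack("<2sIHHI", b"BM", off_bits, 0, 0, off_bits)
    info_hdr = _INFO_HEADER.pack(BITMAPINFOHEADER_LEN, width, height, 1, bitcount,
                                 0, 0, 2835, 2835, clr_used, 0)
    return file_hdr + info_hdr


def scan_bmp(data: bytes) -> List[str]:
    """Parse then check, returning the list of findings (empty if the header is sane)."""
    return colour_table_findings(parse_bmp_headers(data))


if __name__ == "__main__":
    samples = {
        "benign 8-bpp, 256 colours": build_sample_bmp(16, 16, 8, 256),
        "negative biClrUsed": build_sample_bmp(16, 16, 8, -1),
        "oversized palette": build_sample_bmp(16, 16, 4, 300),
    }
    for label, blob in samples.items():
        print(label, "->", scan_bmp(blob) or "ok")
```

The same check applies to a DIB embedded in another container, as long as the caller supplies the bytes starting at the 14-byte file header.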

Wednesday, January 5, 2011

I have returned...

Sorry for the long hiatus.  I accepted a new position and took a couple of weeks off to relocate across the country.  Uneventful trip, nearly all settled in and I will get back to posting the Security Daily information.