Jorge Orchilles

Virtual Machine Escape by NSA (video)

2011-02-16T12:06:00.002-05:00

The NSA released a video demonstrating many attack vectors including VMEscape. The video stars ShmooCon's Bruce and Miami's Immunity Canvas software.

Check it out.

Hacker Halted 2010 Presentations

2010-10-29T10:39:00.002-04:00

Hacker Halted 2010 presentations are up. If you were able to attend you know there were a few good talks. The event went way better than last years and EC-Council is making Miami, FL their home town for this conference. Check out the presentations here.

Till next time,
Jorge Orchilles

Windows 7 Service Pack 1 (Release Candidate)

2010-10-27T12:14:00.003-04:00

Microsoft announced today the Release Candidate (RC) of Windows 7 and Windows Server 2008 R2 Service Pack 1 (SP1) to the public. For those unaware of how these software rollouts "work," the RC release generally signals that a final build is almost ready. The only new features added to the SP1 are the Windows Server 2008 R2-related virtualization technologies, Dynamic Memory and RemoteFX, and while Windows 7 SP1 will enable PCs to take advantage of these server-based features to provide a more scalable and richer VDI experience for end users, there are no additional new features specific to Windows 7.

If you do choose to install this Release Candidate make sure to backup your system. Microsoft usually makes you uninstall the RC before installing the final build of the service pack.

Download here.

VMware vCloud Director Security Hardening Guide

2010-09-27T19:20:00.003-04:00

VMware has released a technical white paper titled: VMware vCloud Directory Security Hardening Guide which may be downloaded here. If you are looking into this technology definitely look into this:

"The VMware® vCloud™ Director Security Hardening Guide helps users who are embarking into the journey of cloud computing understand key security elements and technologies found in VMware’s vCloud Director product. It also provides guidelines and best practices for installation, configuration and operation of secure clouds based on VMware’s vCloud Director."

I have skimmed the document and it has many important points to consider at just 37 pages it isn't the definitive guide on cloud security but definitely a start.

Till next time,
Jorge Orchilles

Running ESXi 4.1 on VMware Workstation 7.0 and above

2010-09-26T18:21:00.002-04:00

VMware is ditching ESX for ESXi which is smaller and, best of all, free. I have been running ESX 4.0 as a virtual machine in Windows using VMware Workstation for some time now but was never able to get ESXi to run as a virtual machine. One of the students in the SANS Security 577: Virtualization Security Fundamentals class asked me if it was possible to run ESXi on VMware Workstation. Which made me wonder, now that ESXi will be the main hypervisor being pushed by VMware, would it be possible?

The answer is YES! But with a few prerequisites:

VMware Workstation 7.0 or above (7.1.1 officially supports vSphere 4.1 guests)
Dual-Core or better CPU with Intel VT or AMD-V support (may have to turn on in BIOS).
At least 2GB of free RAM (I suggest 4GB-8GB)

Once you have downloaded VMware ESXi 4.1 and installed VMware Workstation you are ready to begin:

Open VMware Workstation
File-New-Virtual Machine...
Custom
Hardware compatibility: Workstation 6.5-7.0
Installer disc image file (iso): Click Browse... and select the iso file for VMware ESXi that you downloaded. Click Next.
Click the VMware ESX check box and select ESX Server 4.0 from Version drop down. Click Next.
Select the Virtual machine name and location. Click Next.
Processors must be at least 2 processors with 1 core each. Increase if your system can handle it. Click Next.
Memory must be at least 2048MB but if you can increase it, go for it. Click Next.
Select what type of network connection. Click Next.
For I/O Adapter select LSI Logic for SCSI Adapter. Click Next.
Create a new virtual disk. Click Next.
Virtual disk type: SCSI. Click Next.
Select the size of the disk. Remember you will be running virtual machines with local storage so plan accordingly. I recommend storing as a single file for performance. Click Next.
Specify the disk file name and location. Click Next.
Select Customize Hardware.
Click Floppy-Remove. Then add more network adapters if desired. Click OK
Click Finish.
Install ESXi as usual.

If this does not work for you or you have questions or comments please comment below.

I will be teaching the SANS Security 577: Virutalization Security Fundamentals course as a co-mentor with Robert Rounsavall in Miami, FL on Thursday October 28, 2010 6:00pm-8:00pm through Thursday November 18, 2010 at Terremark's NAP of the Americas. Register early!

Till next time,

Jorge Orchilles

I'm Back!

2010-08-23T14:08:00.002-04:00

After a long break from blogging mostly due to the fact that I finally published Microsoft Windows 7 Administrator's Reference, finished a Master's of Science in Management Information Systems, and was hired by a Fortune 20 financial institution to perform vulnerability assessment/ethical hacking/penetration testing, I am officially back to blogging!

Many things coming soon:

SANS Security 577 Virtualization Security Fundamentals course review
Speaking engagement and presentation at Hacker Halted titled "Vulnerability Ass... Penetration What?
Hacker Halted conference. If you want to attend email me for a student code!!!!! $100 before September 15.

Glad to be back and hope you are too.

Till next time,

Jorge Orchilles

South Florida Information Security Community

2010-04-14T02:12:00.004-04:00

As you know, I am attempting to become more involved in the Information Security community and giving back to it as I have taken so much. One area I found to be lacking was that I kept sending users here for information about the next local event because there was no single resource providing information on the next meetings, events, or conferences. With the support of some local organizations (South Florida ISSA, South Florida OWASP, Hack Miami, more coming) we are soft launching:

The South Florida Information Security Community – http://www.SFInfoSec.com/

Please take a look and provide feedback.

The groups on the left are the organizations in the area with links to the site and a brief description. The events in the center provides the main content that brings people to the site. The rest of the site is a community where members can blog; ask questions in the forums; view videos, presentations, and/or photos from past local events; and connect with other members in the area.

Please provide feedback of all kinds as we plan to launch soon.

Until next time,

Jorge Orchilles

South Florida ISSA April 15th Meeting

2010-04-13T02:08:00.002-04:00

The South Florida ISSA April 2010 meeting will be held on April 15, 2010 from 3:30pm - 5:30pm at Nova Southeastern University - Carl DeSantis Bldg - Room TBA.

As always, two great talks lined up. Daniel Molina from Kaspersky will talk on the cyber-threats that matter to your business followed by Kevin Noble's Tool Talk on security visualization.

Talk Title: Protecting Against Cyber-threats That Matter to your Business

IT Departments, unbeknownst to them, are empowering cyber-crime. Kaspersky Lab will present the 7 things that IT may be doing in your organization to enable cybercrime.

Daniel J. Molina, CISSP, is a Field Marketing Manager for Kaspersky Lab, and is considered a thought leader in the security arena. His view on security maturity has made him a sought-after resource to help explain and justify, in business terms, what users, businesses, and government entities require.

Tool Talk Title: Security Visualization

This talk will cover how to convey information security data in a graphical or visualize form. Visualized Data can be created for systems, networks, timelines, and important security concepts. Kevin will demonstrate the value of tools that run the gambit from excel and visio to mindmaps and directed node graphs, GNUplot.

This will not be a powerpoint slideshow but will demonstrate as many of the tools and instances where these tools can best represent the information. In some situations, visualized data or graphing does not get the point across, and time permitting we will look at instances of failure and not just success.

Kevin Noble has been an active member of SFISSA for 7 years and has present on a wide range of topics from malware analysis to VoIP security. Kevin is the Director of Engagement Services for Terremark’s Secure Information Services and leads an experienced specialized team in the areas of incident response, computer intrusion and various aspects of vulnerability assessments including penetration testing. Kevin and his team respond to clients needs around the world in the areas of medicine, finance, manufacturing, education, and government services.

CLICK HERE TO REGISTER

FREE CPE CREDITS! Did you know you earn 2 CPE credits for attending an ISSA Meeting? If you are a CISSP and you provide your CISSP number at registration, we will submit your CPE credits automatically for you.

This event will be held at:

NOVA SOUTHEASTERN UNIVERSITY
Room TBA, Carl DeSantis Building, Main Davie Campus

3301 College Ave Fort Lauderdale, FL 33314-7796
Phone: 800-541-NOVA (6682)

South Florida HIMSS Event 4/8/10

2010-04-07T20:24:00.002-04:00

I will be speaking tomorrow, April 8th, 2010 at the South Florida HIMSS event on Emerging Threats to Infrastructure followed by a panel discussion. Here is the info:

Join us for our next SFLHIMSS meeting on Apr. 8, 2010 from 5:30 PM - 8:00 PM at VITAS and hear what the industry experts have to say about IT Security.
Location:
Vitas
100 South Biscayne Blvd.
Suite 1700
Miami, FL 33131

Speakers include:
G. Mick Walsh, U.S. Secret Service, Miami Electronic Crimes Task Force, Miami Field Office
Gregorio Chavarria, CIO Miami Police Department
Fernando Martinez, Chief Technology & Security Officer, Broward Health
Jorge Orchilles, Security Analyst, Terremark Worldwide, Inc.
Gary Reiss, Director of Security, Memorial Healthcare System - South Campus

We will also have a comprehensive panel discussion where you can ask the experts about their experience and recommendations.
More information will be on our website to register for the event.

Out of band Microsoft patch for Internet Explorer

2010-03-30T16:53:00.002-04:00

Microsoft released a cumulative security update which resolves nine privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. So patch now!

The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights as reported earlier today.

This security update is rated critical for all supported releases of Internet Explorer:
Internet Explorer 5.01
Internet Explorer 6 SP1
Internet Explorer 6 on Windows clients
Internet Explorer 7
Internet Explorer 8 on Windows clients.
For Internet Explorer 6 on Windows servers, this update is rated Important. And for Internet Explorer 8 on Windows servers, this update is rated Moderate.

The security update addresses these vulnerabilities by modifying the way that Internet Explorer verifies the origin of scripts and handles objects in memory, content using encoding strings, and long URL.

Till next time,

Jorge Orchilles

Windows 7 is safer as a standard user

2010-03-30T09:57:00.002-04:00

This should be common sense and not require a whole research paper but Beyond Trust released a study stating that Windows 7 is safer when using it as a standard user.

I highlighted this fact in my book but would like to share the results of the study as well:

Microsoft and their partners regularly identify new security vulnerabilities in Microsoft software. In 2009 Microsoft published nearly 75 security bulletins documenting and providing patches for nearly 200 vulnerabilities. By examining all of the published Microsoft vulnerabilities in 2009 and all of the published Windows 7 vulnerabilities to date, this report quantifies the continued effectiveness of removing administrator rights at mitigating vulnerabilities in Microsoft software.
Key findings from this report show that removing administrator rights will better protect companies against the exploitation of:

90% of Critical Windows 7 vulnerabilities reported to date
100% of Microsoft Office vulnerabilities reported in 2009
94% of Internet Explorer and 100% of IE 8 vulnerabilities reported in 2009
64% of all Microsoft vulnerabilities reported in 2009

So please, use a standard user for day to day use like most Mac and *nix users do!

South Florida OWASP Meeting 3/31/2010

2010-03-30T08:51:00.004-04:00

I am looking forward to the South Florida OWASP meeting and hanging out with the local InfoSec people tomorrow Wednesday March 31, 2010 at 6pm at Nova Southeastern University Carl DeSantis Building Room 1124.

The presentation is titled: Adon't be an Adobe victim: An overview of how recent Adobe-related flaws affect your web application by Josh Stabiner. The talk will examine recent threats posed by PDF and Flash vulnerabilities to web applications and users. It will also examine ways to mitigate the potential threats to organizations due to these vulnerabilities.

Josh Stabiner is a manager in Ernst & Young's Advanced Security Center specializing in attack and penetration advisory services. He manages and executes assessments of web applications, external, internal and wireless networks, as well as physical security and social engineering.

Hope to see you there,

Jorge Orchilles

Final edits in! Microsoft Windows 7 Administrator's Reference

2010-03-23T00:22:00.002-04:00

Today I turned in the final revisions and edits to my first book coming out in the end of April: Microsoft Windows 7 Administrator's Reference! If you are a Windows power user or system administrator or want to be one this is the book for you!

It is available for pre-order and purchase at:

Writing a book and getting it published is a long journey but I can say I am one step closer to making this dream a reality.

Till next time,

Jorge Orchilles

South Florida Information Security Events - March/April 2010

2010-03-20T14:47:00.004-04:00

Until I find another portal or means to share South Florida Infomation Security events I will use this forum.

This is the March and April 2010 edition:

March 27, 2010 - 1pm - Hack Miami - Pizza Mansion
March 31, 2010 - 6pm - South Florida OWASP meeting - Talk titled: Adon't be an Adobe victim: An overview of how recent Adobe-related flaws affect your web application by Josh Stabiner at Nova Southeastern University
April 8, 2010 - 5:30pm - South Florida HIMSS - IT Security - I will be speaking on Emerging Threats to Infrastructure for Health Care IT - Vitas in Downtown Miami
April 10, 2010 - 1pm - Hack Miami - I will be talking on Emerging Threats and doing a few live demos. - Location TBA
April 15, 2010 - 3:30pm - South Florida ISSA - Nova Southeastern University
April 17-23 - InfoSec World 2010 - Orlando, FL

Podcasts

2010-03-20T14:07:00.004-04:00

Jorge Orchilles is now podcasting! I am co-hosting the SMB Minute podcast with Tim Krabec and Aaron. The SMB Minute podcast is aimed at the Small and Medium Business market. Whether you are the designated IT guy/gal or own your own business, this podcast will give you an insight of what is going on in the Information Technology/Systems/Security world. You can subscribe to it on iTunes and it will automatically sync with your iPod every week when the podcast is released. Season 2 will begin release this week.

These are other podcasts I listen to in no particular order:
SANS Audiocasts with John Strand
PaulDotCom Security Weekly
Exotic Liability
Social Engineer
Security Justice
The Hacker News Network
Network Security Podcast
ThreatPost
Security Wire Weekly

And if you want to hear almost all of these people doing a podcast at ShmooCon 2010, check out the Podcaster's Meetup

Emerging Threats to Infrastructure

2010-03-18T18:44:00.009-04:00

I recently presented my talk on Emerging Threats to Infrastructure to the Jacksonville ISACA chapter and targeted it for auditors. Thanks to all that made that possible and Blue Cross Blue Shield of Florida for hosting the event (loved the campus). It is the first time I present this topic and will be modifying it for a presentation April 8th for the South Florida HIMMS chapter. I will also be presenting it April 10th at the Hack Miami hacker space and will make it much more technical with include more technical demos.

I recorded the first talk and am debating whether to post now or after the other presentations although they will be different.

Emerging Threats to Infrastructure

View more presentations from Jorge Orchilles.

Till next time,
Jorge Orchilles

South Florida Information Security

2010-01-14T13:19:00.003-05:00

South Florida has a great Information Security community with different organizations targeting different aspects of the field. 2010 promises many good InfoSec events, conferences, and meetings in the area.
Here is my list of South Florida Information Security events with the name, date, and topic:

South Florida ISACA 3rd Annual WOW! Event - January 15, 2010 - Security and Governance
Hack Miami - January 16, 2010 and every other Saturday - Hacker Space
South Florida ISSA January 2010 Meeting - January 21, 2010 and every 3rd Thursday of the month - Best Practices for Security Incident and Case Management
South Florida OWASP January 2010 Meeting - January 27, 2010 - Zeus Botnet Research Presentation
SANS 2010 - March 6-15, 2010 - InfoSec Training
2010 Bank Info-Security Group Conference - April 12-15, 2010 - Banking InfoSec
22nd Annual FIRST Conference - June 13-18, 2010 - Forensics

Seven events already planned and the year is just getting started! Note that South Florida ISSA, OWASP, and Hack Miami have one or two events each month.

If I am missing any other InfoSec related event in the South Florida area please let me know.

Till next time,
Jorge Orchilles

Windows 7 Book Announcement and "God Mode"

2010-01-04T16:56:00.005-05:00

I have been slacking on the blog posts recently due to a few projects I am/was working on.

First I would like to announce that I am finishing a Windows 7 book titled: Microsoft Windows 7 Administrator's Reference. My publisher is Syngress and the book is expected to be available March 2010.

Second, I have completed the Master's of Science in Management Information Systems program at Florida International University. This program is aimed at working professionals and people with experience in both management and information systems. I recommend this program to anyone in the South Florida area. It is Saturday's only for a full year and worth every penny.

Lastly, as I have been working on the Windows 7 book I was waiting to release the how-to for Windows 7 GodMode. Since news and blogs are releasing it already, I decided what the heck, here it is:

Microsoft developers included a so called “God Mode” in Windows 7. In reality this is not a mode but a simple and single container with multiple shortcuts to Windows 7 options that are available through other methods. This may be helpful for administrators and power users alike to configure and manage single Windows 7 desktops.

To create a God Mode shortcut:
1. Right click on the Desktop or anywhere in Windows Explorer where you would like this shortcut.
2. Select New – Folder
3. Name the folder: GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}
4. The folder icon will change to a Control Panel icon

To use God Mode, simply double click the Control Panel icon just created called “GodMode”. A Windows Explorer window will open with shortcuts for many different configuration options in Windows 7. All of these options are available through other methods, mostly though the standard Control Panel shortcuts.

Warning:
The “GodMode” hack appears to work on Windows 7 32-bit and 64-bit versions. It also seems to work on 32-bit versions of Windows Vista and Windows Server 2008. Many users have reported problems with “GodMode” in 64-bit editions of Windows Vista and Windows Server 2008. If “GodMode” crashes the system, rebooting to safe mode and removing the shortcut should solve the issues.

Till next time,
Jorge Orchilles

July 4th DDOS Revisited

2009-11-03T16:05:00.005-05:00

Remember the July US and South Korea DDOS Attacks I reported on back in July?

According to South Korea the attacks were launched from a Chinese IP leased to North Korea's Ministry of Post and Telecommunications. MSNBC reports North Korea source of DDOS and The Sydney Morning Heraldreport of South Korea Spy Chief blames North Korea and South Korea seeks Chinese help tracking DDOS all suggest two things:

1. North Korea was behind the attacks.
2. North Korea is preparing an army of cyber warfare.

If we remember back to July 4th, North Korea was immediately blamed for this attack. After real research and removing the FUD, Information Security Professionals determined this could not be confirmed. The most that I remember was 6 command and control machines in Europe with an expert suggesting the master server located in Britain. Now, somehow, South Korean Spy Chief reports it was the North? I want proof!

A quote I do believe is true from MSNBC: "South Korean media reported at the time that North Korea runs an Internet warfare unit that tries to hack into U.S. and South Korean military networks to gather confidential information and disrupt service, and that the regime has between 500 and 1,000 hacking specialists."

In other words, cyber warfare is real!

Thankfully, the US government is doing something about it:
MSNBC: Security center opens to battle cyber attack
TGDaily: US Government opens $9m Cyber Security Center

However, the US government alone is not enough! Everyone must be in on this. It begins with keeping your own computer secure, then your friends and families.

Till next time,
Jorge Orchilles

Time to change your password

2009-10-06T09:26:00.003-04:00

The BBC has released these three articles in the last two days suggesting that over 20,000 Microsoft web-based email accounts have been hacked. This includes Hotmail and Live email accounts. The third article suggests that GMail is being targeted as well:

Here are some best practices for passwords and email use:

Do change your passwords on a regular basis (every six months or so)
Do use long complex pass-phrases rather than passwords where you can
Do change all of your passwords if you notice something suspicious
Do take identity theft seriously
Do use up-to-date anti-virus and a firewall
Do NOT click on links in emails, EVER
Do NOT use the same password at multiple sites

Hope your accounts have not been compromised!

Till next time,
Jorge Orchilles

Windows 7 Security Video

2009-09-21T17:35:00.001-04:00

I have posted the video of the Windows 7 Security presentation I did for South Florida ISSA. Enjoy

Windows 7 Security Presentation from Jorge Orchilles on Vimeo.

Windows 7 Security Presentation

2009-09-18T14:27:00.002-04:00

Yesterday I had the honor of presenting to the South Florida ISSA my talk on Windows 7 Security. Here is the presentation.

Windows 7 Security

View more presentations from jorgeorchilles.

2010 US Census Information and Awareness

2009-08-28T01:49:00.004-04:00

I work in security so am allowed to be ultra paranoid. However I think everyone should be a little aware of the 2010 US Census to not be victims of fraud or Identity theft. Additionally one should spread the awareness in good faith to avoid friends, family, or loved ones to be victimized.

Malicious Viewpoint
Since everyone knows there is a Census and people are going to knock on doors, I will dress like a Census worker (what do they look like anyways) and go around a neighborhood knocking on doors. When someone opens I will be extremely nice (social engineering?), ask for all of the person's information (including Social? Credit Card? Bank account?), and then proceed to perform identity theft, credit card fraud, etc!
Obviously this is a fictional scenario but I am sure in practice one will get a LOT of information.

So don't let it happen to you or your friends, family, etc... continue reading, copied from a source I can't cite at the moment.

2010 U.S. Census Cautions to avoid Fraud or Identity Theft

With the U.S. Census process beginning, the Better Business Bureau (BBB) advises people to be cooperative, but cautious, so as not to become a victim of fraud or identity theft. The first phase of the 2010 U.S. Census is under way as workers have begun verifying the addresses of households across the country. Eventually, more than 140,000 U.S. Census workers will count every person in the United States and will gather information about every person living at each address including name, age, gender, race, and other relevant data. The big question is - how do you tell the difference between a U.S. Census worker and a con artist? BBB offers the following advice:

A· If a U.S. Census worker knocks on your door, they will have a badge, a handheld device, a Census Bureau canvas bag, and a confidentiality notice. Ask to see their identification and their badge before answering their questions. However, you should never invite anyone you don't know into your home.

B· Census workers are currently only knocking on doors to verify address information. Do not give your Social Security number, credit card or banking information to anyone, even if they claim they need it for the U.S. Census. While the Census Bureau might ask for basic financial information, such as a salary range, it will not ask for Social Security, bank account, or credit card numbers nor will employees solicit donations.

Eventually, Census workers may contact you by telephone, mail, or in person at home. However, they will not contact you by Email, so be on the lookout for Email scams impersonating the Census. Never click on a link or open any attachments in an Email that are supposedly from the U.S. Census Bureau.

Till next time,
Jorge Orchilles

iPhone and SMS hack - what does it mean?

2009-07-31T05:51:00.004-04:00

Countless news articles are floating around about the iPhone and SMS hack. I will explain it here in "normal" terms and explain what all this means to you.

Introduction
Yesterday, Thursday 7/30/09, two security expert (also known as hackers), presented a way to hack an iPhone by sending it a specially made SMS (text) messages. This presentation was held at Black Hat which is one of the largest hacker conference in the world. Since Wednesday all the buzz has been around this iPhone hack with a lot of speculation and rumors flying all over the place. Here are the facts I have captured.

What is the hack?
An attacker can send an iPhone or other vulnerable device a specially made SMS message. You will notice a single character, blank, or carrier SMS text coming from 611 or somewhere unknown. In the background the phone will be controlled by the attacker.

How does it work?
The attack occurs by a memory corruption in the way the iPhone handles SMS messages. For the hack to work the attacker must send hundreds of SMS control messages which you do not see. You would only see one SMS message coming in. In the background you will be receiving the control messages that have the ability to do many different things.

What can be done with this hack?
An attacker could exploit this security hole to make calls, steal data, send text messages, and do more or less anything a person can do on their iPhone. Speculation around being able to put a virus on your phone before you can turn it off have been thrown around as well. Basically not a good thing if you receive a message like this.

Does this only affect the iPhone?
No this hack works in conjunction with the way GSM networks work. GSM networks in the USA include AT&T and T-Mobile. The hackers also showed an Android phone (which Google claims they have already fixed the issues) and a Sony Ericsson phone beeing hacked in a live demonstration. Here are the images. BlackBerry's have not been addressed but it is doubtful this hack works on those devices.

Who can do this?
Currently only a limited amount of hackers have the capability to do this. However they will be releasing a tool that uses these vulnerabilities to the general public on August 15th through Cydia (the App Store for Jailbroken iPhones). So consider yourself semi-safe until that day.

What about Apple? Do they know about this? Fixing it?
According to the researchers they notified Apple as long as 6 weeks ago about this vulnerability. Apple claims to be working on a fix. The hackers also notified the GSM alliance which has been working to fix this issue as well. Our best hope is that the fixes come out before August 15th.

How do I know this is happening to me and what can I do?
You will receive a text message from 611 or a strange number that looks weird, it might have one character or a message like the example the hackers gave: "You've received a free $20 credit..." or "New settings received. Install?". If this happens to you the only thing you can do to stop it is to turn off your phone immediately! Even then it might be too late.

I am paranoid is there a fix now?
The only claim to fix this now on the iPhone involves disabling SMS text messages altogether. You would need to jailbreak your phone and log in via SSH. If those two sentences made sense, feel free to read the how to over at quickpwn.com.

Further Reading
News articles: ZDNet or The iPhone Blog or AP News.
White paper on Hijacking Mobile Data Connections and a detailed blog on the presentation.

As you can see this can become a huge issue if Apple and GSM carriers do not fix the issue prior to August 15th. As soon as the newest iPhone software is released, update your phone, no questions asked. I will keep you updated on the latest findings.

Till next time,
Jorge Orchilles

Following BlackHat from home - Day 2

2009-07-30T21:09:00.004-04:00

As Black Hat comes to an end we will begin to see all of it's content posted on the internet and have more than enough to read for the coming weeks. Today a lot has been released and I have filtered through most of the talks and presentations and would like to provide you with the best content organized in no order:

Apple iPhone and other GSM phone hack - This topic is hitting the news all over the place, here are the ones with the best content

Live Blog: Blackhat 2009 Day 2 from Security Monkey <- Best information on this topic
Introduction to the SMS hack the day prior to the presentation. Via ZDNet
A good overview of the presentation from Threatpost.com
SMS attack is not just for the iPhone from theiphoneblog.com
Images of the iPhone and Sony Ericsoon hack from Information Week.

Cloud Computing

Overview of Cloud Computing presentation by Alex Stamos via InformationWeek. Says the the term cloud computing is useless! Going to have to see this one for myself.
Link to podcast

US Cyber Security - the government really wants hackers to work for them!

Hackers: Uncle Sam wants you! via Internetnews.com
US falling behind on catching up with Cyber Security via Internetnews.com
Not part of Black Hat but have you heard of the US Cyber Security challenge? Three challenges aimed at recruiting the top 10,000 US Hackers!

SSL

Summary of presentation to spoof SSL certificates by Moxie via the Register
Video by Moxie on More Tricks for Defeating SSL same presentation as previous.
PKI Hack Demonstrates flaws in digital certificate technology via darkreading.com presentation was by Dan Kaminsky
Verisign response to both SSL presentations.
Bonus blog by Schneier on new AES Attack

Parking Meters Hacked

San Francisco parking meters hacked via PC World
Second good article via cnet news, this one has pictures
"Smart" Parking Meter Implementations, Globalism, and You presentation via crypto.nsa.org.
Pictures of presentation and small explanations thanks to PC World.

Misc

The Pwnie Award Winners
Mac OS X Rootkit Debuts via InformationWeek. Only a proof of concept.
Jeremiah Grossman presentation on Mo' Money Mo' Problems - Making even more money online the black hat way

Other full day roundups and blogs

Network World NetFlash: Black Hat roundup (has repeat content from here, all links are NetworkWorld.com)
Security4all Blog: Day 2 collection of #blackhat articles Also some repeat content.
Follow live pictures from the event via TwitPicWall.

When you are done catching up come back as DefCon is just getting started and more content will be posted as the conferences wrap up.

Till next time,
Jorge Orchilles