Apple have not really said to much about its Security updates, and they dont seem to be that easy to find. However if your interested here is the link to check out the 64 updates covered under iOS4.

As you can see there is alot of information about fixed vulnerabilities, but not what I was expecting an hoping for. I was looking forward to information on general security improvements, encryption, configuration and enterprise level stuff, not just a list of fixed vulns. Time for a good read through this, and further investigation for the corporate use case.

Now I am all about helping people make an informed decision regardless of if I agree or not, so this got me into looking at the state of iPhone security (pre iOS4) and its not so good. Personally I think the iPhone is great for the user on the street (33% of smart phones globally are iPhones), but letting it lose in the corporate environment, against established Black Berry devices and alike, is surely madness?

I am not going to go into any great detail here, as a blog post is really not the place, but hopefully the information below will paint a small picture of concerns about using an iPhone in the corporate environment. If your interested in doing more research check out iPhone Forensics by Jonathan Zdziarski, as well as checking out his tutorials online. There was also a recent SANS Webcast on iPhone security also, and this also shared the same thoughts that I have, from investigations and information found online. I will also be doing another post on the security benefits iOS4 has brought, and how it does or doesn’t change the iPhones suitability in a corporate environment. Also check out CESG’s declaration of no iPhones allowed in Whitehall posted on The Register.

My main issue with iPhones for corporate environments, aside from the below is that there is no real enterprise management tooling. Yes some things can be improved with the use of the iPhone Configuration Utility, but this is a local process, and requires other tooling to distribute the config files. You can get some more additional control and reporting if you incorporate exchange, and maybe MobileMe. Also dont forget iTunes is also required, how many corporate standard builds feature iTunes?? I just cant see why companies consider the iPhone when compared to established offerings like Black Berrys, with its full enterprise suite of tools.

iPhones can be Jailbroken – This is the term associated with unlocking the restrictions applied to an iPhone, allowing any code to be run regardless of its approval by Apple or any other organisation, another advantage is that a Jail Broken iPhone also removes the ability for the remote removal of applications via Apple. Its is estimated that around 10% of iPhones globally are Jail Broken, the reason for this is most likely that others are worried about the voiding of warranty, as well as restricting the application of future updates from Apple. As well as opening your iPhone to using more programs, and enhancing its use, Jail Breaking also reduces the security of your iPhone if you are not security savvy. This was
demonstrated in late 2009 when a hacker released a worm targeting Jail Broken iPhones, there have also been other reports of viruses on Jail Broken iPhones compromising banking
transactions.

iPhone OS (pre iOS4) – All popular operating systems have security issues, and the iPhone OS has its fair share of vulnerabilities. The latest OS updated 46 currently known vulnerabilities; the reality is that as the iPhone grows in popularity and becomes adopted by organisations the incentive and reward to find and exploit vulnerabilities will continue to grow. A new feature or some would say security flaw with the iPhone OS that was discovered in May 2010 is the automatic mounting of the iPhone’s memory when connected via USB to a Linux based machine. This bypasses any controls, PINs and encryption set on the device and gives a limited access to the iPhones storage. I believe the primary goal was to allow iPhones to be used easily with Linux distributions, however obviously this brings with it serious security concerns.

The Apple App Store – The Apple App Store provides the single official point of contact for all applications on the iPhone. The idea behind this is to ensure that all applications are safe for use, and there are currently around 235,000 applications approved for download. Apple have confirmed that around 10% of applications submitted to the App Store have components within them that will aim to steal data. With this in mind, I would suggest that it is unlikely that Apple are able to 100% guarantee that all applications available have been fully tested and defined as safe. In fact it has been known that Apple occasionally remove applications from the App Store, and people’s devices, after making a decision to recall specific applications for various reasons. There are also various theories on how an application could be made available on the App Store, and obfuscate its real intention to steal data. The point to be made here, is that applications could potentially steal corporate data, regardless of their supposed safety approvals from Apple.

Passcodes and Pin Numbers – Most smart phones use a passcode, or PIN number to restrict the physical access to the device. iPhones do have this feature, however it is restricted as standard to only being 4 digits. This is obviously not a good situation, however the situation is made worse with multiple ways to bypass the passcode requirement all together. Some methods require the use of a computer, while others can be done stand alone in less than two mintues. This then gives full access to the device, contacts, emails etc, as if you have
entered the appropriate code.

Encryption – Until the release of the iPhone 3GS there was no encryption available on the device. The 3GS now features full hardware encryption of the device’s contents. Once again
with physical access it is possible to make a copy of the entire contents of the device, and circumvent the encryption, all of this is easily possible in fewer than 5 minutes. Just check out YouTube.

System Data – The iPhone stores a lot of data classified as system data. Even though applications run in a sandboxed / isolated environment there is still some leakage that occurs
when obfuscation is used within a program’s code. The system data contains a large amount of information, email parameters, names and addresses, but no passwords or messages. In
addition all keyboard entries (except for password fields) are cached and stored, along with address book entries, the last 20 sites browsing history, WIFI network history, as well as
images and their associated data, time, data, location. An interesting feature is that every time the home button is pressed on the iPhone to return to the home menu a screen shot is
taken, containing all the information on the screen for that application at the time, this is also saved and stored as system data. In addition to this VoiceMails can also be stored as system data. All of this system data can be accessed and backed up with physical access, as discussed before with encryption bypassing. An application that steals data would also have
access to this data, and could transmit the information over a Wifi network, or mobile Internet.

Finally, just as a reminder, these are just my opinions and thoughts, based on research and findings. I do like Apple products, I have a few However I am still not sure its ready for the corporate environment. Perhaps after reading about ALL the proposed iOS4 updates I will change my mind.

So now might be a good time to update to Service Pack 3, its only been out 2 years so might be nice to be an early adopter If you are feeling really adventurous you might want to consider moving with Microsoft Windows 7??

If your running XP SP2 on you embedded systems you have until Jan 2011 to do the necessary.

If you are interested in Microsofts Support Life Cycle check out the information below:

BruCON is an annual security and hacker(*) conference providing two days of an interesting atmosphere for open discussions of critical infosec issues, privacy, information technology and its cultural/technical implications on society. Organized in Brussels, BruCON offers a high quality line up of speakers, security challenges and interesting workshops. BruCON is a conference by and for the security and hacker(*) community.

The conference tries to create bridges between the various actors active in computer security world, included but not limited to hackers(*), security professionals, security communities, non-profit organizations, CERTs, students, law enforcement agencies, etc…..

Look out Belgium, all the Eurotrash Security crew are going to be in attendance at BruCon 2010 in September.

Myself (Dale Pearson) and Craig Balding will be presenting, and Chris John Riley and Wim Remes will also be in attendance at the conference. The Eurotrash Security team will also be taking part in the podcasters meet up. So feel free to come along and buy us a drink

• 3M Gold Privacy Filters provide twice the level of effective privacy protection and 14% higher clarity than standard black out privacy filters
• User sees more clearly than ever while onlookers see nothing but a vibrant orange/golden screen

So why would you want a privacy filter?? Well if your a regular traveller and you don’t want the person next to you having a good peep whilst playing minesweeper, this will certainly help. Oh and of course those documents you work on containing sensitive data. It essentially just gives you some screen privacy and stops the shoulder surfers getting a look see.

There is not really alot to say, and I will let the below video demo do the talking. It does what is says on the tin, its easy to install and can be left in place 100% of the time. I will certainly be using this when travelling in the future. I do have one gripe with the product, but its most likely a personal thing. I have a matte screen, as reflections drive me mad, with the privacy filter in place, its glossy reflection city, and as its not something I am used to any more I couldn’t leave it on every day. I believe the previous version had gloss and matte sites, but this one seems the same both sides, still it does what it needs to do well, and serves its purpose, perhaps they mate release a matte version in the future.

The Cyber Security Challenge UK is a not for profit organisation run by public and private sector leaders in information security.

I had heard about this before, but was given a hand out at Infosec 2010 so thought I would pop a quick post up about it.

Cyber Security Challenge UK will work with recognised experts to develop a series of professional ‘games’ that replicate the problems cyber security professionals have to deal with every day. They will require contestants to use all their talent and know-how.

To successfully proceed to the next round of each challenge contestants will be required to display quick, intelligent and creative thinking and the potential to develop the cyber security skills the UK needs to employ. Competitions will be open to all ages and skills levels, some will be targeted at school leavers and undergraduate students. Successful candidates can expect places in regional workshops and the best will receive offers of scholarships, places in mentoring schemes within leading private and public sector organisations and other career enhancing opportunities. It doesn’t stop there, ongoing communications will keep contestants informed about the best cyber security courses and jobs, with some contestants being introduced to the appropriate colleges and employers for their skill set.

For more information on the UK Cyber Security Challenge and to get involved visit the site.

So on the 27th April I boarded the train down to London and Earls Court to attend Infosecurity Europe 2010. I have not been for a few years, but I had heard good things from people that since moving to Earls Court there had been a big improvement, so I thought I would check it out.

So if you have not heard of this exhibition, here is a brief intro. Its been going for 15 years, there are around 300 vendors, along with keynote speeches, seminars and work shops, and with around 12,000 visitors it get busy. Basically its an event to speak to lots of vendors to find out what they are working on, and to see what’s of interest, as well as meet and network with alot of people, and sit down for some quick talks. Oh and don’t forget the freebies, lots of pens if your into pen testing

So what did I think of the event? I agree the location is better than previous so thats a good thing, however I feel the event lacked a common theme that I have been used to in the past. I am not sure if this is a good thing or bad really. For example in the past vendors would have been focusing on DLP or something, but this year it all just felt more like everyone was in their own silo,  might be just me though.

I did get to meet some old faces, and met some new ones that I had only conversed with online, or who listen to the Eurotrash podcast so that was nice. I got to meet with some of the vendors I do some work with here and there, and some of the PR folks, and I hope to have some more interesting mini reviews coming along from the event.

So out of all these vendors who did I speak to, and was anything interesting going on. I went and listened to Ian Mann talk about social engineering (out of head hacker curiosity). Its only a 20 min talk, so not really alot of detail can be gained, but he gave a nice little overview of involving people at the target company, making them feel special, and the use of the fake get out of jail free card that I have mentioned myself. He did plug his book abit (I wont mention it here, you can find out for yourself) but I have not read it of received a review copy so cant comment on how good it is, and what answers it gives. Ian came across as a nice guy though.

I didnt really have much time between meeting with other vendors and people to attend any of the other talks, perhaps this is why others attend for all 3 days, I just dont have the free time to take 3 days out. I checked out the 3M stand who were giving a nice demo of a new micro projector, and a new version of their privacy screens for laptops and mobiles (more on this soon). I popped along to the Syngress stand and met Angelina for the first time, they had some good deals on their books and they seemed to be doing a good trade, I did miss Justin who was coming along to sign copies of his SQL book, another top infosec guy.

I met Steve Armstrong for the first time, some may know him from SANS (they had a stand there also), but he was at infosec to talk about Certified Digital Security which is a standard he has developed to provide a simple and easy to understand way for companies to get on the security trail. Its all freely available on the website, and if you want you can pay to become certified by an independant auditor, all sounds good to me.

I met up with the guys at IronKey for a demonstration of their new online banking solution. Its essentially a restricted trusted platform that can be used for your banking and other secure online transactions. It creates an isolated browser environment, with a secure vpn connection to carry out your online transfers. In the demo it worked really well, bypassing keyloggers etc. They also talked to me about their OS on a stick, which does what is says on the tin really, a custom Linux or Windows OS running from your IronKey. I also asked about the D series of IronKeys as I have had some questions about that, and we discussed how the D series use cheaper memory and are a little slower than the S series IronKeys. With regards to all of this I hope to get review units to do some testing myself and share the results.

I also spoke to PGP, obviously as everyone is aware they are now under the ever growing Symantec umbrella. I am not sure how this will impact their offerings. MessageLabs where also at the show with their new Symantec branding, and I do know many people feel the MessageLabs offering and customer service has gone down hill a little since the acquisition, time will tell I guess.

I also popped along to the DESLock+ guys who had my review on the stand for people to take away, so thanks for that guys, and I also go to meet the lovely Annette Finch from C8 Consulting who does their PR.

I also spoke with SmoothWall, M86, Cisco, Blockmaster, DiskShred, MXI Security, SAINT and Webroot to name a few more. So all in all I had a good trip out, aside from missing my scheduled train home, so it really was a long day. So thanks to all the great people I spoke with and met, and to vendors where I got a couple of pens and some sweets

The Social Engineering Tool Kit by Dave Kennedy has been updated to 0.5, Return of the Lemon

I have only just updated my version this morning, so have not yet had time to try out the new features myself, but I have to say I am excited by what the new version brings. Here are the high lights:

• Harvesting of Credentials
• Reporting Engine
• SET HakSaw
• Many Many Bug Fixes

I am excited about the new ability to harvest usernames and passwords from my cloned web pages, this really does bring a new and beneficial element to this approach. The HakSaw is also good news, allowing the SET to go more mobile. I look forward to seeing how this develops, especially with regards to any automation around autorun disabled clients. Keep up the awesome work Dave, and all that have helped along the way.

For full details of this release visit the Social Engineer Blog.

I am not one for politics, but I did actually find myself listening to this discussion in parliament yesterday. There was some interesting and valid points made and discussed, however the end result is as expected, the green light has be given, and the bill is pretty much in its intended form.

So if you live in the UK what does this bill mean to you?

Mainly it means your going to get a letter of caution from your ISP if a copyright holder suspects you have been illegally downloading and sharing content. This can lead to being disconnected and legal action.

It also makes you responsible for all activity on your Internet connection. This means home users, offers of free wi-fi or similar are held responsible for all activity and will be taken to court for any illegal files downloaded.

The Government, with court backing will also be able to block access to any site that hosts, provides the ability or is “likely to” access copyright material. So basically any site can be blocked.

All of this can be done based on assumption / accusation. Seeing as search engines provide the ability to access this information, I wonder if these will be blocked in the UK

So interesting times ahead. I am sure there is alot more to all of this, and maybe last minute changes may still occur. Once everything is fully official then will be the time to have a good read through and fully understand.

So Kon Boot, its awesome. I mean how awesome does it feel to be able to walk up to a machine and crack the password, pretty cool. Is it not then ever cooler then to just boot from a CD or USB and not have to bother?? I think so.. Kudos baby , not to mention the support benefits also. So the initial release of Kon Boot gave us the ability to boot for a floppy or CD, but we ran into issues if the system wasn’t 32bit. Now Kon Boot gives us support of 32 and 64bit, and the ability to boot from USB also.

So before I get into the demo vids of Kon Boot doing its thing, I will make a few things clear. The original version of Kon Boot was a prototype by the guys at Kryptos Logic, Kon Boot is now a commercial product. Now before you start getting upset, its cheap as chips for what it is at $15.99 (£10.51 excl VAT) for a personal license, and with that you get 6 months support and free upgrades. A commercial license is also available for $75.99 (£49.97 excl VAT) and this gives you 12 months support, free upgrades and for multiple use within an organisation. Its not subscription based so you don’t need to renewed. So basically its a good deal in my mind. However to sweeten the deal I can offer you guys a 20% discount code for Kon Boot v1.1 making it even cheaper. So when you go to buy Kon Boot v1.1 simple enter code dalereader20 for 20% off.

Now the science part You pop your media into a Windows PC and you boot it. The Bios is hooked by Kon Boot, and the magic begins. The kernel is modified temporarily to not require authentication once the OS is loaded. You get prompted for a password, you simply press enter and go about your activities. When done, shut down, remove the media, and everything is back to normal at next boot.

It is important to understand that even though this product has been tested and developed with many common bios versions supported, there may be the occasional issue. However this is what support is there for, and the guys at Kryptos Logic are quick to respond and helpful. I can say this as they have been working with me on an unsupported bios version I found whilst testing.

The video below will demonstrate Kon Boot working on a 32bit VM Installation via ISO, 32bit and 64 via USB. We know the CD and Floppy works from before anyway. Enjoy