Monday, November 19, 2007

POC iPhone hack

Aside from the rant and the usual "Apple is secure" backlash - an article on the Wired Blog ran recently about a proof of concept hack for the iPhone. This particular hack enabled the remote user to listen in, record from the microphone, read stored emails and even see calling history on the iPhone. While the particular vulnerability that was used to exploit the iPhone has already been patched by Apple - the tide is coming in for this device and it's only a matter of time before another un-patched exploit is used in the wild. So, which of your users has an iPhone?

Friday, November 9, 2007

All the buzz about Abe Torkelton: a followup

Since my post about "Abe Torkelton", a web form submission bot, we've had a lot of hits on the site and a few comments. I thought that a few of them were worth responding to here, as some of the details might be useful:

chuckn wrote:

"...[site] which doesn't have any linkage yet - so i'm not too sure how they found me."
The bot is likely either randomly or sequentially scanning IP space, or checking registered hostnames via a registrar. In either case, even un-advertised systems may be probed. Since the bot appears to look for web submission forms, the only way to hide from it will be to have some sort of human recognition system or pre-existing userID in place.

Thanks to Kate and Wes, we have IP addresses:
"The IP address I got was" resolves that to a ThePlanet IP range, which is different from what I originally saw. Kate posted and saw, which is an IP.

So we know that the Abe Torkelton bot is coming from multiple IPs. What we don't know is if it is a tool, a bot, or the early stages of something more malicious. I have yet to see a report of the registrations being used for more than posting to a site.

How can you prevent it? Well, thus far it appears that only systems requiring human input, such as CAPTCHAs, stop it. Since the IP address is changing, you likely can't block it via IP, and blocking bots with derivations of "Abe Torkelton" will only save you until the name changes.
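To show what "blocking derivations of the name" looks like in practice, and why it only helps while the name holds, here is an added example (my own illustration, not code from the post or from any commenter). It normalises submitted names, matches them against a list of known bot-name variants, and reports the distinct source IPs behind the matches; the submissions and IP addresses are constructed sample data, not the ones readers reported.

```python
import re

# Constructed sample of registration-form submissions (not real data):
# (timestamp, source IP, submitted name). The IPs are RFC 5737 documentation
# addresses chosen to illustrate the multiple-IP behaviour described above.
SAMPLE_SUBMISSIONS = [
    ("2007-11-08T10:01:12", "192.0.2.10",   "Abe Torkelton"),
    ("2007-11-08T10:03:40", "198.51.100.7", "abe  torkelton"),
    ("2007-11-08T10:05:02", "203.0.113.55", "A. Torkelton"),
    ("2007-11-08T10:07:19", "192.0.2.10",   "Torkelton, Abe"),
    ("2007-11-08T11:15:00", "198.51.100.9", "Jane Doe"),
]

KNOWN_BOT_NAMES = ("Abe Torkelton",)  # extend as new variants are reported


def name_tokens(name: str) -> list:
    """Lower-case, strip punctuation and split into word tokens."""
    return re.sub(r"[^a-z]+", " ", name.lower()).split()


def _token_matches(submitted: str, known: str) -> bool:
    # Exact token, or a single-letter initial of the known token ('a' ~ 'abe').
    return submitted == known or (len(submitted) == 1 and known.startswith(submitted))


def is_bot_name(name: str, known_names=KNOWN_BOT_NAMES) -> bool:
    """True when every token of a known bot name is matched by a distinct
    token of the submitted name, regardless of order or punctuation."""
    submitted = name_tokens(name)
    for known in known_names:
        remaining = list(submitted)
        for kt in name_tokens(known):
            hit = next((st for st in remaining if _token_matches(st, kt)), None)
            if hit is None:
                break
            remaining.remove(hit)
        else:
            if not remaining:  # no extra tokens left over
                return True
    return False


def flag_submissions(submissions=SAMPLE_SUBMISSIONS) -> dict:
    """Return flagged submissions and the distinct source IPs they came from."""
    flagged = [(ts, ip, name) for ts, ip, name in submissions if is_bot_name(name)]
    return {"flagged": flagged, "source_ips": sorted({ip for _, ip, _ in flagged})}
```

Running `flag_submissions()` on the sample flags four of the five submissions spread across three source IPs, which is exactly the situation where an IP blocklist falls short; once the bot picks a new name this list is blind again, so treat it as a detection signal alongside a human-input check, not as the control.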

I'll keep tracking this here, so keep throwing what you find into the comments. Thanks folks!

Wednesday, November 7, 2007

Forensic tools: WiebeTech HotPlug

Engadget has a short writeup of WiebeTech's HotPlug forensic system - in short, a tool for moving powered-on systems, either by powering their power strip, or by injecting power into their power cord or outlet.

If you're doing police forensics, this looks like a tool to investigate!

Friday, November 2, 2007

It's the simple stuff really

You know, it's a little frustrating to have taken exams with hundreds of questions about the obscurities and specifics of information security just so that I can prove that I know my stuff. I get these little letters after my name that impress the HR drones. That’s right, I’m an information security professional! Banded together, we geeks can enjoy a lively conversation on encryption for data at rest across disparate systems...“If we make cipher text on a system in an ASCII character set then transport it to a system using EBCDIC...” and so we digress. Ah, the upper echelon of geekdom.

However, it’s the simple stuff that makes or breaks your information security program. In the news recently was a decent account of the “Khaki Bandit” and his ability to walk right into a corporate setting and fill his bag with their laptops – and then walk right back out. Better yet, there’s an account here where a reporter walked into a major mail sorting facility in the UK and took up a position by simply claiming he already worked there.

In both incidents simple procedures could and would have stopped these individuals in their tracks. Sadly, neither was asked for proper ID nor escorted to their purported hosts. I’m not aware of any major losses or data breaches directly linked to these events; still, both had the potential to wreak havoc on an organization and its clientèle, not to mention its public image and brand trustworthiness.

Every organization should take a look at these stories and ask “what if?” Of course smaller organizations will have an easier time addressing unknown individuals while larger ones will struggle with adequate controls. However, it’s all about the simple controls – “Who are you? Who are you here to see? I’ll call to make sure they’re in. This person will escort you to them.” Funny, that reminds me of my introduction to Kerberos.