Saturday, November 28, 2009

The Speedy Evolution of iPhone Worms

The popularity of iPhone worms targeted at jailbroken iPhones with the original SSH password that I described recently continues to grow. The exploits have also become more threatening, moving from the Rickrolling ikee worm (whose creator was recently hired by an Australian iPhone software development Mogeneration) to the more threatening worms, including one that grabs your private data from the phone.

In chronological order so far worms have been:

  • Held iPhones hostage for 5 euros (November 2nd, ihacked)
  • Rickrolled affected users (November 8th, ikee)
  • Stolen personal data such as contacts, email, SMS messages, photos, music, and other users data (November 10th, iPhone/Privacy.A)
Of note, Sophos provides a very nice writeup and commentary on ikee.

Of course, as theappleblog notes, this threat could be much worse in future generations, as the technique is quickly improved and as more iPhone aware coders take advantage of the platform. Right now, a lot of the techniques used by Windows worms haven't shown up - the self replication capabilities are rudimentary, if there at all, and the concealment methods are largely simply based on file location.

The good news continues to be that the worms only go after phones with the default jailbroken SSH password, and that changing that password on a jailbroken phone will prevent the exploit. The bad news is that malware writers are likely now building toolkits that will easily integrate with the next iPhone exploit - and all that is really needed is an OS level vulnerability that can be remotely exploited to make iPhones a treasure trove of data for successful attackers.

The iPhone will continue to be an attractive target, both because of the desire of the user base to expand the phone's capabilities via jailbreak, and because of the user data and network access that a hacked iPhone can provide. I expect to see more concerted attacks on the iPhone's OS and applications over time, meaning that security and IT staff can expect to have new threats appearing on their networks - pocketable devices scanning for other devices and infecting each other may very well be our next big user initiated threat vector.

Tuesday, November 17, 2009

NIST 800-53 v3 controls in database form - No Extra Charge!

Have you ever been asked to implement standards for your organization - only to find out that they are buried within a gazillion page document with tables and appendices that you must pull actionable items out of? Top that off with your organizations's risk scores, cross referenced controls for the defined risk get the picture. I think we all have and we can agree that it isn't much fun. This morning, a colleague pointed me to a new release from our friends at NIST. Enter NIST SP 800-53 v3 in database format. From the readme:

The NIST SP 800-53 reference database application is a FileMaker runtime database solution. It represents the security controls that are organized into families for ease of use in the control selection and specification process. The security control structure consists of three key components: a control section, a supplemental guidance section, and a control enhancements section. The priority and minimum assurance requirements (i.e., low, moderate, and high) for security controls are applicable to each control. The user can browse the security controls based on various criteria, search for specific control, and export the control to various file types, e.g., tab-separated text file, comma-separated text file, XML, etc.

The download is about 42MB and is available here. After a quick decompression, you are ready to roll. However, this beta is limited to Windows support. If you're not familiar with the NIST SP 800 family of publications, you should be. They provide a great set of knowledge, vetted security controls and are available at no extra cost.

The application itself requires no installation, and therefore, will run without administrative control over the machine you are using it on (hint - you can share it with folks like legal counsel or developers so they can enjoy ease of access). To further protect the integrity of the data, the instance runs as read only. Once up and running, you are presented with a fairly busy interface that takes a bit of browsing to understand. However, after a few minutes you can quickly find the controls you need, according to your risk impact scores, with all the supporting information at your fingertips. This truly is a helpful tool to have in your cache.

Monday, November 9, 2009

First iPhone Worm in the wild - for Jailbroken iPhones only

PMP Today reports that the first iPhone targeted worm is hitting jailbroken iPhones due to a standard SSH password. The worm is a mobile device Rick Roll, resulting in a Rick Astley photo being set as the phone's background.

The easy fix is, of course, to not use a default SSH password - "alpine" wasn't exactly a good password to start with.

Thursday, November 5, 2009

Risky Behavior: Making Risk Assessment Fun

The Naval Safety Center's Picture of the Week often provides a great visual aid when discussing risks - I find that audiences get a kick out of them, and they can help break the ice when starting a risk assessment. This one? I'm pretty sure that's an integrity risk (for his bones), and an availability risk (to his services). Impact? High! Probability? Well...that depends.

Sunday, November 1, 2009

Visualizing a Risk Vocabulary's word visualization tool can be a great way to map out words and concepts. The Wikipedia text for Risk Assessment became part of a presentation I am building for a presentation that I was asked to provide as a guest speaker in an MBA class. Here's what is looks like:

The map for computer virus is also interesting:

I suspect that these will be useful visual aids in my presentations - a new way to present security concepts is often helpful, particularly when dealing with a non-IT staff audience.