Monday, September 21, 2009

Cyber virus targets online banking log-ins

CYBER criminals have created a highly sophisticated Trojan virus that steals online banking log-in details from infected computers.

The Clampi virus, which is spreading rapidly across hundreds of thousands of computers in Britain and the United States, infects computers when users visit websites that host malicious code.

Once on the computer, the virus sits unnoticed until the user logs on to bank, credit card or other financial websites. It then captures log-in and password information and sends it to a server run by the attackers. 

They can then tell the compromised computer to send money to accounts that they control, or they can buy goods with the stolen credit card details. 

The Trojan has a list of more than 4500 finance-related websites that it monitors, including British high street banks. Security experts warned that it was one of the stealthiest and most pervasive threats to computers running the Microsoft Windows operating system.

Orla Cox, security operations manager with Symantec, the online security company, said: "Clampi is a complex threat. People are only just beginning to understand how it operates." 

Researchers have found that the list of sites that Clampi is monitoring includes banks, credit card companies, online casinos, e-mail, wire transfer services, retail sites, utilities, share brokerages, mortgage lenders and government sites. 

Ms Cox said: "The first big wave was in the US in July, but it is spreading around the world, particularly English-language countries. We have seen samples of it targeting UK high street banks. There is potential for another wave to come." 

It is estimated that more than 1000 out of 40,000 or more infected computers have been in Britain. Only computers running Microsoft Windows are affected. Most of the infections seem to have occurred among small and medium-sized businesses, many of which have been reluctant to reveal how they have fallen victim. 

In America, $US75,000 ($86,610) was stolen in July from Slack Auto Parts, a car parts supplier in Gainesville, Georgia. In August, criminals used Clampi to steal online banking details for the public school district in Sand Springs, Oklahoma.

The attackers then submitted a series of false payroll payments, totalling more than $US150,000. The attack was one of a series on American schools in which criminals hired unsuspecting money mules -- people who transfer money or fraudulently obtained high-value goods -- to receive the transfers of stolen cash and then wire the money out of the country. 

Cyber criminals stole more than $US700,000 from the Western Beaver School District in 74 fraudulent electronic transfers, The Washington Post reported.

Clampi is one of a new wave of viruses to target the online banking system. Its emergence came as security experts warned that malicious websites hiding Trojan viruses were no longer confined to sites such as gambling and pornography. 

A recent report by IBM security systems found an increase in malicious content such as viruses on trusted sites, including popular search engines, blogs, online magazines and mainstream news sites.

The number of links to malicious web pages rose by more than 500 per cent in the first half of this year. Last week, attackers placed a virus in an advert on the website of The New York Times. 

Trojan viruses such as Clampi accounted for 55 per cent of all new malicious software in the first half of the year, IBM said, up from 46 per cent for the same period last year. Researchers say that variants of Clampi -- also known as Ligats or Ilomo -- have been around since 2005, but the new version appears to be spreading more quickly. 


Wednesday, September 16, 2009

Online Fraud: An Insider's View of Today's Top Threats

RSA Researcher Shares Insights on Fraudsters, Tools of Their Trade

Linda McGlasson, Managing Editor
September 14, 2009


Trojans. Harvesters. Mules. They're the backbone of the underground fraud economy, which is "vibrant" and worth billions, according to one international researcher.

And don't be swayed into a false sense of security by the recent indictment of Albert Gonzalez, who is charged with masterminding the Heartland Payment Systems breach of 130 million credit and debit cards. Gonzalez is but one representative of a thriving hidden network of fraudsters who are plying ever trickier tools of the trade, says Uri Rivner, lead researcher at RSA's Anti-Fraud Command Center in Israel.

"When I started my research, I believed, as many others did at the time, that a single fraudster could perpetrate fraud on their own," says Rivner. But after a decade spent researching the fraud economy, he now sees a sophisticated business model, replete with specializations and multi-levels of participants. "It's no longer the romantic notions of Matthew Broderick's character in 'War Games' penetrating the Pentagon's war computer."

Indeed, fraud is an international business - preying upon businesses internationally.

RSA alone stopped $1.2 billion worth of online fraud in 2008, Rivner says - and this represents what experts believe to be just a fraction of the crime's extent. "The economy of fraud is estimated into the billions, just in the U.S. alone," he says. "It is a very big issue."

Careers in Fraud

The two main "career paths" in the online criminal economy are harvesting and cash-out, Rivner says.

Harvesting is where criminals are after credentials -- typically from a single user. These credentials are gained through skimming, phishing and trojans. "The harvesting fraudsters are interested in one thing -- access credentials to online bank accounts, PIN numbers, account numbers, credit card numbers," Rivner says, adding that the number of incidents hitting regular online users each month is in the millions.

There are forces, such as the group Gonzalez is accused of masterminding, that, rather than focusing on individuals, try to breach payment processors and retailers such as Heartland and TJX. "These fraudsters are bent on getting into large databases to try and get as much information as possible, sometimes using an insider in the retail side or company," he observes.

The harvesting fraudster's weapons of choice are phishing kits and Trojans. Once the harvesting is done, Rivner says, "At the end of the day, they have to empty these accounts they've taken. They have stolen 1000 credit card numbers, but they don't know how to cash them out. Or they have information on 10,000 online bank accounts, but they don't have the infrastructure to cash in on those accounts."

The harvester will then turn to sell the information to the cash-out side of the criminal model. Cash-out fraudsters are adept at getting money either through ecommerce transactions or online banking transfers, without leaving a trail that can be traced back to them.

How the fraudsters do this is by using the cards online. Or in the case of ATM fraud, if they have the PIN, they clone the card and use it to remove money from ATMs. In online banking, they remove the money from the victim's account and send it into an account that they control. It does not have to be their own account, otherwise they would be caught very quickly, Rivner says. "But, instead, the cash-out fraudster will use another online banking account (hired money mules) to transfer the money to the fraudsters."

Sadly, Rivner says, most times the unwitting money mules don't realize they are part of a money laundering ring until their bank or law enforcement agencies contact them. Typically, money mules are recruited, "given some story, receive money transfers, take the money out and wire it internationally to a money drop. Then the money goes to the cash-out fraudsters," he says.

The two sides of the fraud economy -- the cash-out and the harvesting fraudsters -- know each other only virtually, Rivner says. "They do all of their business online, they collaborate, establish business relationships in fraud forums or chat rooms." There are dozens that are active these days, with thousands of users all looking for business ventures. The fraudsters share tools, give advice, sell information and basically do business on these sites. All of this makes for an interesting "dark" economy that has sprung up in the last couple of years.

Tools of the Trade

Most recently, fraudsters have moved away from phishing to Trojans, Rivner says. Trojans are invisible, hard to detect, and the infection rates are very high. They also are very sophisticated and can be tailored to counter specific defenses, making them the malware of choice for the fraudsters. Examples: Two Trojans being sold in the online underground are Zeus, typically sold for $1,000, and Limbo, which goes for $350.

How they work: Zeus and Limbo do not breach a bank or lead a customer to a spoofed website. Instead, "[the Trojan] is running on the same html of the bank web site, but right before the session starts, Limbo injects extra fields into the page," he explains. The session is real, it is recorded locally, and sent over to the hacker, who can record everything the bank customer is doing while on the site.

RSA's Anti-Fraud Command Center set up a dummy online banking website to test the Trojans. Limbo added two extra fields to the site -- the ATM number and the ATM PIN. "If an average consumer is asked for additional information, they'll become a little suspicious," Rivner says. "If they are technology savvy, they'll click on the yellow lock and see it's the real SSL session."

Not many people are aware of the sophistication of these new trojans, Rivner observes. What is more worrying is the speed at which they are spreading. On a weekly basis, "there are thousands of sites that are infected, and if visitors don't have the most updated security, then they'll most probably be infected," Rivner says. "The fraudsters are very good about adding these vulnerabilities, and end up infecting users visiting these sites until a patch is released."

Another form of infection comes from legitimate websites that have been seeded with malicious code. Anyone browsing these pages may get infected if their machine has certain vulnerabilities. This is known as "drive-by infection." Mitigation mainly consists of making sure one's operating system automatically installs the latest security patches, and that the antivirus and firewall are up to date. This reduces the risk of infection dramatically.

Fighting Back

The security industry has set up prevention measures such as phishing takedown services and anti-Trojan services. These services are also augmented with information from malware labs, Rivner says. The shutdown operations monitor the fraudsters and how they move information. Through intelligence monitoring of cash-out operations, these services often stop the transactions from taking place, and implement adaptive authentication methods that change the questions or add a third method of authenticating the transaction.

Knowledge-based authentication is also used, especially in other channels such as the telephone, which is also being hit with heightened fraud attempts.

When a customer calls and asks for something out of the ordinary or high risk, the customer service rep will ask questions that only the customer would know, such as previous assets they owned or previous addresses they lived at, says Rivner.

These emerging threats are here to stay, and the arms race is on, Rivner says. "The best bet is to have a flexible framework to respond to emerging threats," he adds. "It is a celestial alignment for fraudsters: So much better technical infrastructure, so much better infection, and the poor economy makes it easy to recruit the mules ... the atmosphere is right for fraud."


Sunday, September 13, 2009


7 Reasons Websites Are No Longer Safe

Many sites you visit are laden with malware. Here are 7 reasons why, and advice on how to protect your systems.

By Bill Brenner, CSO, 09/09/2009

Conventional wisdom is that Web wanderers are safe as long as they avoid sites that serve up pornography, stock tips, games and the like. But according to recently gathered research from Boston-based IT security and control firm Sophos, sites we take for granted are not as secure as they appear.

Among the findings in Sophos' threat report for the first six months of this year, 23,500 new infected Web pages -- one every 3.6 seconds -- were detected each day during that period. That's four times worse than the same period last year, said Richard Wang, who manages the Boston lab. Many such infections were found on legitimate websites.

In a recent interview with CSOonline, Wang outlined seven primary reasons legitimate sites are becoming more dangerous.


1. Polluted ads

Many legitimate sites rely on paid advertisements to pay the bills. But Wang said recent infection statistics gathered by his lab show that they are often hiding malware, without the knowledge of the website owner or the user.

"A lot of sites supported by advertisers, rather than contracting directly with the advertiser, work through ad agencies and network affiliates," Wang said. "Some of these affiliates are less than diligent in reviewing content for flaws and infections."

Ads that incorporate Flash animation and other rich media are often rife with security holes attackers can exploit. When the user clicks on the ad, the browser can be (and often is) redirected to sites that download malware in the background while the user is reading the legitimate site. Someone in the ad-providing supply chain can be the culprit, though tracing a compromise back to them can be exceedingly difficult, Wang said.

Whatever the case may be, a downloaded Trojan is then free to gather up usernames, passwords and other sensitive banking data.

2. SQL injection attacks

SQL injection attacks are among the most popular of tactics and have been used in several high-profile incidents in the last couple of years. For example, see "SQL Injection Attacks Led to Heartland, Hannaford Breaches."

SQL injection is a technique that exploits a flaw in the coding of a Web application or page that uses input forms. A hacker might, for example, input SQL code into a field that is intended to collect email addresses. If the application doesn't include a security requirement to validate that the input is of the correct form, the server may execute the SQL command, allowing the hacker to gain control of the server.

"The hacker essentially takes advantage of flaws related to shoddy site development," Wang said.
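The flaw Wang describes, shown in working code, as an added example that is not part of the original article: an email-lookup query built by pasting user input into the SQL text, beside the same lookup done with parameter binding and a strict input check. The table, sample rows and function names are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data standing in for a site's user table.
SAMPLE_USERS = [
    ("alice@example.com", "Alice"),
    ("bob@example.com", "Bob"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, email):
    """The flawed pattern: the submitted value is pasted straight into the SQL.

    The database cannot tell where the developer's query ends and the
    visitor's input begins, so input containing quotes and SQL keywords
    changes what the statement means.
    """
    query = f"SELECT name FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, email):
    """The hardened pattern: parameter binding keeps data separate from code.

    The '?' placeholder is filled in by the driver after the statement has
    been parsed, so the input is only ever compared as a plain string value.
    """
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE email = ?", (email,))]


# Strict allow-list check applied before any query, as the article's
# "validate that the input is of the correct form" advice. Parameter binding
# remains the primary control; this is defence in depth.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_valid_email(value):
    """Return True only when the submitted value looks like a single address."""
    return bool(EMAIL_RE.match(value))


def lookup_validated(conn, email):
    """Reject malformed input outright, then query with parameter binding."""
    if not is_valid_email(email):
        raise ValueError("input does not look like an email address")
    return lookup_safe(conn, email)


if __name__ == "__main__":
    db = make_db()
    # The textbook tautology string typed into the email field (constructed).
    injected = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, injected))  # every row comes back
    print("safe:      ", lookup_safe(db, injected))        # no row matches
    print("validated: ", is_valid_email(injected))         # rejected before the query
```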

3. User-provided content

It doesn't take a genius to write a comment on a blog posting or to respond to something they see on a social networking site like Facebook or Twitter. The bad guys know this and are therefore taking the opportunity to pollute discussion threads and other sources of user-supplied content with spam-laden links. (See "Seven Deadly Sins of Social Networking Security".)

"You can get comment spam, completely irrelevant comments including links to sites trying to sell you stuff," Wang said. "They can also try posting full links to malicious sites or work in a little scripting, depending on the filter they are trying to work around."

4. Stolen site credentials

Using the types of malware and social networking tactics described above, as well as other means, attackers can steal the content provider's log-in credentials. From there it's no sweat logging into the site and making changes. It typically is a change so subtle and small that it escapes notice. The tiny bits of code added in can then steal the site visitor's credit card or other data.

5. Compromised hosting service

This one is similar to number 4, where the credentials of the content provider are stolen and hackers log in to make sinister changes. Through this vector, Wang said the bad guys could potentially poison thousands of sites the provider is hosting in one strike.

6. Local malware

The website you visit may be perfectly safe, but if there's malware hidden on your own machine you can unwittingly become part of the attack, Wang said. For example, when the user visits their online banking site and types in a user name and password, the Trojan is there to record that information and pass it back to the attacker, allowing him to go in later and empty out your account or that of others.

7. Hacker-engineered fakes

Finally, there's the problem of hackers trying to sell you fake merchandise that includes phony security software. If a box appears warning that your machine may have been infected and that you must immediately download a particular security tool to remove it--a common occurrence if you have visited a site that surreptitiously downloads malware onto your computer--it's a sure sign of trouble.

"You spend your $39.95 and you get a worthless piece of software, and at the same time you have given them your credit card data," Wang said.

What is one to do if their website relies on ads and open access? Wang suggested IT security administrators use security scanners against anything coming in by way of third-party hosts and, for in-house apps and other online property, that developers redouble efforts to write more ironclad code.

For those who heavily rely on third-party forums, a wise practice is to take a daily scan of vulnerability reports that may affect those providers and to keep up to date on security patches that will harden your own environment against these threats, he added.


Monday, September 7, 2009

Court allows suit against bank for lax security

Citizens Financial Bank should have offered strong authentication, plaintiffs claim

Jaikumar Vijayan


September 2, 2009 (Computerworld) A couple whose bank account was breached can sue their bank for its alleged failure to implement the latest security measures designed to prevent such compromises.

In a ruling issued last month, Judge Rebecca Pallmeyer, of the District Court for the Northern District of Illinois, denied a request by Citizens Financial Bank to dismiss a negligence claim brought against it by Marsha and Michael Shames-Yeakel. The Crown Point, Ind., couple -- customers of the bank -- alleged that Citizens' failure to implement up-to-date user authentication measures resulted in the theft of more than $26,000 from their home equity line of credit.

The negligence claim was one of several claims brought against Citizens by the couple. Although Pallmeyer dismissed several of the other claims, she allowed the negligence claim against Citizens to stand. She noted that the couple had shown that a "reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access."

The ruling highlights an issue that security analysts have been talking about for a long time: the need by companies to show due diligence in protecting customer data against malicious and accidental compromise. Security analysts have warned that companies that can't prove they took adequate measures to protect data could find themselves exposed to legal liability after a data breach.

Numerous lawsuits alleging such negligence have been filed against companies over the last two years. Most of those cases, however, involved payment card data breaches in which large numbers of accounts were compromised and in which victims want compensation. Courts typically sided with the breached entities in such lawsuits, and in many cases summarily dismissed the claims.

The decision in the Shames-Yeakel case was first reported on Digital Media Lawyer Blog, which is written by David Johnson, a lawyer specializing in digital media law with Jeffer, Mangels, Butler and Marmaro LLP in Los Angeles. The case shows how the failure to expeditiously implement state-of-the-art security measures can open companies to negligence claims, Johnson wrote.

The ruling shows that a "failure to implement the latest and greatest in data protection measures may be found to be a breach of expected standards of care," he warned.

The dispute stems from a February 2007 incident in which an intruder gained access to the Shames-Yeakel's equity credit line account using their username and password. The intruder then proceeded to take an advance of $26,500 from the account and transfer it to a bank in Austria. The fraudulent transaction wasn't discovered by the couple until 10 days later, by which time it was too late to recover the money.

Citizens held the couple responsible for paying back the money, and claimed that under its online terms and conditions it had no liability for any unauthorized transactions that were made using legitimate usernames and passwords. It said there was no liability unless it had been notified in advance about the possibility of unauthorized use and had been given a reasonable opportunity to act on that notice.

Citizens also had claimed that its online banking services were being provided and protected by a highly reputable company. In addition to the third-party security services, Citizens said it had its own measures for protecting access to user accounts.

But the Shames-Yeakels claimed those measures were inadequate. They said that at the time of the breach, Citizens was still relying on usernames and passwords to control access to accounts while others had begun using two-factor authentication, including token-based authentication, that is considered more secure. They pointed to a 2005 document by the Federal Financial Institutions Examination Council (FFIEC), which called single-factor authentication inadequate and recommended the use of two-factor authentication by banks.

In her ruling, Pallmeyer noted that Citizens had begun implementing stronger authentication measures in 2007 but supported only single-factor authentication at the time of the theft. The apparent delay in complying with the FFIEC's recommendations could indicate that the bank had breached its duty to protect account holder information, she wrote.

Although the judge has cleared the case for trial, no court date has been set, and Citizens' officials declined to comment on the pending litigation.


Sunday, September 6, 2009


The Move Toward Multifactor Authentication

For extra protection, companies are using two or more security methods for authenticating a user's identity.

John Edwards

Like the man who wears both a belt and suspenders, the owners of Web sites and applications protected by multifactor authentication are looking to reduce the possibility of accidental exposure. Multifactor authentication combines two or more different security methods for authenticating a user's identity.

The first method usually requires a "what-you-know" response from the person seeking access. This is typically a password, but it can also be the answer to a challenge question such as, "What is your mother's maiden name?" This technique is known as knowledge-based authentication.

The second method is usually based on something a user has in his or her possession. This object is usually a physical device, such as a smart card with a built-in chip or a hardware token that generates one-use-only passwords. Other personally possessed types of items could be a biometric asset, such as a fingerprint or the eye's iris.

Banks Lead the Charge

Multifactor authentication's fundamental goal is to enhance security by making it more difficult for fraudsters to obtain system access. Attack-proof security is a concern shared by many businesses, yet due to the large amounts of money they handle, banks and other financial institutions are at the forefront of the drive toward multifactor authentication. In the United States, the APACS (Association of Payment and Clearing Systems), the FDIC (Federal Deposit Insurance Corp.) and a variety of other banking organizations have all urged banks to begin offering multifactor authentication.

Many banks also view multifactor authentication as a way of enhancing customer confidence. A study conducted earlier this year by Javelin Strategy & Research revealed that 67 percent of consumers in the United States do not bank online for fear of having their identity stolen. Fifty-three percent of those surveyed would like to see banks offer identity-protection software, and 33 percent would like their bank to offer biometrics. The study shows that banks stand to realize a gain of $8.3 billion per year through customer adoption and increased loyalty by making identity-protection software available to their customers.

Many retailers would also like to see increased adoption of multifactor authentication for Web-based sales. Unfortunately, few American Web shoppers have the smart cards, hardware tokens or biometric readers required for such transactions. European shoppers, on the other hand, are ahead of their American counterparts on the multifactor-authentication adoption curve. Multifactor use is on the upswing in Europe, with a growing number of retailers adopting some form of the technology.

Europeans may be more accepting of multifactor authentication due to their experience with the related technology when shopping in brick-and-mortar stores. Until relatively recently, European retail shops didn't have easy access to cheap data lines for online verification of credit card transactions. This forced European retailers to pressure financial institutions to adopt some type of offline multifactor solution, such as a device that a retail clerk could use to scan a smart card-generated code, then compare it with the PIN entered by the consumer. Given this track record, it was more natural for Europeans to adopt multifactor authentication for consumer Web applications as well.

Market Drivers

In the U.S., many online bankers and retailers continue to hope that they will be able to perform authentication without issuing consumers extra hardware or software, such as by using monitoring systems to observe customer behavior and detect any anomalies. Most of these organizations want to focus on their core business and would prefer not to involve themselves in the cost and complexity of technology support. This mind-set has slowed the deployment of multifactor authentication in the United States, except perhaps for certain niche applications, such as high-end investing and corporate cash management.

Still, the prejudice against multifactor authentication may ease in the years ahead, as credit card issuers and financial regulators press their business partners to tighten security. In a 2007 study, financial industry research firm The TowerGroup Inc. reported that online banking is becoming the most powerful tool retail banks have ever deployed, outpacing everything from ATMs to call centers, and is increasing in use at an annual rate of 27 percent. With Web shopping growth also skyrocketing, it seems inevitable that more banks and retailers will eventually embrace enhanced security technologies, with multifactor authentication standing at the front of the line of potential solutions.


Thursday, September 3, 2009


iPhone passcode bugs revealed

Problems with iPhone passcode handling and Exchange ActiveSync policies may leave you vulnerable

By Jay Sartori, Network World, 09/02/2009

About the author: Jay Sartori, CISSP, Security+, CCSP, MCSE, is an IT security analyst with over 12 years of IT experience. He has a bachelor’s degree in computer engineering and a master’s in network security management.

As an IT security professional, I was tasked with evaluating the iPhone’s security features for the enterprise. Over the past few weeks, I have been testing different aspects of the new iPhone 3GS, particularly the interaction with Exchange ActiveSync (EAS) and device password policies. During my testing, I discovered some strange behaviors with how the iPhone handles device password policies, as well as passwords altogether.


It has already been proven that the passcode on an iPhone can be removed. The purpose of this article is to point out the false sense of security delivered through Apple’s marketing of iPhone features for the enterprise. My testing has revealed that the enterprise security features do not behave correctly and I will point out three flaws with how passwords are handled with the iPhone and EAS.

The setup for my testing consisted of a 16GB iPhone 3GS running firmware 3.0.1. The iPhone was configured to use Exchange ActiveSync mail going through a proxy server. The proxy server was an F5 FirePass, which provides functionality similar to an ISA server for proxying connections to EAS. The Exchange server was running Exchange 2003 SP2 with EAS enabled and configured with device password policies. I set up the device password policy on the Exchange server to enforce a password with a minimum of four characters and a 20 minute inactivity timeout. This means that any mobile device connected to Exchange that is idle for 20 minutes will automatically lock and require a password to access the device.

Bug 1 – iPhone does not handle EAS Policies as expected

With Exchange ActiveSync, administrators can configure device password policies. According to Microsoft, the “Inactivity Time” option determines how long the device needs to be inactive before the user is prompted for the password. I first tested my EAS settings against a Windows Mobile Device. The results were as expected, with the device requiring me to set a password and after 20 minutes of inactivity, requiring me to enter my password.

The iPhone behaved differently. First, you need to understand two settings on the iPhone which pertain to passwords: “Auto-Lock” and “Passcode Lock.” “Auto-Lock” sets the amount of time in minutes before the screen locks. The purpose of this is to save battery life by dimming the screen and to prevent accidental pocket dialing. “Passcode Lock” determines the amount of time in minutes after the Auto-Lock sets in, before a password needs to be entered. This can be configured at 1 min., 5 min., 15 min., 1 hour, 4 hours or never.

Upon successfully connecting to EAS, I was required to set a password as expected. After I set up my password, I reviewed the settings on the iPhone and saw that Auto-Lock was set to 5 minutes and Passcode Lock was set to 15 minutes. This appeared to be correct as the total adds up to 20 minutes before requiring a password to be entered. Surprisingly, however, I was able to change the “Passcode Lock” on the iPhone up to a maximum time of 1 hour. I did notice that I could not set the Passcode Lock to 4 hours or never as those options were apparently removed after connecting to EAS. This allowed me to change the Passcode Lock up to a maximum of 1 hour for a total of 65 minutes (5 min. for the Auto-Lock and 1 hr for the Passcode Lock) before requiring a password.

This means that in a corporate environment, users are able to override inactivity timeout settings defined by administrators, as the iPhone does not respect the EAS policy. This gives a false sense of security to administrators, and they need to be aware of this behavior. If Apple is going to advertise integration with EAS security policies, then they need to ensure the iPhone respects the settings and behaves accordingly.

Bug 2 – Passcode Prompt Reveals Too Much Information

I’m really not sure how this next bug made it by the quality assurance team, specifically security testing. For this example, let’s assume you set your password to “abc123” and your device gets locked. You are prompted to enter your password with the iPhone keyboard and, as you type, asterisks are displayed across the screen (see Figure 1). This is typical and expected behavior. Note that the input box does not give any indication as to the length of the password or the complexity of the password as you can enter numbers, letters and special characters.

But if you change your password to “1234” or any four-digit numeric password for that matter, from then on you lose the ability to enter any letters or special characters (see Figure 2). This reveals two pieces of information about your password: 1) that it consists of only numbers, and 2) the password is only four digits long. From a brute-force perspective that is only 10,000 possible combinations, which would be trivial for any type of offline attack. Knowing this behavior of the iPhone, you may want to consider an EAS policy that requires passwords to contain, at a minimum, both numbers and letters.
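The two behaviours described under Bug 1 and Bug 2 can be modelled as a simple compliance check an administrator runs against the EAS policy, to see which policy settings actually limit the exposure. This is an added example, not code from the article; the policy names MaxInactivityTimeDeviceLock, MinDevicePasswordLength and AlphanumericDevicePasswordRequired are real EAS Provision settings, while the device-side field names and the sample values are constructed here.

```python
# Added example (not from the article): checks observed iPhone settings
# against an Exchange ActiveSync (EAS) password policy. The EAS policy names
# are real; the device fields and sample values are constructed.
import string

def effective_lock_minutes(auto_lock_min, passcode_lock_min):
    """Minutes of inactivity before a passcode is demanded: the iPhone adds
    Auto-Lock and Passcode Lock instead of enforcing the EAS value directly."""
    return auto_lock_min + passcode_lock_min

def passcode_keyspace(passcode):
    """Candidates an attacker must try once the entry UI leaks which
    character classes are in use (numeric keypad vs full keyboard)."""
    classes = 0
    if any(c in string.digits for c in passcode):
        classes += len(string.digits)          # 10
    if any(c in string.ascii_letters for c in passcode):
        classes += len(string.ascii_letters)   # 52
    if any(c in string.punctuation for c in passcode):
        classes += len(string.punctuation)     # 32
    return classes ** len(passcode)

def audit_device(device, policy):
    """Return findings for one device; an empty list means compliant."""
    findings = []
    window = effective_lock_minutes(device["auto_lock_min"],
                                    device["passcode_lock_min"])
    limit = policy["MaxInactivityTimeDeviceLock"] // 60   # EAS value is seconds
    if window > limit:
        findings.append(f"lock window {window} min exceeds policy {limit} min")
    pw = device["passcode"]
    if pw.isdigit() and not policy["AlphanumericDevicePasswordRequired"]:
        findings.append(f"numeric-only passcode: keypad reveals only "
                        f"{passcode_keyspace(pw)} candidates; "
                        "set AlphanumericDevicePasswordRequired")
    if len(pw) < policy["MinDevicePasswordLength"]:
        findings.append("passcode shorter than MinDevicePasswordLength")
    return findings

# Constructed sample reproducing the observations in the text.
POLICY = {"MaxInactivityTimeDeviceLock": 1200,   # 20 minutes, in seconds
          "MinDevicePasswordLength": 4,
          "AlphanumericDevicePasswordRequired": False}
DEVICE = {"auto_lock_min": 5, "passcode_lock_min": 60, "passcode": "1234"}

if __name__ == "__main__":
    for finding in audit_device(DEVICE, POLICY):
        print(finding)
```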

Bug 3 – Changing your iPhone Passcode

This next bug has some similarities to Bug 2. Let’s assume that you realize that your four-digit numeric password is weak and reveals too much information. You decide to change your password from numbers to something alphanumeric. What I discovered is you cannot do this. Once your password is changed to four digits, when you go to change the password, you are only given the option to change it to another four-digit numeric password. On the other hand, if your password is already alphanumeric, you can change it to any length and any combination of numbers, letters and special characters. This is clearly a bug with the iPhone OS.

The workaround to this was to remove the Exchange account from the iPhone and add it back. Upon adding the Exchange account back, I was prompted to enter a new password which allowed me to enter a complex password.

Summary

The iPhone is a great device and is arguably the best mobile device from a usability perspective. Unfortunately, the security features are not quite ready for the enterprise and contain various bugs. In order to safeguard against such bugs, data encryption has to be considered for any type of data protection, but that is another article. Enterprises considering the iPhone for corporate use need to be aware of how the iPhone security features behave and the different ways that data can be breached in the event that the device is lost or stolen.


All contents copyright 1995-2009 Network World, Inc. http://www.networkworld.com


iPhone Security, Part 2

The iPhone app security model

Security Strategies Alert by M. E. Kabay, Network World, 05/20/2009

My friend and colleague Adjunct Professor Richard Steinberger from the MSIA Program at Norwich University continues his analysis of Apple iPhone security. Everything that follows is entirely Ric’s work with minor edits.

* * *

iPhone apps are, with a few limited exceptions, available to iPhone owners only via Apple’s iTunes store and only if iTunes has been installed on the computer accessing the store. Users cannot, in general, download apps from any other source, or share their apps (even free apps) with other iPhone owners. This distribution architecture allows Apple to vet every app that iPhone users install on their phones. In emergencies, Apple may also remotely remove or disable dangerous apps that have been installed on iPhones.

Based on my personal observation and analysis, the main security constraints imposed by the iPhone Operating System are as follows:

• No app may access any iPhone OS files.
• No app may access any other app’s files (with a few exceptions). Any files created by an app must remain local to that app. For example, an app designed to edit Java files could only edit Java files created within that app (or downloaded to that app). Primary exceptions include: Third-party apps may access and modify stored photos and phone contacts.
• No app may alter any system settings. For example, a precise, NTP-enabled clock may not set the iPhone’s clock.
• If an app crashes, then in theory, only that app crashes, and the OS is unaffected. In practice, a crashed app may hang a system, requiring a restart.
• An iPhone app may sync with a PC- or Mac-based application to exchange or update the app’s data. But the syncing must be done by a wireless LAN connection and cannot be carried out using the cable that connects the iPhone to the computer; i.e., synchronization via an iTunes conduit to a PC or Mac application is not permitted.
• Apps are allowed to communicate with the Internet using the iPhone’s network connection. Thus, any data files present within an app may, in theory, be sent to an unauthorized destination without the iPhone owner’s knowledge. This transfer would be an example of an app Trojan horse program. Although such programs may escape Apple’s initial vetting, the author knows of no cases where such an app has actually been distributed via iTunes.

In other words, apps are islands unto themselves. Although a rogue employee may use a mobile phone to help steal or distribute confidential information, it remains far less likely that a trustworthy iPhone owner’s use of downloadable apps presents any major new security risk. As mentioned in the introduction, the primary risk of mobile phones remains their theft or loss. Organizations need to be prepared for the loss of confidential information when staff member phones are misplaced or stolen unless the iPhones are equipped with encryption software. In addition to using a password or personal identification number (PIN) to protect the phone itself from unauthorized access, some useful encryption and data protection apps for the iPhone are:

• SplashID
• 1Password
• My Eyes Only
• Verisign Identity Protection (VIP)
• Jaadu VNC

With appropriate precautions, corporate security managers can survive the latest wave of innovation from Apple.

* * *

Richard H. Steinberger, CISSP, CISM, has over 20 years of hands-on and supervisory experience with computers and networks with special expertise in Internet and network security; security principles and products including firewalls, routers, VPNs, vulnerability assessment tools, intrusion detection systems, and hacking tools; advanced Unix software development; and system administration. He has taught network security at University of California Berkeley Engineering Extension and for several years as Adjunct Professor of Information Assurance in the MSIA Program at Norwich University. You may reach Ric by e-mail.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.



iPhone security, Part 1

Security Strategies Alert by M. E. Kabay, Network World, 05/19/2009


My friend and colleague Adjunct Professor Richard Steinberger from the MSIA Program at Norwich University sent me an e-mail note recently about the interesting security model used by Apple for its mobile devices. I invited him to expand on his thoughts and am delighted to present his analysis today. Everything that follows is entirely Ric’s work with minor edits.

Perhaps the biggest security problem of mobile phones is that they are easily lost or stolen. Unless a lost/stolen phone has been protected (by its rightful owner) from unauthorized use, then anyone who finds this phone could, in theory, access it with the same rights and privileges as the original owner. But what are the security issues when the phone stays in the possession of its rightful owner? This article considers just one popular case: The Apple iPhone, although most of what applies to iPhones also applies to a related Apple product, the iPod touch.

Last summer, Apple released a 3G version of its iPhone and a new version of the iPhone software (2.x). Although the new software includes many commercial features, the one with the most potential security consequences is that iPhone owners can now download new applications (apps) from Apple’s iTunes store. The iPhone became a lot more like a personal computer with a worldwide Internet connection than just a phone. iPhone users can purchase (and in many cases, acquire for free) apps written by third-party developers. By April 2009, more than 1 billion apps had been downloaded, and over 25,000 apps are available.

Apps are available in a variety of areas, including reference, medical, utilities, social networking, travel, weather, news and many more. Apps (as well as music and videos) may be downloaded either directly to the iPhone over a data connection or by using Apple’s iTunes program installed on a PC or Mac system.

Because running third-party applications on personal computers has led to many security compromises, it’s only reasonable for IT managers to be concerned about the risks to their organization if a rogue iPhone app were to be installed on a staff member’s phone. Such installation would be a concern because: (a) many staff members connect their iPhones to the Internet using an organization’s protected wireless network, and (b) staff members could store confidential information (e.g., contacts, data files) on their iPhones. In theory, a rogue app could access or modify sensitive information or covertly send copies of it to unauthorized recipients.

How big a worry should rogue apps be? As you will see in the next part of this two-part overview, it’s unlikely that apps will misbehave. The bigger concern – unaddressed in this pair of short articles – is how staff members intent on unauthorized actions could use a mobile phone with a camera and data connection (such as an iPhone) to export confidential information using covert channels – i.e., engage in deliberate data theft.

Ric continues his discussion of Apple iPhone security in the next of this two-part series.

* * *



Tuesday, September 1, 2009

New attack cracks common Wi-Fi encryption in a minute

August 27, 2009 (IDG News Service) Computer scientists in Japan say they've developed a way to break the WPA encryption system used in wireless routers in about one minute.

The attack gives hackers a way to read encrypted traffic sent between computers and certain types of routers that use the WPA (Wi-Fi Protected Access) encryption system. The attack was developed by Toshihiro Ohigashi of Hiroshima University and Masakatu Morii of Kobe University, who plan to discuss further details at a technical conference set for Sept. 25 in Hiroshima.

Last November, security researchers first showed how WPA could be broken, but the Japanese researchers have taken the attack to a new level, according to Dragos Ruiu, organizer of the PacSec security conference where the first WPA hack was demonstrated. "They took this stuff which was fairly theoretical and they've made it much more practical," he said.

The Japanese researchers discussed their attack in a paper presented at the Joint Workshop on Information Security, held in Kaohsiung, Taiwan, earlier this month.

The earlier attack, developed by researchers Martin Beck and Erik Tews, worked on a smaller range of WPA devices and took between 12 and 15 minutes to work. Both attacks work only on WPA systems that use the Temporal Key Integrity Protocol (TKIP) algorithm. They do not work on newer WPA 2 devices or on WPA systems that use the stronger Advanced Encryption Standard (AES) algorithm.

The encryption systems used by wireless routers have a long history of security problems. The Wired Equivalent Privacy (WEP) system, introduced in 1997, was cracked just a few years later and is now considered to be completely insecure by security experts.

WPA with TKIP "was developed as kind of an interim encryption method as Wi-Fi security was evolving several years ago," said Kelly Davis-Felner, marketing director with the Wi-Fi Alliance, the industry group that certifies Wi-Fi devices. People should now use WPA 2, she said.

Wi-Fi-certified products have had to support WPA 2 since March 2006. "There's certainly a decent amount of WPA with TKIP out in the installed base today, but a better alternative has been out for a long time," Davis-Felner said.

Enterprise Wi-Fi networks typically include security software that would detect the type of man-in-the-middle attack described by the Japanese researchers, said Robert Graham, CEO of Errata Security. But the development of the first really practical attack against WPA should give people a reason to dump WPA with TKIP, he said. "It's not as bad as WEP, but it's also certainly bad."

Users can change from TKIP to AES encryption using the administrative interface on many WPA routers.
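For administrators who manage access points by configuration file rather than a web interface, the same TKIP-to-AES change can be audited and applied programmatically. The following is an added example, not code from the article or from any vendor: it parses a hostapd-style configuration (the keys wpa, wpa_pairwise and rsn_pairwise are real hostapd options; the sample configuration text is constructed) and produces a WPA2/AES-CCMP-only version.

```python
# Added example (not from the article): audits a hostapd-style AP
# configuration for the TKIP cipher targeted by the attacks described above
# and emits a corrected WPA2/AES-CCMP configuration. The hostapd keys are
# real; the sample configuration below is constructed for this example.

WEAK_CONF = """\
interface=wlan0
ssid=corp-guest
# WPA (not WPA2) with the interim TKIP cipher
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=placeholder-passphrase
"""

def parse_conf(text):
    """Parse key=value lines, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def find_weak_ciphers(conf):
    """Return the reasons this AP is exposed to the TKIP attacks above."""
    problems = []
    if conf.get("wpa") == "1":
        problems.append("wpa=1 offers only WPA, not WPA2 (RSN)")
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, "").split():
            problems.append(f"{key} allows TKIP")
    return problems

def harden(conf):
    """Move the AP to WPA2 with AES-CCMP only; TKIP-only clients will drop."""
    fixed = dict(conf)
    fixed["wpa"] = "2"                 # WPA2/RSN only
    fixed["rsn_pairwise"] = "CCMP"     # AES-CCMP is the only pairwise cipher
    fixed.pop("wpa_pairwise", None)    # WPA(1) cipher list no longer applies
    return fixed

def render(conf):
    return "".join(f"{k}={v}\n" for k, v in conf.items())

if __name__ == "__main__":
    weak = parse_conf(WEAK_CONF)
    print("\n".join(find_weak_ciphers(weak)))
    print(render(harden(weak)))
```

Clients that support only TKIP (some pre-2006 devices) will no longer associate after the change, so inventory them before rolling it out.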