ITS Blog

IT Security blog – about up to date topics on IT security

Browsing Posts in Warnings

Two days ago a popular news site (wiwo) posted an article stating that the German defense minister had issued a warning about the use of smartphones during combat operations. As he pointed out, the department of defense is not prohibiting the use of smartphones in general; it is left to each unit to prohibit their use. It was also stated that, especially in the headquarters, not everyone knows about the dangers coming from these phones.

So let's have a look at smartphones:

Most smartphones have a built-in GPS receiver, and at least the Android phones are able to use WLAN hotspots to identify their position. To do so, they connect to databases on the net to look up the current position of the hotspots. An attacker can triangulate on this communication to get the position of a single mobile phone.

Another way to track someone would be to bring malware or a “special app” onto the phone which simply sends the current position to your server; this would be an even more convenient way to track someone.

A third approach could be to get hold of such a smartphone. At least some of them store a history of where you have been recently. If such a phone were captured by an attacker, he could easily find out where the soldiers' base camp has been.

So, soldiers… please turn off your phone, or better, leave it in your base. That way it will not get lost either…


Currently I am focusing on the topic of password security and password guessing. For this work I started to analyse the famous rockyou password list. This list was leaked in December 2009 [wikipedia]. The list can be found in various places, for example at SkullSecurity, where a lot more lists are available as well.

Taking a closer look at the passwords gives the following results:

  • 12.2% are passwords with 6 lower-case letters
  • 8.4% are passwords with 7 lower-case letters
  • 7.5% are passwords with 8 lower-case letters
  • 7% are passwords with 6 digits

As a little performance test I took a list of raw MD5 hashes and asked John the Ripper to brute-force all lower-case words with 8 letters, meaning from a to zzzzzzzz. It took around 5 hours until John had finished his work, at roughly 2.4 million words hashed per second. The work was performed on a Compaq nx9420 running Gentoo Linux. Testing the digits from 0 to 99999999 additionally took 42 seconds.

These numbers bring us to the point:

  • use long passwords (10+ characters)
  • use lower-case and upper-case letters
  • use numbers
  • use special characters!

All of these measures increase the security of your password and also help to protect your data.
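As an added example (not code from this post), the following Python script labels passwords the way the statistics above do (length plus character class) and estimates how long exhausting each label's keyspace takes at the 2.4 million hashes per second measured above. The password list is a small constructed sample, not the rockyou data.

```python
from collections import Counter

# Constructed sample standing in for the rockyou list (not the real leak).
SAMPLE_PASSWORDS = [
    "123456", "iloveyou", "princess", "rockyou", "abc123", "password",
    "monkey", "654321", "letmein", "Qwerty12!", "daniel", "sunshine",
    "lovely", "ashley",
]

# Size of the character set an exhaustive search must cover per label.
CHARSET_SIZE = {"digits": 10, "lower": 26, "upper": 26, "alnum": 62, "special": 95}


def label(pw: str) -> str:
    """Label a password by length and character class, e.g. '6 lower'."""
    if pw.isdigit():
        charset = "digits"
    elif pw.isalpha() and pw.islower():
        charset = "lower"
    elif pw.isalpha() and pw.isupper():
        charset = "upper"
    elif pw.isalnum():
        charset = "alnum"
    else:
        charset = "special"  # anything containing punctuation or spaces
    return f"{len(pw)} {charset}"


def distribution(passwords) -> dict:
    """Percentage of the list falling into each label, rounded to 0.1%."""
    counts = Counter(label(pw) for pw in passwords)
    return {k: round(100 * v / len(passwords), 1) for k, v in counts.items()}


def exhaust_seconds(lbl: str, rate: float) -> float:
    """Seconds to try every candidate of a label at `rate` hashes per second.
    A real cracking run can finish earlier: it stops once every hash is found."""
    length, charset = lbl.split()
    return CHARSET_SIZE[charset] ** int(length) / rate


def report(passwords, rate=2.4e6) -> dict:
    """Map each label to (share of the list in %, hours to exhaust its keyspace)."""
    return {lbl: (pct, round(exhaust_seconds(lbl, rate) / 3600, 2))
            for lbl, pct in sorted(distribution(passwords).items(),
                                   key=lambda kv: -kv[1])}


if __name__ == "__main__":
    for lbl, (pct, hours) in report(SAMPLE_PASSWORDS).items():
        print(f"{lbl:>12}: {pct:5.1f}% of list, {hours:14.2f} h to exhaust")
```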


When you work in a company and are responsible for security, you have to deal with passwords. Passwords are used to log in to the company network, to the desktop PC, to webshops. Passwords are used nearly everywhere.

Because of this, the average user has a lot of passwords to remember. For this reason most users use a very limited number of passwords. For some the number is just one. To make it even worse, the passwords are not changed over time.

Users tend to forget their accounts. Most likely you have encountered this yourself already. Only accounts which are used on a regular basis stay in the focus of the users. Putting both things together, the following happens:

  1. a user creates an account on the website “example.com”, for example to write a comment
  2. he uses his default password, the same one he uses on his personal computer, his email account and his company PC
  3. time passes… the user forgets about the account
  4. some bad guys hack example.com and may or may not publish the user data via torrent

The user has forgotten the account and is therefore not aware of the risk his accounts are in.

Step 4 happened last year to carders.cc and Gawker: their databases are still available via torrent.

What you should learn from this:

  • Use different passwords for different sites
  • Change your passwords at least once a year

Some days ago I wrote about a problem with Apple devices. In the meantime Apple has published an update for some of the devices:

Updates are available for:

  • iOS 4.0.2 for iPhone starting with the second generation (3G, 3GS, 4)
  • iOS 4.0.2 for iPod touch starting with the second generation
  • iOS 3.2.2 for iPad

For other (older) versions there is still no update available.

Please update your devices.

For more information (in German) see the BSI.


Yesterday (August 5th, 2010) the BSI (Federal Office for Security in Information Technology), a governmental organization in Germany, issued a warning about devices running iOS.

Affected are:

  • iPhone with iOS 3.1.2 to 4.0.1
  • iPad with iOS 3.2 to 3.2.1
  • iPod touch with iOS 3.1.2 to 4.0
  • possibly devices with older versions as well

The problem is located in the ability to view PDF files on these devices. Using this hole, an attacker could run his own code on the device. The attacker is able to escape the sandbox, which means all the data on the device is at risk, including but not limited to: GPS location, SMS, passwords, emails and contact information.

For the full warning have a look at the BSI (German).

Their suggestions are:

  • Do not open PDFs on your device
  • Visit only trusted sites with your device
  • Do not follow links in emails or on websites you do not trust
  • If you are using search engines like Google, do not click on PDFs

These guidelines should be followed until there is a software update fixing the problem.
