Apple to iPhone Users: Please Install This Untrusted Configuration Profile

It appears Apple is the only company around that doesn't use Microsoft Exchange. Apple's recently released iOS 4 (not to be confused with Cisco's IOS) apparently wasn't tested with Exchange at all. Many users are reporting slow e-mail sync, and Exchange server admins are none too happy with the load these devices are putting on the Exchange server, much more than the old OS did. Of course, you cannot downgrade a device that has been upgraded to iOS 4: iPhone firmware must be signed by Apple at restore time, and Apple now refuses to digitally sign anything below iOS 4, …

Don’t fire people until after you wipe their phones

A very commonly required feature for mobile access to e-mail is remote wipe: the ability to reach out and erase all corporate data from a mobile device. Exchange ActiveSync has supported this for several versions now. You, as the Exchange or security administrator, can issue a remote wipe command to a compliant device, or the user can do it themselves through Exchange, and the next time the device connects it will be wiped. There are two major flaws in that design. One is the well-understood "the next time the user connects" part: you cannot reach out …
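The ordering the title insists on, in script form: queue the wipe for every partnered device, keep the account alive until each device has actually connected and acknowledged, and only then cut access. This is an added example, not code from the original post; it assumes the Exchange Management Shell with the Exchange 2007 SP1 / 2010 cmdlet names (Exchange 2013 and later renamed them to Get-MobileDeviceStatistics and Clear-MobileDevice), and the mailbox name in the usage line is a placeholder.

```powershell
# Added example, not from the original post. Assumes the Exchange Management
# Shell with the Exchange 2007 SP1 / 2010 cmdlet names; Exchange 2013 and later
# renamed them to Get-MobileDeviceStatistics / Clear-MobileDevice.
function Invoke-OffboardingWipe {
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,   # alias, UPN or DN
        [int]$TimeoutMinutes = 240,
        [int]$PollSeconds    = 60
    )

    $devices = @(Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox)
    if ($devices.Count -eq 0) {
        Write-Warning "No ActiveSync partnerships found for $Mailbox; nothing to wipe."
        return $true
    }

    # 1. Queue a wipe for every partnered device. The command is only delivered
    #    when the device next syncs, so the account must stay enabled for now.
    foreach ($d in $devices) {
        $msg = 'Queueing wipe for {0} ({1}), last successful sync {2}' -f $d.DeviceType, $d.DeviceId, $d.LastSuccessSync
        Write-Host $msg
        Clear-ActiveSyncDevice -Identity $d.Identity -Confirm:$false
    }

    # 2. Wait for acknowledgements. DeviceWipeSentTime is stamped when the device
    #    picks the command up; DeviceWipeAckTime when it reports the wipe done.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds $PollSeconds
        $pending = @(Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
            Where-Object { $_.DeviceWipeRequestTime -and -not $_.DeviceWipeAckTime })
        foreach ($p in $pending) {
            $state = if ($p.DeviceWipeSentTime) { 'sent, awaiting ack' } else { 'not yet delivered' }
            Write-Host ('  {0}: {1}' -f $p.DeviceId, $state)
        }
    } while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline)

    if ($pending.Count -gt 0) {
        $msg = ('{0} device(s) never connected to receive the wipe. Disabling the account ' +
                'now leaves the data on them; treat those devices as compromised.') -f $pending.Count
        Write-Warning $msg
        return $false
    }

    Write-Host 'All devices acknowledged the wipe. Safe to disable the account and revoke access.'
    return $true
}

# Usage ('jsmith' is a placeholder). Only after this returns $true should the
# account be disabled (e.g. Disable-ADAccount from the ActiveDirectory module)
# or ActiveSync shut off with Set-CASMailbox -ActiveSyncEnabled:$false.
Invoke-OffboardingWipe -Mailbox 'jsmith' -TimeoutMinutes 480
```

The return value is the point: a false result means at least one device is still carrying the mailbox contents and the account cannot be disabled without losing the only mechanism that would have cleaned it.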

Passwords are here to stay

At least for the short to medium term. That is the rather obvious conclusion of a Newsweek article entitled "Building a Better Password." The article goes inside the CyLab at Carnegie Mellon University to understand how passwords may one day be replaced. It is interesting reading all around. The article is not without some "really?" moments though, such as this quote: The idea of passphrases isn't new. But no one has ever told you about it, because over the years, complexity—mandating a mix of letters, numbers, and punctuation that AT&T researcher William Cheswick derides as "eye-of-newt, witches'-brew password fascism"—somehow became …

And finally, standard user malware

Today I finally got wind of my first piece of true standard-user malware. MS Antispyware 2008 has turned standard user. The version in question installs its binaries under c:\documents and settings\all users\application data\<something>, and makes itself resident by adding a value under HKCU\…\Run, neither of which requires administrative rights. Curiously, the legitimate anti-malware program (one of the top 3) failed to detect the infector. Obviously, this version is much easier to remove than the ones that require admin privileges. However, MS Antispyware is not about being hard to remove. It just needs to run until the user pays for the privilege, and more than likely, even as a …
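Malware that cannot get admin rights has only two places to live: user-writable directories and per-user autostart keys. That makes it easy to hunt for with a generic rule rather than a signature. The script below is an added example, not code from the original post: it walks the HKCU Run and RunOnce keys and flags any entry whose executable sits under a location a standard user can write (All Users\Application Data on XP, ProgramData, AppData and Temp on Vista and later). The offline demo entries at the bottom are constructed for the example, not taken from a real infection.

```powershell
# Added example, not from the original post. Flags HKCU autorun entries whose
# executable lives in a user-writable location, which is where malware that
# cannot obtain admin rights has to install itself.

function Get-AutorunExecutable {
    # Pull the program path out of a Run value: either a "quoted path" followed
    # by arguments, or the first token up to and including .exe when unquoted.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Test-UserWritableAutorun {
    param([string]$Name, [string]$Command, [string[]]$WritableRoots)
    $exe = Get-AutorunExecutable $Command
    $hit = $WritableRoots |
        Where-Object { $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) } |
        Select-Object -First 1
    $reason = if ($hit) { "runs from user-writable location $hit" } else { '' }
    [pscustomobject]@{ Name = $Name; Executable = $exe; Suspicious = [bool]$hit; Reason = $reason }
}

function Get-UserWritableRoots {
    # Locations a non-admin can write: All Users\Application Data on XP,
    # ProgramData / AppData / Temp on Vista and later. Unset variables are dropped.
    @(
        $env:ProgramData,
        $(if ($env:ALLUSERSPROFILE) { Join-Path $env:ALLUSERSPROFILE 'Application Data' }),
        $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP
    ) | Where-Object { $_ } | Select-Object -Unique
}

function Get-SuspiciousRunEntries {
    # Live mode: read the per-user Run/RunOnce keys that need no admin rights to write.
    $roots = Get-UserWritableRoots
    $skip  = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($skip -contains $p.Name) { continue }
            Test-UserWritableAutorun -Name $p.Name -Command ([string]$p.Value) -WritableRoots $roots
        }
    }
}

# Offline demo with constructed XP-style entries (not from a real machine).
$demoRoots = @('C:\Documents and Settings\All Users\Application Data',
               'C:\Documents and Settings\alice\Local Settings\Application Data',
               'C:\Documents and Settings\alice\Local Settings\Temp')
$demoEntries = [ordered]@{
    'ctfmon.exe'   = 'C:\WINDOWS\system32\ctfmon.exe'
    'UpdateSvc'    = '"C:\Documents and Settings\All Users\Application Data\xyzzy\upd.exe" -silent'
    'GoogleUpdate' = '"C:\Documents and Settings\alice\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c'
}
$demoEntries.GetEnumerator() | ForEach-Object {
    Test-UserWritableAutorun -Name $_.Key -Command $_.Value -WritableRoots $demoRoots
} | Format-Table -AutoSize

# On a real box: Get-SuspiciousRunEntries | Where-Object Suspicious
```

The demo deliberately includes a legitimate per-user updater under Local Settings\Application Data: it is flagged too. Plenty of real software installs per-user in exactly the places this malware uses, so a hit from this rule means "look at this binary", not "delete it".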

Please do not e-mail my social security number

Recently I had a very interesting incident. I wrote an article some time in 2008 and the publisher paid me a little bit of money for it. That means the publisher must send a report to the Internal Revenue Service (IRS, the U.S. tax department) reporting that they paid me, as well as send me a form called a 1099 that I can use to report this money on my tax return. A few days ago the comptroller for the publisher sent me an e-mail asking for my social security number (my national ID number, for any non-Americans …

Is MS08-067 Wormable?

A couple of weeks ago Microsoft released an out-of-band security update in bulletin MS08-067. Given the type of vulnerability and the fact that it was already being exploited in the wild at the time, this was a good decision. If you have not already installed this security update, stop reading right now and come back after you have installed it. The problem fixed in MS08-067 is eerily reminiscent of the vulnerabilities that gave us the Blaster and Sasser worms, so the obvious question is whether MS08-067 is wormable. Microsoft claimed in various …

Anatomy of a Hack 2008

A few years ago I delivered a very popular presentation I called "Anatomy of a Hack." Well, actually, I called it "How to Get Your Network Hacked in 10 Easy Steps," but the marketing department at my previous employer thought that title was a bit edgy, so they renamed it. The Chinese called it "Anatomy of a Hacker" at TechEd China in 2005, but that's another story altogether. The presentation, which is actually documented in Protect Your Windows Network, had me wandering through an entire network once I got a foothold on one computer. For the past couple of years …

Buy the original Olympic Torch from Beijing

"Buy the original Olympic Torch from Beijing" That was one of the fake headlines in the latest "CNN.com Daily Top 10" malware spam I've been getting lately. This particular spam is a fake newsfeed which redirects you to one of many sites. All the sites have the same thing in common: they are designed to trick you into installing fake anti-malware software. I sent some screenshots I took to Sandi, and she wrote up a nice warning about it.

Phishing for a Tax Refund

What's wrong with this picture? If you answered "why would the IRS use a web server in Korea to ask for information about my tax refund" you are a winner! This is a phishing site preying on people who do not know that all you need to do to get your tax rebate is to file a tax return this year. Apparently, this is the hot new phishing scam, and the IRS has instructions for how to handle it. The e-mail came in at 21:07 PDT today. By 21:30 PDT it was not recognized as a phishing site by either Internet …

Mitigate the Image Uploader Vulnerabilities

The big security news this week is the six vulnerabilities found in various image uploader ActiveX controls. In case you haven't seen the news, exploits are publicly available for remote vulnerabilities in five different ActiveX controls. US-CERT is offering the relatively unhelpful advice that users disable all ActiveX controls in their browser. Doing so would disable a lot of things, notably virtually every corporate expense reporting application, and your users will probably have a thing or two to say about that. You can mitigate that by adding all the sites users will ever need to the Trusted …
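The zone split the post is heading toward, as a script: put the handful of sites that genuinely need ActiveX into the Trusted Sites zone (where running ActiveX stays enabled by default) and disable "Run ActiveX controls and plug-ins" for the Internet zone, so an untrusted page cannot instantiate any of the vulnerable controls. This is an added example, not code from the original post. It edits the current user's Internet Explorer zone settings directly; 'expense.example.com' is a placeholder, and the two-label domain heuristic in Add-TrustedSite does not handle registries such as co.uk. For a fleet, the same settings belong in Group Policy (the "Site to Zone Assignment List" and the Internet zone's URL action policies), which also takes precedence over anything written here.

```powershell
# Added example, not from the original post. Per-user IE zone edits: trust the
# sites that need ActiveX, then turn ActiveX off for the Internet zone.
# Policy values under HKLM\Software\Policies\... override these if present.

$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ZonesKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$TrustedZone    = 2       # 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites
$InternetZone   = 3
$RunActiveX     = '1200'  # URL action "Run ActiveX controls and plug-ins": 0 enable, 1 prompt, 3 disable

function Add-TrustedSite {
    # Maps scheme://host to the Trusted Sites zone. 'expense.example.com' becomes
    # the key Domains\example.com\expense holding a DWORD named after the scheme.
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [ValidateSet('http', 'https', '*')][string]$Scheme = 'https'
    )
    $labels = $HostName.ToLower().Split('.')
    if ($labels.Count -lt 2) { throw "Need a fully qualified host name, got '$HostName'" }
    $domain = ($labels[-2], $labels[-1]) -join '.'   # heuristic: last two labels are the registrable domain
    $key    = Join-Path $ZoneMapDomains $domain
    if ($labels.Count -gt 2) {
        $sub = $labels[0..($labels.Count - 3)] -join '.'
        $key = Join-Path $key $sub
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord -Value $TrustedZone -Force | Out-Null
    return $key
}

function Disable-InternetZoneActiveX {
    # Sets "Run ActiveX controls and plug-ins" to Disable (3) for the Internet zone only.
    $key = Join-Path $ZonesKey $InternetZone
    New-ItemProperty -Path $key -Name $RunActiveX -PropertyType DWord -Value 3 -Force | Out-Null
}

function Get-ZoneActiveXSetting {
    # Returns the current 1200 value for a zone (null if the zone uses its built-in default).
    param([int]$Zone)
    $item = Get-ItemProperty -Path (Join-Path $ZonesKey $Zone) -Name $RunActiveX -ErrorAction SilentlyContinue
    if ($item) { return $item.$RunActiveX }
    return $null
}

# Usage: whitelist the expense system (placeholder name), then close the Internet zone.
Add-TrustedSite -HostName 'expense.example.com' -Scheme 'https'
Disable-InternetZoneActiveX
'Internet zone 1200 = {0}; Trusted zone 1200 = {1}' -f (Get-ZoneActiveXSetting 3), (Get-ZoneActiveXSetting 2)
```

Restart Internet Explorer after running it; zone changes are read when the browser starts. The last line should print 3 for the Internet zone and either 0 or nothing (the built-in default, which is enable) for Trusted Sites, confirming that ActiveX now runs only on the sites you listed.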