This weekend I discovered a pretty massive security fail on the iPhone 4S.  As you might know, you can set a security pin code to prevent unauthorized use of an iPhone handset.

You might also be aware of the new Siri feature built into the iPhone 4S.  Assuming you have Siri enabled, then out of the box the following is possible (as of time of writing):

You can hold the home button to activate Siri – whether the handset is locked or not.  Once activated, you can direct Siri to perform specific actions – for example, making a phone call!

I’ve tested the following scenarios/commands -

  • “Call Paul” (assuming you have a person named ‘Paul’ in your contacts)
    • Will list matching entries in the Contact List
    • Will dial a selected contact
    • I assume this will work with any contact
  • “Call <a number>”
    • e.g. “Call 12345”

Interestingly, if you issue the command “Unlock the Phone”, Siri responds with “I’m sorry, I can’t do that”.

So, there’s a pretty blatant hole in the iPhone security model – not only can you dial arbitrary phone numbers with Siri’s help, you can also expose entries in the contacts list.

It also appears that Siri will conduct web searches (e.g. “What is the capital of Colombia?”) while the handset is locked – using up your data plan.

Now, how about some bonus security flaws?  You can also send messages via Siri.  The command “Send a message to Paul” will take you through steps to select a contact, select a number and then will record a message and allow you to send – all while the handset is locked.

Cupertino says: Oops.

Update

As a few people have communicated (many thanks), it is possible to disable Siri while the handset is locked (as opposed to disabling Siri altogether).  This is not the default configuration (unfortunately!) which means (IMHO) this is still a fairly significant flaw.  To disable Siri when the phone is locked, go to:

Settings -> General -> Passcode Lock -> Siri.  Set ON -> OFF.

Again, note this will disable Siri when the phone is locked rather than switching Siri off altogether.

Note: I’m not the first to discover this, here’s more reading on the topic:

Further Reading

http://tech2.in.com/news/smartphones/siri-makes-phone-calls-even-if-phone-is-locked/250662
http://mashable.com/2011/10/19/siri-lets-you-make-calls-on-passcode-locked-iphone-4s/
http://www.techradar.com/news/computing/apple/siri-security-flaw-uncovered-1035270

Just-In-Time Credit

Tip o’ the hat to my co-contributor, Paul Doessel, for the initial discovery and further testing.

 

Today I received an e-mail which made it past Google’s Junk E-mail protection.  It was sent from “Gmail Team” and titled “Google Verification”.  As I’ve had to do site verifications for Analytics and Webmaster tools, I took a look at the e-mail.

Within half a microsecond, I decided to compose this quick “Tech Meme”, breaking down all the tell tale signs of a Phishing attempt.  As far as they go, this one was pretty poor – but could still trip up some unfortunate folks.

Firstly, what is Phishing?

According to Wikipedia:

Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.

Does my e-mail constitute a Phishing attempt?  Check it out and see what you think.  Here’s the complete message:

[image: the complete e-mail]

So let’s break it down:

1. The “From” Address

Although this e-mail was sent from an “@gmail.com” address (most official Google e-mail is sent from @google.com), the folks at Google would clearly use a better reply-to address than “customerservice.verifyinfor”.

2. No Branding/Google “look and feel”. 

Although some authentic e-mails from Google are sent in a basic format, even they carry some kind of corporate signature, like the following:

“© 2011 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043”

Microsoft usually applies style sheets to their emails, most of the major banks do too.  If you receive an e-mail which doesn’t look or feel right (fonts, colours, lack of legalese in the footer), chances are it’s not an authentic e-mail.

3. Nature of the request

There’s just no way that Google (or any other large company) will ever expect end users to fill out details in free text like this.  In fact, no big company or financial institution should ever contact their customers this way and request private information.

Even if they did, it would be horrible to import into their systems, and it would be very hard to validate the input text.

4. Grammar and spelling mistakes. 

Even in this age of decaying English, most big companies tend to proofread their e-mail text.  This e-mail isn’t too bad for a phishing scam, but you likely won’t find these kinds of mistakes in legitimate e-mails.

Lastly, if you read this e-mail and thought “isn’t this information already located at accounts.google.com?” you’d be correct. 

Why would a company re-request this information?  You’ve already supplied your account and password when you logged into your account, your year of birth doesn’t change, and your name wouldn’t change that often either.

There’s a good chance you don’t remember the year you registered (and shouldn’t they be able to look it up?) and place of residency isn’t required.
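As an added example (not part of the original post), here is a small Python checker that applies the tells above to a raw message: sender domain versus the company’s own domain, a webmail reply-to, no corporate footer, and a free-text request for credentials. The two sample messages, the domain lists and the field names are my own constructed assumptions, and an empty result is not proof that a mail is genuine.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message described in the post (not the real e-mail).
SAMPLE_EMAIL = """\
From: Gmail Team <customerservice.verifyinfor@gmail.com>
Reply-To: customerservice.verifyinfor@gmail.com
To: someone@example.com
Subject: Google Verification

Dear Gmail user,
Due to the congestion in all Gmail users we are removing unused accounts.
To verify your account please fill in: name, username, password, year of
birth, year of registration and place of residency. Failure will result
in account deactivate.
"""

# Constructed sample of what a legitimate notification might look like.
GENUINE_SAMPLE = """\
From: Google <no-reply@google.com>
To: someone@example.com
Subject: Your Google Analytics report

Your weekly report is ready. Sign in at https://www.google.com/analytics/ to view it.

(c) 2011 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043
"""

# Assumptions: brand words to look for, the domain the post says real Google mail
# uses, consumer webmail domains, and the kind of details a phish asks for.
BRAND_WORDS = ("google", "gmail")
OFFICIAL_DOMAINS = {"google.com"}
WEBMAIL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com"}
SENSITIVE_FIELDS = ("username", "password", "year of birth", "place of residency", "credit card")
FOOTER_MARKERS = ("©", "(c) ", "all rights reserved", "amphitheatre parkway")


def analyse_message(raw):
    """Apply the tells from the post to a raw RFC 822 message.

    Returns the list of tell names that fired, in the order the post discusses them.
    """
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1] or from_addr
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    tells = []

    # 1. The "From" address: the mail claims to be from the brand but is not sent
    #    from the company's own domain, or it wants replies sent to a webmail box.
    claims_brand = any(w in (from_name + " " + subject).lower() for w in BRAND_WORDS)
    if claims_brand and from_domain not in OFFICIAL_DOMAINS:
        tells.append("from-domain")
    if reply_domain in WEBMAIL_DOMAINS:
        tells.append("reply-to-webmail")

    # 2. No branding: nothing that looks like a corporate footer or legalese.
    if not any(m in body.lower() for m in FOOTER_MARKERS):
        tells.append("no-footer")

    # 3. Nature of the request: asks for a password, or several identity details, in free text.
    asked = [f for f in SENSITIVE_FIELDS if f in (subject + "\n" + body).lower()]
    if "password" in asked or len(asked) >= 2:
        tells.append("requests-credentials")

    return tells
```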

Finally..

If you get an e-mail like this one from a bank, Microsoft, Apple or Google (or others like them) apply some simple logic before hitting reply.  As always please be careful with your personal information.

Your details should be as protected as your PIN number or bank account details.  Don’t give the information away freely.

R

 

The IEEE Society and Internet Society of Australia (ISOC-AU) are presenting two free public seminars on recent developments in the Internet sphere including the “Kill Switch” used in Egypt and Libya, Wikileaks and beyond.

This should prove a very timely event, given the recent developments concerning the Internet, and I’m hopeful that it will also give participants an opportunity to chime in about Australia’s proposed Internet filter and data retention laws.

The event will be hosted by Narelle Clark who has a long and rich history working within the Internet Society, and who can be considered on the forefront of policy discussion and education.  Narelle and I have collaborated previously on a number of IPv6 Summits in Australia for ISOC-AU.

For more on what will be covered at each event, here is an excerpt from the flyer:

“Over recent times we have seen large scale disconnection from the Internet, country-wide domain name and application blocking, domain name seizures, content filtering and talk of an Internet kill switch. How do we separate the reality and effectiveness of what is possible from media reports and political dreams? In this talk Narelle will review the technical accounts and analysis of recent events and pose some questions on the potential for Australia and the region.”

There are two events next month, held in Melbourne on the 15th and in Sydney on the 21st.  Details below.

Please download a copy of the flyer (PDF) for more information.

Melbourne
Tuesday 15th  March 2010
5.30 for 6.00pm
The Spot – Level 1 Lecture Theatre
Economics & Commerce Building (stairs or lift to Level 1)
198 Berkeley St (cnr Pelham St), South Carlton
RSVP: Michael Arnold,
mvarnold@unimelb.edu.au

Sydney
Monday 21st  March 2011
5:30 for 6:00pm
Google Australia
Level 5, 48 Pirrama Rd,
Pyrmont
RSVP: Lyria Bennett Moses, lyria@unsw.edu.au

Event Flyer (PDF)

 

This morning I was trawling through a variety of websites as I usually do, and I came across an article which referenced a company called Qualys, which has a tool called BrowserCheck.  The site basically scans your web browser for vulnerabilities based on the plugins which are installed.

Assuming you agree to the terms and conditions, it will install a plugin into your browser.  Restart the browser and return to the site to run a scan.  The tool will compare the versions of plugins/browser and then provide you with a list of issues.

Each issue links to the latest version (to the source) so you can manually update any components which are out of date.  I thought I was relatively up-to-date as I regularly patch, and in fact most of my plugins were either up-to-date or a few minor revisions away from the current version.

If you patch/update even semi-frequently, it might be worth running this scan over your browsers at least once in a while, to avoid those pesky attack vectors.

Note: my largest vulnerability was Foxit PDF Reader, which was a major version out of date (v3 vs. v4) which should be a testament to how well the product works.

 

What is a Botnet?

Well, in a nutshell, a Botnet is an internetworked set of computers which are running distributed software.

The more notorious form of Botnet (and the topic of this post) typically infects other computers using a variety of attacks and vulnerabilities, increasing its overall size and computing power.  You might hear the term “zombie computer” associated with a malicious Botnet – this refers to an unwilling participant (computer) in a Botnet, controlled remotely.

Tell me more

As you might know, there has been a massive increase in the scale and complexity of Botnets over the past few years.  Recently, Microsoft Security has published a fairly comprehensive report on the nature of Botnets and also how to defend your IT assets from becoming part of a Botnet.

More on the report published by Microsoft:

“This is the first time that Microsoft has released this depth of intelligence on botnets. Over the years, there have been plenty of industry security reports published on botnets, but this report is based on data from 600 million systems worldwide and some of the busiest online services on the Internet like Bing and Hotmail. Microsoft cleaned botnet infections from 6.5 million systems in just 90 days in 2010 – helping to free the owners of those systems who, unwittingly and unknowingly, were potentially being used by cyber criminals to perpetrate cybercrimes.”

This is not just a high level report for the casual IT professional; it contains much more and is worth setting aside some time to review.  There is a section dedicated to some suggested ways to fight back against Botnets including detection, analysis and even a section on honeypots and darknets (of which this author has a decent amount of knowledge, I might add).

If you have anything to do with network security or distributed software on the Internet, this is one report worth reading.

 

You might find this information handy if you work with Windows Services, and wish to grant some basic permissions to user accounts.  In my scenario, I wanted to be able to list the status of several key Windows Services used in my overall architecture (for a diagnostic website/control panel) and to be able to restart the service(s) should they stop for some reason.

This has become increasingly difficult as, over time, Windows Server has become further locked down.  By default, local users and non-administrative accounts do not even possess the rights to enumerate local services, let alone query their status or restart them.  Luckily, there is a way to remedy this.  Please note that this applies on a per-account basis; I have not found a solution which applies to security groups.

You’ll need a special utility (called Subinacl) to grant permissions; you can download a copy from Microsoft here.  Note that you will require local administrative privileges to perform the following steps.

The first thing you need to do is to [1] determine the SID (security identifier) of the account you wish to grant permissions to.  This can be achieved a number of ways, the easiest being the execution of a little VBS script.  Copy and paste the below VBS into a text file, save it with a .vbs extension,  and double click the file to execute.

strComputer = "."   ' "." means the local machine; use the full name of a remote machine instead
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Replace <USERNAME> and <DOMAIN OR LOCAL MACHINE NAME> with the account to look up
Set objAccount = objWMIService.Get _
    ("Win32_UserAccount.Name='<USERNAME>',Domain='<DOMAIN OR LOCAL MACHINE NAME>'")
Wscript.Echo objAccount.SID

Once you’ve obtained the SID for the account you wish to grant permissions to, read the following blog article – scroll down to the section titled “Grant access to run the Services Control Panel“.  This blog article will take you the rest of the way.  I strongly suggest reading through the linked article.

If, however, you’d prefer a quick summary of the remaining steps, keep reading below.

  1. Open a Command Prompt and execute the following statement:

    sc sdshow scmanager

  2. Copy the output (SDDL) to a text editor, it will look something like this:

    D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

  3. Copy the section of the SDDL that ends in IU (interactive users) to just before the S: in the SDDL line.
  4. Replace ‘IU’ with the SID of the user you looked up previously, it may look like this:

    D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;S-1-5-21-214A909598-1293495619-13Z157935-75714)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

  5. Run the following command to grant the permission to enumerate local Windows services to the specified User Account/SID:

    sc sdset scmanager "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CCLCRPRC;;;S-1-5-21-214A909598-1293495619-13Z157935-75714)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
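Steps 3 to 5 are easy to get wrong by hand (a stray bracket or a typo in the SID and `sc sdset` will refuse the descriptor), so here is an added Python helper, not from the original post or the linked articles, that clones the IU entry for a given SID and prints the `sc sdset` command to run. The sample SDDL is the one quoted above; the SID in the usage block is a made-up placeholder to be replaced with the one the VBS script prints.

```python
import re

# Constructed sample: the `sc sdshow scmanager` output quoted in the steps above.
SAMPLE_SDDL = ("D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
               "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
               "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)")

ACE_RE = re.compile(r"\(([^()]*)\)")
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Meaning of the two-letter SDDL rights when the object is the service control manager.
SCM_RIGHTS = {
    "CC": "SC_MANAGER_CONNECT",
    "DC": "SC_MANAGER_CREATE_SERVICE",
    "LC": "SC_MANAGER_ENUMERATE_SERVICE",
    "SW": "SC_MANAGER_LOCK",
    "RP": "SC_MANAGER_QUERY_LOCK_STATUS",
    "WP": "SC_MANAGER_MODIFY_BOOT_CONFIG",
    "RC": "READ_CONTROL",
    "KA": "full control",
}


def split_sddl(sddl):
    """Split 'D:<dacl>S:<sacl>' into (dacl, sacl); sacl is None when absent."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a security descriptor string starting with D:")
    dacl, sep, sacl = sddl[2:].partition("S:")
    return dacl, (sacl if sep else None)


def rights_of(ace):
    """Return the rights field of an ACE as a list of SDDL two-letter codes."""
    rights = ace.split(";")[2]
    if rights.startswith("0x"):          # a raw access mask rather than letter codes
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def grant_like_interactive_users(sddl, sid):
    """Clone the Interactive Users (IU) ACE for `sid` (steps 3 and 4 of the post).

    The copy carries the same rights as IU (CC LC RP RC: connect, enumerate services,
    query lock status, read control) and is appended at the end of the DACL, i.e. just
    before the S: section. Calling it again for the same SID changes nothing.
    """
    if not SID_RE.match(sid):
        raise ValueError("not a well-formed SID: " + sid)
    dacl, sacl = split_sddl(sddl)
    aces = ACE_RE.findall(dacl)
    if "".join("(" + a + ")" for a in aces) != dacl:
        raise ValueError("DACL contains text outside (...) entries")
    iu = [a for a in aces if a.endswith(";IU")]
    if len(iu) != 1:
        raise ValueError("expected exactly one ACE for IU (interactive users)")
    if any(a.endswith(";" + sid) for a in aces):
        return sddl
    new_ace = iu[0][:-len("IU")] + sid
    new_dacl = "".join("(" + a + ")" for a in aces + [new_ace])
    return "D:" + new_dacl + ("S:" + sacl if sacl is not None else "")


def sdset_command(sddl):
    """The step 5 command that applies the edited descriptor (run from an elevated prompt)."""
    return 'sc sdset scmanager "' + sddl + '"'


if __name__ == "__main__":
    # Placeholder SID (constructed); substitute the one printed by the VBS script above.
    placeholder_sid = "S-1-5-21-1000000000-2000000000-3000000000-1001"
    print(sdset_command(grant_like_interactive_users(SAMPLE_SDDL, placeholder_sid)))
```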

You’ll need to know the “short name” of the Windows Service you want to grant permissions on.  To find it quickly, type the following command:

sc getkeyname "<Service Name>"

You can also get the name from the Services applet in the Control Panel –> Administrative Tools.

Then, using subinacl (which you previously downloaded and installed, right?) you can grant permissions to your user account like so:

subinacl /verbose /service "<short name of service>" /grant=<DOMAIN or MACHINE>\<user account>=F

Note that the “=F” grants full permissions.

A big thanks to the two blog entries I’ve referenced for steering the way here.  I found the VBS script an easier way to look up the user SID than the one referenced in the second blog article.

To grant enumeration rights to a security group, you may be able to follow steps outlined in the following blog article, though I have not tested it out myself.

Source Articles:

[1] http://blogs.technet.com/b/heyscriptingguy/archive/2004/12/03/how-can-i-determine-the-sid-for-a-user-account.aspx

[2] http://lanestechblog.blogspot.com/2010/07/how-to-delegate-services-control-in.html
[3] http://networkadminkb.com/kb/Knowledge%20Base/Windows2003/How%20to%20allow%20users%20to%20enumerate%20service%20remotely.aspx

 

If you are like me, you probably aren’t a huge fan of Kerberos, but it does have some advantages.  When using an Active Directory (AD) account as a service account, it is handy to reduce the attack surface by minimising the chosen Domain Account’s permissions and privileges.

If you are using a Domain Account as a service account for Microsoft SQL Server, for example, it’s highly likely that you will want the chosen service account to be able to register and unregister Service Principal Names (SPNs) automatically when the service is started and stopped.  To avoid giving the account far reaching permissions (such as domain administration rights) you’ll be required to do some editing of the Domain Account’s ADSI properties.

This isn’t as daunting as it sounds (trust me).  Below are some articles worth reading – don’t be afraid to allow the account the ability to read and write service names.  In case you are in a hurry, here’s exactly what you must do to allow a Domain Account the ability to automatically register SPNs for services (from link #2, below) :

  1. Click Start, click Run, type Adsiedit.msc, and then click OK.

    Note The ADSIEdit tool is included in the Windows Support Tools. To obtain the Windows Support Tools, visit the following Microsoft Web site:

    http://www.microsoft.com/downloads/details.aspx?familyid=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en

  2. In the ADSI Edit snap-in, expand Domain [DomainName], expand DC= RootDomainName, expand CN=Users, right-click CN= AccountName , and then click Properties.
    Notes
    • DomainName is a placeholder for the name of the domain.
    • RootDomainName is a placeholder for the name of the root domain.
    • AccountName is a placeholder for the account that you specify to start the SQL Server service.
    • If you specify the Local System account to start the SQL Server service, AccountName is a placeholder for the account that you use to log on to Microsoft Windows.
    • If you specify a domain user account to start the SQL Server service, AccountName is a placeholder for the domain user account.
  3. In the CN= AccountName Properties dialog box, click the Security tab.
  4. On the Security tab, click Advanced.
  5. In the Advanced Security Settings dialog box, make sure that SELF is listed under Permission entries.
    If SELF is not listed, click Add, and then add SELF.
  6. Under Permission entries, click SELF, and then click Edit.
  7. In the Permission Entry dialog box, click the Properties tab.
  8. On the Properties tab, click This object only in the Apply onto list, and then click to select the check boxes for the following permissions under Permissions:

    • Read servicePrincipalName
    • Write servicePrincipalName
  9. Click OK two times.
    Note For help with this process, contact Active Directory product support, and mention this Microsoft Knowledge Base article.
    Note To use the dsacls tool to determine if the self account has the Write ServicePrincipalName permission, use the dsacls command. The following is the syntax:

    dsacls <distinguished_Name_of_service_account>

    If the self account has the Write ServicePrincipalName permission, you see the following output:

    Allow NT Authority\SELF SPECIAL ACCESS for Validated Write to Service principal nameWRITE PROPERTY

    The dsacls tool is part of the Support Tools.

  10. In the CN= AccountName Properties dialog box, click Attribute Editor.
  11. Under Attributes, click servicePrincipalName in the Attribute column, and then click Edit.
  12. In the Multi-valued String Editor dialog box, remove the service principal names (SPNs) for the instances of SQL Server that use this SQL Server service account.
    Warning You should only delete the SPNs for the instances of SQL Server that you are currently working on. The other instances of SQL Server that use this service account will be able to remove the SPNs that are related to these instances the next time that you start these instances.
  13. Exit the ADSI Edit snap-in.

Leave a comment if this helped or hindered you!  Cheers..R

Further Reading is Recommended

[1] http://msdn.microsoft.com/en-us/library/ms191153.aspx
[2] http://support.microsoft.com/kb/319723

 

Today I learnt an important lesson about moving a PC from one Active Directory domain to another – the process will strip (domain) logins from SQL Server!  Yes, I know this is kind of obvious and expected, but also easy to overlook.

So our scenario is that we don’t have any Windows Accounts which can authenticate to SQL Server (via SQL Management Studio or via command line tools) and/or we have no accounts as members of the sysadmin role.  The “sa” account is not usable because mixed mode authentication is not enabled.  We can’t administer the SQL instance.

This is a big problem if you rely on Windows Authentication (i.e. no mixed mode authentication), and you haven’t got any local (built in or otherwise) accounts which have been assigned sysadmin permissions. 

You’re basically stuck!  You can’t log onto the instance and you can’t administer SQL Server, even locally.  You can’t use the Dedicated Administration Console (DAC) either since it requires the active user to be in the sysadmin role!

SQL Server 2005 Service Pack 2 came with a handy utility called the User Provisioning Tool for Windows Vista (sqlprov.exe) and allowed you to assign sysadmin logins for your account (and other accounts).  This tool unsurprisingly doesn’t work with SQL Server 2008, and as far as I can tell there is no equivalent tool available (please correct me if I am wrong).

At this point you might be reaching for the installation media for a reinstall, but never fear – there is a solution.  The solution was actually quite obvious now that I think about it. You have to start SQL Server in single user mode.

This allows you to log on (using SSMS) from the localhost with sysadmin permissions. From there, you can then create new logins (including domain account logins, if so desired).

Here’s how to start SQL Server in single user mode and here’s more information on how to start SQL Server from the command prompt (which you will have to do for single user mode).

Big thanks to Rob Farley for supplying the suggestions.

 

Thanks to Bridger for pointing me in the direction of this excellent video of former SysInternals and current Microsoft internals guru Mark Russinovich demonstrating how to use some of the various debugging utilities with a particular view to debugging “plugins” and hosted programs which could be causing performance problems.

The video runs at just over an hour, but very highly recommended for anyone who wants to improve their system debugging and analysis skills – learn from the master himself.  A chance to watch Mark using debugging tools in real time.

Here are some links to the essential debugging tools (to download) for Windows:

The SysInternals Tool Suite

“The Sysinternals Troubleshooting Utilities have been rolled up into a single Suite of tools. This file contains the individual troubleshooting tools and help files” – the rolled up archive is about 9 MB.

Kernrate Viewer Tool

“KrView – the Kernrate Viewer – provides a visual representation of kernel/user mode CPU utilization based on Kernrate output. Developers can use this tool to tune performance of device drivers and other software during development and testing phases.”

Debugging Tools for Windows

“You can use Debugging Tools for Windows to debug drivers, applications, and services on systems that are running Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008. You can also use Debugging Tools for Windows to debug the operating system itself. Versions of the Debugging Tools for Windows package are available for 32-bit x86, native Intel Itanium, and native x64 platforms.”

Includes links to OS debugging symbols!

BONUS Link: The future of SQL Data Services from MIX 09 if you’re interested in what SQL Data Services is going to look like in the wake of the CTP & ACE architecture.

 

Recently I went digging for a solution to a problem which has been bugging me on Windows Server 2008. 

It seems that once connected to a virtual private network (via PPTP, the Point-to-Point Tunneling Protocol), when you try to authenticate to non-VPN network resources, Windows passes your VPN credentials instead – even to local system resources like the Internet Information Services web server (running on your local machine), or a file share on a different machine in your local network.

This is obviously annoying since it’s very likely that your VPN credentials are only meant for use against the VPN network.  As I went trawling the Internet I came across only one really helpful forum, located (1) here.

It might be worth trying out.  Basically, once you’ve created your VPN connection, open a command window and type:
cmdkey /delete /ras

It may work for you.. It may not.  It’s worth a shot, I think at this point in time.  Later, I’ll check Microsoft Connect to see if anyone has logged this as a potential defect in Windows Vista and Server 2008.

[ (1) http://bink.nu/forums/p/9533/17018.aspx ]
[ (2) http://connect.microsoft.com ]



© 2012 Rob Sanders: Sanders Technology Suffusion theme by Sayontan Sinha