InfoSec Philippines

Information Security, Technology News and Opinions

Archive for January, 2009

Curse of Silence Update 2

Posted by Jaime Raphael Licauco, CISSP, GSEC on January 29, 2009

If you have a Nokia S60 3rd Edition phone, which doesn’t seem to be accepting messages, or just accepts some but not all messages, your phone may have been attacked by what’s been called as the “Curse of Silence“. Nokia Europe has just released their SMS Cleaner which can clean Nokia S60 3rd Edition (Initial or Feature Pack 1) based devices. Nokia doesn’t say if it will erase anything from the affected phone aside from the “Curse of Silence” messages.

S60 3rd Edition, Feature Pack 1 (S60 3.1):
Nokia E90 Communicator
Nokia E71
Nokia E66
Nokia E51
Nokia N95 8GB
Nokia N95
Nokia N82
Nokia N81 8GB
Nokia N81
Nokia N76
Nokia 6290
Nokia 6124 classic
Nokia 6121 classic
Nokia 6120 classic
Nokia 6110 Navigator
Nokia 5700 XpressMusic

S60 3rd Edition, initial release (S60 3.0):

Nokia E70
Nokia E65
Nokia E62
Nokia E61i
Nokia E61
Nokia E60
Nokia E50
Nokia N93i
Nokia N93
Nokia N92
Nokia N91 8GB
Nokia N91
Nokia N80
Nokia N77
Nokia N73
Nokia N71
Nokia 5500
Nokia 3250

No word yet on software that can undo the problem for devices with S60 2nd edition with Feature Pack 2 and 3.

You can also check out this site to find out if your handset is running S60 and what Feature Pack it has.



A few days after this post, Nokia released SMS Cleaner for Feature Pack 2 and 3.

Posted in DOS, ISMS, malware | Tagged: , , , , , | Leave a Comment »

Info Sec News, Jan 22, 2009

Posted by Jaime Raphael Licauco, CISSP, GSEC on January 22, 2009

One of the reasons why I started this site is because there seems to be a paucity of Information Security News about the Philippines. Sometimes its even hard to find out about Conferences and Seminars in Metro Manila. Its refreshing to be able to find the following:

(YouTube, from GMANews.TV) IMBESTIGADOR – Friendster Hacker (Identity Theft, Cybercrime)
(GMANews.TV, Old News) Woman who hacked Friendster account faces estafa raps

(Computerworld Philippines) Surveys: Security risks impede business innovation
(Computerworld Philippines) Web Security Lifeline: In-the-Cloud Technology Beats Malware Pollution
(Computerworld Philippines) Survey: Banks need better communication methods
(Inquirer.net) Nasty worm hits millions of computers
(Inquirer.net) Kids’ shield vs porn on Net removed
(Manila Bulletin Online) EMC creates new company to address today’s growing personal information challenge
(Manila Bulletin Online) RP to benefit from Satyam scandal, lawmaker crows
(Manila Bulletin Online) Employees’ everyday behavior puts sensitive business information at risk – new threat study from EMC reveals
(Manila Bulletin Online) Sophos warns Twitter users of possible hacking


Just in case you need help in figuring out HijackThis, there’s this useful tutorial on PCHell.com. If you already use HijackThis and don’t understand parts of the log file, the tutorial points you to the HijackThis Logfile Analysis site.


The recent Twitter hack shows that some Admin level personnel should follow Admin Password Best Practices. Apparently the Admin’s password was, ‘happiness’, as is discussed in this Wired blog.


Other Info Sec News:
(SecurityFocus) Payment processor warns of network breach
(HeiseSecurity) Over 100 million credit / debit cards compromised
(Washington Post) Payment Processor Breach May Be Largest Ever
(HeiseSecurity) QuickTime 7.6 update brings security fixes
(HeiseSecurity) Elcomsoft Wi-Fi auditor prompts security warnings

Posted in News, Philippines, Social Networking | Tagged: , , , , , , , | Leave a Comment »

Info Sec News, Jan 19, 2009

Posted by Jaime Raphael Licauco, CISSP, GSEC on January 19, 2009

Secure Coding and Application Dev
What is probably the most significant security news item of the past week is the release of SANS and Mitre of their Top 25 errors and how to fix them. It’s been said that around 85% of criminal activities on the net stem from the current crop of Top 25 flaws. The Top 25 list is divided into three broad categories namely: Insecure Interaction Between Components, Risky Resource Management, and Porous Defenses.

The PDF version of the Top 25 is available here.

The Software Assurance Forum for Excellence in Code (SAFECode) has made two publications available to help eliminate the Top 25 errors, its Guide to the Most Effective Secure Dev Practices in Use Today, and Software Assurance: An Overview of Current Industry Best Practices.


Social Engineering
A rehash of old tactics can be seen in an E-mail purportedly from Northwest Airlines (but actually carries a zipped trojan file), and malware spreading websites that claim US President elect Obama won’t be taking the oath of office on the 20th. This just strengthens the argument that your personnel and their security awareness training are now your first line of defense, and not your perimeter firewall.

This is related to the fake Christmas and holiday greetings that been sent every year for the past few years, which was seen again this past Christmas.


Malware
The Downadup (also known as Conficker) Worm versions A, B and C that exploits what Microsoft released an out of band patch for in late October ’08, and weak Admin passwords, is said to have infected an “amazing” 9 million PC’s according to F-Secure researchers. If you’re wondering how they got to this astonishing figure, check out F-Secure’s Blog.

(PC World) UK Ministry of Defence Stung by Rapidly Spreading Virus


Secure deletion, reuse or disposal
According to new research led by Craig Wright, it just takes one re-write to securely wipe the data from a hard drive. This talks about a complete sector by sector overwrite of a hard drive.

Articles on this can be found on Heise Security and SecurityFocus. The paper was presented at the Fourth International Conference on Information Systems Security (ICISS) in Hyderabad, India and can be purchased here.


Encryption
Heise Security has published an in depth article on how modern cryptological attacks are done in their article, “Cheap Cracks“.


Patches and Change Management
Oracle released fixes for 41 different flaws this month and Microsoft released a single patch that closed three flaws.

(Heise Security) Numerous security updates from Oracle
(Heise Security) Microsoft closes three holes in Windows
Microsoft issues patches for ‘nasty’ Windows bugs

A vulnerability in SAP GUI has also been found and a patch has been released and is available to registered SAP users.


Other InfoSec News:
In relation to the Anonymization article I wrote about a few days ago, the makers of Tor has announced that their software has zero known bugs.

(Computerworld) Two big, bad botnets gone, but replacements step up

(Computerworld) Critical security projects escape the budget ax

(Heise Security) Banking details can be stolen through a new JavaScript exploit

(Computerworld) Six Worst Internet Routing Attacks

(GO San Angelo.com) US Air Force planning to train hundreds yearly in cyber warfare skills

(Information Week) Thief Steals Sony Ericsson Prototypes

The Windows 7 Beta Team has removed the 2.5 million download limit as stated in the Windows 7 Blog. People can get the Beta until January 24.

Secunia Advisories


Tips:

(Computerworld) How to Secure your Vista PC in 10 easy steps

(Computerworld Blog) Removing malware from an infected PC

The Windows Security Blog has announced a new Beta called Sundance that could help secure Windows and Office 2007 installations.

In relation to what I wrote about around a month ago regarding wireless networks, the crack in the WPA protocol only affects the TKIP version and not AES, so the solution is to simply switch from TKIP to AES as is detailed in this article from Search Security.com, “Cracks in WPA? How to continue protecting Wi-Fi networks“.

(PC Magazine) The Top Tech Tips of 2008 Part 1

(PC Magazine) The Top Tech Tips of 2008 Part 2

Posted in ISMS, News, social engineering, Windows | Tagged: , , , , , , , , , , , , , , , | Leave a Comment »

Anonymization Sites and Devices

Posted by Jaime Raphael Licauco, CISSP, GSEC on January 15, 2009

Disclaimer: Some of the following info comes from a very informative Microsoft SCP seminar I attended around two months ago. So not all below come from my research.

There’s a good article on Anonymous Surfing at AuditMyPC.com and one should take heed of that authors advice that, “Not all proxy servers do as they claim and in fact, there are a ton of junk proxy servers out there that give people a false sense of security or worse, record everything you do in hopes to score a password or two!”

Anyway there are a bunch of freely available Anonymization Services on the web like:
Anonymizer.ru
Anonymous Web Browser
Anonymouse.org
Guardster Free Web Proxy
Megaproxy (limited, more of a demo)
Proxify
ProxyLord
Shadow Surf
SnoopBlocker
the Cloak
Web Warper

The funniest of which is probably Borat Proxy 🙂

I personally use some of the sites above and they seem fine, although I cannot vouch for all.

TechFAQ.com has link page to proxy sites.

Since some may suggest it and its related, Meebo (used for IM) is a proxy service but obviously not for anonymization.

You can also check out the freely available (although not the high speed version) XeroBank Browser. Anonymizer.com also allows you to download free trial software.

PortableTor is also worth checking out since it “allows you to connect into the Tor anonymous internet system from any computer with your flash or thumb drive. This allows you to browse the internet anonymously from public locations, such as internet hotspots, library, or school computers and public terminals.” Yes its also free.

And since you might already be thinking of making an Anonymization Flash Drive (The CD-R King Website lists some 8 GB flash drives for around P700), Portable Apps is also a good site.

Posted in Anonymization | Tagged: , , , , , , , | 1 Comment »

Curse of Silence Update

Posted by Jaime Raphael Licauco, CISSP, GSEC on January 9, 2009

F-Secure apparently has a solution for this, but you would have to pay for it after 15 days. I’ve also confirmed that this attack works on at least one of the major local networks. No word yet if they have changed their settings to what was suggested to stop the attack. Sony Ericsson UiQ devices were found by F-Secure to also be vulnerable to the attack.

Nokia isn’t very worried about it since it is a denial of service attack and doesn’t allow an attacker to leach information from your cellphone. I still think it would be very annoying if I would have to do a factory reset of my phone, losing all my contacts, settings and messages. I also wouldn’t like it if my competitor knows my company uses the vulnerable phones and starts shutting down SMS capabilities until we notice it. That could potentially hit productivity and the bottom line.

I have no details of the local test done except that it exists and it was possible. If one watches the video, the victim wouldn’t even know who sent the message. The phone just stops receiving messages… in other words, Nokia’s advice in the Heise Security article is pretty useless.

Nokia which got the demo around a month before the public release and which recently acquired Symbian, is currently working on a remedy for the vulnerability. I will post it here as soon as I get word of it.

Posted in vulnerability | Tagged: , , , | Leave a Comment »

Happy New Year to All :)

Posted by Jaime Raphael Licauco, CISSP, GSEC on January 6, 2009

A lot of people in the Philippines are probably still hungover from the long vacation from Dec 25 to Jan 4, unless of course they were part of sales, or a BPO… anyway, on to the news:

OpenVAS 2.0 was released around two weeks ago, and a respected security expert (who wishes to remain anonymous) thinks it is, “fast approaching the maturity level needed to truly compete with Nessus in the vulnerability assessment area.”

The OpenVas 2.0 press release states that:
OpenVAS is a fork of the Nessus security scanner which has continued development under a proprietary license since late 2005. Since the release of OpenVAS 1.0.0 in October 2007, the OpenVAS developers continued the auditing of the code inherited from Nessus and have added a variety of useful features for OpenVAS users, for server administrators and for developers of Network Vulnerability Tests (NVTs).


Some of the Philippines’ high ranking government officials may want to look into cellphone voice encryption (as mentioned in this SecurityPark.net article) before calling some other high ranking government official so that they wouldn’t need to give a televised public apology (wink).


Speaking of mobile phone security, there was a DOS vulnerability found in Nokia Series 60 cellphones just before new year’s eve called the “Curse of Silence”, which either stops the cellphone from receiving SMS until a factory reset is done (Series 60 2.6 and 3.0 devices) or not all SMS’s are received (Series 60 2.8 and 3.1).

This is done via the following steps (check out the demo video link below):
For Series 60 phones v2.2, 2.3, 3.0 and 3.1 attack target phones
1. create an email that has an e-mail address with more than 32 characters followed by a space.
2. set TP Protocol Identifier of SMS Message to Internet Electronic Mail
3. send message to target (eleven times to Series 60 v 3.1, only one message is needed for all other versions)

There are currently no client side workarounds published as of the moment. If ever you work for Smart Communications, Globe Telecom or Sun Cellular maybe your network team can take heed of the suggestion in the document that “network operators should filter messages with TP-PID ‘Internet Electronic Mail’ and an email address of more than 32 characters or reset the TP-PID of these messages to 0”. I also do not have a Series 60 phone mentioned in the list so I cannot test if it can affect cell phones here in the Philippines. Kindly drop me a line in case you were able to test this.

Phones affected:
S60 3rd Edition, Feature Pack 1 (S60 3.1):
Nokia E90 Communicator
Nokia E71
Nokia E66
Nokia E51
Nokia N95 8GB
Nokia N95
Nokia N82
Nokia N81 8GB
Nokia N81
Nokia N76
Nokia 6290
Nokia 6124 classic
Nokia 6121 classic
Nokia 6120 classic
Nokia 6110 Navigator
Nokia 5700 XpressMusic

S60 3rd Edition, initial release (S60 3.0):
Nokia E70
Nokia E65
Nokia E62
Nokia E61i
Nokia E61
Nokia E60
Nokia E50
Nokia N93i
Nokia N93
Nokia N92
Nokia N91 8GB
Nokia N91
Nokia N80
Nokia N77
Nokia N73
Nokia N71
Nokia 5500
Nokia 3250

S60 2nd Edition, Feature Pack 3 (S60 2.8):
Nokia N90
Nokia N72
Nokia N70

S60 2nd Edition, Feature Pack 2 (S60 2.6):
Nokia 6682
Nokia 6681
Nokia 6680
Nokia 6630

More details can be found in a must see video (21 MB) and a document (6.8 KB) on the website of Tobias Engel, who is a member of the Chaos Computer Club.


Microblogging site Twitter had a major breach and has phishing problems reports HeiseSecurity, SCMagazineUS, and SecurityFocus. Apparently, US President elect Barack Obama’s and Britney Spears’ accounts were compromised.

In related news, (The Register) Bogus LinkedIn profiles punt malware to fools.

A security update for the popular email client Mozilla Thunderbird was recently released. (Heise Security report, SCMagazineUS report)

The recently found MD5 vulnerability links:
(SCMagazineUS) MD5 insecurity affects all internet users
(SCMagazineUS) Hackers find hole to create rogue digital certificates
(Heise Security) Verisign/RapidSSL close 25C3 MD5 vulnerability
(SecurityFocus) Survey: One in seven SSL certificates are weak

Posted in News, social engineering, Social Networking, vulnerability, vulnerability assessment | Tagged: , , , , , , , , , , , , , , , , | 1 Comment »