Enabling Secure Business Operations

Mobile Security Battle Royale

Last week at the RSA Conference I had the opportunity to attend the “Mobile Security Battle Royale”, featuring a great panel of experts on mobile phone security. Moderated by Zach Lanier, the panel featured Tiago Assumpção and Collin Mulliner paired off against Charlie Miller and Dino Dai Zovi (co-authors of iOS Hacker’s Handbook).

As many great panels typically do, this panel featured no slides and no set talking points. Instead, Zach asked the panel some great questions to just get the ball rolling, and the panel started firing off great quotes left and right. I got busy live-tweeting the session and got (and re-tweeted) a few great quotes from many of the panel members which I have embedded below.

One of the recurring themes was “which is better”, comparing iOS to Android. BlackBerry/RIM got a few mentions as well since Tiago worked for RIM for a long time. The panelists did not come to any final conclusion; all the platforms have their benefits and their drawbacks. However, as a “battle royale”, there was a certain amount of desire from the moderator and the audience to declare a winner. My belief is that iOS is currently ahead, but the battle is close. I’d tip my hat toward iOS at this time for two reasons. First, it is slightly more expensive and difficult to get an app into the Apple App Store than Google Play, which makes things slightly more difficult for malware developers. Second, Apple iOS devices are generally running the latest version of the operating system, unlike the fractured Android ecosystem which has over half of the active devices running multiple major revisions behind.

Enjoy these quotes (paraphrased a little, I don’t have an eidetic memory) from this great panel discussion. I look forward to the rematch at next year’s conference.


Product Review: The hiddn Crypto Adapter Offers Secure USB Storage

Recently I had the chance to test out a clever little device called the hiddn Crypto Adapter. Made by Norway-based High Density Devices, the adapter looks somewhat like a miniature desk calculator with a USB port instead of a display, but its simple appearance belies some powerful functionality: transparent, real-time encryption of USB drives with two-factor authentication.

The adapter essentially acts as a proxy between your computer and a USB drive, meaning it needs no software, has no operating system requirement, and works with everything from a flash memory stick to an external hard drive. All communication with the USB device is encrypted on the fly using 256-bit AES via a certified FIPS 140-2 Level 3 crypto module, but the key isn’t stored on the drive: at the front of the hiddn adapter is a smart card slot.

When you insert a smart card, you have to enter the corresponding PIN code to use it. (After three unsuccessful attempts, the card becomes locked until a longer PUK code is given.) The device does not appear as an active USB device in the OS until a card is verified, and becomes “unplugged” when the card is removed. The encryption key (or half of it in split-key mode) stays on the smart card, making an encrypted drive unusable without it.

Setting up and operating the hiddn system is very straightforward. You connect it to your computer with a USB cable, plug a drive into the top USB port, insert your smart card, and then enter your PIN. From there, the experience is no different than using a USB drive normally – there’s not even a difference in speed.

When I first connected an unencrypted drive on a Windows machine, it appeared as an unformatted drive. After formatting, it behaved just as it would when plugged in directly. (A few times I had to reconnect the adapter to get Windows to recognize a new drive if I didn’t “eject” the drive first or tried a bad PIN, but those were minor issues.) Trying to use the drive without the hiddn adapter after it had been encrypted brought up another prompt to format – Windows could tell there was a volume, but it was completely unreadable.

After using the hiddn Crypto Adapter for a short time, I started wondering why no one else had thought of it before – or at least why I’d never heard of it before. It’s a great tool for anyone wanting a no-hassle method to encrypt removable storage. The only potential drawback is pricing; two adapters and two sets of pre-configured smart cards can run almost $900. High Density Devices offers a few different packages of units and cards, ranging from one of each to ten, as well as an enterprise key management system for creating new cards. But while some users may find hiddn too expensive for personal use, its flexibility, ease-of-use, and high security make for a combination that’s hard to beat.


Whose hands are your mobile apps in?

Another iPhone killer is here. DROID. Whether you’re a fan of either product, or you’re still thumbing away on your Blackberry or WinMo device, there’s one thing to be said. There are plenty of apps now. A couple years ago it was a pretty daunting task to get any sort of application on your device that wasn’t already on your carrier’s supported list. WinMo users have been the only real open crowd here as every version of Windows Mobile has supported most of the older apps since the Windows CE days. But with the rise of more and more applications comes the rise of the risks associated with these applications.


AVC Advantage Attack

Questions about the trustworthiness of electronic voting machines have been in the news a lot over the last few years. Plenty of people acknowledge the potential for abuse of these machines, and discussions of how they can be used to swing elections are pretty common. A trait that these discussions share is a reliance on hypothetical scenarios or instances where an attacker would need to have some kind of esoteric/insider knowledge about the hardware and/or software running the machine to mount an effective attack.

However, I recently came across a video detailing a real attack against a real voting machine, carried out by real engineers, using real tools and data, and showing very real results.

The Sequoia AVC Advantage, a pretty old piece of electronic voting equipment, was broken pretty badly by hardware reverse engineering and return-oriented programming. The following video shows how it was done by a team of computer scientists and engineers from the University of California, San Diego, the University of Michigan, and Princeton University:

More about the attack details here.

What’s really interesting is the ease with which they were able to get a voting machine to play with in the first place. They didn’t steal one or bribe a government worker. Instead, they bought 5 of them… online… from a government surplus auction for less than $20 a pop. Craziness… especially considering some states still use these same machine models. A few months later and these guys have a well-structured attack that can swing the vote any way they want.

This just goes to show how thin the line is between hypothetical voting machine attacks carried out by insiders with special knowledge and real voting machine attacks carried out by smart people with a couple of dollars and some spare time on their hands.


Laptop Losses By The Numbers

A recent study on lost laptops by Dell and the Ponemon Institute shows how important data protection and encryption are, especially for portable devices. Here are some of the findings.

  • 12,000 laptops are lost in US airports each week.
  • 65-70% are never reclaimed.
  • 53% carried sensitive corporate information.

Guess how many of those machines were protected with encryption.

You can read the entire report [pdf] and find out on page 7.


iPhone 3G S – Hardware Encryption?

As many have noticed, Apple has released their new lineup of laptops, software, OSes, and iPhones. As I watched live coverage of the keynotes on Monday (thanks Gizmodo) – a few things caught my attention when they were speaking about the new iPhone 3G S.
The first thing that caught my eye was the mention of “hardware encryption.” Now, simply mentioning that a device supports hardware encryption can mean a lot of things, and Apple isn’t very clear about what they mean by this. Trying to do some further research didn’t help much either as I only ended up being further confused with all the different mentions of this “hardware encryption.” The official word from Apple is…

iPhone 3G S offers highly secure hardware encryption that enables instantaneous remote wipe. You can even encrypt your iTunes backups.

…according to that, it would sound like the remote wipe is dependent on the hardware encryption, which makes me believe that instead of actually wiping the data (as in a format), it would simply delete the private key – therefore making the data inaccessible. (Since iTunes stores a backup of all your iPhone data at every sync, securing this also seems important.)  This also assumes it’s using a strong form of encryption. I’ve also read in other posts…

…hardware encryption for Exchange users…

…as the listed feature. Does this mean it’s only available through Exchange, and at what level is it being used? Is it only securing your email? We know the iTunes songs and videos are already being encrypted on the device. Is this the same form of encryption they’re talking about?  We’ve asked an insider at Apple to help us out with some of these questions and are still awaiting a response.

All of this brings up major questions about the REAL security behind all these marketing terms. How much do companies actually care about security, and how much do they actually do to help protect their users? Is everything just a marketing ploy these days?

Users were upset about the lack of security in our last model of product X. Let’s add minor revisions and throw some good marketing verbiage in the features list and hope that fixes everything.

Is this how security is being treated? Apple isn’t the only company being vague about these types of issues; it rolls all across the board. They just happen to be the ones asking for the most attention at this current point in time. Stay tuned as I hope to find and relay some answers to many of these questions as more details are revealed.


How ATM Skimmers Work

Much like most virtual hacks, some clever people create a very sophisticated tool and a bunch of amateurs (or crime syndicates) use it to commit fraud. Hardware hacks, like this ATM skimmer, are generally more difficult to obtain, expensive, and can’t be copied and shared as easily as a computer program.

ATM skimmers like those shown in the video require a camera set up to see your PIN as you enter it. Aside from the obvious advice of not using any ATMs with wires or protruding panels, they recommend shielding the number pad as you enter your PIN code. I’d add going inside of a bank to withdraw cash when at all possible, but nowadays most debit cards double as credit cards and your PIN is pretty useless. The crooks can just take the card number swiped from the magnetic strip to go shopping online or sell to someone else.


Quantum Cryptography Takes Baby Steps, Not Unbreakable

You may have been reading about the latest advancements in quantum cryptography over the past week. Claims that the technology is unbreakable are unfounded, however, not least for these theoretical reasons.

  • Quantum Cryptography Will Be Broken With Quantum Technology - Current computing technology uses methodical means to encrypt and decrypt data. Quantum physics doesn’t work sequentially or even follow the laws of classical physics.
    • The first quantum hack will be done with quantum technology.
  • The Human Factor - I always like to think about the “gun to head” method of cracking security. Put a gun to the right person’s head and they’ll tell you whatever you want. Quantum cryptography can be cracked by blackmailing, intimidating, and threatening the right people.
    • Not to mention that people lie, cheat, and steal for money or other personal gains. No technology in the world is immune from people.
  • Maybe God Isn’t Playing Dice - Einstein never believed that quantum physics was random, famously saying, “God doesn’t play dice with the universe”. I agree with him, considering it’s just that we don’t completely understand what’s happening to entangled particles – making them seem “magic”.
    • The entire physical universe works according to a set of very well defined laws and rules. That quantum physics should be an exception is unlikely.
    • If that is the case, quantum cryptography could be unraveled by a brilliant physicist one day.

All of the above is purely theoretical, but you should always be wary of “completely secure”, “unbreakable”, and “perfect security” – because they don’t exist. There are other theoretical ways to possibly disrupt or eavesdrop on a quantum message – but again they’re purely theoretical.

Well, so is practical quantum cryptography.


Networking when it’s not needed

Mark Kahn found out the hard way that even “small” sites will press charges when he hacked into Six Flags’ computer systems. He used a bad form on Six Flags’ job site to submit lots of bogus job applications containing threatening messages. While his stunt did not result in the loss of data, it did annoy some people enough to press charges. What I want to know now, is how well amusement parks’ externally facing websites are separated from the really important computer systems – those that belong to the rides/roller coasters.

I’m speculating here, because I ride coasters a *lot*, and the newer systems are controlled by general purpose computer systems – I’ve seen the Millennium Force at Cedar Point blue screen, and it was built in 1999/2000. I don’t know if these systems are networked at all, but I could see a business use for it: letting people know what rides were having problems, or just generally monitoring the health of each ride. These computer systems (like many at hospitals) literally control life or death; they don’t just store someone’s personal data. It’s a lot like the pacemakers that are bluetooth controlled. Do we really want to network these devices?

There are arguments on both sides of the fence, and I can see both sides – it’s easier to monitor and make changes (without having to go through surgery again), as well as “but someone could get killed”. Both sides make great cases (someone could die during surgery too), but the networked (whether bluetooth, wi-fi, RF, etc) devices also present the accidental hazard. What if I want to just play around with the bluetooth protocol and start sending garbage to a device I own (say my cell phone), and someone with a new pacemaker just happens to be sitting across the way at the coffee shop?

To network or not network is probably going to be an eternal question, and the answers are going to be different each time we ask that question. It all depends on what risks we’re willing to accept, and what ones we’re not.


Counterfeit Cisco Routers

This is really bad and scary news. The F.B.I. Says the Military Had Bogus Computer Gear.

[T]he… sinister specter of an electronic Trojan horse, lurking in the circuitry of a computer or a network router and allowing attackers clandestine access or control, was raised again recently by the F.B.I. and the Pentagon.
The new law enforcement and national security concerns were prompted by Operation Cisco Raider, which has led to 15 criminal cases involving counterfeit products bought in part by military agencies, military contractors and electric power companies in the United States. Over the two-year operation, 36 search warrants have been executed, resulting in the discovery of 3,500 counterfeit Cisco network components.

Cisco routers are everywhere. According to Cisco’s web site, “Cisco is the leading supplier of networking equipment and network management for the Internet.” The likelihood that you received this web page over one or more Cisco routers is extremely high.

Also, what if this wasn’t just counterfeiting?

The F.B.I. is still not certain whether the ring’s actions were for profit or part of a state-sponsored intelligence effort.

It’s one thing if widely used networking components get compromised through a flaw that allows “back door”, privilege escalation, or other nefarious access to the data which flows across them. It’s an entirely different thing if these devices were (re-)engineered with villainous intentions. Such additions could be nearly impossible to detect. One more quote from the NY Times story:

The threat was demonstrated in April when a team of computer scientists from the University of Illinois presented a paper at a technical conference in San Francisco detailing how they had modified a Sun Microsystems SPARC microprocessor by altering the data file on a chip with nearly 1.8 million circuits used in automated manufacturing equipment…
“It’s very difficult to detect and discover these issues,” said Ted Vucurevich, the chief technology officer of Cadence Design Systems, a company that provides design tools for chip makers. Modern integrated circuits have billions of components, he said: “Adding a small number that do particular functions in particular cases is incredibly hard to detect.”

If this doesn’t give you nightmares, it should.
