Adventures in QA … Gotta love debug switches!

May 15, 2012

Filed under: Leigh's Security Tips, RJS Software



Debug switches … they’re useful for diagnosing and fixing stuff, but horrible for anything else.

RJS Software is first and foremost a writer of IBM iSeries and Microsoft-based software. We have a rich programming background and a wonderful crew of seasoned programmers … some of whom started back in the punch-card days of the 1960s and ’70s. But as good as our programmers are, we still have errors in our code from time to time that find their way into a customer’s hands.

Let’s be realistic, when you write hundreds of thousands of lines of code, it’s inevitable that something will slip through the cracks. Luckily, our QA team catches the obvious stuff, but occasionally a small bug will slip past their keen eyes. These bugs are the ones that only appear within a unique situation employed by a unique customer. And with those, 99.9% are completely innocuous, but it’s the 0.1% we’re always concerned about catching and fixing immediately before a real problem occurs.

Such is the case with Apple, too. About three months ago, they released an update, OS X Lion version 10.7.3. Shortly after, a German IT administrator discovered a bug while reviewing the var/logs/secure.log file. He noticed that his password was being written in plain text to secure.log, and he immediately posted the error in Apple’s forum. Unfortunately, the thread was largely ignored until last week, when a security researcher ran into the very same problem. He started digging and discovered that the culprit was a debug flag that had been left enabled and writes passwords in plain text. It’s not actually a bug at all; it’s simply a debugging option performing exactly as it was designed to. But as we ourselves find, sometimes those tiny things that aren’t supposed to be present in the production build somehow make it past a QA team. It happens to us … it even happens to Apple.

For most Mac home users, this doesn’t really mean anything to you. This particular debug option is designed for the HomeDirMounter service and most home users are not using server-assigned home directories/server-mapped shares. The folks this is a show stopper for, however, are corporations and schools that deploy Macs in large scale where server-assigned home-share mapping is routine business.

The good news is if you haven’t migrated to OS X Lion 10.7.3 from 10.7.2, you’re in good shape. The debug flag isn’t enabled in 10.7.2. For those who have migrated, the soon-to-be released 10.7.4 version will have this debug flag disabled.
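The debug-flag problem above is as much a log-hygiene question as a QA one. Below is an added example (my own code, not Apple’s or RJS’s) of two checks a release or ops team can run: a scanner that flags log lines carrying what looks like a credential and returns a redacted copy safe to paste into a ticket, and a gate that reports debug switches still enabled in a configuration. The log lines, the HomeDirMounter-style message layout and the flag names (DEBUGLOG and friends) are constructed for the example and are not the real secure.log format or Apple’s real flag names.

```python
import re

# Constructed sample log lines, loosely modelled on a home-directory mounter logging
# its mount attempt. This is NOT the real OS X secure.log format; the lines are made up.
SAMPLE_LOG = """\
May 15 09:12:01 mac01 authorizationhost[214]: DEBUGLOG | HomeDirMounter | mounting afp://fileserver/Users/alice
May 15 09:12:01 mac01 authorizationhost[214]: DEBUGLOG | HomeDirMounter | user=alice password=Tr0ub4dor&3
May 15 09:12:02 mac01 authorizationhost[214]: mount succeeded for alice
May 15 09:13:44 mac01 loginwindow[88]: DEBUGLOG | HomeDirMounter | user=bob passwd="hunter2"
"""

# Each pattern captures the secret value in group 1 so that only the value is redacted.
CREDENTIAL_PATTERNS = [
    re.compile(r'(?i)\b(?:password|passwd|pwd|secret|token)\s*[=:]\s*"?([^"\s]+)"?'),
    re.compile(r'(?i)\bauthorization:\s*(?:basic|bearer)\s+(\S+)'),
]


def _redact(match):
    """Replace only group 1 of a match with a placeholder, keeping the rest of the match."""
    whole = match.group(0)
    start, end = match.span(1)
    offset = match.start()
    return whole[:start - offset] + "<REDACTED>" + whole[end - offset:]


def find_credential_leaks(log_text):
    """Return [(line_number, redacted_line)] for every line that looks like it carries a secret.

    Only the redacted copy is returned, so the result itself never repeats the leak.
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        redacted, total = line, 0
        for pattern in CREDENTIAL_PATTERNS:
            redacted, n = pattern.subn(_redact, redacted)
            total += n
        if total:
            hits.append((lineno, redacted))
    return hits


# Switches that must be off in a production build. These names are constructed for
# the example; they are not the actual flag names in OS X.
RELEASE_FORBIDDEN_FLAGS = {"DEBUGLOG", "DEBUG", "VERBOSE_AUTH"}


def debug_flags_left_on(config):
    """Return, sorted, the forbidden flags that are enabled (truthy) in a flat config mapping."""
    return sorted(name for name, value in config.items()
                  if name in RELEASE_FORBIDDEN_FLAGS and value)


if __name__ == "__main__":
    for lineno, line in find_credential_leaks(SAMPLE_LOG):
        print(f"line {lineno}: {line}")
    print("debug flags on:", debug_flags_left_on({"DEBUGLOG": True, "DEBUG": False, "TIMEOUT": 30}))
```

Run as a script it prints the two leaking lines with the secrets replaced by `<REDACTED>` and reports `DEBUGLOG` as the switch still on. The patterns are deliberately broad; tune them to your own log formats, and treat every hit as a rotate-the-credential event, since the value has already been written to disk.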

Hotmail hacked

May 8, 2012

Filed under: Leigh's Security Tips



Microsoft announced they have fixed a critical bug in their Hotmail service which allowed third parties to remotely reset account passwords. The zero-day exploit was first reported by a Saudi security firm and was then, unfortunately, leaked to Dark Web hacking forums. Within hours the exploit was reposted with a video showing the hack in action.

Here’s how the exploit works:

Using Firefox and a plugin called “Tamper Data” (the plugin allows one to modify browser data in real time), the hacker would first click the “I forgot my password” link. Next, they would enter the email address of the account whose password was to be reset, but use Tamper Data to change the recipient email address that was to receive the reset data to whatever email address they wanted. Of course, all the hacker has to do at this point is click the link they received in the reset email and voilà! … the account is now theirs.

This is a relatively simple hack to pull off. The question is how long has it been going on?

In the past few years, I have helped a handful of family members and customers recover their personal and business Hotmail accounts that had been compromised without warning. One day it worked, the next it did not. The majority of these cases were just plain weak passwords or weak security questions that any quick web search could unearth. Unfortunately in this case, however, even an extremely complex and lengthy password is completely useless when a hacker can simply reset your password to whatever they want.

This is of course a fairly isolated incident, and I can’t recommend enough that your best bet for securing email, Facebook, banking accounts, etc. is to choose a long and complex password and security questions only you would know.
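The mistake at the heart of the Hotmail flaw is a server trusting a client-supplied field it should have derived itself. As an added example (my own code, not Microsoft’s), here is a minimal reset handler in the vulnerable shape the post describes, beside a hardened version that takes the recipient from the account record, stores only a hash of the one-time token and accepts the token once. The account store, the mailer and all addresses are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory account store; these are not real accounts.
ACCOUNTS = {
    "victim@example.com": {"recovery_email": "victim-recovery@example.net"},
}

# Demo mailer: "sent" messages land here as (recipient, subject, body).
OUTBOX = []


def send_mail(recipient, subject, body):
    OUTBOX.append((recipient, subject, body))


def vulnerable_reset(form):
    """The flaw the post describes: the recipient comes from the submitted form.

    An attacker who rewrites the 'recipient' field in flight receives the reset link.
    """
    account = ACCOUNTS.get(form["account"])
    if account is None:
        return False
    token = secrets.token_urlsafe(24)
    send_mail(form["recipient"], "Reset your password",
              f"https://mail.example/reset?token={token}")
    return True


def hardened_reset(form):
    """Recipient is derived server-side; any client-supplied address is ignored."""
    account = ACCOUNTS.get(form.get("account", ""))
    # Respond identically whether or not the account exists so the endpoint does
    # not confirm which addresses are registered.
    if account is None:
        return True
    token = secrets.token_urlsafe(24)
    # Persist only the hash: a database leak then does not hand out live reset links.
    # (A real service would also record an expiry time next to the hash.)
    account["pending_reset"] = hashlib.sha256(token.encode()).hexdigest()
    send_mail(account["recovery_email"], "Reset your password",
              f"https://mail.example/reset?token={token}")
    return True


def consume_reset(account_id, token):
    """Validate a presented token in constant time and invalidate it on first use."""
    account = ACCOUNTS.get(account_id)
    if account is None or "pending_reset" not in account:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(account["pending_reset"], presented):
        return False
    del account["pending_reset"]  # single use
    return True


if __name__ == "__main__":
    tampered = {"account": "victim@example.com", "recipient": "attacker@example.org"}
    vulnerable_reset(tampered)
    print("vulnerable handler mailed:", OUTBOX[-1][0])
    hardened_reset(tampered)
    print("hardened handler mailed:", OUTBOX[-1][0])
```

The point to carry over to your own services: anything that decides where a secret goes (recipient address, callback URL, redirect target) must come from server-side state keyed by the authenticated or looked-up account, never from a form field the browser can rewrite.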

Today is the day

February 29, 2012

Filed under: Leigh's Security Tips, Technology



As Josh mentioned on Monday, Google is about to introduce its new privacy policy, and there are significant implications for you personally. Effective Thursday, March 1st, 2012 (tomorrow), Google will begin harvesting your web history and neatly filing it away under your personal profile. Google will then be able to use this data to personalize your user experience in a sometimes helpful, but oftentimes creepy, fashion. This type of data collection, tied directly to your identity, gives Google a wealth of information not only to use for their own benefit, but to sell for huge amounts of money to third parties.

Again, check out Josh’s post for a set of instructions on how to delete your browsing history (this includes YouTube, Gmail, Picasa, Google+, and the Google search engine) and/or read this very helpful IT World piece that details some of the same.

Searching on Twitter

While you’re at it, be sure to log into Twitter and nuke your old, forgotten tweets as well. It turns out Twitter is going to allow third parties to sift through your old tweets for marketing research information. As Naked Security states, “Regular Twitter users can only search the site for messages posted in the last seven days or so, but Twitter has granted DataSift access to the full Twitter Firehose, allowing the UK-based firm to monitor and analyse tweets from the last 24 months, and even record sentiments and the location of Twitter users.”

Like Google, Twitter has been storing permanent records on all its users and doesn’t appear to have any issue selling this goldmine to outside sources.

As we’ve said time and time again, if you want to keep something private, don’t post it on the internet.

World IPv6 returns June 6th, 2012

February 16, 2012

Filed under: Leigh's Security Tips, Technology



Last June, many top websites and ISPs participated in a 24-hour test of the IPv6 protocol to see what impact running dual TCP/IP stacks, IPv4 and IPv6 together, would have on their networks. This joint venture, known as World IPv6 Day, was heralded as a resounding success as customers enabled IPv6 on their home and business hardware and easily accessed Google, Facebook, Yahoo and more than 1,000 other participating websites.

This year’s World IPv6 Day is for keeps. It’s going on and staying on.


Hacking your car, a decade-old data breach and AT&T Wi-Fi woes

January 18, 2012

Filed under: Leigh's Security Tips



I spent a little time today getting caught up on some security news. Here are three fascinating security reads I think you’ll enjoy:


Revisiting “Dude, your car’s infected!”

Last March, we posted a story about an article in Motor Trend detailing the interesting proclamation that cars may soon be in need of “McAfee or Norton protection.” Basically, a research team developed a virus called “CarShark” that allowed a car’s computer system to become exploited. Here’s a recent white paper on their findings.

The good news is the attack vectors and vulnerable subsystems are unique by car make and model. Thus, an exploit that makes one car vulnerable doesn’t necessarily cross over to another make or model at this point in time.

However, I believe it is simply a matter of time before the car industry starts implementing standards similar to the computer industry. For example, the computer industry’s ATX form factor standard simplified the assembly process by specifying locations of mounting holes and bus slots. These types of common sense changes could very well see their way into the auto industry as our computer technology becomes more fluid and replicable in all cars. But with a simplified system, comes easier access for a CarShark-like virus to take form.


A Truly Black Friday

After the Thanksgiving holiday, City College of San Francisco discovered their network had been breached. Now what makes this story especially shocking is that the hole in the network that caused this breach had been open for over A DECADE. The network was compromised way back in 1999 and was a consistent source of private information for computer criminals in China, Russia and multiple other countries. Private data, including personal banking information, was stolen from “tens of thousands of students, faculty and administrators” at the college over the past 12 years.


AT&T Wi-Fi Woes

In April 2010, CNET wrote an article about AT&T phones automatically connecting to Wi-Fi hotspots named “attwifi” without even bothering with username or password. Apparently the Einsteins at AT&T believe no one but AT&T would possibly name their wireless network “attwifi.”

In today’s day and age, this little goof was found and naturally exploited. A fun little blog entry from May 2011 ran an “attwifi impersonation experiment” with surprising results. AT&T still hadn’t eliminated this loophole and a high percentage of AT&T devices still automatically connected.

Imagine my surprise when a co-worker emailed me this last week, clearly illustrating that the whole “attwifi” issue is still unfixed and still being exploited! A person on the above thread who plays around with the “attwifi” loophole lets users connect to his fake hotspot, but uses a few harmless tools to flip images upside down and/or blur them, in the hope people notice and start paying attention to what they’re connecting to.

And branching off the concept of altering the look and feel of web pages, check out this video by g0tmi1k of what he can do with Squid scripts. My personal favorite is the ASCII art script.

Your password vs. the government

January 12, 2012

Filed under: Leigh's Security Tips



On July 14th, we shared a story about Ramona Fricosu, a seized laptop and whether she was lawfully required to reveal her decrypt code. Here’s a quick snapshot of the story:

“The case involves a laptop seized during the investigation of a mortgage scam. During the police raid, Ramona Fricosu’s laptop was taken by authorities, but the information they sought within the computer was encrypted. The federal judge ordered the defendant to enter the passphrase so the information could be decoded. She refused. Because of her rejection, the judge now has to make a decision on whether she is protected under the United States Constitution – a ruling that could create significant legal precedence.”

This scenario is a bit of a sticky wicket. Is Ramona protected under the constitution, or because she broke the law, is she required to disclose important personal information?

In the ongoing court case of US vs Fricosu, the Colorado district court is still deciding whether they can legally compel Fricosu to divulge the decryption key that unlocks the hard drive, thus potentially incriminating her in the process.

Fricosu has the backing of the Electronic Frontier Foundation (EFF). The EFF believes the government prosecution has failed to present what they’re looking for, because they actually have no idea what it is they are indeed expecting to find within the coded hard drive. The EFF has accused the government of going on a fishing expedition in hopes they’ll catch a substantial piece of evidence.

Perhaps most importantly, the EFF contends that forcing Fricosu to disclose her password is a violation of her Fifth Amendment right and that prosecution has failed to offer immunity as trade collateral.

My Take:
If the state doesn’t have clear-cut evidence *before* digging through Fricosu’s hard drive, the case needs to be dropped. In this day and age of internet technology, nearly everything is logged – emails, text messages, phone calls, etc. There are plenty of other places to fish before forcing someone to decrypt their hard drive. If you can’t catch the big fish out in the open, then move onto another lake.

Wi-Fi Protected Setup is not your friend

January 5, 2012

Filed under: Leigh's Security Tips



A design flaw in the Wi-Fi Protected Setup (WPS) protocol was recently discovered. The flaw allows hackers to crack your router wide open within hours.

The hole is the result of how the WPS protocol handles the PIN used to set up secure access. Looking at the 8-digit WPS label on the bottom of a router, one would be happy with a PIN that has 100,000,000 possible combinations. But it turns out the protocol cuts the PIN in half and sends both halves separately. The router confirms whether the first four digits are correct on their own, so the second half of this supposed security step is rendered almost useless. In reality, the iterations needed to brute-force the PIN are a measly 11,000. Your average PC can crack this code in a day or two. The author of the second link above saw a worst case of 44 hours with the routers he tested; others took substantially less time to crack.
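Working through the numbers in the paragraph above (an added derivation, not part of the original post; the checksum digit is a property of the WPS PIN format that the post does not mention):

The label suggests a search space of

$$N_{\text{label}} = 10^8 = 100{,}000{,}000$$

but the eighth digit is a checksum computed from the first seven, so only seven digits are free:

$$N_{\text{free}} = 10^7 = 10{,}000{,}000$$

Because the router reports on the first half by itself, the two halves are searched one after the other instead of jointly, and the checksum digit removes one more free digit from the second half:

$$N_{\text{split}} = \underbrace{10^4}_{\text{first half}} + \underbrace{10^3}_{\text{second half, checksum excluded}} = 11{,}000$$

Against the 44-hour worst case quoted above, that works out to roughly

$$\frac{44 \times 3600\ \text{s}}{11{,}000} \approx 14.4\ \text{s per attempt}$$

so the attack is limited by how fast the router answers, not by the size of the keyspace, which is why disabling WPS is the only real fix.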

So what can you do to safeguard your router?

1) Disable WPS.
2) Change the default admin password; the longer and more complicated the password, the better.
3) Disable remote administration (disabled by default on most routers).

As of the time of writing, there are two tools available that use this proof of concept.

CarrierIQ: Part 2 (it gets worse)

December 5, 2011

Filed under: Leigh's Security Tips



On October 4th, I blogged about the logging services TrevE found on his HTC mobile phone. These services were tracking all activities on TrevE’s phone regardless of whether he, or any end user, had opted out. Until recently, it was believed that if you opted out, nothing would be collected. However, TrevE illustrated this was clearly not the case and logging was occurring regardless of privacy settings.

Unfortunately, the story takes a turn for the worse. TrevE was not happy with the answers he got from HTC back in October. Although HTC promised a fix, they still haven’t followed through. As TrevE continued to dig deeper, he discovered that HTC code relied heavily upon a little known CarrierIQ service.

CarrierIQ was discovered by a community that creates custom ROMs that run on rooted phones. As you customize this software, particular attention is paid to how the phone’s resources are used because excessive use of RAM or CPU drastically reduces battery life and slows the phone. Because CarrierIQ runs all the time, it became TrevE’s focus. Why was this service always active and why did HTC’s code rely so heavily upon it? Here is what TrevE found.

A week later, CarrierIQ served TrevE with a cease and desist letter and threatened to sue. TrevE solicited help from the Electronic Frontier Foundation (EFF), who quickly wrote a response to CarrierIQ. Acknowledging that their scare tactics were hollow, CarrierIQ quickly apologized to TrevE via a post on their company website. This post also described what their software supposedly does.

Believing CarrierIQ’s product explanation to be a lie, TrevE continued his research and substantiated our worst fears: Carrier IQ digs through your texts, your calls and even your encrypted Google searches.

Evidence indicates this software is not limited to HTC devices. A well-known iPhone hacker named Chpwn tweeted that versions at least as recent as iPhone OS 3.1.3 contain references to Carrier IQ. He later confirmed it exists in all versions of iOS, including iOS 5. Apple has been quick to respond to this information and openly admitted they have CarrierIQ in iOS. Perhaps based on the latest firestorm, Apple stated they have plans to completely remove Carrier IQ in a future software update. Similarly, Dan Rosenberg confirms that CarrierIQ exists on his Samsung device.

At this time, it appears as though different phones are running different versions of CarrierIQ with different capabilities. The intent behind the software is to collect metrics to allow carriers to improve their service offering, but as with many technologies, they appear to have over-reached. According to Dan Rosenberg, his research indicates the following items are being tracked:

* Browser information: In some cases, this can track search terms and URLs, but does not record the contents of a page.

* Location data: Based on GPS and proximity to cell towers and wireless access points.

* Network and radio events: Basically tracking when the phone joins/leaves networks and turns 3G/4G/Wifi on and off.

* Hardware events: These are like battery levels, voltages, temperatures, etc.

* Keystrokes: This has been misreported. Keys can be tracked, but at least on Samsung devices, only keys pressed in the dialer can be tracked.

* Call Information: Initiation of calls, received calls and dropped calls.

* Application data: Which apps you run and when you run them.

* Text Messaging: Who the message is to, who the message is from and how long it is. Does not track the messages themselves.

If you run a rooted Android, be sure to get a Carrier IQ test app to see if your ROM has been properly sanitized.

If you do not run a rooted Android, consider the information that goes through your phone and consider whether or not you trust your carrier with that information. To a certain extent, we need to trust others. However, it is always wise to consider who you are trusting and how much trust you extend to them. In this case, at least, we can do something about it. Please think hard about this issue and decide what your information is worth to you.

Putting spam back in the can

November 29, 2011

Filed under: Leigh's Security Tips



In China, there is a large group of professional posters who are paid to write comments, gossip, information and disinformation on chat room boards, forums and blogs. For the right price, they’ll post literally anything you want. They’re called the “Internet Water Army,” according to an undercover team of computer scientists, since their intent is to flood the internet.

This raises major concerns for anyone who utilizes user comments as an opinion in their decision-making. Which comments can you truly take at face value?

As published in www.technologyreview.com.

When I research new technology and hardware products, there are only a dozen or so sites I trust to give me the real scoop on how the product compares to its competition. Like many other purchasers, I also base a substantial part of my buying decision on user reviews because they are generally unbiased. I feel confident in selecting a product that has both a positive review on a respected technology-based website and a base of users who openly praise the product’s capabilities on blogs, forums or comment sections.

Where people struggle is with sites whose only review process is via user comments, like the Official Android Market for instance. Occasionally an XDA Developer will review an app, but I’m usually on my own to dig through the user reviews and separate the wheat from the chaff.

It is in this situation, where the Internet Water Army has the greatest ability to influence view points and purchasing decisions. Am I reading a comment from a legitimate customer or a paid poster’s review lampooning a good product or championing a piece of garbage?

Cheng Chen, of the University of Victoria in Canada, was able to infiltrate the Internet Water Army and work as an undercover paid poster. He and several friends captured datasets from two large Chinese websites and manually analyzed every posted comment to identify Internet Water Army behavior. Since these posters are paid on volume of fake comments/posts, many take shortcuts and simply copy and paste the same information over and over again.

Using this information, Chen and his friends designed new anti-spam logic that filters out artificial paid-poster comments. It can flag a comment based on how frequently a given user posts reviews, or on other specific behavior patterns associated with prepared information or canned sales pitches. The impressive program achieved an 88% catch rate on its first attempt.

Now that’s an impressive use of technology!
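Chen’s detector isn’t reproduced on this page, so as an added example (my own code, not Chen’s and not the program the post describes) here is a toy version of the two signals the post names: posting frequency and copy-and-pasted content. The comments, user IDs and thresholds are constructed for the demo; a real deployment would tune the thresholds on labelled data the way the study did.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample comments: (user_id, "YYYY-MM-DD HH:MM", text). Not from any real site.
COMMENTS = [
    ("u1", "2011-11-20 10:00", "Great product, works exactly as advertised, buy it now!"),
    ("u1", "2011-11-20 10:02", "Great product, works exactly as advertised, buy it now!"),
    ("u1", "2011-11-20 10:03", "great product works exactly as advertised buy it now"),
    ("u1", "2011-11-20 10:05", "Best app ever, five stars, everyone should install."),
    ("u2", "2011-11-20 11:00", "Crashed twice on my phone, then worked fine after the update."),
    ("u3", "2011-11-21 09:30", "Great product, works exactly as advertised, buy it now!"),
    ("u4", "2011-11-21 12:00", "Settings screen is confusing but the sync feature is solid."),
]


def normalize(text):
    """Lower-case and strip punctuation so trivially edited copies still compare equal."""
    return re.sub(r"[^a-z0-9 ]+", "", text.lower()).strip()


def flag_paid_posters(comments, max_per_hour=3, dup_threshold=3):
    """Return {user_id: [reasons]} for users whose behaviour matches a paid-poster pattern.

    Signal "burst": more than max_per_hour posts by one user inside any one-hour window.
    Signal "duplicate": the same normalized text appears dup_threshold or more times
    across the whole corpus (the copy-and-paste shortcut the post describes).
    """
    parsed = [(user, datetime.strptime(stamp, "%Y-%m-%d %H:%M"), normalize(text))
              for user, stamp, text in comments]
    reasons = defaultdict(set)

    # Signal 1: posting frequency, checked with a sliding one-hour window per user.
    times_by_user = defaultdict(list)
    for user, when, _ in parsed:
        times_by_user[user].append(when)
    for user, times in times_by_user.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= timedelta(hours=1)]
            if len(in_window) > max_per_hour:
                reasons[user].add("burst")
                break

    # Signal 2: repeated content, counted across all users so a ring sharing one
    # script is caught as well as a single user spamming it.
    text_counts = Counter(text for _, _, text in parsed)
    for user, _, text in parsed:
        if text_counts[text] >= dup_threshold:
            reasons[user].add("duplicate")

    return {user: sorted(flags) for user, flags in reasons.items()}


if __name__ == "__main__":
    for user, flags in flag_paid_posters(COMMENTS).items():
        print(f"{user}: {', '.join(flags)}")
```

On the sample data u1 trips both signals and u3 is caught only because its text matches a script already seen three times elsewhere; the two genuine-looking reviewers are left alone. Both signals are cheap to evade individually, which is why the study combined several behavioural features rather than relying on one.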

Is Facebook sending friend requests without your permission?

November 8, 2011

Filed under: Leigh's Security Tips



I was sitting at work last week when an email popped up in my inbox:

Facebook automated invite?

That blacked-out friend requester is my wife, and the request was oddly sent to my work email. This was especially strange because I already have a personal Facebook account I don’t use, so why would she invite me to create yet another one via my work account? I called her and asked if she had actually sent the invite and, needless to say, she hadn’t. Heck, she wasn’t even signed onto Facebook when I received the invite.

So if my wife didn’t send me the invite, who did? The conclusion I’m drawing is it must have been Facebook themselves.

There have been several stories circulating recently about Facebook’s tactics for collecting massive amounts of user data and creating shadow profiles for both users and non-users. I even read an article from a blogger who was tracking trends of Facebook friend requests sent without the user’s permission back in 2009. This leads me to believe that in Facebook’s quest to gather as much information as possible about you and your friends, they may be sneakily rifling through your address book and contacting your acquaintances without your permission.

My wife had my work email address stored in only one location … her Instant Messenger account on MSN Live Messenger.

Looking further into the false friend request above, one of the other friends supposedly trying to connect with me is actually a customer of RJS. She has also never sent me an invite and happens to have my email address stored within Microsoft Outlook.

So is my assumption correct? Is Facebook rummaging through my and your online address books? And if so, what else are they digging through without our permission?

I’ll definitely be choosing that “unsubscribe” option at the bottom of the invite. Regardless, it is time to ask Facebook some serious questions about privacy invasion.
