Category Archives: Security


Have I been Hacked by Nokia? Weird MS Account Issue

I am in the habit of regularly auditing my MS Account information as I want to know where my threat vectors are coming from. I am looking at you guys from Russia, please leave my account alone, will you! :)

Anyways, seriously now, I took a look a minute ago and I noticed something out of place. There is a Successful Login entry on my timeline from last Thursday; from the UK!

That is far outside my operational zone! So far that even I’ll need to catch a plane to be there physically. And what troubles me most is the Browser/App reported: Unknown. Now I am a die-hard IE user. I intentionally use IE so I can be on the InfoSec warfront, contrary to the popular opinion that IE is for NOOBs. If it had been me, IE would normally have shown up there instead of Unknown Browser.

Now, I know for sure I wasn’t in the UK on that day, as I was still on vacation somewhere else. Normally my line of work requires that I use a VPN connection to work, and accessing my MS Account during my VPN connection gives a skewed login location of my company’s central server, which is well known in my timeline; but on that Thursday I was off duty, and my VPN access is mostly somewhere else entirely.

So I did what a normal InfoSec person would do: I went to IPAddress.com for the WHOIS info of the IP address, and my bacon was stolen! I have been hacked from Nokia HQ UK!

How is this possible? I thought Nokia was one of the good guys, right? Could IPAddress.com have got this wrong? I went to other WHOIS tools, and they all told the same story: I have been hacked by Nokia. Now I don’t believe I am that important that Nokia would go after me, neither do I believe there is a Nokia Admin that needs my attention.

I just want to know how this is possible. I remembered Nokia had a keynote event on that day which I watched online, but I didn’t have to log in with my MS account at that time, and even if I did, it wouldn’t have registered me in the UK. What other event did I have last week that has to do with Nokia? Yeah, I downloaded the Recovery Tool, but that was also without login. So what the freak is going on? Have any of you experienced this kind of place-shift?

This is a riddle for any of you InfoSec experts out there. The way I see this, Nokia has been hacked, and the hacker used Nokia’s network to get to me. But that hardly looks like the path of least effort, as I haven’t got anything that any hacker would go to the length of hacking a renowned company to reach. So what is this? Go ahead people, theorize. I am curious to hear your thoughts on this. In the meantime, excuse me while I clean up my MS Account.
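As an added example (not from the original post), here is the kind of audit described above done in code: a small pass over a constructed sign-in timeline that flags successful logins from outside a known baseline, logins with an Unknown browser/app, and a crude impossible-travel case. The countries, times, the baseline set and the three-hour travel rule are all assumptions.

```python
from datetime import datetime

# Constructed sample of a Microsoft account "Recent activity" timeline.
# Countries, times and apps are made up for this example.
ACTIVITY = [
    {"time": "2014-09-08T08:12:00", "result": "Successful sign-in",
     "country": "Belgium", "app": "Internet Explorer"},
    {"time": "2014-09-09T13:40:00", "result": "Successful sign-in",
     "country": "Germany", "app": "Internet Explorer"},      # assumed company VPN egress
    {"time": "2014-09-10T09:05:00", "result": "Unsuccessful sign-in",
     "country": "Russia", "app": "Unknown"},                 # failed guess, not flagged
    {"time": "2014-09-11T15:20:00", "result": "Successful sign-in",
     "country": "United Kingdom", "app": "Unknown"},         # the odd entry
    {"time": "2014-09-11T16:05:00", "result": "Successful sign-in",
     "country": "Belgium", "app": "Internet Explorer"},
]

# Baseline: home country plus the country the company VPN exits from (assumed values).
BASELINE_COUNTRIES = {"Belgium", "Germany"}
# Crude impossible-travel proxy: a different country within this many hours.
MAX_TRAVEL_HOURS = 3.0


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def audit(records, baseline=BASELINE_COUNTRIES, max_travel_hours=MAX_TRAVEL_HOURS):
    """Return the successful sign-ins that deserve a closer look, with reasons."""
    flags = []
    last_ok = None
    for index, rec in enumerate(records):
        if rec["result"] != "Successful sign-in":
            continue  # failed attempts are noise here; only successes matter
        reasons = []
        if rec["country"] not in baseline:
            reasons.append("unexpected_country")
        if rec["app"].strip().lower() == "unknown":
            reasons.append("unknown_client")
        if last_ok is not None and last_ok["country"] != rec["country"]:
            hours = (_parse(rec["time"]) - _parse(last_ok["time"])).total_seconds() / 3600
            if hours < max_travel_hours:
                reasons.append("impossible_travel")
        if reasons:
            flags.append({"index": index, "time": rec["time"],
                          "country": rec["country"], "reasons": reasons})
        last_ok = rec
    return flags


if __name__ == "__main__":
    for flag in audit(ACTIVITY):
        print(flag["time"], flag["country"], ", ".join(flag["reasons"]))
```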


Microsoft Garage details Microsoft’s Cloud Security Strategy

I mentioned yesterday that Microsoft doesn’t hide the fact that any system can be broken; they embraced the fact and built their security initiatives on the premise that bad things can and will happen to data. Now you can hear it for yourselves from Mark Russinovich, a lead architect of Microsoft’s cloud computing platform. He was talking to the Microsoft Garage series host today about how MS goes about protecting your data in the Cloud. Let’s hope the competition is taking a page from this.

Now jump to 11:45 in the video and hear Mark confirm what I told you yesterday. MS assumes no matter how good your security is, it will be breached. You just have to mitigate to limit the damage. Go Microsoft.

Microsoft Details its Online Safety History

While Apple is today busy burying its head deeper into the sand, Microsoft chose to detail its track record with the Online Safety initiatives of its Trustworthy Computing efforts. What a marked difference between the two Internet giants. One is too busy denying they’re vulnerable; the other accepts the fact that any system is vulnerable, and you just do your best to protect your users.

Go see Microsoft’s efforts through the years on their Trustworthy Computing page. The fact that they chose today to come out with this news, in contrast to Apple, could be purely a coincidence, or a genius plan of Microsoft to contrast itself, since it gets neglected and ridiculed despite its amazing efforts on security. Just download the Safety Milestone report alone (PDF); you’ll be amazed how far back this company has been dealing with security issues. The file is a treasure trove of information and worth a perusal.

Now if only those in the distortion field would just wake up and read it. But then, it will remain a dream, for now.

Apple pushes its head further into the sand

Boy, I knew this was coming, but still it was a disappointment when it came. The wait is over: Apple has come to town on the root cause of the celebrity nude breach, and yes, it wasn’t Apple’s fault as usual. How could we have guessed differently. Apple confirmed there was a breach, but it was because users were not using strong passwords, allowing folks to guess their passwords.

That a perpetual repetition of login attempts was used till the right password was found was not mentioned. And I mean perpetual repetition of dictionary words: thousands, sometimes millions of guesses being passed to Apple’s system till the right one is passed and access is granted. Pray do tell, iCloud users, do you guess your login a thousand times before you give up? No, no sane person would guess their own login that long. So why does Apple’s system allow it?

This is the 21st century; no self-respecting system allows more than 5 guesses before locking access to the account. So why do script kiddies succeed in making thousands and thousands of login attempts? No, it is not Apple’s fault for touting a security platform of the 80’s; it is the users’ fault for not using strong passwords.
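As an added illustration (not Apple’s code or the post’s), here is the difference between a password verifier with no attempt limit and one that locks the account after five consecutive failures, the limit the post argues for. The account, the wrong guesses and the 15-minute lockout window are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

# Iteration count lowered so the demo runs quickly; use far more in production.
PBKDF2_ITERATIONS = 10_000
DUMMY_SALT = b"\x00" * 16
DUMMY_HASH = b"\x00" * 32


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class LoginService:
    """Password verifier; max_attempts=None reproduces the 'guess forever' behaviour."""

    def __init__(self, max_attempts=5, lockout_seconds=900, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.users = {}         # username -> (salt, pbkdf2 hash)
        self.failures = {}      # username -> consecutive failed attempts
        self.locked_until = {}  # username -> clock value when the lock expires

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, _hash_password(password, salt))

    def login(self, username, password):
        """Return 'ok', 'bad_password' or 'locked'."""
        now = self.clock()
        if self.locked_until.get(username, 0.0) > now:
            return "locked"  # refused without even checking the password
        known = username in self.users
        salt, expected = self.users.get(username, (DUMMY_SALT, DUMMY_HASH))
        # Always hash and compare so unknown users cost the same time as known ones.
        matches = hmac.compare_digest(_hash_password(password, salt), expected)
        if known and matches:
            self.failures[username] = 0
            return "ok"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if self.max_attempts is not None and count >= self.max_attempts:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures[username] = 0
        return "bad_password"


class ManualClock:
    """Clock the demo can advance by hand instead of sleeping 15 minutes."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def count_guesses_evaluated(service, username, guesses):
    """How many guesses the service actually checked before refusing further attempts."""
    evaluated = 0
    for guess in guesses:
        if service.login(username, guess) == "locked":
            break
        evaluated += 1
    return evaluated


def demo():
    secret = "correct horse battery staple"
    guesses = ["guess-%d" % i for i in range(48)]  # constructed wrong guesses

    weak = LoginService(max_attempts=None)  # no lockout at all
    weak.register("alice", secret)

    clock = ManualClock()
    hardened = LoginService(max_attempts=5, lockout_seconds=900, clock=clock)
    hardened.register("alice", secret)

    weak_evaluated = count_guesses_evaluated(weak, "alice", guesses)
    hardened_evaluated = count_guesses_evaluated(hardened, "alice", guesses)
    while_locked = hardened.login("alice", secret)  # right password, still refused
    clock.now += 901                                # lockout window passes
    after_lockout = hardened.login("alice", secret)
    return {"weak_evaluated": weak_evaluated, "hardened_evaluated": hardened_evaluated,
            "while_locked": while_locked, "after_lockout": after_lockout}


if __name__ == "__main__":
    print(demo())
```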

But guess what? Apple will get another pass again. It is almost Keynote time at Apple’s, and none of your favorite tech bloggers will dare to question Apple for fear of not being invited to the Church. I don’t blame Apple; I blame the teeming masses that continue to give Apple a pass on all its laxities.

Just like the SSL bug, another ridiculous lapse is allowed to pass as water under the bridge. I just pity those poor users who don’t know better.

My final question to Apple: If your infra was not involved in this breach, why the need to ask your users of Find My Phone service to re-authenticate themselves yesterday? I thought all was good with the platform?

You can fool some people some time, but you can’t fool all the people, all the time. One day, they’ll see through your smoke screen. Yes, it wasn’t Apple’s fault, it’s the users’ fault for trusting them with their lives.

Apple Painted itself into a Corner

With all the nude leaks going on these last days, all linked to an iCloud breach, and the thundering silence of Apple in responding officially to the allegations, I am smelling a rat. It is two days after the fact, and Apple has yet to go to town with their manipulative attitude. That smells fishy to me. It is unlike Apple to keep quiet for so long. Even with a single gram of salt, they would have gone to town in damage-control mode.

All this points, as far as I am concerned, to the fact that the damage is so tremendous that it requires special handling. You see, the problem is, this is Apple that told the world they are the “most secured” platform on planet earth. The Switcher Ads adage still rings in the ear with its pompous “We are Apple, we don’t get viruses” exclamation.

This very hubris is now turning out to be Apple’s downfall in security. When you’ve conditioned the world to accept that you’re invincible and all bullets just bounce off your thick hide, it is difficult to now turn around and confess to the world that your platform is as porous as any other’s on the planet.

Once is an accident, twice is a curiosity, thrice is a habit. The number of security breaches taking place in Apple’s paradise is becoming epidemic. Apple’s laxity in building security into its products at the foundational level is now coming back to bite them where it hurts most.

We’ve told the masses that there is not a single company that knows security like Microsoft. When you’re the planet’s Atlas, carrying 90% of the world’s OS usage on your shoulders, you’re the big target for malicious hackers. Microsoft learnt its lessons by pressing the reset button with its Secured Computing initiative in the Vista timeframe. Right now, they are centuries ahead of the competition in security. We’ve told you all along; now we’re being vindicated.

Who are you going to trust with your precious data in the Cloud? Well, my choice is clear. My choice goes to the company that has been battle-tested, and so should yours. Now let’s continue to wait on Apple’s spin-doctors, to see which diversionary tactics they’re going to employ this time around.

Image Credits:

From <http://thestickmanspeaks.files.wordpress.com/2011/02/painted-into-a-corner.jpg>

XP Still Not Completely Dead to Microsoft


Today I fired up an old XP box just out of curiosity to see the security status of XP as of June 2014, and lo and behold, I have one Security update, which in this case is the Malicious Software Removal Tool for June 2014.

Then I thought, while we are at it, let’s see the status of MS Security Essentials, and yes, it is still being updated daily by MS.

Like I initially reported, and contrary to popular opinion, MS has not completely abandoned XP users; it is still making sure they are not the Internet Trojans everyone is purporting them to be after EoL.

Of course this doesn’t mean that you should still sit on XP; it is a dead OS. You may be making the Net unsafe for all of us as is. You don’t want to come to a gun fight with a knife. Get off this time bomb called XP now, while you still safely can.

How to Turn-OFF App Recommendations in the New Store


Unless you’ve been living under a rock, you would have noticed people are raving seriously about the new Windows Store for the new and improved Windows 8.1 Blue. There have been lots of articles about the new Store on various tech sites, so I don’t feel compelled to write another one here. That would be unproductive and a waste of your time. But one thing I want to mention is the new Recommendation feature of the Store.

As you might have read, the Store is now powered by the awesome engines of Bing. For better or for worse, we are being followed every day by the search engines we use; whether you belong to Google or to Microsoft or whoever, there’s no denying it, our lives are being interpreted by these AIs (almost AI then, have it your way!). So unless you don’t use the internet, there is no denying that these machines know one thing or another about us. The advantage in this case is that, due to your usage and search patterns, these engines know what is good for you. So you get recommendations of apps that the AI thinks will be interesting to you.

But you may not want your patterns to be recorded and the new Recommendation feature of the new Store turned OFF; well, how you do it is right there in that picture. Microsoft, worrying about your privacy as usual, has added an option for you tin-foil-hat-wearing conspiracy theorists to turn off machine recommendations. Not that it matters; the NSA has got your backside via PRISM, so you might as well leave the darned option ON and enjoy the discovery it brings to the Store. :-)

5-0 Radio Police Scanner App in the Store for old and new Radio Amateurs


Well, here is a blast from the past! The Internet has spoilt us all, and some of us have forgotten what we used to do back then when there was no Internet. Believe me, some of us have lived in that timeframe where there was no Internet. You ask what we did to communicate and keep ourselves entertained? We were radio amateurs; we sent and received radio signals over long distances to communicate and make new friends, the longer the distance you bridged the better; and we listened to Police and Fire Department communications. We knew what was going on before the average Joe knew it. Those were good old times when you had to hunt for information :-). Now we are overwhelmed with information via the Internet, and it has totally wiped out this fantastic human invention from a golden era.

That is why I jumped for joy when I saw this app. Radio amateurs have obviously moved on from basic analog-only rigs to digital receivers that are able to stream their signals to the internet. So now the net is full of these amateurs streaming their receptions. You don’t have to have an expensive rig anymore to listen in to Police communication. I just love this app. I am listening to 10-24 right now in New York Binghamton/Tioga. This is awesome.

The app not only streams scanners; you can also listen to regular radio stations all around the world. Get the app while you can, it’s free of charge. Here is an excerpt from the Store:

Description
5-0 Radio is a free, all-in-one digital radio and police scanner service that lets you listen to police, firefighter, ambulance, airport, railroad, music, comedy, talk, news, and sports radio stations.
Listen to your stations in the background while you use other apps
Share stations with your friends and family who can listen to them on their own devices
Search stations by music artists, location, name, genre, and songs playing
Save your favorite stations onto presets

Features
Listen to your favorite radio stations including NYC’s Z100, Howard Stern, ESPN, Opie and Anthony, Alex Jones Infowars, idobi radio, 181.FM, and many more.
Tap into the largest collection of real-time police scanners streaming live from all around the world.
Chat with other listeners to talk about what you’re listening to
Get details about the song that you are listening to, such as lyrics
Decode local police codes while using the police scanner

Download now via the Source link below.

Source: Windows Store

TechCrunch, Scroogled: Why Not?

It’s a slow day today, so TechCrunch asked “Scroogled: Why So Negative, Microsoft?” in a post trying to bash MS for its rather un-Microsoft-like way of competing against Google. I mean, everybody is used to everyone bashing Microsoft while they happily turn the other cheek. So where is this new aggressive Microsoft coming from?

The question that TechCrunch should have asked is “Scroogled: Why Not?”. There was a time journalism was established as the public’s Third Arm of Democracy, in which journalists were the Sentinels of Truth in society, there to tell the story the way it is after an investigative effort. They are supposed to keep the government and business realms healthy by exposing practices by these entities that we’ve all commonly agreed are against social norms. The World Financial Collapse is an attestation to the failure of journalists in their role.

Today, journalism is a joke; the line between a journalist and a fanboy has merged. Journalists are now opinion shapers rather than harbingers of truth. Where was TechCrunch when Apple was raiding anything Microsoft with the Switcher Ads? Every soul worth its salt in IT and computing knows all the claims of Apple in the ads were just one big crock. The claim of Apple that its devices don’t get viruses, prompting a massive run for Macs, has been proven to be an illusion. Where were all the tech journalists then that should have called Apple to its senses and exposed the fraud in the ads? No, they were all cheering Apple on and empowering the Distortion Field further. Now Apple has removed the virus-efficacy claim from its sites. MacOS is just as susceptible an OS as any other.

And this brings me back to the question in focus. “Scroogled. Why Not?” The question is whether MS’s assertion is true or not. If the journalists are failing to warn the masses about the dangers of using Google’s products, who is going to do it? Yes, there is inherent danger in using Google’s products. Your mum told you when you were small, nothing comes free in life; something has to give. You don’t think Google, as a commercial company, is working for Santa Claus, do you? Where do you think they are making those billions they recently declared as profit? Have you ever seen a non-profit organization declare billions in profit?

Yes, you are all paying for it by using Google’s products. Those Android phones, Chrome browsers and Chrome OS all phone home when you use them. They are telling Google everything you’re doing. That is how they get to know you better than your mother does, to sell you things you don’t need. If you pitch your tent with an ad company, you need to be aware of the consequences. That is what tech journalists are failing to do. They are failing to educate the masses about the dangers of exposure. Privacy advocacy is not there for nothing; there are people who have been bitten by having their lives exposed online to all and sundry. You may think you are safe for now, but the incessant attacks we are witnessing against big American companies these past weeks attest to the fact that security is an illusion. You can say you don’t mind Google knowing everything about you, but what happens when Google is hacked and brought to its knees by enemies? What is going to happen to you? These are the questions that tech journalists should have been asking, but almost all of them are fanboys in this day and age. So many of them have vested financial interests in these companies that they’ve lost their objectivity.

So, is it right for Google to be reading your mail, scouring your HDD and looking at everything you type on your computer? If a virus does this, we are all up in arms, but it is OK for Google to be doing it. Just think about that for a while. The masses need to be aware of these issues, and they need to be educated to be able to make informed choices. But how can the masses be educated when the journalists are busy making money and cheering and hating at the same time? There was a time journalism was devoid of emotion so as to maintain factual integrity, but these days we all read our news from fallible and raging fanboys. Obviously you’re reading one right now, but I don’t pretend to be a journalist. I just ask you to stop drinking that Kool-Aid for a while and think, for Pete’s sake!

MS SurfaceRT Security Broken–Now you can run ANY Desktop App


We knew it was a matter of time, in fact I am surprised it took this long, but it has finally happened. Someone has found a way to circumvent the built-in security of Surface that prevents arbitrary Desktop apps from running on SurfaceRT devices. It’s all about a byte in the kernel, and a hacker going by the handle of Clrokr (@Clrokr) has found it, as below:

SeGetImageRequiredSigningLevel+0x18
LDR  R3, =0x59FFA6      ; This is our byte, 0x19FFA6 at 0x400000 image base
LDRB R3, [R3]
CMP  R3, #4
BHI  loc_HighSigReq
B.W  loc_LowSigReq

Here is what he said about it:

Finding the right spot

The minimum signing level determines how good an executable’s signature is on a scale like this: Unsigned(0), Authenticode(4), Microsoft(8), Windows(12). The default value on x86 machines is of course 0 because you can run anything you like on your computer. On ARM machines, it defaults to 8.
That means that even if you sign your apps using your Authenticode certificate, the Surface or any other Windows RT device (at this moment) will not run them. This is not a user setting, but a hardcoded global value in the kernel itself. It cannot be changed permanently on devices with UEFI’s Secure Boot enabled. It can, however, be changed in memory.
Finding this byte in the kernel takes a while, there is no exported symbol for it and not even in the symbol database at MSFT. I found it using WinDbg and a machine running Windows 8 Pro, creating processes and watching how the system behaves when the signature checks happen all the way through CI.dll and back. Because Windows 8 and Windows RT are so similar, locating it in the ARM kernel was not hard…

He provided the sample exploitation code on his blog. But what does it all mean to you as a user? First, this is not for the faint-hearted; you must know what you are doing. Second, someone will probably write code to automate the jailbreaking. But the question is, would you run this code on your ARM device?

I personally would like to see how SurfaceRT performs after a jailbreak. Remember the version of Office on SurfaceRT is specially crafted and optimized for the RISC architecture and its low-power environment. So, will you be able to run the likes of AutoCAD/Photoshop now on Surface? I doubt it; you will possibly be frustrated with the performance. We will be keeping an eye on developments for you and report back if anything new comes up around this story.

It’s a brave world out there; once again, it has been proven that nothing is secure by default. If it is written by man, it will be broken by man, period. Now that you can jailbreak SurfaceRT, what are you going to do about it? The decision is yours and yours alone.

You can read the rest at Clrokr’s site: http://surfsec.wordpress.com/2013/01/06/circumventing-windows-rts-code-integrity-mechanism/

[Update]
I have been made aware of the fact that you can’t run “ANY” desktop app on ARM devices like the hacker’s post suggested; even after this jailbreak, you still have to compile your standard Desktop app for ARM before it will run on a jailbroken desktop. So, with this news, we can expect Google and the like to start compiling Chrome and other apps for the Windows RT desktop. And of course all the security risks and exploits will follow. Hopefully people will not be blaming Microsoft for their misfortune then.


Snapchat: Does it Really Disappear?


If you’ve ever used Snapchat before, you most likely know that all media sent and received disappears after the allotted time set by the sender, right? Well, Buzzfeed has found out a hack that allows those receiving to view the videos forever. So how’s this happening?

Microsoft is Moving Family Safety Service over to Outlook.com


Dear Family Safety customer,

We’re making a change to Family Safety, and are contacting you because you’re monitoring or managing one or more children’s Microsoft accounts (formerly known as Windows Live IDs).

There are many different email programs your children can use to communicate with others. But until now, Family Safety has only been able to help parents monitor their children’s email contacts through Microsoft-owned programs like Outlook.com using Family Safety Contact Management.

Starting on 3/18/2013, we’re switching your children’s monitored accounts to Outlook.com’s “exclusive” mode. These settings work for all email programs, so now you can help keep your children safer across any email platform they use, not just those created by Microsoft. The change affects three things:

  • The contacts you currently manage for your child will be added to the Safe Senders and Domains list. Emails from people on the list will go directly to your child’s inbox.
  • Emails from people not on the list will go directly to your child’s junk mail folder. (They can still view these messages there, though, so it’s important to be cautious.)
  • Your child will be able to add their own new contacts.

These accounts will be affected by the change:

  • Kid Account1
  • Kid Account2

Note that these new settings don’t affect your child’s communication in Messenger. However, if you want to block online communication, we recommend setting the Family Safety web filter to “General interest”.

You can also visit Microsoft’s Safety and Security Center page for tips on helping your children use the web more safely.

Thanks for your understanding and patience as we update our services.

Sincerely,
The Family Safety team


NRA’s silence on the WWW

Before beginning this post I’d like to personally express my condolences to those involved [in any way] with the tragedy that struck the town of Newtown, Connecticut. One of the highly discussed topics during these difficult times is the statements of different organizations against “unnecessary” gun limitations and of the ones that believe they are necessary. As of late, the NRA [National Rifle Association] has gone into hibernation on the WWW. This story has made headlines on both CNN & USA so far and continues to become a more talked-about subject.

MX Apps Security and Devs’ Income Jeopardy


Since today is turning out to be a plea day to Microsoft, I might as well add the following points that devs have raised to me, points I could really understand looking at them from a dev’s perspective.

MX Apps (Metro Apps if you live in the past) have great promise for Microsoft and end users alike. They are highly portable, highly manageable and secured, if we can believe Microsoft on their promise for the WinRT environment of Windows 8. Apps can be built with next to no experience; even script kiddies are now top-notch coders on Windows 8. It’s all fine and dandy till bread and butter comes into question. If you are a hobby developer, you wouldn’t mind what MS does with your code the moment you submit it to the Store; all you care about is to see your app published, hopefully featured, in the Windows Store.

But when your app is your bread, and preferably your butter too, you do seriously mind what MS does with your code in the Store and on users’ devices. MX Apps are scripted apps, managed apps; you code either in JavaScript or in .NET, both of which are translated at runtime. This means there’s a file of yours somewhere with readable code for everyone who has the will and the intent. Here you are slaving away at a particularly difficult routine in your app. You need to implement that killer feature that will differentiate your app as a professional dev; ergo, this is the source of your income! It took you two days to do the plumbing and debugging of this difficult routine; now it is part of the code for your app, submitted to the Store, and globally readable.

Of course you’ll feel cheated. Anyone who finds your app awesome and wants to know how you carried out that impossible feat can now dive into your code and read how you did it; gone is your professional advantage. This will be an awesome scene in about 50 years, when we don’t work for money anymore and the era of Star Trek has broken upon us, where everyone works just for the pleasure of it. There is no hunger anymore; need has been banished by the Federation. This will probably remain in the realm of my dreams, and many of yours.

But for now, you need to pay your bills, and how could you if people could easily pilfer your code and earn money with it while you go hungry? So this brings me to my point. Microsoft, we know you protect MX Apps with encryption from hackers and the like, and that you can’t just copy and run apps on other machines, but what’s with the human-readable code? Why aren’t you protecting devs’ labour? Why not encrypt devs’ code and files before publication so that only the system can decrypt them at runtime? Why do my files have to be readable to all? If you think I am joking, read this from a concerned dev:

Hi McAkins,

I just want to explain, the security problem in Windows 8 store app, that can lead to another security problem:

First of all, when we install a windows 8 store app, it will reside in the %ProgramFiles%\WindowsApps folder. Although the folder is hidden by default, through ‘folder options’ we can show the folder, and we access it after we take ‘ownership’ of the folder (we don’t need a special tool to take ownership of the folder, only through windows explorer we can take ownership). After that, the problem begins;

1. For all the applications that we installed, a user can take all the assets we use in our app (images, sound, video, and other assets), because we can access all the windows 8 store app application folders. For a JS app we can see the code clearly if we did not minify that code first before publishing to the store (like the skype app; I attach the source code I took from my laptop).

2. Let’s say we develop a windows 8 store app using JS, and use Windows Azure mobile service to push notifications to the user, or even worse if we have storage or other cloud services: the ‘client secret’ to access our Windows Azure service can be seen by people or malware, and then they can abuse our cloud service / windows azure services.

3. Another problem: if we develop using C#, it can also be decompiled using .NET Reflector or other related apps (but this is the nature of .net apps, either Desktop apps or Windows 8 Store apps).

Thanks

<Concerned Dev>

He also attached the Skype source code he was talking about.

How about that?! Even MS’s own software is not protected! But then they can afford to lose a dollar or two to a script kiddie.

So there you have it: if you write in JS, you’re screwed as a professional dev. You are basically plumbing for other people. Period. This is not acceptable and should be mitigated, Microsoft. The only way to guarantee app privacy right now is to hide your code in C++ DLLs with JS as the frontend, or, to a lesser degree, to code in .NET; at least it takes a bit of effort to get to the decompiled code. So here we are, MS, with another plea. Please either obfuscate published code or encrypt all JS and .NET files. That’s the only way devs can resign from their day jobs and take up coding full time, guaranteed a source of income in the future. Do it now! Yes you can!
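An added example, not McAkins’ or the dev’s code: a pre-publish check that walks an unpacked app folder and flags credential-looking string literals in JS files, the kind of ‘client secret’ the dev describes as readable from the package. The file names, the keys (random-looking filler), the name patterns and the entropy threshold are all constructed or assumed; the real fix is to keep such secrets server-side, but this at least catches them before the package ships.

```python
import math
import re
import tempfile
from pathlib import Path

# Assignment of a string literal to a name that smells like a credential.
NAMED_SECRET = re.compile(
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*(?:secret|key|token|password)[A-Za-z0-9_]*)"
    r"\s*[:=]\s*['\"](?P<value>[^'\"]{12,})['\"]",
    re.IGNORECASE,
)
# Any long string literal; judged by entropy below.
STRING_LITERAL = re.compile(r"['\"]([^'\"]{20,})['\"]")
ENTROPY_THRESHOLD = 4.2  # bits per character; random 32-char keys score near 5.0


def shannon_entropy(text):
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(relpath, text):
    """Return findings for one JS file: name-based hits first, then high-entropy literals."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        covered = set()
        for m in NAMED_SECRET.finditer(line):
            covered.add(m.group("value"))
            findings.append({"file": relpath, "line": lineno, "kind": "named",
                             "name": m.group("name"), "preview": m.group("value")[:4] + "..."})
        for m in STRING_LITERAL.finditer(line):
            value = m.group(1)
            if value in covered or shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append({"file": relpath, "line": lineno, "kind": "entropy",
                             "name": None, "preview": value[:4] + "..."})
    return findings


def scan_package(root):
    """Walk an unpacked app directory and scan every .js file."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.js")):
        findings.extend(scan_source(path.relative_to(root).as_posix(),
                                    path.read_text(encoding="utf-8")))
    return findings


# Constructed package contents; the keys are random-looking filler, not real credentials.
CONSTRUCTED_FILES = {
    "js/default.js": (
        "// app bootstrap, nothing sensitive here\n"
        "var appTitle = \"Sample Scanner Demo App\";\n"
        "var endpoint = \"https://example.invalid/items\";\n"
    ),
    "js/services.js": (
        "// cloud credentials shipped inside the package: exactly the problem above\n"
        "var serviceUrl = \"https://example-app.invalid/\";\n"
        "var applicationKey = \"Zq7mX2vLp9KtR4wYn8Bc3Hd6JsQf1Ae5\";\n"
        "var config = { clientSecret: 'Hs4Vn1Kp8Qw2Zx6Cb9Tf3Ly7Rj5Md0Ge', debug: false };\n"
        "client.authenticate(\"Tn3Wq8Zx1Kf5Rb7Hy2Lc4Pd9Vs6Mg0Je\");\n"
    ),
}


def demo():
    """Write the constructed package to a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for relpath, text in CONSTRUCTED_FILES.items():
            target = Path(tmp) / relpath
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text, encoding="utf-8")
        return scan_package(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f["file"], f["line"], f["kind"], f["name"], f["preview"])
```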

Thanks all for your attention.

– McAkins