Archive for the ‘Software News’ Category

One of the good things about long airport layovers are the chances you finally get to catch up on your reading. Which is what it finally took to crack open my last issue of Wired magazine. I must say I was quite amused to find an article outlining the love/hate relationship between AT&T and Apple. Since I have never been an Apple fan I usually just tune out most news related to them which may explain why many of the details in the article was new to me. The tale ends up being a good example of a “FAILationship” and the fact that it starred two of my favorite US corporations just made it that much more comical. Read the article Here

Meanwhile, no matter how frustrated AT&T got with Jobs, it had little choice but to stand by him. It would have been devastating to lose the iPhone after investing billions of dollars and endless reputational capital. And so the relationship carried on, dysfunctional and loveless though it was. Divorce, at least for the time being, was not an option.

iphone blowup

Advertisements

Freshly back from a new round of security based conferences I will take a moment to point out one of the more interesting topics for me this time around.
The discussion on Cell Phone Spying (not that I made it inside the actual talk with the ungodly line). More specifically how by using a frequency flooding technique on 2G networks its possible to do a MiTM type of ease drop on conversations & data. You can read more about it Here

As mentioned in the article a workaround for this issue would be to disable 2G mode on GSM phones.

Here is the quick and dirty way to do this in Android (tested on rooted phone)
DISCLAIMER: Forcing 3G mode will use more battery life
Also if your not on GSM don’t try this @ home…duh

Open Dialer and Enter: *#*#4636*#*#
After inputing the number you will be prompted with a “Testing” menu
Choose “Phone Information”
Scroll all the way down “Set preferred network type” and change this setting to WCDMA_only
That’s it!

Droid 3G Only Mode

I take no credit for the fix above as it was posted on the android dev forums.
Also this protects you from this exploit and any targeting 2G only, but many other GSM insecurities still exist. Another related topic also discussed was using a TOR client to obfuscate your traffic and make yourself much more anonymous. I will cover this topic a bit more in some upcoming Android based posts.

RSA researcher Ari Juels sat down with SearchSecurity.com to discuss various topics. One of which was the constrained capabilities of RFID (like wireless bar codes), and how it affects the security posture needed to secure these devices.

But, in fact, it’s possible to shoehorn in capabilities for which these tags were not explicitly designed. For example, in RSA Labs, we proposed techniques to commandeer access control features on the tags — those are an optional security mechanism — and even the privacy feature on the tags, what’s called the “kill” function, a self-destruct feature that’s meant to protect consumer privacy. We’ve shown ways the tags can be commandeered for authentication.

Read More Here …

Since it is Earth Day it is a good day to review a new website which helps show how green your neighborhood is (or is not). This new website UrbanEcoMap.com will have the ability to show the carbon levels in a given zip code. Currently the city of San Francisco is the only city supporting this project, but hopefully more cities will follow suit after this project goes live in 29 days.

Read More Here …
Or find out about more IT & Carbon Reduction projects Here …

Suffering the same fate as many other technology projects during our economic slowdown it appears the CommerceGuard project has had it operations suspended by GE. The CommerceGuard project was responsible for development of the CommerceGuard Container Security Device System (CSD) whose purpose was to track and secure shipment containers. The system was developed to meet the needs set forth by the Department of Homeland Security(DHS) which called for

a sophisticated security system within the electronics industry that can detect unauthorized breaches on all six sides of a standard cargo container or an intrusion through the door while also monitor and relay conditions inside the container such as humidity temperature and oxygen levels.

Put simply.
A more effective and secure way to track and audit who is accessing cargo containers shipped before it hits our shorelines.

Still early February of this year began to signal the beginning of the end for the project when it appeared that GE was not interested in further testing the technology. This was done just prior to a critical round of testing by DHS. Perhaps the reason for the hesitation in further testing was because the solution uses RFID technology. A technology proven long ago to be susceptible to hijacking & hacking attempts. The company sited a variety of reasons from developmental costs, speed of updated data, to maintenance costs.

A bit more on the CSD technology concept.
It uses 2 devices to monitor when ever a cargo container is opened or closed. The internal wall sensor & the door sensor work in unison to monitor and make a note of the date, time, and location of containers as they are accessed. It will also audit the amount of times this information has been queried and by whom. This process is kicked off by the shipper as they seal and virtually “Lock” their container using a hand held mobile device. This information can be referenced by receiving ports and either inspected or cleared based partly on this type of access audit. It can also be exported to various standardized data formats.

EDIT: This post was edited to correct inaccuracies on some of the details provided. Apologies for the Error..

Really this needs no introduction more than this video can provide!

One of the first products of the Android Bounty program hosted by Androidandme this not only blows the iPhone’s torrent (download to local storage) program out of the water but just shows the power of open source!
And to think the bounty the developer earned for this was about $90.. So when you see the 2.99 price tag for the app on the market keep this in mind

Read more Here!

It was in 2006 that the language known as RUBY was fully accepted as a standard language. The self described “open source programming language with a focus on simplicity and productivity” is one of the more powerful languages in use today. The folks over at Matasano Security (not affiliated with “matz” Y.Matsumoto the creator of RUBY) have announced the release of ‘rbkb’ or The Ruby Black Bag.

‘rbkb’ is an ever growing collection of reversing and pen-testing related ruby libraries and tools I’ve been using and evolving for a long time now.

Head on over to their site to read more.

While the concept is pretty clear the development team is having some issue with resources ($$). You can read more about the concept first shown in the Android Dev Challenge at Androidandme.com. You can also show your support for the dev team by voting for them to help get some funding here.

I am pretty excited to see this project mature and release a workable version. In my opinion this would pretty much be cake for Android security which is already is ahead of the pack in this field.

As posted in the “Waiting for the Worms” article below the conflicker worm was MIA on April 1st along with all the Gloom N Doom forecasted by the IT security industry. There is an interesting article posted by SearchSecurity.com that talks about not only possible reasons for the fizzle of the worm but also the impact these “Crying Wolf” scenario’s can have on the security industry. Will we get to a point where these warning will be ignored? Is that maybe the intention of some of these skilled attackers? How about end users who could of patched this 6 months back but still may have not until something as hyped as this? .. Many good questions still to be answered.

Read More Here

As anyone who have heard any news media source lately may already know. Today is April Fool’s Day, and also “worm” day. For those that are unfamiliar the worms first started back in 1988 and was released by accident (so the story goes) by a researcher named Robert Morris. Today this has evolved quite a bit but the overall concept is still the same, create some malicious code that can move freely to any exploitable system it can talk to. While the build up for the today’s worm may have been part hype and part prior preparation, it is still a real reminder of how vulnerable our technology is still. For today’s threat make sure you are patched and safe.