Reconsider Deploying iPhones and iPads with Exchange Server for Now

Written by Paul Mah on February 18, 2011 – 4:44 pm -

I came across a recent research paper titled “Practical Consideration of iOS Device Encryption Security” written by two researchers from the Fraunhofer Institute for Secure Information Technology in Germany. In the report dated February 9, 2011, researchers Jens Heider and Matthias Boll documented how they were able to break into an ordinary, passcode-locked iOS device and extract a number of the passwords stored on it – in six minutes flat. The swiftness of this attack means an attacker could finish the job and return an iPhone or iPad before the victim is even aware it was missing.

While security vulnerabilities in smartphones or tablets don’t usually fall within the jurisdiction of the humble email administrator, the problem here is that among the information the researchers were able to recover in this manner is the password used for Exchange ActiveSync. As covered in past blogs, Exchange ActiveSync gives mobile and portable devices access to practically all of the email, contact and calendar information on a Microsoft Exchange server, and it is not a capability that should simply be blocked.

The table below lists which stored credentials on an iOS device are exposed. It is taken from page 7 of the report (pdf); the red highlight was added by me.

[Table from page 7 of the report: keychain items recoverable from a jailbroken device, with the Exchange ActiveSync entries highlighted]

The Problem

The heart of the issue is that iOS does not bind every password saved in the system “keychain” to the user’s passcode. For many keychain items the decryption key is derived from a key held inside the device itself rather than from the passcode, so the operating system can decrypt them without the passcode ever being entered. An attacker who gains code execution on the device through a standard jailbreak can therefore simply ask for those items through the normal keychain API (Application Programming Interface), and the system hands them over in the clear.

As you can see in the above table, the recoverable data includes LDAP account passwords, VPN passwords, Wi-Fi passphrases and the passwords of Microsoft Exchange (Exchange ActiveSync) accounts. From the same table, it is interesting to note that the passwords of generic IMAP or SMTP accounts are not exposed by this attack even after a jailbreak: the difference is only in how the item is stored, not in the sensitivity of the credential.

The risk from a stolen Exchange password is significant because Exchange gives email administrators no easy way to tell an attacker’s client apart from the user’s own devices. A stolen password could be used to quietly download a copy of every email in the mailbox, or to lend credibility to social engineering attempts against other employees. Worse, the ActiveSync credential is normally the user’s Active Directory password, so the same pilfered password can be used to authenticate to other servers and resources in the domain, turning a lost phone into a serious breach.

The problem is exacerbated because Exchange ActiveSync device management features such as remote wipe are of little help here: a wipe command is only delivered the next time the device syncs, and a thief who removes the SIM card or puts the device into airplane mode at the earliest opportunity can run the six-minute extraction entirely offline.

Mitigation Strategies

The simplest solution here would be not to use iOS devices (iPhone and iPad) to access company resources for now.  Some email administrators might find themselves overruled, however, given the strong feelings of end-users or even CEOs in this regard.  Fortunately, there are a couple of simple measures that companies that have already fielded iOS devices can enact as a mitigation strategy.

1.      Device encryption should be enabled, together with a passcode and auto-lock

2.      Lost or stolen iOS devices must be reported as soon as possible

While device encryption does not stop the attack outlined above, it should at least deflect less resourceful attackers, and once Apple fixes this problem it will protect the keychain going forward. A passcode is obviously necessary in any case; you can find detailed instructions on how to activate it at the official support page here.

Lost iOS devices should be reported within a stipulated amount of time, and the report should trigger an enforced reset of the user’s domain password, with the new credential confirmed to the user out of band rather than sent to the missing device – this narrows the window of exposure from days to hours.
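The two measures above map directly onto Exchange ActiveSync mailbox policy settings, and the lost-device procedure onto a handful of cmdlets. The following is an added example for the Exchange 2010 Management Shell (it is not from the original post or from the Fraunhofer report); the policy name, the mailbox alias `jdoe` and the device types matched in the last step are placeholders, and the device access rules assume Exchange 2010 SP1 or later.

```powershell
# Added example (not part of the original post): enforcing the mitigations
# above from the Exchange 2010 Management Shell. Policy name and the mailbox
# alias "jdoe" are placeholders.

# 1. Require a passcode, auto-lock and device encryption on every synced device.
#    AllowNonProvisionableDevices $false refuses clients that cannot apply the policy.
New-ActiveSyncMailboxPolicy -Name "Mobile-Baseline" `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# Apply it to one mailbox here; in practice loop over Get-CASMailbox -ResultSize Unlimited.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "Mobile-Baseline"

# 2. Know which devices are syncing which mailbox. This is the closest thing
#    Exchange offers to per-device access tracking: a new, unknown DeviceID
#    appearing against a mailbox is the signal to act on.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceType, DeviceOS, DeviceID, DeviceFriendlyName, LastSuccessSync

# When a device is reported lost: queue a wipe for the user's iOS devices
# (it is only delivered if the device syncs again, so do not rely on it)...
Get-ActiveSyncDevice -Mailbox "jdoe" |
    Where-Object { $_.DeviceType -like "iP*" } |
    ForEach-Object { Clear-ActiveSyncDevice -Identity $_.Identity -Confirm:$false }

# ...and immediately reset the domain password the attacker may already hold,
# forcing a change at next logon so the helpdesk-issued value is short-lived.
Import-Module ActiveDirectory
Set-ADAccountPassword -Identity "jdoe" -Reset `
    -NewPassword (Read-Host -AsSecureString "Temporary password for jdoe")
Set-ADUser -Identity "jdoe" -ChangePasswordAtLogon $true

# Optional, for shops that decide to keep iOS off Exchange for now
# (Exchange 2010 SP1 device access rules): block by device type, not per user.
New-ActiveSyncDeviceAccessRule -QueryString "iPhone" -Characteristic DeviceType -AccessLevel Block
New-ActiveSyncDeviceAccessRule -QueryString "iPad"   -Characteristic DeviceType -AccessLevel Block
```

The order in the lost-device step matters: the password reset is the control that actually closes the exposure, because it invalidates the credential the attacker extracted regardless of whether the wipe is ever delivered.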

In conclusion

This particular research focuses on exploiting iOS devices, though the truth is that similar risks exist for most other endpoint clients. For example, a lost laptop not protected by a good password and disk encryption can just as easily result in the unwitting exposure of passwords. However, because smartphones and tablets tend to get quietly replaced when they are lost or stolen, extra vigilance and care are needed to safeguard individual accounts from attackers.

Subscribe to my RSS feed

More than a third of network devices running known vulnerabilities

Written by John P Mello Jr on April 29, 2010 – 4:49 pm -

More than a third of all network devices attached to business networks are carrying at least one known security vulnerability, according to an annual report released by a global IT infrastructure company.

In its Network Barometer Report 2010, Dimension Data, headquartered in Johannesburg, South Africa, revealed that an analysis of data gathered from 235 organizations around the world showed that 38 percent of networking devices had vulnerabilities that had been publicly disclosed but remained unaddressed by the businesses running them.

The data was obtained electronically through technology lifecycle management assessments performed by Dimension Data. The assessment technology discovers installed assets on a network, identifies their lifecycle status and determines their maintenance coverage.

The 38 percent figure is significantly lower than the 73 percent found in last year’s report, but because the methodology of the 2010 report differs from that of 2009, the two results aren’t directly comparable.



Details sketchy on Firefox 3.6 security issue

Written by Dan Blacharski on March 3, 2010 – 5:07 pm -

A security advisory issued this week highlighted a serious code execution vulnerability in Mozilla Firefox 3.6. The vulnerability, according to the advisory, is caused by an “unspecified error” and can be exploited to execute arbitrary code. The issue was originally highlighted by Russian security firm Intevydis.

There has been very little reported on the vulnerability to date, with some even suggesting that it is a “hoax.” Don’t believe the hoax suggestion, no matter how big a fan of Firefox you may be—in the security business, reports like this need to be taken seriously until they are disproved, and dismissing them is inherently dangerous. That said, there is very little data on how widely the exploit has circulated, although some sources report an increase in the number of Firefox 3.6 crashes on February 12 and 13.

On the Mozilla blog, Mozilla does not confirm the vulnerability at this point for lack of details on how to reproduce it, but does make a point of saying, “Mozilla takes all reports of security vulnerabilities seriously,” as well they, or any other software organization, should.

The advisory brings up an important issue: even when running the latest version of a piece of software with the most recent patches, you are not bulletproof. Applying patches as they become available, preferably on an automated basis, is always good practice and goes a long way towards reducing the incidence of preventable attacks. However, patch management alone isn’t going to keep your systems safe. In one forum where the vulnerability is being discussed, it is noted that the “Insecure” tab—which is a cool feature, by the way—only lists programs for which a patch already exists. Since Mozilla has not yet released a patch for this Firefox issue, the browser is not shown there as insecure, even though it is.

As such, it’s a classic zero-day: a vulnerability that can be exploited in the window between its becoming known and the release of a patch for it. At this point, users of Firefox should proceed with caution and, as always with any browser, take the standard precautions: avoid opening unknown or suspicious URLs, use pop-up blockers, and monitor outbound traffic from your machines for anything unexpected.
