iPhoneTracker

April 26, 2011

I assume that you’ve heard at least some of the wailing and gnashing of teeth about iDevices caching location information, which turns an iPhone, or the computer it syncs to, into a record of the owner’s physical movements.

Well, if you would like to see how thorough that record is, check out iPhoneTracker. This is a simple application for OS X that searches the hard drive of your computer, finds the cached location data from any iDevice that has synced to it, and plots a map of where you’ve been with that device. Ta-da! If you’re using a Windows machine, check out the Linux port iPhoneMap under Cygwin instead.


Definition Monday: Steganography

April 25, 2011

Welcome to Definition Monday, where we define and explain a common technology or security concept for the benefit of our less experienced readers. This week: Steganography.

Steganography, a term derived from the Greek for “covered writing”, refers to techniques for hiding a covert message inside an unsuspected object or communication. Historical examples abound – from the ancient Greeks tattooing messages on the scalps of trusted slaves to Boy Scouts using lemon juice as invisible ink. Today the term more often refers to “digital steganography”, the use of computers to embed a message in an innocuous file.

(A couple of vocabulary terms before we continue. “Stego” is a common abbreviation for steganography, both for the sake of brevity and because most spell checkers choke on the full word. The data that is being secretly conveyed is often called the “message” or the “payload”. The file that the message is hidden in is often called the “carrier”.)

It is important to note the difference between encryption and steganography. When two parties communicate over an encrypted channel, an eavesdropper still gets the metadata: if you sent me an encrypted email, there would still be definitive proof that your account sent some message to mine, even though the contents were unreadable. The purpose of stego, on the other hand, is to hide the fact that any message is being passed at all. If you upload an image with a hidden message embedded in it to your web gallery and I later download it, an observer has little reason to connect those two events. The two techniques are complementary rather than competing: stego gives no confidentiality once someone suspects a carrier and extracts the payload, which is why stego tools typically encrypt the payload before embedding it.

There are hundreds of different steganography applications available for all major operating systems – for the sake of example, I will look at OpenPuff. OpenPuff is a currently maintained Windows application designed to hide messages in a variety of different carrier types:

  • Images (BMP, JPG, PCX, PNG, TGA)
  • Audio (AIFF, MP3, NEXT/SUN, WAV)
  • Video (3GP, MP4, MPG, VOB)
  • Flash/Adobe (FLV, SWF, PDF)

What this means is that someone can hide up to a quarter-gigabyte of data inside what appears to be a bitmap or video file, upload it to a common media sharing site like Facebook or Flickr, and have an accomplice download the file and extract the data. And unless your corporate defenses are set up to flag someone uploading media to a social networking site – a filter that would no doubt be overwhelmed by false positives in most environments – you would be none the wiser. OpenPuff is also available as a Portable App these days, so it doesn’t even require install rights on the client machine.
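As an added illustration (this is not code from the original post, and it is not OpenPuff’s own method, which also encrypts the payload), here is the simplest digital stego technique, least-significant-bit embedding, in Python. The carrier is a constructed 64x64 grayscale pixel buffer standing in for a decoded image, the payload text is made up, and all function names are mine. The code hides the payload one bit per pixel behind a 4-byte length header, recovers it, and shows that no pixel value moved by more than 1, which is why the change is invisible to the eye.

```python
import struct

WIDTH, HEIGHT = 64, 64


def make_carrier():
    """Constructed stand-in for the raw pixel bytes of a 64x64 8-bit grayscale
    image (a diagonal gradient). A real tool would decode a PNG/BMP to get
    these bytes; flipping bits inside a compressed file would corrupt it."""
    return bytes(((x + y) // 2) & 0xFF for y in range(HEIGHT) for x in range(WIDTH))


def capacity(carrier):
    """Payload bytes that fit: one bit per carrier byte, minus the 4-byte header."""
    return len(carrier) // 8 - 4


def embed_lsb(carrier, payload):
    """Return a copy of carrier whose least-significant bits spell out
    a big-endian 4-byte length followed by the payload, MSB first."""
    if len(payload) > capacity(carrier):
        raise ValueError(
            f"payload of {len(payload)} bytes exceeds capacity of {capacity(carrier)}"
        )
    message = struct.pack(">I", len(payload)) + payload
    out = bytearray(carrier)
    i = 0
    for byte in message:
        for shift in range(7, -1, -1):
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)  # overwrite only bit 0
            i += 1
    return bytes(out)


def _read_bits(carrier, start, count):
    """Assemble an integer from the LSBs of carrier[start:start+count]."""
    value = 0
    for i in range(start, start + count):
        value = (value << 1) | (carrier[i] & 1)
    return value


def extract_lsb(carrier):
    """Recover the payload; raises ValueError if the length header is implausible,
    which is what you see when you run this over a carrier with nothing in it."""
    length = _read_bits(carrier, 0, 32)
    if 32 + length * 8 > len(carrier):
        raise ValueError("length header does not fit the carrier; probably no payload")
    return bytes(_read_bits(carrier, 32 + 8 * k, 8) for k in range(length))


def max_pixel_change(original, stego):
    """Largest per-pixel difference introduced by embedding (LSB gives at most 1)."""
    return max(abs(a - b) for a, b in zip(original, stego))


if __name__ == "__main__":
    carrier = make_carrier()
    payload = b"meet at the usual place, 0400"  # constructed sample message
    stego = embed_lsb(carrier, payload)
    print(extract_lsb(stego))
    print("max pixel change:", max_pixel_change(carrier, stego))
```

Two practical notes. First, the carrier must be raw pixel data; real tools decode the image before embedding, and JPEG stego works on the DCT coefficients rather than pixels because the pixel values do not survive recompression. Second, a length header followed by plaintext is exactly what a statistical LSB detector or a curious analyst looks for; encrypting the payload first, as the mainstream tools do, makes the embedded bits indistinguishable from noise.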

Surprisingly, there have been very few cases of steganographic carriers spotted in the wild; lots of speculation about it as a threat, but very little proof. Then again, the point of the technology is to evade notice. Maybe it’s just really good at it.


ASUS Transformer

April 25, 2011

While this isn’t technically a security-related topic, I wanted to pass along a link to this review of the new Android-powered ASUS EEE Transformer tablet. It runs Honeycomb (Android 3.0), much like the Motorola Xoom, but with an optional keyboard dock that turns it into a traditional laptop form factor.

It might be a good time to make sure that your NAC systems and other network infrastructure are capable of handling Android devices – I’m sure this is only the first of many laptop/desktop systems running the OS. It’s not just for phones any more.


Android DHCP Issue

April 20, 2011

Having trouble with misbehaving DHCP clients on Android devices? You are not alone. Check out this entry over at the Google bug tracker.

One of the possible culprits is a DHCP lease timer tied to a system clock that stops advancing while the device sleeps and simply jumps forward when it wakes; the renewal is scheduled against that clock, so the renewal request is never generated in time and the lease quietly expires on the server side. Nice.
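A constructed simulation of that failure mode, added here and not taken from Android’s source: one DHCP client schedules its T1 renewal on a clock that does not advance during sleep, the other on a clock that tracks real elapsed time. The lease length, sleep durations and all class and function names are assumptions for illustration; the only standard behaviour used is that a client renews at T1 (half the lease, per RFC 2131) and must start over with discovery once the lease has expired.

```python
LEASE_SECONDS = 3600            # assumed lease offered by the server
T1_SECONDS = LEASE_SECONDS // 2  # RFC 2131 default renewal time: half the lease


class DhcpClient:
    """Minimal model of a client's lease timer. `wall` is real elapsed time
    (what the DHCP server sees); `awake_clock` only advances while awake."""

    def __init__(self, timer_counts_sleep):
        self.timer_counts_sleep = timer_counts_sleep
        self.wall = 0
        self.awake_clock = 0
        self.renewals = 0        # DHCPREQUESTs sent while the lease was still valid
        self.rediscoveries = 0   # times the client had to fall back to DHCPDISCOVER
        self._lease_expires = None   # always measured in wall time
        self._renew_at = None        # measured on whichever clock drives the timer

    def _timer_now(self):
        return self.wall if self.timer_counts_sleep else self.awake_clock

    def _take_lease(self):
        self._lease_expires = self.wall + LEASE_SECONDS
        self._renew_at = self._timer_now() + T1_SECONDS

    def start(self):
        self._take_lease()

    def _tick(self):
        """Called once per awake second: fire the renewal timer if it is due."""
        if self._timer_now() < self._renew_at:
            return
        if self.wall < self._lease_expires:
            self.renewals += 1       # lease still good: a plain renewal succeeds
        else:
            self.rediscoveries += 1  # lease already gone: full discovery again
        self._take_lease()

    def awake(self, seconds):
        for _ in range(seconds):
            self.wall += 1
            self.awake_clock += 1
            self._tick()

    def sleep(self, seconds):
        # Suspended: real time passes, no ticks run, awake_clock stands still.
        self.wall += seconds

    def lease_valid(self):
        return self.wall < self._lease_expires


def run_scenario(timer_counts_sleep, sleep_seconds):
    """Ten minutes of use, a sleep, then a minute of use after waking."""
    client = DhcpClient(timer_counts_sleep)
    client.start()
    client.awake(600)
    client.sleep(sleep_seconds)
    client.awake(60)
    return client


if __name__ == "__main__":
    for counts_sleep in (False, True):
        c = run_scenario(counts_sleep, 4000)
        print(f"timer counts sleep={counts_sleep}: lease valid={c.lease_valid()}, "
              f"renewals={c.renewals}, rediscoveries={c.rediscoveries}")
```

With the sleep-blind timer the client wakes after more than an hour, believes only ten minutes of its lease have elapsed, sends nothing, and keeps using an address the server may already have handed to someone else. With a timer on a clock that counts sleep, the overdue alarm fires on the first tick after wake and the client notices the lease is gone and rediscovers. The bug is invisible for naps shorter than the remaining lease, which is why it is so easy to dismiss as network flakiness.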


Trusted Identities Redux

April 20, 2011

An interesting analysis of the new “Trusted Identities in Cyberspace” initiative has been posted over at the Miller-McCune web site. It’s a refreshingly frank and clear-eyed assessment of the proposal, and a nice antidote to the manically cheery and optimistic presentation by NIST.


Glue Gun Theft

April 19, 2011

How do you steal hundreds of dollars from someone’s ATM account with nothing more than a five dollar Wal-Mart glue gun?

It’s simpler than you think.


Dropbox Decryption

April 19, 2011

Popular online storage and backup provider Dropbox has changed their terms of service – apparently they want to reserve the right to decrypt the data that you’re storing on their service if the US government asks them to do so.

Independent of how intrusive this must be for non-US users, it’s an interesting reminder of how little control you have over data that resides “in the cloud”. Don’t worry, though. I’m sure that the software and process for decrypting user data is very secure, and complex, and will never be used by an outside intruder or a disgruntled insider. Safe as houses.


WordPress Breach

April 15, 2011

The popular blog hosting service WordPress.com has been compromised – some source code and other proprietary information appears to have been copied. Apparently the intruders were not aware that most of the source code for the project is freely available under an Open Source license.


Trusted Identities

April 15, 2011

The National Strategy for Trusted Identities in Cyberspace, or NSTIC, will be publicly launched at an event at the Commerce Department this morning. The concept behind the initiative is simple: create a standardized authentication framework so that users don’t need to leave PII, or Personally Identifiable Information, in the hands of every web site where they need to handle personal matters.

There’s even an adorable little animation explaining the concept. A user can establish an account with any of a number of registrars, some of which are public and some of which are private. The registrar then issues an authentication token that can be used as proof of identity on sites that conform to the standard. Obviously, this depends heavily on maintenance of proper security at the registrar – but that’s still better than the current situation, where your doctor, your bank(s), your employer, etc. all have copies of your personal information, shielded only by a simple password.

It seems that the feds have really gone out of their way to make this vendor-neutral and decentralized; I hope it takes off. I’m sick of seeing headlines about massive data breaches harvesting tons of PII.


Coreflood

April 14, 2011

Another botnet, this one named Coreflood, has been taken down with the help of the courts. Court approval for the replacement of five US-based command and control servers enabled officials to dismantle the botnet, which was used for wire fraud and other illegal purposes.