Tom Olzak

Archive for September, 2009|Monthly archive page

Interesting Stats: B2B Threats

In Access Controls, Business Continuity, Cloud Computing, Data Security, Policies and Processes, Risk Management on September 30, 2009 at 10:00
Source of Company Security Threat

From Dark Reading's "Inside Out: Protecting your Partnerships--and Your Data"

iPhone Tip – When iTunes crashes and you wish you’d bought a Blackberry

In iPhone on September 26, 2009 at 18:34

No, this isn’t a security post.  However, the level of frustration I felt over the past two days should never happen to anyone.  So I decided to put everything you need to know about dealing with drastic iPhone issues in one place.

It all started yesterday when I excitedly connected my iPhone 3GS to my office laptop to get the long-awaited-should-have-had-it-long-ago MMS update.  A funny thing happened, however.  I received a message immediately after iTunes loaded telling me that iTunes had stopped working.  And then that Apple-revenue-generating software simply closed.  I tried again with the same results.  I rebooted and retried.  Same results.  Ignoring the adage that the sign of insanity is trying the same thing over and over expecting different results, I continued to connect and disconnect my iPhone so I could send my first photo to another phone.  No luck.

After I left the office, and my Windows XP SP2 laptop, I drove home and ran to my Windows 7 Ultimate desktop and plugged in my iPhone.  iTunes loaded long enough to display that dreaded message telling me that iTunes had stopped working.  Again, an iTunes crash and burn.  ARRGGH!

To verify that this was an iPhone issue, I plugged in my iPod Touch (yes, I am an uber geek).  It worked fine.  OK.  So now I knew that my iPhone, which I just purchased two months ago, was the problem.  On to Apple support.

There may have been something in one of the forums, but I couldn’t find it.  So I scheduled a call back for the next day at 5:45.  But I am not a patient man (I hope my boss isn’t reading this or there may be more confirmation of that fact than I can bear).

When I got up this morning, I immediately visited my old friend Google to see if anyone else was having this iTunes crash problem.  My search resulted in finding a significant number of people who were experiencing the same frustration as I.  However, there didn’t seem to be anyone who had actually fixed it.  One person wrote that removing my iPhone’s authorization for iTunes and putting it back would help.  Or that a master reset (holding the home and power buttons down, ignoring the shutdown slider, until the iPhone screen goes black) might work.  Neither worked for me.

But after about three frustrating hours—and many colorful remarks about Apple, AT&T, etc.—I found the fix.  Here it is:

  1. Load iTunes
  2. Turn off the iPhone
  3. Make sure the USB cable is unplugged from the iPhone
  4. Hold down the home button for three to five seconds
  5. KEEP HOLDING HOME BUTTON and
    1. Plug the USB cable into your iPhone
    2. Plug the USB cable into your computer
    3. After iTunes recognizes your iPhone, release the home button

This process places your iPhone in recovery mode.  iTunes informs you that a phone in recovery mode is connected.  Click the RESTORE button on the iTunes screen and sit back.  The iPhone will be set to factory defaults.  If a backup exists, iTunes will eventually prompt you to restore it.  After the restore, your phone is in the same condition it was in prior to the service recovery, assuming you had a current backup.

This fixed my problem and I had my MMS functionality.

In closing, I will admit there is a little security associated with this story.  That is, the process to place the iPhone in recovery mode is the first step in cracking iPhone security.  I guess we can’t have everything, can we Steve?

Privacy Tip — Using VIP Access at PayPal

In iPhone, Multi-Factor Authentication, One Time Passwords, Privacy on September 24, 2009 at 13:02

Today I tried to load and activate VIP Access on my iPhone.  The app loaded OK from the app store, but finding the page on PayPal where I could activate it was another story.

For those of you out of the loop, VIP Access provides a means to use your iPhone as a second authentication factor.  When installed, the software provides a different six-digit code every 30 seconds.  This code is used to verify your identity at sites supporting this VeriSign identity management technology—like PayPal.  See Figure 1.

Figure 1

Installing and launching the free software on my iPhone 3GS was easy.  The first screen included a video and other information about how to use the service.  So, having lost my VIP “football” for PayPal, I was anxious to try this out.  That was where the fun began.

There are no references to this service on PayPal.  Neither searching nor browsing turned up anything useful.  Finally, I searched Google and found someone who had solved this lack-of-information challenge by actually sending a message to PayPal. 

It turns out VIP Access activation uses the same link used to activate the VIP token, as shown in Figure 2.

In the activation form, enter the VIP Access Credential ID into the Serial Number field.  The rest of the form is self-explanatory.  After jumping the activation hurdle, everything worked as advertised.

Figure 2

Fighting Unwanted Browsing: Web filtering is not always effective

In Access Controls, Business Continuity, Content Filtering, Data Leak Prevention, Insider risk, malware on September 23, 2009 at 12:22

Many organizations use Web filtering to block employee access to “unsuitable” sites.  Blocking usually takes the form of products like WebSense and services such as OpenDNS (from free, through SMB and Enterprise).  However, savvy employees will find a way around these controls. 

Definitions of what constitutes an unsuitable site vary from business to business, but there is a general set of objectives which typically underlies them all.

  • Prevent viewing of pornography, hate sites, or any other material which may be interpreted as creating a hostile work environment
  • Prevent activities which may put the organization at risk, such as visiting sites
    • which present a known high risk of infecting the network with malware
    • which provide an easy way for employees to while away the workday focused on social networking, shopping, sports, or other non-business related media

Whether an organization uses Web filtering to achieve one or all of these objectives, users will find a way around restrictions.  One of the best ways is to encrypt outgoing sessions with a client-based or hosted proxy.  Yes, most if not all Web filters allow you to block access to these sites.  And yes, restricting employee rights to install applications can help.  However, there are services which circumvent both controls.

Web filters rely on their ability to see destination information and compare it to a database of blocked sites, usually organized by category.  If a user connects to an external proxy service (not in the blocked sites list) via SSL/HTTPS, no traffic from the end-user device to the Internet is visible to the Web filter.  The result?  The user can browse to any and all sites on the Web.

Take, for example, Megaproxy.  Figure 1 is the message I receive on my test machine if I try to go directly to the Megaproxy site.  Why?  Because the site is considered a proxy site.  All proxy sites must be blocked—as they are on this network—or Web filtering is the proverbial exercise in futility.  But Megaproxy provides an easy way around this.

Figure 1: Megaproxy blocked

The Megaproxy service periodically changes the URL used to get to the proxy sign-on prompt shown in Figure 2.  So Web filtering vendors have to play catch-up to block the current URL.  This is only possible when using the for-fee service, which a user can simply set up from home.  The fee is so low that any user with a strong desire to break out of IS constraints imposed on browsing will quickly get out the credit card.  I’ve been testing the same URL for about three weeks now with no problem.

Figure 2: Megaproxy login

Once logged on, the service asks for the URL for the page I want to visit, as shown in Figure 3.  The Web filter system I’m testing blocks remote access services, such as GoToMyPC.  So, I entered gotomypc.com. 

Figure 3: Enter URL

Figure 4 shows the result; I easily access gotomypc.com with full functionality.  I could just as easily access playboy.com.  Note that I have to enter all addresses for sites I want to visit into the address bar provided by Megaproxy.  If I use the standard browser address bar, I will leave Megaproxy, and my traffic will once again be visible to the filtering solution.

Figure 4: gotomypc.com

Megaproxy is not malware.  Nor is it intended to make your life as a security professional miserable.  It is designed to provide safe browsing from hotels, airports, and other hot spots.  The changing URL allows use of secure browsing even if the hotspot tries to prevent it by blocking proxy access.

The bottom line? An organization cannot rely on Web filtering alone to prevent unsuitable Web behavior.  Rather, other controls—preventive and detective, administrative and technical—must support filtering.  For example, some organizations simply block all SSL traffic not explicitly approved for business purposes.  If your organization is using Web filtering, take a look at the gaps unique to your organization and plug them.
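The gap described in this post, and the "block all SSL traffic not explicitly approved" control, can be compared directly over proxy records. The following is an added example, not part of the original post; the log format, domain names, allowlist and byte threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample in a hypothetical log format: "<user> <method> <host>:<port> <bytes>"
SAMPLE_LOG = """\
alice CONNECT mail.example-corp.test:443 18200
bob CONNECT payroll.example-vendor.test:443 9400
carol CONNECT a1b2c3.example-relay.test:443 48211000
carol CONNECT a1b2c3.example-relay.test:443 51990000
carol GET www.example-news.test:80 120300
dave CONNECT known-proxy.test:443 0
"""

BLOCKED_BY_CATEGORY = {"known-proxy.test"}  # stand-in for the vendor category database
APPROVED_TLS = {"example-corp.test", "example-vendor.test"}  # assumed business allowlist


def registered_domain(host):
    # Naive last-two-labels rule; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def category_filter_allows(host):
    """Blocklist model: anything the category database has not listed passes."""
    return registered_domain(host) not in BLOCKED_BY_CATEGORY


def default_deny_allows(method, host):
    """Allowlist model: TLS tunnels are permitted only to approved destinations."""
    if method != "CONNECT":
        return True  # cleartext HTTP is still visible to content filtering
    return registered_domain(host) in APPROVED_TLS


def filter_gaps(log_text, min_bytes=10_000_000):
    """Per-user TLS destinations the blocklist passes but the allowlist would stop."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue  # skip malformed records
        user, method, dest, size = fields
        host = dest.rsplit(":", 1)[0]
        if category_filter_allows(host) and not default_deny_allows(method, host):
            totals[(user, host)] += int(size)
    return sorted((u, h, b) for (u, h), b in totals.items() if b >= min_bytes)


if __name__ == "__main__":
    for user, host, total in filter_gaps(SAMPLE_LOG):
        print(f"{user} tunneled {total} bytes to unapproved TLS destination {host}")
```

A single uncategorized host carrying a large share of one user's encrypted traffic is the pattern worth reviewing, since the filter sees only the tunnel endpoint and nothing browsed through it.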

Security note —

In IPSec, Network Security, Uncategorized on September 22, 2009 at 12:06

IPv6 has security issues.  This is no surprise.  What may be a surprise is that you might be vulnerable even if you haven’t rolled it out to your network.

Many organizations believe that not deploying IPv6 shields them from IPv6 security vulnerabilities. This is far from the truth and a major misconception. The likelihood that rogue IPv6 traffic is running on your network (from the desktop to the core) is increasingly high. For starters, most new operating systems are being shipped with IPv6 enabled by default (a simple TCP/IP configuration check should reveal this).

IPv4 based security appliances and network monitoring tools are not able to inspect nor block IPv6 based traffic. The ability to tunnel IPv6 traffic over an IPv4 network using brokers without natively migrating to IPv6 is a great feature. However, this same feature allows hackers to set up rogue IPv6 tunnels on non-IPv6 aware networks and carry malicious attacks at will. Which begs the question, why are so many users routing data across unknown and non-trusted IPv6 tunnel brokers?

Source: IPv6: Not a Security Panacea, AJ Jaghori, CSO, 21 Sep 2009.
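One way to look for the tunneled IPv6 described above on an IPv4-only network is to inspect IPv4 headers for the standard encapsulations. This is an added example, not from the post or the quoted article; it assumes IP protocol 41 (6in4, 6to4, ISATAP) and UDP port 3544 (Teredo), neither of which the page names, and the sample packets are constructed.

```python
import ipaddress
import struct

PROTO_UDP = 17
PROTO_IPV6_IN_IPV4 = 41   # 6in4, 6to4 and ISATAP encapsulation
TEREDO_PORT = 3544        # Teredo carries IPv6 inside UDP


def classify(packet):
    """Return (kind, src, dst) if an IPv4 packet carries tunneled IPv6, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None  # truncated or malformed header
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    payload = packet[ihl:]
    if packet[9] == PROTO_IPV6_IN_IPV4:
        # A first fragment's payload begins with the inner IPv6 header (version nibble 6).
        if frag_offset or (payload and payload[0] >> 4 == 6):
            return ("proto41", src, dst)
    elif packet[9] == PROTO_UDP and frag_offset == 0 and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            return ("teredo", src, dst)  # port heuristic only
    return None


def ipv4(proto, src, dst, payload):
    """Build a constructed IPv4 packet (checksum left at 0) for the samples below."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


INNER_IPV6 = b"\x60" + bytes(39)  # constructed 40-byte IPv6 header, all fields zero
SAMPLES = [  # constructed packets using private and documentation address ranges
    ipv4(PROTO_IPV6_IN_IPV4, "10.0.0.5", "192.0.2.10", INNER_IPV6),
    ipv4(PROTO_UDP, "10.0.0.7", "198.51.100.20",
         struct.pack("!HHHH", 50000, TEREDO_PORT, 48, 0) + INNER_IPV6),
    ipv4(PROTO_UDP, "10.0.0.9", "203.0.113.53", struct.pack("!HHHH", 40000, 53, 8, 0)),
]


def find_tunnels(packets):
    return [hit for hit in map(classify, packets) if hit]
```

On a network that has not deployed IPv6, any hit from an internal source address is a candidate for a blocking rule at the perimeter and a follow-up on the originating host.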

For more information about IPv6 security issues, see the article referenced above and,