Archive

Archive for the ‘Uncategorized’ Category

Massive Microsoft October Security Bulletin – The biggest ever

October 13th, 2010

Although Microsoft are hitting the headlines with details of their new and exciting Windows Phone 7 offering in Australia, they are also hitting the news for other reasons…

Microsoft today released the largest number of Windows Updates – a whopping 49 in total, covering 16 security bulletins. This October 2010 security bulletin includes the greatest number of patches released in a single month, and beats last August’s huge patch release, which included 34 updates.

Patches include fixes for Windows XP, Windows 7, Windows Server 2003, Windows Server 2008, Windows Server R2, .NET, Media Player versions 9 to 11, and Internet Explorer versions 6 to 8.

Four of the bulletins are rated as critical. There’s also a fix (MS10-073) to plug an issue exploited by the Stuxnet worm, in addition to two fixes Microsoft delivered back in September (MS10-046 and MS10-061).

Time to update your Windows machines!

Categories: Uncategorized Tags:

Hackers Jailbreak the new Apple iPad

April 7th, 2010

The iPad has been on sale for less than three days, and already hackers have jailbroken it to get around Apple’s restrictions.

MuscleNerd, a member of the iPhone Dev Team committed to hacking the iPhone OS, has jailbroken the iPad after just a day of tinkering. The hack gave him root access to the iPad and allowed him to install non-approved applications and to run apps simultaneously. It uses the same exploit employed to jailbreak the current OS 3.1.3 iPhone.

The fast hack was made possible by essentially using the “Spirit” jailbreak designed to open up the iPhone, according to MacNN. This uses a browser exploit to open up the OS.

Read the full article:

http://ow.ly/16ZRca


Apple delivers record monster security update

March 31st, 2010

By Gregg Keizer
Computerworld
March 29, 2010

Apple today patched 92 vulnerabilities, a third of them critical, in a record update to its Leopard and Snow Leopard operating systems.

Security Update 2010-002 plugged 92 holes in the client and server editions of Mac OS X 10.5 and Mac OS X 10.6, breaking a record that has stood since March 2008. The update dwarfed any released last year, when Apple’s largest patched 67 vulnerabilities.

“The sheer number, it’s almost so daunting that you don’t even want to look,” said Andrew Storms, director of security operations at nCircle Network Security.

Today’s security roll-up fixed flaws in 42 different applications or operating system components in Mac OS X, from AppKit and Application Firewall to unzip and X11, the Mac’s version of the X Window System.

http://www.computerworld.com/s/article/9174337/Apple_delivers_record_monster_security_update?taxonomyId=17


The Dangers of ChatRouletting

March 16th, 2010

Ok – not really serious – however if you have seen chat roulette on the news recently, but are still wondering what it’s all about (because you’re averse to trying it for yourself)… watch this guy on the piano having a go:

This made me laugh!


The next Apple iPhone – the “iPhone HD”

March 16th, 2010

I think lots of pinches of salt need to be consumed whilst watching this so-called leaked ad of the new iPhone HD! Nice work to whoever put this together and posted it onto YouTube!

Personally I think the video ad is a definite fake – but the name could be a winner – especially as the camera will be higher res.

It does make sense to have an improved camera, and one for video use… however, one thing’s for sure – the Apple rumors will continue to grow over the next few months. Roll on later this year when the updated Apple iPhone is released!


Google – Trying very hard NOT to be EVIL!?

March 11th, 2010

In case you missed it when this aired on free-to-air Australian TV, below is the YouTube cut…

Not sure how much is fact or fiction, but it makes you pause for thought. I know there are lots of Google lovers out there, so it will be interesting to see what everyone thinks of this!?


The future of malware on smartphones

February 25th, 2010

As smartphones such as the iPhone, the Google Android, Nexus One etc. become more and more popular (and bigger malware targets), it’s worth considering what lies ahead in terms of new security threats over the next few years.

Here’s a recent video discussing what’s on the horizon (yes, a bit geeky), but you get the idea…


Apple have released OSX firmware version 3.1.2 – time to update!

October 9th, 2009

Apple have released version 3.1.2 of its iPhone OSX software – which fixes a number of issues with the 3.1 release.

This release will hopefully finally fix a number of issues with cellular network services, as well as a problem where the iPhone was not waking from sleep, and video crashes.

The update is around 200Mb in size, and can be updated via the usual iTunes update process.


Hot Tips For Securing Your Shiny New iPhone

October 8th, 2009

For those of you out there who already have your own Apple iPhone 3G/S, below are a few recommended security tips to help keep your iPhone secure.

While Apple continue to promptly fix security flaws that are found and reported, it is still important that we all do what we can to ensure that our personal iPhones are secure.

Unfortunately iPhones do get lost or stolen on a regular basis, and the last thing you would want after losing your much loved phone is for someone to have full access to your email, contacts, and all your other iPhone applications which store / give access to your personal information.

Install the latest firmware updates
Unfortunately due to the popularity of the iPhone, people are starting to focus on discovering new security flaws in the device.  By viewing some of the earlier articles on this website, you will see details of vulnerabilities which have been discovered (such as an SMS vulnerability), which Apple have now fixed.

By keeping your device up-to-date you can ensure you are not vulnerable to the security flaws that are discovered. Also Apple continue to add additional security related features and improve the overall security of the iPhone through new firmware releases, so it pays to keep up-to-date.

In order to update your iPhone, you will need to plug your phone into the computer which is synched with your device, so that you can download and install the latest OSX update via iTunes. Apple released version 3.1 a couple of weeks ago, which everyone should upgrade to as soon as possible.

Enable the “Passcode Lock” feature:

The Auto-Lock feature (Settings -> General -> Auto-Lock) only locks the screen after a preset time of not using the iPhone. The “Passcode Lock” takes this a step further, as you need to enter a four-digit code to get access to the iPhone’s home screen. This will ensure that if someone gets their hands on your iPhone, they won’t be able to access it without knowing your four-digit passcode.

By default, the iPhone doesn’t require you to enter a pass-code to unlock it. To set a pass-code, open the following menus on the phone:

“Settings”, “General”, “Passcode Lock” and enter a 4-digit pass-code.

See the Apple support pages for more details.

Use “Erase Data” Feature

The “Erase Data” feature lets you completely wipe your iPhone after 10 failed pass-code attempts. After six failed attempts, the iPhone locks out users for a minute before another pass-code can be entered. And the device increases the lock-out time following each additional failed attempt – one minute, five minutes, 15 minutes, etc.

It’s a nice feature to protect the data on your iPhone if it gets lost or stolen. However, you might want to be careful enabling this feature if you have young children who might get their hands on the phone.

“Show SMS Preview” Feature

If you have “Show SMS Preview” enabled, you will see the name of the sender and the first few words of the message when a text arrives while the iPhone’s screen is locked.

If you are concerned about privacy then you can disable it. With Show SMS Preview disabled you will only get a generic “New Text Message” notification.

Using Wi-Fi safely on the iPhone:

One of the best things about the iPhone is Wi-Fi support, so you can connect to high-speed Wi-Fi whenever it is available.

To ensure that you don’t unknowingly connect to any open (unsecured) Wi-Fi networks while on the go, you should enable the iPhone’s “Ask to Join Networks” function. This is enabled by default (Settings -> Wi-Fi -> Ask to Join Networks).

Summary

The points above are just a small selection of tips relating to securing your iPhone. Unfortunately there are known ways to get around some of the security features of the iPhone. However, most average punters won’t know (or want to know) about these techniques, and therefore the above tips will offer an adequate level of protection.

Read on if you have a Propeller head – RedSn0w or PwnageTool 3.1

Lastly, for those of a technical nature who do know what “Redsn0w” and “Cydia” are, please read on…

For those who have jailbroken their much loved iPhone, there are a few things you need to consider:

The first is to ensure you change the default password of your jailbroken iPhone, and ensure that you lock down SSH or any other transfer protocols or apps you may have installed.

For example, the root password on a jailbroken phone is normally “alpine”, so it is extremely critical to change it. If you decide to ignore the tip on connecting only to secure Wi-Fi networks and connect to an open, non-secure Wi-Fi network, you are exposed to a security risk where a person with malicious intent could get access to your iPhone using the default password without your knowledge.


Two Factor & Where It’s Heading

October 8th, 2009

The majority of you who do your banking or finances online will already be familiar with two factor authentication – such as the use of RSA tokens or SMS one-time codes in conjunction with your user ID and password. This article helps to raise awareness of two factor and its uses, some of the pitfalls, and a high level sneak peek at where the technology is heading.

Back To Basics – So What Is Two Factor Anyway?

Authentication is all about verifying the identity of a person or entity using a piece of information (e.g. a password). “Two-factor” authentication (T-FA) is where two different factors are used in conjunction to authenticate. Using two factors as opposed to one factor generally delivers a higher level of authentication assurance, for example using a username and password in conjunction with an RSA token or SMS code.

So what two factor solutions are currently in use, and why isn’t it used everywhere?
There are a number of two factor solutions widely in use for a number of industries. Most corporates & large enterprises often deploy two factor to ensure adequate protection for access to their systems for staff / customers.

Hardware Based Tokens
Examples of this are the use of RSA tokens for VPN access, whereby the two-factor authentication is based on something you know (your password or PIN) and something you have (the token, an authenticator), providing a much more reliable level of user authentication than reusable passwords.

Tokens are often provided to high net worth customers, for people who perform large financial transactions, or for people who want assurance that their account has a better level of security protection.

SMS One Time Passwords
The majority of banks currently make use of SMS verification codes in order to validate a person’s identity prior to completing a transaction. SMS one-time verification codes are a highly effective yet convenient (and relatively cheap) authentication system requiring single-use passwords to authorise certain banking activities / transactions. The single-use password is sent to the user’s mobile phone via an SMS message and only remains valid for a short time frame (e.g. Commbank’s implementation only keeps the SMS valid for 30 seconds).

So Are There Issues With The Current Two Factor Solutions That Are In Use?
Most technology is unfortunately not 100% bullet proof. People spend a lot of time finding technical vulnerabilities or ways in which to circumvent controls put in place. Even hardware based tokens are not 100% rock solid.

The most talked about issues recently are around the use of SMS as a second form of authentication. Unfortunately it is still fairly easy (due to poor regulations in the telco industry currently) to steal somebody else’s mobile phone number by porting the number to a different carrier and physical handset, so that the bad guy, rather than the legitimate mobile phone owner, receives any SMS verification messages sent to that number. All that is needed for a successful mobile phone port is basic customer information, which can normally be obtained through “phishing”, which can also glean the customer’s account numbers.

So Will Things Change?
The big telcos aren’t really going to move fast to fix up mobile phone porting regulation, as there’s nothing in it for them. The banks are losing money via this form of fraud, but probably not enough yet for them to consider spending lots of money on a different solution. A couple of the Australian banks have only just moved to SMS verification in the past year or so as a form of authentication, so they’re not too keen to move to another solution for now. The majority are also looking at smarter ways of two factor implementation in order to improve customer experience as well as keeping costs and fraud to a minimum. So as an example – rather than using SMS or hardware tokens for transactions over a certain value limit, some of the banks use two factor instead for setting up a new payee only.

Why Aren’t Two Factor Solutions More Widespread?
Basically there are three key considerations. The first is ease of use, the second is the value of the asset that is being protected, and the third is the cost of the solution to protect it. It’s all about balancing these factors, and as a result some businesses choose not to deploy second factor solutions for certain situations / customers.

So Where Is Two Factor Technology Heading In the Financial Industry Space?
Apart from banks and financial companies getting smarter about how they use and implement these types of two factor, there are some changes in this space thanks to technology advancements.

There are a variety of newer and stronger hardware based tokens – some of which require the end user to type a code into the device before being given a response to provide in an online authentication process. Other advancements are hardware based tokens, EMUE integrated credit card chips, as well as soft-token applications running on smart phones.

RSA and other vendors are starting to provide their token solution as an iPhone application. Obviously financial institutions want to use something that can be widely and cheaply used by their customer base, so the take up on this will probably be slow initially.

Voice Biometrics
The big technology advancement in the two factor space is “Voice biometrics”. You may already be familiar with automated customer call centres, which use voice biometrics to confirm the reason for your call.

This enables you to be put through to the most appropriate part of the business – resulting in a better customer experience and lower business costs. The technology is now capable of a lot more than that, as it can be used for authentication purposes also. It’s so advanced that the technology is highly accurate, and can even detect when a caller is under duress. NAB recently implemented this technology for part of its customer call centre.

A number of other companies are now moving into the voice biometrics game – so watch this space.
