So something weird happened with my iPhone over vacation and any application that I had downloaded (not included with the default iPhone) and all my DRM’d music and movies from iTunes would open and then quit quickly. At one point on vacation, my iPhone rebooted by itself and said that it was activated and couldn’t connect to iTunes. I tried signing out of iTunes and back in on the iPhone, but every application kept quitting.

I finally figured out that there must be something wrong with the iTunes activation — I tried to sync, I tried to remove all apps and install from iTunes on the iPhone, I tried a bunch of things short of a full factory reset / restore. So here is what I did to fix it:
1. On my Mac, I went to ~/Library/Application Support/MobileSync/Backup/ and backed up the folder that started with something like 346c5687c…..
2. I plugged in my Time Machine backup (I stopped the auto backup in progress) and browsed to the last known good backup of that directory.
3. In Time Machine, I restored that backup folder and then ejected the Time Machine volume
4. I launched iTunes and made sure I was signed into the iTunes Store
5. I plugged my iPhone in and stopped the sync.
6. I right clicked on the iPhone mounted in iTunes and selected “Restore from backup”
7. Once it completed, it rebooted and everything was normal again.

You could do this on a PC, the directory is On Windows XP: \Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\

See this article from Apple.

This will mean, however, that you will lose any information since the last backup, but that wasn’t a big deal for me. Hope this helps, it took me a couple of hours to figure it out.

ShmooCon 2009 is starting tomorrow in Washington DC and it promises to be a good security conference. If you have never been, I highly encourage you to check out the videos from past conferences on youtube.

I thought this was pretty funny because of how true most of it is: How to Suck at Information Security

What struck me was the following line: “Ban the use of external USB drives while not restricting outbound access to the Internet.”

This sums up some of the most egregious mistakes in the information security — taking a vulnerability view versus a threat view of how to secure your infrastructure. USB drives typically pose a relatively small threat to an infrastructure compared with unfettered outbound Internet access, but many organizations I have worked with are doing just that.

Happy New Year, 2009. Every one makes some kind of resolution for the new year. I think it is the hope that we can somehow change the things that we least like about ourselves or our lives that causes us to make promises. Every year I resolve to lose weight, but somehow by the end of the year I am right back where I was before.

This year, I am resolving to write more and be more visible. I plan on writing regularly here about information security and the relationship it has with economics, politics, news, and other areas. Hope you enjoy, and if there is something you wish to comment on or suggest, please put it in the comments.

So, in honor of George Carlin, here is a list of 7 things that you can’t say if you are a security consultant:

7. Anti-virus has not and never will work.

6. Your vendor’s security product (X) will NEVER make you more secure.

5. Compromise is inevitable and there is nothing you can do to stop it.

4. Security professionals are completely unqualified for what they are doing.

3. Code will never be secure.

2. Defense in depth doesn’t work.

1. Security is an illusion and won’t ever be perfect. It hasn’t worked the physical world, and certainly won’t work in virtual worlds. Ever.

A little tongue-in-cheek, but let me know what you think.

Feel free to add to this in the comments.

I stumbled upon these Firefox plugins the other day that allow you to test websites against a set of predetermined XSS or SQL injection parameters on a given website. The tools include XSS-Me, SQL Inject-Me, and Access-Me, all designed to test the security of the website in an easy fashion:
http://www.securitycompass.com/exploitme.shtml 

I thought these were pretty cool. I ran it against a corporate email website that is commonly used and was surprised by the amount of XSS that was successful. Be careful not to fiddle with Firefox while this is running because it will destroy the test. Also, Firefox 2 ate up a lot of memory while doing this, so I wouldn’t run it on that 486 sitting in the corner.

This is freaking interesting. In case you haven’t heard about the encrypted letter that Fermilab was sent and asked for help breaking, here is some more information:

http://www.symmetrymagazine.org/breaking/2008/05/15/code-crackers-wanted/ 

http://www.jgc.org/blog/2008/05/breaking-fermilab-code.html

http://www.gmilburn.ca/2008/05/17/fermilabs-strange-letter-progress/ 

Also, a report of spiking scans for SSH brute force logins using common username and passwords:
http://www.securityfocus.com/news/11518

You can always run SSH over a different port than 22 if the firewall is configured for that. How about 2222? Make sure root is not allowed, and the username/password isn’t easy to brute force (30 character passwords with upper/lowercase letters, numbers, and special characters).
Of course, none of this matters if you have a rootkit keystroke logging on your computer (see previous article).

Have a nice day!

That shouldn’t come as a shock to anyone, but for those who still doubt and put their faith in AV for protection, read this article:

http://www.darkreading.com/document.asp?doc_id=153760&WT.svl=news1_2

Thought this was a pretty nice graphic from CSO Magazine (of all places) showing different botnets and how they map to the IPs and domains that serve as command and control:

http://www.csoonline.com/article/348317/What_a_Botnet_Looks_Like 

Symantec came out with their Internet Security Threat Report a couple of days ago:

http://www.symantec.com/business/theme.jsp?themeid=threatreport

The report of course suggests that Internet Security is getting worse and the bad guys are getting better, same story as always. One of the highlights though is they do acknowledge the targeted attack dangers, which is a big step forward for an anti-virus vendor:

Attackers have adopted stealth tactics that prey on end users on individual computers via the World Wide Web, rather than attempting high-volume broadcast attacks to penetrate networks. This may be because enterprise network attacks are now more likely to be discovered and shut down, whereas specifically targeted malicious activity on end-user computers and/or web-sites is less likely to be detected.

A good read for those who are interested in the new threat landscape.

There is a great article at CSO Magazine that goes over information all IT people should learn about, even if security isn’t their primary responsibility.

This article reinforces what I have been saying for awhile — one of the greatest threats to businesses around the globe is the current state of computer security and the lack of well crafted security programs to protect data and financials. In my opinion, companies and governments need to stop modeling their security programs on a prevention model and shift toward a detection / response model.

Found a pretty good blog post from the CTO of Big Fix that talks about why he believes securing an IT infrastructure is expensive for a variety of reasons:

http://techbuddha.wordpress.com/2008/01/23/the-high-cost-of-securing-it/ 

He also talks about strategies for approaching a CFO to justify spending of security dollars, which is interesting.

Interesting article on how some Maxtor external USB drives were shipped with malware that executed when plugged into Windows machines. The malware then exfiltrated the data stored on the drive to foreign websites. Fascinating article:
http://www.taipeitimes.com/News/taiwan/archives/2007/11/11/2003387202

Apparently, VMware Fusion 1.0 (51348) has problems accepting keyboard input when Checkpoint SecureRemote VPN client is running on Mac OS X 10.4.10. Turning off the SecureRemote client allows

I find this only affects my machine after I have VPN into the network and then tried to launch Fusion.
What is interesting is that according to this post the way to discover that it is the SecureRemote client is to issue the following on the command line of the Mac:

ioreg -l -w 0 | grep SecureInput

“IOConsoleUsers” = ({”kCGSSessionGroupIDKey”=20,”kCGSSessionOnConsoleKey”=Yes,”kCGSSessionIDKey”=256,” … “kCGSSessionUserIDKey”=501, “kCGSSessionSecureInputPID”=311}) “IOConsoleUsersSeed” = <14000000>

Then take the value of kCGSSessionSecureInputPID and search for it in the process list:

ps auxww | grep 311

In my case, that was the PID for the SecureRemote client. Very cool.

Saw this post about a pretty comprehensive SQL Injection cheat sheet:

http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/ 

Thought it went into some great detail, so check it out.

Also, this article was pretty good as well as an introduction to SQL injection:
http://webappsec.org/projects/articles/091007.shtml 

Here is how you can set up an encrypted disk within OS X to store sensitive files:

1. Open up the Disk Utility (don’t click on a volume)
2. Select “New Image”
3. Select name, location, size, and then select encryption > AES 128 bit
4. Select “create”
5. Type in the password, but make sure you do NOT select to store it in the keystore *
6. That’s it. Just drag and drop all files to the volume, and unmount it when you are done.

* This defeats the purpose of having a separate encrypted volume because OS X will keep the key in escrow and allow the volume to be mounted by anyone with your credentials on your computer. This password should be different from your OS X password and the FileVault master password for maximum protection. Also, for extra protection, make sure the password is over 30 characters in length and is a mix of uppercase, lowercase, numbers, and special characters.
Taken some from this article: http://www.macosxhints.com/article.php?story=20070711100831587

So this is not new, but I thought it was a nice illustration of the difficulty in trusting software.

FFsniFF is a Firefox sniffer that takes all HTML form input and emails it out. It even hides from the extension manager. Source is posted.

http://azurit.elbiahosting.sk/ffsniff/

Thought this was pretty funny: A trojan called Trojan.Kardphisher after installation and restart, pops up a Windows activiation form that asks for your credit card, CVV2 code, ATM pin:

Here is the Symantec information.

I thought this letter to Optimus Prime from GEICO was one of the funniest things I have read in a long time. Enjoy.

http://mcsweeneys.net/2007/7/9weaver.html