In this article I will first talk about some misconceptions regarding what is considered a secure password and then about how you can leverage different technologies to help protect your different credentials.
In the past few years there has been a sharp increase in websites being hacked and their users’ passwords/hashes stolen, in parallel we are using online services for almost everything: to pay for your local pizzeria delivery or your electricity bill, access your bank account, connect to your work email, etc.
The common advice is to use different passwords for each site you register to, but most people don’t. It means that hackers can often reuse credentials they obtained on one website to access another.
One way to counter that risk would be to use some kind of formula so you remember a different password for each site you have registered to. This *could* be the best solution, as remembering a password formula means you do not have to write it do...
>>[READ MORE]
Evernote hacked, an early warning for the Cloud Storage storm coming?
#83 - Posted on
2 March 2013 - Author: SM - Category: Security
In recent years I have written various articles warning of the risk related to uncontrolled cloud storage solutions usage in the corporate world.
Evernote is a popular online note storage solution which is often used by mobile users. You could see it as a cut down version of Dropbox as it is more restrictive to what one can store online.
It got hacked a few days ago, as reported by the Verge, what was stolen includes usernames, email addresses and encrypted passwords. We don’t know what password algorithm they used and how hard/easy/feasible it is for the hackers to crack them, but the company behind Evernote now asks *all* its (millions) users to reset their passwords.
This should really serve as a wake up call, to check what policies and controls are in place to prevent your user...
>>[READ MORE]
A new iOS 6.1 hack
#82 - Posted on
14 February 2013 - Author: SM - Category: Hacking
As seen on the Hacker news, there is currently a way to bypass the iPhone lock screen (iPad with SIM too?) running iOS 6.1.x
I had to change the steps listed in “The Hacker news” slightly for it to work:
-Go to emergency call, push down the power button and tap cancel.
-Dial 112 and tap green and inmediately red.
-Go to lock screen, by pressing the power button
-Go to passcode screen, by pressing the home button
-Keep pushing down the power button …1…2…3…seconds and before showing the slider “turn off”…tap the emergency call button and …voilá!
-Then without releasing the power button press the home button and let go…
From there you gain full access to the phone application and can change/add/delete contact, as ...
>>[READ MORE]
Mobile devices security, history repeating itself: Harder, Faster, Stronger but not Better!
#81 - Posted on
5 December 2012 - Author: SM - Category: Security
Following up on my SANS 575: Mobile Device Ethical Hacking course review, below is my take on the current state of Mobile Devices security.
First, let me define what I mean by mobile devices: Smartphone and Tablets, not laptops. Although laptops are “mobile” the level of security available to them is more mature and not in scope for this article.
Then, let’s dive into the past and where mobile device security fits.
Right at the start, when computers where used and interconnected, the security element of it has always been the last “add-on” and security professionals had to play catch-up. This was true with Intranets, where no or poor defences meant companies were often heavily relying on physical security, i.e.: no hackers will be allowed within the premises to connect their portable desktops. The realisation that staff could also be hackers and the arrival of laptops meant better IT access controls were put in place.
When Interne...
>>[READ MORE]
SANS 575: Mobile Device Ethical Hacking Review
#80 - Posted on
4 December 2012 - Author: SM - Category: Conferences
In the last two years I have been to a few SANS training courses:
508: Advanced Forensic
617: Wireless Ethical Hacking
660: Advance PenTest
Last week I attended the SANS 575: Mobile Ethical Hacking course,
it is a nice complement to the 617 Wireless course and although there is some overlaps, especially around WIFI vector attacks, most of the content is different; and when it is not, you get another perspective for those attacks.
The course gave an overview of the different architectures surrounding the Android, iOS, Blackberry and Windows Mobile phones, how system and app updates...
>>[READ MORE]