There was no “phone hacking” – but have you changed your voicemail codes?

Posted on By Mark Wilson
This content is 13 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Before I start, let’s get one thing straight – I’m not condoning the actions of the News of the World, or any other medium that is illegally/illicitly accessing people’s personal information. And I added my name to more than one anti-Murdoch/News International petition this week. I’m appalled by some of what’s come out over the last few days but this is a technology blog – and this post is about technology, not politics or crime syndicates news organisations [source: Google/Wikipedia].

I just want to highlight something that was posted on Phil Hendren (aka Dizzy)’s Dizzy Thinks blog last year:

“* Calling someone’s mobile, waiting for it to go to voicemail and then entering their four digit pin (0000) is not hacking. Hacking is about circumventing security, not being presented with [a security check] and passing [it].

** Calling someone’s mobile, waiting for it to go to voicemail and then entering their four digit pin (0000) is not tapping. Tapping is the covert act of real-time interception of active communication links.”

But we can all protect ourselves – David Rogers explains how on Sophos’ Naked Security blog. So I urge everyone to check their voicemail access code(s), and change it/them to something non-default. After all, you wouldn’t make your email logon credentials consist of your email address as a username and the word “password” as your password would you?

Yikes! My computer can tell websites where I live (thanks to Google)

Posted on By Mark Wilson
This content is 14 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

A few months ago there was a furor as angry Facebook users rallied against the social networking site’s approach to sharing our personal data.  Some people even closed their accounts but at least Facebook’s users choose the information that they post on the site.  OK, so I guess someone else may tag me in an image, but it’s basically up to me to decide whether I want something to be made available – and I can always use fake information if I choose to (I don’t – information like my date of birth, place of birth, and my Mother’s maiden name is all publicly available from government sources, so why bother to hide it?).

Over the last couple of weeks though, I’ve been hearing about Google being able to geolocate a device based on information that their Streetview cars collected.  Not the Wi-Fi traffic that was collected “by mistake” but information collected about Wi-Fi networks in a given neighbourhood used to create a geolocation database.  Now, I don’t really mind that Google has a picture of my house on Streetview… although we were having building work done at the time, so the presence of a builder’s skip on my drive does drag down the impression of my area a little!  What I was shocked to find was that Firefox users can access this database to find out quite a lot about the location of my network (indeed, any browser that supports the Geolocation API can) – in my case it’s only accurate to within about 30-50 metres, but that’s pretty close! I didn’t give consent for Google to collect this – in effect they have been “wardriving” the streets of Britain (and elsewhere).  And if you’re thinking “thats OK, my Wi-Fi is locked down” well, so is mine – I use WPA2 and only allow certain MAC addresses to connect but the very existence of the Wi-Fi access point provides some basic information to clients.

Whilst I’m not entirely happy that Google has collected this information, it’s been done now, and being able to geolocate myself could be handy – particularly as PCs generally don’t have GPS hardware and location-based services will become increasingly prevalent over the coming years.  In addition, Firefox asks for my consent before returning the information required for the database lookup (that’s a requirement of the W3C’s Geolocation API)  and it’s possible to turn geolocation off in Firefox (presumably it’s as simple in other browsers too).

What’s a little worrying is that a malicious website can grab the MAC address of a user’s router, after which it’s just a simple API call to find out where the user is (as demonstrated at the recent Black Hat conference).  The privacy and security implications of this are quite alarming!

One thing’s for sure: Internet privacy is an oxymoron.

How much is your personal information worth?

Posted on By Mark Wilson
This content is 15 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

We’ve all heard the horror stories about personal information, such as credit card details, falling into the wrong hands and, thankfully, in many cases the banking system limits the damage but it’s a growing problem.

Now Symantec have issued the results of some research which shows that this information may be sold on the black market for as little as a few pence as cyber criminals use generous retail promotions like bulk buying and “try before you buy” to sell consumer information and credit card details to other criminals. According to the Internet Security Threat Report 2009 e-mail addresses and accounts are traded among criminals from as little as five pence to as much as £60, with a full identity going for around £45. I don’t know about you but I find those figures to be alarmingly low – until I read on and discover that, according to Symantec, more than 10 million stolen identities are traded each year on the black market.

The online black market is booming compared to real-world criminal activity. It is more profitable, harder to prosecute and provides anonymity. Whereas on the streets of London Metropolitan Police figures indicate that a crime is committed every 37 seconds, an identity is stolen online every three seconds.

So how does this happen? Well, much of the information is harvested using malware on our PCs with many victims unaware that their computer is a “zombie” acting as part of the botnets that are the main source of online fraud, spam and other scams on the Internet today. In addition, we are putting increasing volumes of personal information onto the web through social networking. Meanwhile, action against criminals is hampered by the fact that national laws typically lag behind technological advances and the fact that the Internet is a global network and so requires co-operation from multiple law enforcement agencies.

So, what can we do about it? Well, much of the information in this blog post comes from Symantec/Norton and it’s no surprise that they would like us to buy the latest version of their security suite but, even if you use another reputable company’s security products, it’s worth checking out the advice on their Every Click Matters site including a victim assessment tool that helps you assess your risk (and black market worth) and 10 simple steps we can all take to stay safe. Maybe you, as a reader of this blog, know what to do – put it may be worth highlighting the advice to less-technical friends and family.

What does your digital tattoo say about you?

Posted on By Mark Wilson
This content is 15 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

We’ve all heard of employers Googling prospective (and current) employees to check out their history/online status and there’s the recent story that went viral about someone who forgot she’d added her Manager on Facebook before bitching about her job (needless to say she didn’t have a job when he read what she had to say). Then there’s the story of the Australian call centre worker who was too drunk to work and pulled a sickie… only to be busted on Facebook.

Maybe these things sound like something that happens to someone else – none of us would be that stupid, would we?

Actually, it can happens to the best of us, although maybe not in quite an extreme manner. I’ve become a bit of a Twitter evangelist at work (David Cameron might say that makes me something else…) and, after one of my colleagues suggested that my new manager check out my feed as an example of effective technical knowledge sharing, I hastily checked for any potential lapses of judgment. I did actually remove an update that was probably OK, but I didn’t want to chance it.

Generally I’m pretty careful about what I say online. I never name my family members or give out my address, family photos are only available to a select group of people, I don’t often mention the name of the town where I live (although this blog is geotagged) and I am very careful to avoid mixing the details of my day job too closely with this website (technical knowledge sharing is fine… company, partner and customer details are not).

Digital tattooIt seems that there is a generation of Internet users who are a little more blasé though and Symantec are advising consumers against the dangers of sharing their personal information on the ‘net, referring to a “digital tattoo” (described as “the amount of personal information which can be easily found through search engines by a potential or current employer, friends or acquaintances, or anyone else who has malicious intent”).

The digital tattoo term seems particularly apt because there is a misconception that, once deleted, information is removed from the ‘net but that is rarely the case. Just like a physical (skin) tattoo, removing a digital tattoo can be extremely difficult with the effects including hindered job prospects and identity theft. Symantec’s survey revealed that 31% of under-25s would like to erase some of their personal information online. Nearly two-thirds have uploaded personal photographs and private details such as postcodes (79%) and phone numbers (48%) but, worryingly, one-in-ten under-25s have put their bank details online (not including online purchases) and one-in-20 have even noted their passport number!

Of course, there are positive sides to social networking – I personally have benefited from an improved relationship with several technology vendors as a result of this blog/my Twitter feed and it’s also helped me to expand my professional network (backed up with sites like LinkedIn and, to a lesser extent, Facebook). What seems clear is that there is a balance to be struck and today’s young people have clearly not been sufficiently educated about the dangers of life in an online society.

Computer clamping

Posted on By Mark Wilson
This content is 16 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

There’s just been a bit of entertainment in the office where I’m working today as one of my colleagues accidentally locked his computer to the desk!

Having seen a spare desk with a full size keyboard, mouse, screen and port replicator/docking station, he hooked up his laptop and started working – only to find that the docking station had a security device attached and he couldn’t release the PC without a key.  Furthermore, the keyholder had already gone home and wasn’t answering his mobile phone.

To be honest, I would have fallen for this myself – I didn’t know that the security device worked that way (I would have assumed that I needed to lock the PC in place with a key and not just attach it to a locked docking station) but, for those with a permanent desk and a docking station in a predominantly hot-desking environment, this could become a lucrative sideline in computer clamping – the principle being that if someone uses your desk they can pay to have you come along with a key and unlock their laptop!

Securely wiping hard disks using Windows

Posted on By Mark Wilson
This content is 16 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

My blog posts might be a bit sporadic over the next couple of weeks – I’m trying to squeeze the proverbial quart into a pint pot (in terms of my available time) and am cramming like crazy to get ready for my MCSE to MCITP upgrade exams.

I’m combining this Windows Server 2008 exam cramming with a review of John Savill’s Complete Guide to Windows Server 2008 and I hope to publish my review of that book soon afterwards.

One of the tips I picked up from the book this morning as I tried to learn as much as I could about Bitlocker drive encryption in an hour, was John’s tip for securely wiping hard drives using a couple of Windows commands:

format driveletter: /fs:ntfs /x

will force a dismount if required and reformat the drive, using NTFS.

cipher /w:driveletter:

will remove all data from the unused disk space on the chosen drive.

I don’t know how this compares with third party products that might be used for this function but I certainly thought it was a useful thing to know. This is not new to Windows Server 2008 either – it’s certainly available as far back as Windows XP and possibly further.

For more tips like this, check out the NTFAQ or John’s site at Savilltech.com.

Identity and security developments at Microsoft

Posted on By Mark Wilson
This content is 16 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

In amongst all the exciting new product announcements for new Windows releases and cloud computing platforms it’s all too easy to miss out on some of the core infrastructure enhancements that Microsoft is making. Last week I got the chance to catch up with Joel Sider from Microsoft’s Identity and Security group – a new organisation at Microsoft formed to address the issues of identity and security (which are really two sides of the same coin) and which, until recently have been treated as individual point solutions.

Joel explained to me that, with a single business group and a single engineering group, Microsoft is able to focus on the complete product stack, from System Center and Identity Lifecycle Manager (ILM – formerly MIIS), through Forefront security to the Windows platform, including Active Directory, Rights Management Services (RMS) and Network Access Protection (NAP).

Two of the products under the umbrella of the identity and security group have been in the news recently:

  • A release candidate of Identity Lifecycle Manager “2” is available now. Due for final release in the first half of 2009, ILM “2” provides self-service for employees, enhanced administration and automation for IT professionals, and extensibility for developers. In developing this product, Microsoft’s focus was in allowing IT departments to set policies for access, empowering end users and knowledge workers to perform actions and tasks (e.g. reset passwords, manage group membership, etc.). Until the release of this product, such actions would have required the use of third party products (e.g. Quest Active Roles Server and unlike MIIS, which was powerful but had a limited user interface, the focus with ILM is on providing an intuitive management interface and self service capabilities whilst still allowing extensibility (e.g. for audit and compliance purposes). ILM uses a concept of sets to group objects (e.g. “All people”) and then a workflow (authentication, authorisation, or action) may be applied to complete a number of steps (e.g. in a password reset scenario to answer a number of security questions; or approving membership of a group and sending out a notification in a group membership scenario).
  • Intelligent Application Gateway (IAG) service pack 2 is also due for release shortly. Originally available only in hardware appliance form, the former Whale Communications product can now be run as a Hyper-V virtual machine to reduce costs and increase flexibility in the infrastructure. In addition, IAG supports access from non-Microsoft browsers (e.g. Firefox) and platforms (i.e. users running Linux and Mac OS X) and has additional optimisers for recently released applications. (For those who are unaware of IAG’s capabilities, it provides granular access to specific applications via an SSL VPN with support for almost any application but optimisations for those which it has an awareness of – that’s the “intelligent” part of IAG).

Other significant developments taking place within the identity and security group include: the Windows Azure .NET Identity Framework (codenamed Geneva) which provides a Microsoft.NET identity access control service; Windows Cardspace; and the Forefront integrated security product (codenamed Stirling) which will combine the various disparate Forefront components.

From my perspective, I’m really encouraged to see Microsoft working to provide a more focused approach. As I’ve written before, many of Microsoft’s identity and security products are the result of acquisitions and, whilst it’s important not to lose the features and functionality that made these products successful in the first place, they also need to be tightly integrated to avoid the inevitable confusion caused by feature overlap and conflicting goals. It seems to me that Microsoft is working towards providing a sensible and logical identity and security portfolio for customers and partners.

Trusting a self-signed certificate in Windows

Posted on By Mark Wilson
This content is 16 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

All good SSL certificates should come from a well-known certification authority – right? Not necessarily (as Alun Jones explains in defence of the self-signed certificate).

I have a number of devices at home that I access over HTTPS and for which the certificates are not signed by Verisign, Thawte, or any of the other common providers. And, whilst I could get a free or inexpensive certificate for these devices, why bother when only I need to access them – and I do trust the self-signed cert!

A case in point is the administration page for my NetGear ReadyNAS – this post describes how I got around it with Internet Explorer (IE) but the principle is the same for any self-signed certificate.

First of all, I added the address to my trusted sites list. As the ReadyNAS FAQ describes, this is necessary on Windows Vista in order to present the option to install the certificate and the same applies on my Windows Server 2008 system. Adding the site to the trusted sites list won’t stop IE from blocking navigation though, telling me that:

There is a problem with this website’s security certificate.

The security certificate presented by this website was not issued by a trusted certificate authority.

Security certificates problems may indicate an attempt to fool you or intercept any data you send to the server.

We recommend that you close this webpage and do not continue to this website.

Fair enough – but I do trust this site, so I clicked the link to continue to the website regardless of Microsoft’s warning. So, IE gave me another security warning:

Security Warning

The current webpage is trying to open a site in your Trusted sites list. Do you want to allow this?

Current site: res://ieframe.dll
Trusted site: https://mydeviceurl

Thank you IE… but yes, that’s why I clicked the link (I know, we have to protect users from themselves sometimes… but the chances are that they won’t understand this second warning and will just click the yes button anyway). After clicking yes to acknowledge the warning (which was a conscious choice!) I could authenticate and access the website.

Two warnings every time I access a site is an inconvenience, so I viewed the certificate details and clicked the button to install the certificate (if the button is not visible, check the status bar to see that IE has recognised the site as from the Trusted Sites security zone). This will launch the Certificate Import Wizard but it’s not sufficient to select the defaults – the certificate must be placed in the Trusted Root Certification Authorities store, which will present another warning:

Security Warning

You are about to install a certificate from a certification authority (CA) claiming to represent:

mydeviceurl

Windows cannot validate that the certificate is actually from “certificateissuer“. You should confirm its origin by contacting “certificateissuer“. The following number will assist you in this process:

Thumbprint (sha1): thumbprint

Warning:

If you install this root certificate, Windows will automatically trust any certificate issued by this CA. Installing a certificate with an unconfirmed thumbprint is a security risk. If you click “Yes” you acknowledge this risk.

Do you want to install this certificate?

Yes please! After successfully importing the certificate and restarting my browser, I could go straight to the page I wanted with no warnings – just the expected authentication prompt.

Incidentally, although I used Internet Explorer (version 8 beta) to work through this, once the certificate is in the store, then all browsers any browser that uses the certificate store in Windows should act in the same manner (the certificate store is not browser-specific some browsers, e.g. Firefox, implement their own certificate store). To test this, I fired up Google Chrome and it was able to access the site I had just trusted with no issue but if I went to another, untrusted, address with a self-signed certfiicate (e.g. my wireless access point), Chrome told me that:

The site’s security certificate is not trusted!

You attempted to reach mydeviceurl but the server presented a certificate issued by an entity that is not trusted by your computer’s operating system. This may mean that the server has generated its own security credentials, which Google Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications. You should not proceed, especially if you have never seen this warning before for this site.

Chrome also has some excellent text at a link labelled “help me understand” which clearly explains the problem. Unfortunately, although Chrome exposes Windows certificate management (in the options, on the under the hood page, under security), it doesn’t allow addition a site to the trusted sites zone (which is an IE concept) – and that means the option to install the cerficate is not available in Chrome. In imagine it’s similar in Firefox or Opera (or Safari – although I’m not sure who would actually want to run Safari on Windows).

Before signing off, I’ll mention that problems may also occur if the certificate is signed with invalid details – for example the certificate on my wireless access point applies to another URL (www.netgear.com) and, as that’s not the address I use to access the device, that certificate will still be invalid. The only way around a problem like this is to install another, valid, certificate (self-signed or otherwise).

Generating secure passwords

Posted on By Mark Wilson
This content is 16 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

One corporate blogger at Symantec recently wrote about the useless passwords that people use (with various lists placing “password”) at or close to the top of the list. His source contained some dubious claims (e.g. it claimed that one of the top passwords across Europe is “monkey”… maybe that is the case for English speaking Europeans but it’s unlikely to be the case in French, German, Spanish, Italian, Portugese, Greek, etc., etc.) but his point is valid – systems that require a password require one for a reason – usually to protect either the data contained in the system, or the reputation/identity of the person to which access is being granted or the company who operates the system.

As a concept, the idea of a username and accompanying password is flawed – ideally we would be using another form of identification and authentication – and that should use multiple factors (something I have/know/am) but in amongst the nearly 2 hours of drivel that was last week’s MacBreak Weekly podcast (note to self: drop this subscription from iTunes) was a little gem about generating new secure passwords. The panel was advocating the use of a utility such as OnePass to generate and manage passwords when one of them said he does something similar from the command line: Unix/Linux and Mac users can type openssl rand -base64 6 to generate a secure 8 character password (the number on the end of the command needs to be multiplied by 4 thirds to get the length of password – more details of using OpenSSL to generate secure passwords are available at the tech-recipes website).

One man who knows an awful lot about security, Steve Gibson, has produced a secure online password generator but the 64-character passwords it generates are a bit extreme for most purposes – and “secure” passwords of any length create their own problem – they are totally unmemorable, so most users will resort to using some form of password safe (either online or offline), reducing the security considerably.

Then there’s the issue of password policy – some sites will limit the length of a password whilst others will require the use of special characters.

At work, I use a variety of corporate systems, some of which respect my Active Directory logon, and others (timesheeting, more timesheeting, mobile phone billing, self-service HR portal) which do not – each with it’s own password policy for password length, complexity, re-use and expiry. Then there are the hundreds of websites that I use and which require registration. It’s a usability nightmare – and many people will use the same passwords repeatedly – an identity thief’s dream.

I prefer to use a memorable passphrase, which is typically longer than a password and although it may include dictionary words they do not make up the entire password. For example, if my password needs to be changed and something is happening at that time that might be memorable I could use that – “2008HolidayinFrance” is memorable, easy to type and whilst it includes dictionary words it’s also 19 characters long so spotting the dictionary word placement might take a while for a password cracker.

Of course, there is no one answer – what works for me might not work for you. What I’m pretty certain of though is that “password” is not a good password and that re-using the same password (or variations on it) is not a good idea either.

Preparing a 1st generation iPhone for resale

Posted on By Mark Wilson
This content is 16 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

In some ways, this post is of limited value – as it’s for a first generation iPhone, running on iPhone software v1.1.4 – both of which will become old technology on Friday 11 July 2008. Even so, I expect the market to be flooded with secondhand iPhones over the next few days and contract-free devices will sell for more money than those still locked to O2. In time, the hackers will unlock v2.0 iPhones but, for now, v1.1.4 is the one to get.

I’ve been happily using my iPhone on an O2 contract since last November but, tomorrow, my iPhone auction on eBay will end and I wanted to get it ready for sale.

iPhone working with a Vodafone UK SIMLast week, I unlocked (and “jailbroke”) the iPhone using iLiberty+ v1.5.1 for Mac and tested it with a Vodafone SIM (before listing it for sale) but tonight I followed the instructions to securely wipe the iPhone before I finally send it to the new owner.

When I first jailbroke my iPhone, I found that I’d entered a whole new world of mobile application possibilities. When I first thought about getting an iPhone and using it with my previous (Vodafone) contract, I was concerned about the impact of unlocking and jailbreaking the device but I am amazed to see just how many applications the AppTapp installer provides access to (especially with the Community Sources package installed). I really hope this ecosystem of iPhone underground application development is not killed off as the official Apple App Store route to market takes over but I guess, as long as the device is tied to a particular operator in each market, there will always be people who want to use their iPhone on another network (and I found that jailbreaking takes no more effort than unlocking the device).

So, with my iPhone restored to it’s factory defaults, then jailbroken, installer added to the splashscreen, the handset activated and unlocked, I set to work installing the BSD Subsystem 2.1 and OpenSSH. At first, I was downloading applications over O2’s 2G network, which took a long time (the BSD subsystem is 5.1MB), but then I figured I could share my MacBook’s Internet connection over Wi-Fi and that speeded things up considerably.

Even though I could ping the phone (the IP address is displayed in the Wi-Fi settings), I was having trouble connecting to the phone, with my terminal session reporting:

ssh: connect to host 10.0.2.3 port 22: Connection refused

Googling turned up various posts suggesting using the BossPrefs application to ensure that OpenSSH is running but I couldn’t get BossPrefs to complete its own installation.

Eventually, I figured that I could use iLiberty+ to install OpenSSH, after which I was able to copy a previously-downloaded copy of the umount utility to the iPhone:

scp ~/Desktop/umount root@ipaddress:/sbin/umount

After entering this command, something similar to the following should be displayed:

The authenticity of host ‘ipaddress (ipaddress)’ can’t be established.
RSA key fingerprint is 8d:0c:46:44:6c:ff:25:7c:c3:d6:49:1b:6a:c5:31:8b.
Are you sure you want to continue connecting (yes/no)?

To which the, answer is yes. Then you should see:

Warning: Permanently added ‘ipaddress‘ (RSA) to the list of known hosts.

Next up, should be a password prompt:

root@ipaddress‘s password:

The default password (at least for iPhone v1.1.4) is alpine and, once this has been entered, umount should finally be copied to the iPhone:

umount                                        100%   15KB  14.6KB/s   00:00

A few more commands are used to set execute permissions on umount, to do some Unix magic with mountpoints and then to copy lots of nothingness across both the partitions, as Jonathan A. Zdziarski describes:

chmod 755 /sbin/umount
umount -f /private/var
mount -o ro /private/var
mount -o ro /
cat /dev/zero > /dev/rdisk0s2; cat /dev/zero > /dev/rdisk0s1

This will take a while (I think it was about 45 minutes in my case) and when it’s done, you should see a couple of I/O error messages and a return to the shell prompt (#):

cat: stdout: Input/output error
cat: stdout: Input/output error

The iPhone GUI is also likely to be unresponsive (that is expected).

So, with all data removed, I could put the iPhone into recovery mode once more to restore its factory settings and then jailbreak/activate/unlock it for the final time. After a test with the Vodafone SIM inside the iPhone to call my O2 SIM (in another handset) I had confirmed that the handset was successfully unlocked and ready for its new owner.