Thursday, May 27, 2010

Apple’s iPhone security flaw

Bernd Marienfeldt and Jim Herbeck have discovered that a fully up-to-date, non-jailbroken iPhone 3GS can be plugged into a computer running Ubuntu Lucid Lynx that will allow nearly full read access to the iPhone's storage, even when it's locked by pin authentication.

Bernd states in his write up that:
“This data protection flaw exposes music, photos, videos, podcasts, voice recordings, Google safe browsing database, game contents… by in my opinion the quickest compromising read/write access discovered so far, without leaving any track record by the attacker. It’s about to imagine how many enterprises (e.g. Fortune 100) actually do rely on the expectation that their iPhone 3GS’s whole content is protected by encryption with a PIN code based authentication in place to unlock it.

The contents sample have been collected off a non jail broken iPhone 3GS (with latest iPhone OS installed, all apps fully up to date and immediately PIN lock enabled) by simply connecting it powered off via USB to a Linux Lucid Lynx PC (10.04) and then switched back on – being automatically mounted with given insecurity and never been attached to the PC before.


Other exposed contents and OS behavior has to be further investigated. The write access could also lead into triggering a buffer overflow.”


This will be a big issue for enterprises who think that the data held in the device is encrypted and secure. Check out Bernd’s full write up at his blog - HERE

Tuesday, May 25, 2010

U.S. Deputy Defense Secretary Notes Cyber Command’s Significance

U.S. Deputy Defense Secretary William J. Lynn III called the establishment of U.S. Cyber Command at Fort Meade, Md., today a milestone in the United States being able to conduct full-spectrum operations in a new domain.

Lynn spoke to reporters in his office before attending the stand-up of the command. During the ceremony, Army Gen. Keith Alexander, Cyber Command’s top officer, pinned on his fourth star and uncased the colors of the new command.

The command is the latest in a series of steps that will better protect military networks, Lynn said, as it combines a confederation of task forces into a formal sub-unified command.

Cyber Command will report to U.S. Strategic Command based at Offutt Air Force Base, Neb. Lynn has led the effort to stand up the command since Defense Secretary Robert M. Gates directed its establishment almost a year ago.

The new command will centralize cyberspace operations. The cyber domain, Lynn said, is as important as the land, sea, air and space domains to the U.S. military, and protecting military networks is crucial to the Defense Department’s success on the battlefield.

The U.S. military is more dependent than any other military on information technology, and that is a major reason why the U.S. military is the best in the world, Lynn said. The military must be able to protect its computer networks and must ensure freedom of movement in the domain to be able to operate on networks around the world, he added.

“We want to be able to maintain those advantages and protect the military missions, and that is the main mission of Cyber Command – it is to protect the military networks,” the deputy secretary said. “It will have a role, though, in protecting the government’s networks and critical infrastructure.”

Cyber Command draws existing cyber capabilities and places them under one organizational structure, Lynn said. And with a four-star general in command, he noted, Cyber Command can deal with the combatant commands on an equal basis.

“It will be the place where the Department of Homeland Security will come to on cybersecurity matters,” Lynn said. “And it will help rationalize the interagency process.”

About 1,000 people will work at Cyber Command at Fort Meade, most shifting over from existing task forces. The services will provide their cyber organizations: Army Forces Cyber Command, the 24th Air Force, the 10th Fleet and Marine Forces Cyber Command.

How the command will implement policies remains to be seen, Lynn said, because cyber capabilities have outpaced policy. However, “substantial progress” has been made in certain areas, he said.

Today marks the command’s attainment of initial operations capability. Full capability is set for Oct. 1. “That didn’t happen in isolation – we’ve been training people up, we’ve had task forces, we’ve made investments – this is sort of a capping step,” Lynn said.

The Defense Department has made substantial progress in working with defense industries, Lynn said. Officials wanted to share concerns about the cyber threat and best practices, but there were legitimate concerns about protecting proprietary information.

“I think we’ve worked through a lot of that,” Lynn said. “We’ve been able to work with the industry and share information about the threats and show them what we think is coming at them. I think we will be able to build further on that.”

The department also has made progress internationally. Lynn traveled to Great Britain and Australia to begin that process, and will travel to Canada to continue the outreach. This entails shared warning and shared technologies, and Cyber Command will be part of the outreach, he said.

Lynn acknowledged that more progress is needed on the many legal issues related to cybersecurity. A U.S. interagency team is looking at the laws of war and the application to the cyber domain. What is an attack in the cyber world? How does a nation respond to an attack? What does sovereignty mean in regard to the Internet?

“We’re in the midst of a series of meetings the White House is leading to work through a lot of those legal issues,” Lynn said. “We’ve made progress organizationally, industrially and internationally, but the legal regime in particular is an area we need to tackle further.”

And the threat continues to grow, he said.

“The first thing you say about this threat is that it’s asymmetric,” Lynn said. “It doesn’t take the resources of a nation state to launch cyber war. Nations still have the best capabilities, but you can do very threatening and damaging things with modest investments.

“Our ability to predict where the threats are coming [from], even in conventional threats, is remarkably poor,” he continued. “We didn’t see Desert Storm coming. We didn’t see the series of events that led to Afghanistan. Foreseeing the threats in cyberspace is harder. With Cyber Command, I think we need to be prepared for the unexpected.”


----
Jim Garamone
American Forces Press Service