Search the Community
Showing results for tags 'secure'.
-
Am gasit un link pe care il consider util.Sursa HF How Secure Is My Password?
-
Apple uses iOS (operating system) to power many of its mobile devices such as iPhone, iPad and so on. From the beginning, security has been placed at the core of iOS. There are many inherent features that secure the device and its resources at different levels. This article aims to provide answers to questions such as the following: What really happens when an iPhone is powered on? How is data at rest secured by iOS? If the device is lost or stolen, can the attacker view or modify my personal data? How are privacy controls enforced? For ease of understanding, we wil deal with each of these topics in separate sections. Let’s begin! Boot level security mechanism In the desktop computer world, an attacker can access the data present on the hard disk even without knowledge of the password of that system. For instance, he can remove the hard disk and plug it to a different system and read the data, or he can boot the system into a different OS by using a live CD. But do you think it’s possible in the case of an iPhone? I.e., Can an attacker who has access to an iPhone remove the chip and read its data or sideload another OS to access data? Not really under normal circumstances! This is because iOS devices don’t load firmware that is not signed by Apple. Taking a look at the boot level security mechanism would help us to understand this in a better fashion. So what really happens when you power on your iPhone? When an iOS device is turned on, the processor immediately executes code known as the boot ROM. This boot ROM code is something that is designed during chip fabrication and is implicitly trusted. This boot ROM also contains root certificates of Apple which will be used to signature check the loading of the next stages. LLB (Low Level Boot loader) is the next thing that will be loaded after the signature check. LLB finishes its task and loads next stage boot loader iBoot after verifying its signature. iBoot verifies and runs iOS kernel. Thus, as shown in the following figure, at each stage a signature check is done before loading the next step. This is called “Chain of Trust”. Hence, under normal circumstances, this chain of trust ensures iOS runs on valid devices only and also verifies that the phone is not booted into another operating system. Can this signature check be bypassed so that we can flash our own boot loader? Yes it can be. Several vulnerabilities have been identified in boot ROM code which can be exploited to not only flash our own boot loader but also to bypass the signature checks of every stage. Remember that if one link is compromised, it would ultimately lead to compromise of all the other links that follow. How this can be done will be discussed in a separate post. Secure Enclave You must have heard about the finger print sensor introduced in iPhone 5S. Apple says this finger print information is encrypted and stored in a ‘Secure Enclave’ inside the phone and is never backed up to iCloud or any Apple servers. So what is this Secure Enclave and how does it work? Secure Enclave is a coprocessor created inside Apple A7 processor. All the cryptographics required for data protection are handled by this. It has a secure boot and updates which are separate from the main processor. Secure Enclave is a concept that is similar to ARM’s Trust zone technology. Following is a sample depiction of hardware architecture of trust zones. As shown above, a new mode called ‘secure mode’ is added to the processor. In simple terms, it kind of creates two-world architecture on the same device. The first world that runs normal iOS apps (user mode) and the second world that runs only trusted code (secure mode). Data written to the RAM when in secure monitor mode cannot be accessed when in user mode. The following steps compiled from iPhone5S: Inside the Secure Enclave | Fortinet Blog explain how Secure Enclave works while validating the fingerprint in iPhone 5S: User enters his fingerprint Locking service calls an API present in secure world Processor switches to secure world The bits which characterize the fingerprint move from sensor to processor This data cannot be eavesdropped or modified by any app because this process is running in secure mode which is different from user mode Necessary cryptographic verifications are done & access granted. Apple thus argues that even if the kernel is compromised, the integrity of data protection will be maintained. As per Apple’s documentation, “Each Secure Enclave is provisioned during fabrication with its own UID (Unique ID) that is not accessible to other parts of the system and is not known to Apple. When the device starts up, an ephemeral key is created, entangled with its UID, and used to encrypt the Secure Enclave’s portion of the device’s memory space”. Code Signing Apps have today become critical components of any mobile operating system. Apple believes enforcing strict security at the application level is important to ensure overall security of the device. Apple has gone to great extent to make this happen, and code signing is one step in that direction. To put it simply, Apple does not allow running any app which is not approved by it! To ensure that all apps are from a trusted and approved source and have not been tampered with, iOS requires all apps to be signed by Apple. Default apps like Safari are signed by Apple. Other third party apps are also to be verified and signed by Apple. In other words, the above discussed chain of trust principle continues from boot loader to OS to apps. But how does this actually work? Does this mean I cannot run an app developed by me if it’s not signed by Apple? In order to develop and install apps on iOS devices, developers must register with Apple and join the iOS Developer Program. The real-world identity of each developer, whether an individual or a business, is verified by Apple before their certificate is issued. This certificate enables developers to sign apps and submit them to the App Store for distribution. As a result, all apps in the App Store have been submitted by an identifiable person or organization, serving as a deterrent to the creation of malicious apps. These apps are further reviewed by Apple to ensure they operate as described and don’t contain obvious bugs or other problems. Apple believes this process would give customers more confidence in the quality of apps they buy. If corporate companies want to use in house apps for their internal purpose, they need to apply for iOS Developer Enterprise program (iDEP). Apple approves applicants after verifying their identity and eligibility. Once an organization becomes a member of iDEP, it can register to obtain a Provisioning Profile. This is the one that permits in-house apps to run on devices it authorizes. Users must have the Provisioning Profile installed in order to run the in-house apps. This ensures that only the organization’s intended users are able to load the apps onto their iOS devices. In-house apps also check to ensure the signature is valid at runtime. Apps with an expired or revoked certificate will not run. This code signing process is depicted in the following figure. Thus we have explored three major security features in iOS – secure boot process, Secure Enclave, and application signing in this article. In the next part, we will look into other security features such as data protection, encryption and so on. ‘Til then, Happy Hacking! Source
-
Secure rm (srm) is a command-line compatible rm(1) which completely destroys file contents before unlinking. The goal is to provide drop in security for users who wish to prevent command line recovery of deleted information, even if the machine is compromised. Changes: Various updates. Download Sourceforge: srm - secure file deletion for posix systems
-
A pretty shocking thing came to light this evening – Lenovo is installing adware that uses a “man-in-the-middle” attack to break secure connections on affected laptops in order to access sensitive data and inject advertising. As if that wasn’t bad enough they installed a weak certificate into the system in a way that means affected users cannot trust any secure connections they make – TO ANY SITE. We trust our hardware manufacturers to build products that are secure. In this current climate of rising cybercrime, if you cant trust your hardware manufacturer you are in a very difficult position. That manufacturer has a huge role to play in keeping you safe – from releasing patches to update software when vulnerabilities are found to behaving in a responsible manor with the data the collect and the privileged access they have to your hardware. When bad guys are able to get into the supply chain and install malware it is devastating. Often users find themselves with equipment that is compromised and are unable to do anything about it. When malware is installed with the access a manufacturer has it buries itself deep inside the system often with a level of access that often takes it beyond the reach of antivirus or other countermeasures. This is why it is all the more disappointing – and shocking – to find a manufacturer doing this to its customers voluntarily. Lenovo has partnered with a company called Superfish to install advertising software on it’s customer’s laptops. Under normal circumstances this would not be cause for concern. However Superfish’s software has quite a reputation. It is a notorious piece of “adware”, malicious advertising software. A quick search on Google reveals numerous links for pages containing everything from software to remove Superfish to consumers complaining about the presence of this malicious advertising tool. Superfish Features: Hijacks legitimate connections. Monitors user activity. Collects personal information and uploads it to it’s servers Injects advertising in legitimate pages. Displays popups with advertising software Uses man-in-the-middle attack techniques to crack open secure connections. Presents users with its own fake certificate instead of the legitimate site’s certificate. This presents a security nightmare for affected consumers. Superfish replaces legitimate site certificates with its own in order to compromise the connections so it can install its adverts. This means that anyone affected by this adware cannot trust any secure connections they make. Users will not be notified if the legitimate site’s certificate has been tampered with, has expired or is bogus. In fact they now have to rely on Superfish to perform that check for them. Which it does not appear to do. Because Superfish uses the same certificate for every site it would be easy for another hostile actor to leverage this and further compromise the user’s connections. Superfish uses a deprecated SHA1 certificate. SHA1 has been replaced by SHA-256 because attacks against SHA1 are now feasible with ordinary computing hardware. This is insult on top of injury. Not only are they compromising peoples SSL connections but they are doing it in the most cavalier, insecure way possible. Even worse, they use crackable 1024-bit RSA! The user has to trust that this software which has compromised their secure connections is not tampering with the content, or stealing sensitive data such as usernames and passwords. If this software or any of its control infrastructure is compromised, an attacker would have complete and unrestricted access to affected customers banking sites, personal data and private messages. Below is a photo showing Superfish on an affected laptop presenting a fake certificate instead of the legitimate “Bank of America” certificate. As you can see the user is presented with the fake Superfish certificate instead of the legitimate BoA certificate. The only way a user would know this has happened is if they check the certificate’s details. Something most ordinary users are unlikely to do to a certificate which to all other appearances is valid and secure. As mentioned above the certificate used by Superfish is a deprecated SHA1 certificate that uses 1024-bit RSA. This is particularly obnoxious because they have installed into the system certificates as an unrestricted trusted root certificate. To put it into context they gave it the same level of trust and authority as Microsoft’s own root certificate. Users affected by this can go to any site on the internet, and so long as it presents this certificate they will be fooled into thinking they have a secure connection. Since this certificate uses SHA1 it is feasible that an attacker could break it and hijack it. This means an attacker could create a bogus certificate that every one of these users would trust. This is unbelievably ignorant and reckless of them. Its quite possibly the single worst thing I have seen a manufacturer do to its customer base. At this point I would consider every single one of these affected laptops to be potentially compromised and would reinstall them from scratch. Lenvo’s response? Typical of companies caught with their hand in the cookie jar, they try to play it down while at the same time saying they have disabled it until it can be “fixed”: https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Lenovo-Pre-instaling-adware-spam-Superfish-powerd-by/m-p/1863174#M79882 However its hard to see how they could “fix” this software. It’s core functionality undermines the security of SSL rendering the last decade or so of work making the web secure completely irrelevant. Source
-
- certificate
- connections
-
(and 3 more)
Tagged with:
-
A New Kind of Instant Messaging With the rise of government monitoring programs, Tox provides an easy to use application that allows you to connect with friends and family without anyone else listening in. While other big-name services require you to pay for features, Tox is totally free, and comes without advertising. Instant messaging, video conferencing, and more Messages At your fingertips. You're always in the loop with instant encrypted messaging. Calls Stay in touch. Make free and secure Tox to Tox calls. Video Seeing is believing. Catch up face to face with a secure video call. Security Tox takes your privacy seriously. With leading-class encryption, you can rest assured knowing that the only people reading your messages are the ones you send them to. Download and more infos: https://tox.im/en https://wiki.tox.im
-
Una dintre cele mai frecvent utilizate functii ale smartphone-urilor este mesageria. O comunicare privata trebuie sa ramana privata, iar comunicarea in interes de servici nu trebuie sa fie, in nicio imprejurare, interceptata; sub aceasta deviza G DATA prezinta noua sa aplicatie Secure Messaging la Mobile World Congress 2015 din Barcelona. G DATA SECURE CHAT ofera securitate extrema, text multi-criptat si comunicare chat – si totodata, garanteaza transferul securizat de fisiere media, de exemplu transferul de fotografii. G DATA se bazeaza pe protocolul securizat Axolotl, care a fost initiat de TextSecure si care are deja peste 10 milioane de utilizatori din intreaga lume. G Data prezinta si alte repere la Barcelona: INTERNET SECURITY pentru Android si Mobile Device Management. Companiile isi pot pastra smartphone-urile si tabletele in siguranta, oriunde in lume, datorita solutiei mobile de securitate “Made in Germany”. G DATA va expune la Mobile World Congress 2015 de la Barcelona in Pavilionul 6, Standul 6B40, in perioada 2- 5 martie 2015. “Protectia comunicatiilor mobile si integrarea dispozitivelor mobile in concepte de securitate la nivel de companie devin din ce in ce mai importante pentru companii. G DATA se pozitioneaz? ca un lider in tehnologie in acest sector si ca furnizor de solutii de securitate IT complete,” spune Walter Schumann, CSO G DATA Software AG. Protejarea mesajelor, datelor si comunicatiilor de voce impotriva atacatorilor cibernetici, sustragerilor neautorizate de date si atacurilor spyware este provocarea majora a viitorului.” Cu SECURE CHAT oferim utilizatorilor de smartphone-uri si tablete o aplicatie usor de utilizat, care cripteaza, extrem de eficient, mesageria mobila, si astfel, ofera o protectie eficient impotriva accesului tertilor.” O versiune gratuita a aplicatiei G DATA SECURE CHAT, cu capacitati complete de criptare text, comunicare prin chat si trimiteri de imagini, va fi disponibila pe site-ul G DATA si in Google Play Store din aprilie 2015. Comunica in siguranta, fara restrictii Protocolul Axolotl permite utilizatorilor sa comunice cu un nivel ridicat de criptare, indiferent de aplicatia de mesagerie folosita. Datorita procesului de criptare bazat pe curbe eliptice, acest protocol este considerat pe plan international ca fiind extrem de sigur, fiind practic indestructibil. Singura conditie este de a utiliza o aplicatie care utilizeaza protocolul de criptare, cum ar fi G DATA SECURE CHAT sau TextSecure de la Open Whisper Systems. G DATA SECURE CHAT pe scurt: Criptare securizata end-to-end pentru chat individual si de grup Un rapid, simplu si mai presus de toate, securizat mod de a trimite imagini si fotografii utilizand criptografia Backup al istoricului pe cardul SD Criptarea prin parola a istoricului Caracteristici ale versiunii Premium (licenta de G DATA INTERNET SECURITY FOR ANDROID este necesara): Filtru antiphishing pentru URL-urile din mesajele de pe chat Filtru pentru mesajele primite si trimise si pentru SMS-uri Capacitatea de a ascunde contactele selectate prin SMS TRUST IN GERMAN SICHERHEIT G DATA la Mobile World Congress 2015: Pavilionul 6, Standul 6B40 -> Sursa: MWC 2015: G DATA lanseaza un serviciu impenetrabil de mesagerie mobila
-
ModSecurity™is an open source, free web application firewall (WAF) Apache module. With over 70% of all attacks now carried out over the web application level, organizations need all the help they can get in making their systems secure. Download: ModSecurity: Download Code
-
- application
- level
-
(and 3 more)
Tagged with: