Posts Tagged ‘you must learn’

A Simple, Yet Cautionary Tale

Friday, December 28th, 2012

While we don’t normally cover web development security basics, or find much to report when poking around in iOS apps, a great example of independent investigative tech journalism related to these topics broke late last week. On Nick Arnott(@noir‘s) blog Neglected Potential, he expands on a previous post involving how data is stored within an app(nice shout-out to a personal fave, PhoneView by Ecamm,) to talk about how it communicates with whatever services it may be hooked up to. Generally speaking, SSL and PKI don’t magically solve all our issues(as comically referred to here: This is 2012 and we’re still stitching together little microcomputers with HTTPS and ssh and calling it revolutionary,) and end users reflexively clicking ‘accept’ on self-signed cert warnings is the front lines of the convenience vs. security battle. No, you shouldn’t send auth in plaintext just ’cause it’s SSL. (Yes, you should be seeding any straggler self-signed certs on the devices in your purview so you don’t need to say ‘just for this ONE sites self-signed cert, please just click Continue’.) The fact that a banking users SSN number was being sent to the app on every communication was… surprising, and corrected immediately after the heightened interest resulting from the aforementioned blog post.

Security via public trust

Security via public trust

After the publicity surrounding the post, however, folks were reassured by getting an immediate audience with the Director of Engineering at Simple, Brian Merritt(@btmerr.) Perhaps the flaw may have been considered too contrived a process for traditional(read: an email to their security team) channels at Simple to respond in a way that satisfied Mr. Arnott before he went ahead and published his post. “If only Jimmy had gone to the police,” the saying goes, “none of this would have happened” – please do note that while responsible disclosure was attempted, the issue is with PKI and not Simple itself, and updates were added to the post when clarifications were worth mentioning to present the facts in an even-handed manner. A key take-away is the fact that there is no live, zero-day exploit going on, just the relative ineffectiveness of PKI being exposed.


Although a process can enable the snooping of traffic, by default proxy’d SSL wouldn’t be allowed to start a session

But even more importantly, the fact that observing the traffic was even possible (thanks to CharlesProxy, also recently mentioned on @tvsutton‘s MacOps blog) highlights the ease with which basic internet security can be thwarted, and how much progress is left to be made. Of the improvements out there, Certificate Pinning is one of those ‘new to me’ concept enhancements regarding PKI, which luckily already has proposals in for review with the IETF. (An interesting contender from about a year ago is expounded on at the site.) There are quite a few variables involved that make intelligent discussion of the topic difficult for amateurs, but the take-away should be that you can inspect these things yourselves, as convoluted as it may be to get to the root cause of security issues. Hopefully we’ll have easier-to-deploy systems that’ll enable us to never ‘give up’ and use autosign again.

Thanks to Mr. Merritt, Michael Lynn and Jeff McCune for reviewing drafts of this post.

SANS Mac OS X Fundamentals Now Avaliable

Tuesday, August 21st, 2007

The SANS Institute recently released a course by Charles Edge on Mac OS X Security Fundamentals. The course is described in the following manner:

“SANS is the leader in Information Security. This course on securing Mac OS X is the fastest way and most comprehensive way to get up to speed on applying the principals of the information security industry to the Mac. Written and taught by one of the security veterans of the Mac community, this course covers how real world security concepts are applied to the Mac with real world examples from the Mac community. The course offers a balanced mixture of technical issues making it appealing to attendees needing to understand how to effectively secure a Mac.

We begin by reviewing existing Mac exploits and then move on to covering the basic concepts and challenges of securing a Mac. Next, we review the standard security measures that should always be employed and the usability implications of each. We cover forensics, intrusion detection, firewalls, web browsers, mail programs, network infrastructure, preferences, system policies, command line tools, encryption, hardware and OS X Server. Through the course you will find thorough coverage of defense in-depth on the Mac platform.

If you’re a newcomer to the field of information security but a long time user of the Mac or a newcomer to the Mac but a long time information security expert then this is the course for you. You will develop skills that will help you to bridge the gap between the Mac administrators and the security administrators in most organizations. You will also learn the ins and outs of keeping your data private.

This is an ideal course for anyone charged with securing Mac systems. From securing a desktop to the high availability options available on the platform, this course is going to be a whirlwind overview of the Mac that will leave you ready to move to the next level!”

For more information on the course, see the following link: