BLCOMP Newsletters

July 2015

In This Issue...

1) iOS 7 - iPhone 5S - Thumbprint Cracked (Updated)
2) iOS 7 - Auto Update - Needed???
3) SQRL and why we need it
4) CryptoLocker - Terrorism and Ransom-ware on the Internet
5) Lose Your Personal Data - Wireshark in Internet Cafes



iOS 7 - iPhone 5S - Thumbprint Cracked - Updated

Well it didn't take long for the new Apple iPhone 5s TouchID to be hacked...
You give enough hype on how secure something is and it's only a matter of time before someone or some group takes on the challenge of trying to hack it...

Well I'm sure there are many groups / individuals out there trying to hack the iPhone 5s's thumbprint technology... Which by the way is a very handy way of storing one's password... But isn't that the problem with security today?!?

The more convenient a device is the more unsecured it is?!? Why can't security be convenient?!?
Oh well... We use strong passwords today to prevent someone else from using our systems... And then we assign it to a thumbprint hoping it stays secure... Only to find out someone has found a way to bypass the security and have full access to our device... Arrrgh...

Apple is not the first to try this... In fact notebook manufacturers have been using fingerprint technology for many years... They also have gone through many types and many generations... The difference is they found static fingerprints were easy to copy... So they use a swiping system to prove the user is who they say they are... Not a copy...
Apple says their tech checks for more than the static checks... But there are videos out there saying otherwise... Maybe they are faked?!? Maybe they are real?!? I just know I won't be trusting my passwords to a fingerprint or a picture... (Face Recognition on the Android Systems)... The technology is still in the early development stages... And I for one can remember my passwords...
Although it is inconvenient to enter them all the time when needed... But it is secure!!! Isn't that what we want?!?

FYI - there is a group saying they cracked it that I found on the Internet... Their claims are theirs and theirs alone... We here are not associated with them whatsoever... And we do not justify or agree with their concepts... We just find it interesting that they claim this so fast... What, in less than 4 days of the 5S going on sale?

The site is: http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid

See for yourself and form your own ideas... Like I said before I will not be using any fingerprint or face recognition to store any of my passwords in the near future...


Not even a week into the upgrade and there is an official update (7.02) to work out the bugs found with the login bypass screw-up... Between us, after the minor upgrade I noticed the battery indicator seems to work correctly, like before the major upgrade!



iOS 7 - Auto Update - Needed???

A new operating system and more problems...

This however was really not foreseen (I hope)...

The issue I find is the new operating system iOS 7 has a few new services, one being automatic application updates. On the one hand it seems like a great idea...

With all the updates the owner of an iOS device sees... It's very nice for the device to do the update itself, instead of the operator opening an app only to find there is a much-needed update before it can be used... Like I said before, very handy... However... The more apps one has, the more updating is expected and the more bandwidth is needed to do the updates...

This doesn't sound too bad, but let's say just one device is always updating, maybe an average of 2-3 apps per hour... Maybe less... Maybe more... The device is always checking and polling the Apple servers... Again nothing new... But what is new is if an update is found it will automatically update your app (hopefully no issues will arise during this process) and use bandwidth while doing so... If one has a very nice network with no bandwidth issues or limitations then no problem...

But with today's Internet bandwidth caps and multiple node connections with Internet sharing it becomes an issue...
Now let's put more than one iOS 7 device on the same network... It becomes evident very fast that this is now a major issue... Just think, 3 devices (an example only) all trying to automatically update, usually with the same apps, causes a very crazy bandwidth issue when the updates are available... And if anything else is using the network, say a Skype app (a very big bandwidth hog), then something has to give...

Limited bandwidth is like a garden water pipe with water running through it. With only one feed connected, say a sprinkler, you've got a very nice pressure system running throughout it. Now connect 3 more sprinklers to the first and what happens?!? The pressure is weak... Still there but not as strong... Same as bandwidth... What would take 5 mins per app to install now turns to 20 mins per app... And don't forget that Skype connection... Most likely full of pauses or digital video bumps... It might be an idea to turn off the automatic feature (like pre iOS 7) and update in manual mode... That way you choose the day and time the updates happen... If maybe in iOS 7.1 you can set the time to do the auto update (maybe when you sleep) then set it back to auto update... Until then I will disable all my iOS 7 devices from automatic updating...



SQRL and why we need it

It might be called SQRL, Secure QR Logins, Another Protocol, A God-Send....

Whatever you want to call it WE NEED IT!!!

Let's look back to the recent past... A typical issue would be person A (the soon to be unhappy one) is in a coffee shop having a relaxing hour and thought it would be a good idea to log into their bank on the coffee shop's wireless network. Person B (the not so smart one, but who knows where to get the right software on the web today) is also in the same coffee shop with his normal looking computer / screen, doing what looks to be a normal event at the coffee shop, configured to act as a MITM setup (that's Man In The Middle Setup).

What happens in this issue is when person A connects to the wi-fi of the coffee shop to go to any secure area over the web, he also connects through person B's computer acting as MITM for all communications, not knowing he is giving ALL his security information to person B to do with as they want in the future. When person A then leaves (or is even still there but logged out of the bank) person B might then log in to person A's bank and transfer funds out to wherever they want to... Scary, no?!? But this happens all the time!!!
Person A doesn't know what happened until they log back into the bank next time...
Yes I know the banks are getting smarter with their internal checks and balances... But what about the stock markets, personal web sites, government web sites, credit card sites, Facebook, online job sites, online stores, simple sites where we use the same login credentials as everywhere else???

Once person B has all the login information they need, all they have to do is login to said site and data mine anything they need to impersonate person A with and then they can do a lot of damage to person A's credit / online persona....

We all say it will never happen to me because I use the latest technology around... So does person B!!! And like I said, person B just has to know where the software is on the web, with some simple instructions... They do not have to program it...

Now we have SQRL (Secure QR Logins)... Hopefully to become a web standard soon... With SQRL and the above issue (person A & B) we get the same problem... But the login information person B is looking for is bypassed... They might see data coming and going, but the login information is not only encrypted but also handled offsite via a phone or such... Once securely logged in and communicating over a secure connection, person B sees nothing they can use and is now defeated...

To get the details of the proposed SQRL, check out this site (https://www.grc.com/sqrl/sqrl.htm) and you will get all the needed information you could use... But to the simple people out there in web land... SQRL is a technology that is so simple and secure, it's a wonder we haven't used it by now...

What happens is at a login screen (that is set up with SQRL) person B has the option of entering their login credentials or scanning the QR code on the screen with their phone. After scanning with the phone, the app (on the phone) then uses a pre-secured setup with the website / service to remotely log the user in to the site... If done correctly person A sees their login credentials automatically enter and they are now logged in. It bypasses the keyboard, mouse and mostly the unsecured web traffic...

We need this technology so bad it isn't funny... It would stop viruses, key loggers, key sniffers, Trojans, MITM attacks, corrupted software and just anything out there that can steal a password in any environment... (Coffee shop, Public library, Internet CAFE, Public Kiosk...)

Another issue would be person A is in a School Library doing research for their school paper. After getting all the info they need they log into their remote email system thinking they are secure... What they don't know is person B has installed either hardware key loggers or virus software onto the computer to log all keystrokes from person A. After a set period of time (say a week) person B grabs all the keystrokes collected and runs them through a special software package (again easily obtained from the web) and now has person A's login credentials to do anything they want to do with... With SQRL this would be stopped!

Whatever software technology we use it's a fact we need something to stop these attacks!!! Too many people out there are getting spoofed (a term: a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage) and it needs to stop! We use the web so much these days and just to prove it's the right person doing the transaction is almost impossible. I know myself I will be using SQRL... I see the need so much... And I don't want to be spoofed!



CryptoLocker - Terrorism, Ransom-ware and Hijacking on the Internet

If you haven't heard of it yet then consider yourself Very Lucky...

It's the main reason one needs to have a Cold Backup ready and updated. A cold backup is a backup that is not live or connected to your computer. A Live or Hot backup is a backup solution that is always connected to your computer. A hot backup is very convenient, more so than a cold backup. In fact a cold backup is very inconvenient and could also save you $300.00 US.

Let's backup a bit... (Pun noted)... You have your computer with a lot of important files on the system. You know you cannot do without those files (pics, documents, files etc...) and being a smart person you back up those important files. The most common way is an attached drive (USB or NAS) and copy over any changed files... Another way is to copy the files to a USB ext HDD and detach the drive, or run a cold cloud backup such as Carbonite. Note here that Dropbox is a great example of hot backup, not cold. The point of cold backup is the computer system cannot see it at any time. With NAS (Network Attached System) and USB always connected, or cloud servers like Dropbox, the computer system can always see the data and modify it when needed... Like I said before, very convenient but not practical with CryptoLocker.

CryptoLocker is at the very least Cyber Terrorism at its best. A secret server on the Internet (which always changes) holds your data Hostage until you pay the terrorists. You have limited time before your data is lost forever, and if you attempt to fix the computer you automatically lose the data.

The data remains on the computer at all times with a list of files the program has encrypted and the master keys are on the remote server with the countdown. The terrorists await your payment via the Internet (anonymous non tracking payments) and then send you the unlock keys to decrypt your files. The encryption uses the latest technology and is useless without the unlock keys.

Authorities can always shut down the servers when found on the Internet, but a new server will pop up somewhere random later. When the Authorities shut down the server, all the Private keys stored on that server, being used to keep hostage the data of many computers, will be lost, never to be used again, and thus lost forever. The private keys are generated only one time on the infected computer and transmitted to the random server being shut down. When lost they will never be generated again, thus losing any chance of getting the unlock keys ever again. The sad point here is there might be up to 1000 private keys awaiting payment on the server being shut down. True, the terrorists will never be paid for those 1000 hijacks, but it also means 1000 people with lost data never getting it back ever.

If you have a cold backup then using the list you can restore the files based on the last backup yourself and not pay the terrorists. You are now saying why not use the hot backup like the cold backup?!? The answer is when the Virus / Trojan starts to encrypt the data it doesn't stop at local files, it continues to all files the computer can see. Then it sends out the private key for the encryption and gives the operator on the screen the public key only. The private key is nowhere on the local computer and thus the Hijacking of your data.
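The restore-from-the-list step described above, as an added example (not code from the newsletter): it copies each listed file back from a cold backup that has been reconnected after the machine is cleaned, keeps the encrypted copy aside, and skips anything it cannot restore. The function name, folder layout and sample files are constructed for illustration.

```python
import shutil
import tempfile
from pathlib import Path


def restore_from_cold_backup(listed_paths, data_root, backup_root, aside_root):
    """Restore each listed file from the cold backup; return (restored, skipped)."""
    data_root, backup_root, aside_root = (
        Path(p).resolve() for p in (data_root, backup_root, aside_root))
    restored, skipped = [], []
    for entry in listed_paths:
        entry = entry.strip()
        if not entry:
            continue
        victim = Path(entry).resolve()
        try:
            rel = victim.relative_to(data_root)  # refuse paths outside data_root
        except ValueError:
            skipped.append((entry, "outside data root"))
            continue
        clean = backup_root / rel
        if not clean.is_file():
            skipped.append((entry, "not in backup"))
            continue
        if victim.exists():
            # Keep the encrypted copy aside instead of deleting it.
            kept = aside_root / rel
            kept.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(victim), str(kept))
        victim.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(clean, victim)
        restored.append(entry)
    return restored, skipped


def demo():
    """Constructed sample: three paths listed, only one of them is in the backup."""
    work = Path(tempfile.mkdtemp())
    data, backup, aside = work / "data", work / "backup", work / "aside"
    (data / "docs").mkdir(parents=True)
    (backup / "docs").mkdir(parents=True)
    (data / "docs" / "report.txt").write_bytes(b"\x8f\x02ciphertext")
    (data / "docs" / "new.txt").write_bytes(b"\x11\x90ciphertext")
    (backup / "docs" / "report.txt").write_text("quarterly report")
    listed = [str(data / "docs" / "report.txt"), str(data / "docs" / "new.txt"),
              str(work / "elsewhere.txt")]
    restored, skipped = restore_from_cold_backup(listed, data, backup, aside)
    return data, aside, restored, skipped
```

Files reported as "not in backup" are the ones created or changed since the last cold backup, which is why the backup has to be kept updated.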

Cyber Terrorism is Very Illegal. That is, if you get caught!!! The way they accept payments, you cannot trace them and cannot follow the money (Bitcoin and MoneyPak). How they track the payments is via the public key working with the private key. Somewhere someone will reverse the programming and fix this issue...

The only good thing that comes out of this is it makes us practice good backups using cold backups. To pay the terrorists only promotes the continuation of Virus / Trojans like this. If we could stop this from happening or make it very hard to get payments to the fools who made this program then it would stop.

Not to promote Cyber Terrorism or the use of CryptoLocker, but the technology uses the very best of cryptology for the wrong use. I believe it uses RSA-2048 bit encryption at its heart for the Cyber Terrorism. Like I said, we here don't condone CryptoLocker, in fact we despise the use of it.

Now for the most important information one needs to avoid this. So far it only attacks Windows machines. It comes in as an email attachment or a spoofed web site. The email attachment hopes you have HTML preview enabled (it is by default on 90% of all Windows email programs) and it automatically installs itself using the program run command. The spoofed web page tries to run the Java install program when viewing the web page. Which files CryptoLocker can change and encrypt depends on your login credential level. The higher the user level, the higher the number of files it can change. In any case the new OS's (operating systems) will try to warn you before installing CryptoLocker. Unfortunately CryptoLocker uses many tricks to fool the average user into installing the program, and web statistics prove it's out there and the terrorists are making money.

Another problem that can arise is if you are on a network (say at work) with access to shared files that people rely on and you get infected with this horror, just imagine the outcome... Not only the user's local files will be encrypted but also the shared files used by the team, and maybe the virus will copy over to the team computers... What an issue this worst case development could be!!!

If you need more information on this you can see the Security Now Web Podcast on CryptoLocker or the Cryptolocker Ransomware Information @ www.bleepingcomputer.com and educate yourself to protect you and people you know. The last thing you want is to mess with this new form of Ransom-ware!



Lose Your Personal Data - Wireshark in Internet Cafes

Before we start, we at BLCOMP do not promote the use of programs like Wireshark. We do promote the use of VPNs.

Do you want to Give Everyone in a 1 Block Radius All your Personal Information???
If the Answer is yes then Go to Starbucks or Tim Hortons or Any Coffee Shop that operates Free WiFi and have just one person running a packet sniffer in the background and watch the fun begin. All a person needs to do is google a free program called "Wireshark", download it and install it. Go to the first Coffee shop with all the people using their phones / computers / tablets and turn on the program after connecting to the establishment's wi-fi. Be sure to be quiet and look at all the free data you will receive... Guaranteed you will be shocked at what data you'll get... Every email in that area, usernames, passwords, login credentials, bank info and much more... This is because most traffic is handled in plain text and not encrypted... The person getting the info doesn't even have to know how it works... They just download and run the program, which does all the work. It even groups the data for you... How nice, hmmm????


Here is the fix... Use a VPN... (Very Private Network Software) It encrypts the traffic from the device you are using to an internet end point, through the current internet gateway (the coffee shop)... Some of the VPNs are Free... Some you have to Pay for... As in anything, you get what you pay for... But even a free VPN is better than nothing... The point is the person (the attacker) grabbing the Data through Wireshark sees Encrypted Data Only... It looks like Random Text. It is so simple to set up and use a VPN... But people do not use it, and they get taken to the cleaners...

Example: You are accessing your bank and you log in thinking it's secure... Yes, after logging in you are secure (mostly), but the login side is not secure... The attacker now has your login info and can now log in to your bank at their convenience, posing as you to do whatever they want.

Example: You pay for something online using your credit card... now the attacker has your credit card number with security number with all the dates needed.

I for one am foolish for doing this (No VPN at Tim Hortons)... not anymore... do the right thing...

Get a VPN or find someone to set it up for you!
