watching you watching us . .

Mobile Phones

Skype for iPhone and iPod Touch: iOS Vulnerability allows comprimising the device address on reciveing a text message, just add JavaScript

Exploit in Skype on an iPhone or iPod touch, allows comprimise of your device’s address book simply by the attacker sending you a chat message. When the exploit code in the message is run, the victim’s iPhone will automatically make a new connection to a server, grabbing a larger payload, to execute and upload the iPhones entire address book file to the server.

“.. Type some JavaScript commands into the user name of a Skype account, use it to send a chat message to someone using the latest version of Skype on an iPhone or iPod touch, and load a small program onto a webserver. Within minutes, you’ll have a fully-searchable copy of the victim’s address book.

.. failure by Skype to sanitize potentially dangerous JavaScript commands from the text that gets sent in chat messages ..

It’s already been 48 hours since this vulnerability was first documented, and the vulnerable app is still available in the iTunes Store. It will be interesting to see how long it takes Apple and Skype to close the gaping hole ..”

“Skype for iPhone makes stealing address books a snap”
Dan Goodin, Malware, The Register UK, 20 September 2011
http://www.theregister.co.uk/2011/09/20/skype_for_iphone_contact_theft/ – last access 21 September 2011 – ( Full Article )

/cobramark3

Advertisements

Android Forensics Application

“While security on Android phone is pretty decent, applications can (and do) share data.  We take advantage of this sharing (via ContentProviders) and extract the data for forensic purposes.”

Andrew Hoog
Open Source Android Digital Forensics Application, 1st March 2010
http://computer-forensics.sans.org/blog/2010/03/01/open-source-android-digital-forensics-application/

\solarfreek


Eavesdropping on GSM Calls

” Speaking at the Chaos Computer Club (CCC) Congress in Berlin on Tuesday, a pair of researchers demonstrated a start-to-finish means of eavesdropping on encrypted GSM cellphone calls and text messages, using only four sub-$15 telephones as network “sniffers,” a laptop computer, and a variety of open source software. ”

Bruce Schneier, Schneier on Security, 5 January 2011
http://www.schneier.com/blog/archives/2011/01/eavesdropping_o_5.html – ( Full Article )

I recommend subscribing to Bruce’s cryptogram newsletters, you can also visit his blog.

\cobramark3


Independent Research and Reviews of iPhone Forensic Tools

“.. This white paper is intended for forensic analysts, corporations and consumers who want to understand what personal information is stored on the iPhone and how to recover it. The research reveals the vast amount of personal information stored on Apple’s iPhone and reviews techniques and software for retrieving this information. For questions about our research or our services, please contact us.

Note: viaForensics is independent and is not compensated in any way by the makers of the software reviewed in this white paper.

1. About this white paper
2. iPhone Forensics Overview and Techniques
3. Cellebrite UFED
4. FTS iXAM
5. Oxygen Forensic Suite 2010 PRO
6. Micro Systemation XRY
7. Lantern
8. MacLock Pick
9. Black Bag Technology Mobilyze
10. Zdziarski Technique
11. Paraben Device Seizure
12. Mobile Sync Browser
13. CellDEK
14. EnCase Neutrino
15. iPhone Analyzer
16. Overall Rankings
17. Report Conclusions ..”

Andrew Hoog and Katie Strzempka, viaforensics, November 2010
http://viaforensics.com/education/white-papers/iphone-forensics/ – last access 26 November 2010 (Full Article )

\cobramark3