<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>NetStumbler</title>
	<atom:link href="http://www.netstumbler.com/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.netstumbler.com</link>
	<description>The award-winning wireless networking tool and the best source for your daily Wi-Fi, WiMAX, 3G and VoIP news.</description>
	<lastBuildDate>Fri, 19 Sep 2014 17:52:12 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Wi-Fi Security &#8211; The Rise and Fall of WPS</title>
		<link>http://www.netstumbler.com/2013/01/18/wi-fi-security-the-rise-and-fall-of-wps/</link>
		<comments>http://www.netstumbler.com/2013/01/18/wi-fi-security-the-rise-and-fall-of-wps/#comments</comments>
		<pubDate>Fri, 18 Jan 2013 18:45:03 +0000</pubDate>
		<dc:creator>Brad Slavin</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.netstumbler.com/?p=3082</guid>
		<description><![CDATA[Wireless local-area networks which are also referred to as WLANs or Wi-Fi are prevalent these days. They are so popular that they can be found installed in offices, colleges, hotels, cafes, and even homes. There are many Wi-Fi product vendors and service providers, providing different products with different services and features. The main reason behind [...]]]></description>
				<content:encoded><![CDATA[<p>Wireless local-area networks, also referred to as WLANs or Wi-Fi, are prevalent these days. They are so popular that they can be found installed in offices, colleges, hotels, cafes, and even homes. There are many Wi-Fi product vendors and service providers, offering different products with different services and features. The main reason behind their popularity is the convenience, mobility and ease of implementation they provide compared to wired networks. The end user can easily access the network without the hassle of managing cables.</p>
<p>Wireless networks are based on the Institute of Electrical and Electronics Engineers (IEEE) 802.11 set of standards for WLANs. The IEEE 802.11 network protocol standards are listed below.</p>
<h2>Protocols</h2>
<p><center><img class="alignnone size-full wp-image-3086" alt="figure-1" src="http://www.netstumbler.com/wp-content/uploads/figure-1.png" width="650" height="338" /></center></p>
<p style="text-align: center;">802.11 network standards are shown in Figure 1.<br />
<strong style="line-height: 28px;">Figure 1. 802.11 Network Standards (source: http://www.wikipedia.org)</strong></p>
<p>Some years back, wireless networks were only a niche technology used for very specific applications. But nowadays they are everywhere and every now and then we find a new Wi-Fi access point through our smart phones, tablets or laptops – most of which are not even secure.</p>
<p>Most of us have used these access points at some point in time to access the Internet without realizing how much (In)security they provide.</p>
<p>An insecure Wi-Fi network poses a threat not only to the owner but to every user that accesses it. The first line of defense for a Wi-Fi network is encryption, which protects the data transmitted between the Wi-Fi enabled device (smart phone, tablet, laptop etc.) and the wireless router. The Wi-Fi Protected Access (WPA) protocol and the more recent WPA2 have replaced the older and less secure Wired Equivalent Privacy (WEP). It is better to go with WPA2, as WEP is relatively easy to crack. Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks by providing encryption mechanisms. But common users know little about wireless security and are put off by the options available for setting up these methods.</p>
<p>Because of this lack of awareness and implementation issues with these protocols, in 2007 the Wi-Fi Alliance introduced Wi-Fi Protected Setup (WPS), which allows home users to easily add new devices to an existing Wi-Fi network without entering long passphrases.</p>
<p><span id="more-3082"></span></p>
<p>Wi-Fi Protected Setup (WPS), originally known as Wi-Fi Simple Config, is a computing standard that attempts to allow easy establishment of a secure wireless home network. Almost all major Wi-Fi product vendors (Cisco/Linksys, Netgear, D-Link, Belkin, Buffalo, Technicolor, etc.) have WPS-certified devices. WPS is activated by default on almost all WPS-supporting devices. The main purpose of the standard is to provide usability along with security.</p>
<h2>Usage Methods</h2>
<p>WPS provides four usage modes for adding a new device to an existing network, which are explained below. But first, some terminology that will be used in the explanation:</p>
<p><strong>Enrollee</strong>: A new device that needs to be added to the network and does not have settings for the wireless network.</p>
<p><strong>Registrar</strong>: The entity that provides the wireless settings to the enrollee.</p>
<p><strong>Access Point (AP)</strong>: The device that hosts the wireless network and acts as an intermediary, passing messages between the enrollee and the registrar.</p>
<p>The four modes provided by WPS can be classified into two groups, in-band and out-of-band, based on the channel used for the information transfer.</p>
<p><strong>In-Band modes</strong>:</p>
<p>Currently only these two modes are covered by WPS certification.</p>
<p><strong>Push-Button-Connect (PBC)</strong>:</p>
<p>The user merely has to push a button, either a physical or a virtual one, on both the Access Point (or a registrar of the network) and the new wireless client device (enrollee). Support of this mode is mandatory for Access Points but optional for connecting devices. Figure 2 shows a Windows 7 machine as an enrollee. PBC on the AP will only be active until authentication has succeeded or has timed out after two minutes (or whatever period the vendor has specified). This option is called wps_pbc in wpa_cli, the text-based frontend that interacts with wpa_supplicant; wpa_supplicant is a WPA supplicant for Linux, BSD, Mac OS X, and Windows with support for WPA and WPA2.</p>
<p><img class="aligncenter size-full wp-image-3087" alt="figure-2" src="http://www.netstumbler.com/wp-content/uploads/figure-2.png" width="516" height="275" /></p>
<p align="center"><strong>Figure 2. Activated virtual push button (Windows 7: Enrollee)</strong><br />
<em>Source: http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf</em></p>
<p><strong>PIN Mode</strong>:</p>
<p>In this method a Personal Identification Number (PIN) has to be read from either a label or the display unit of the new wireless device. Figure 3 shows a WPS PIN on the label of a D-Link router. This PIN must then be entered at the representative of the network (usually the AP). Alternatively, a PIN on the Access Point may be entered into the new device. This can also be described in terms of the registrar, as follows.</p>
<p><strong>Internal Registrar</strong></p>
<p>The user enters the PIN of the Wi-Fi adapter into the web interface of the AP. This option is called wps_pin in wpa_cli.</p>
<p><strong>External Registrar</strong></p>
<p>The user enters the PIN of the AP into a form on the client device (e.g. computer).</p>
<p>This option is called wps_reg in wpa_cli.</p>
<p>The PIN Method is a mandatory standard method; every Wi-Fi Protected Setup (WPS) certified product needs to support it.</p>
<p><img class="aligncenter size-full wp-image-3088" alt="figure-3" src="http://www.netstumbler.com/wp-content/uploads/figure-3.png" width="455" height="432" /></p>
<p align="center"><strong>Figure 3. WPS PIN on D-Link router</strong><br />
<em>Source: http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf</em></p>
<p><strong>Out-of-Band modes</strong>:</p>
<p>These two modes are not covered by WPS certification.</p>
<p><strong>Near-Field-Communication (NFC) method</strong>:</p>
<p>In this method the user merely has to bring the new client adjacent to the Access Point to permit near field communication between the two devices. The NFC method offers strong protection against adding an unintended device to the network. Support of this mode is optional and it is not widely deployed.</p>
<p><strong>USB method</strong>:</p>
<p>In this method the user uses a USB drive to transfer data between the new client device and the Access Point of the network. Support of this mode is optional but deprecated.</p>
<h2>Protocol</h2>
<p>Wi-Fi Protected Setup doesn’t add security features to devices. It simply makes the existing security features easy to enable and configure. One of the key elements of the WPS protocol is the Extensible Authentication Protocol (EAP). EAP is an authentication framework often used in wireless networks and point-to-point connections. It provides for the transport and usage of keying material and parameters generated by EAP methods.</p>
<p>The WPS protocol consists of a sequence of EAP message exchanges that are initiated by a user action and relies on an exchange of descriptive information that precedes that user action. This descriptive information is transmitted through a new Information Element (an information component which, combined with other information, provides the required information product) that is added to the beacon (a management frame sent periodically by the AP), the probe response and optionally to the probe request and association request/response messages.</p>
<p>The IEs carry the device’s supported and currently configured configuration methods, in addition to purely informative type-length-value (TLV) fields.</p>
<p>A human trigger is required to initiate the actual protocol session after the capabilities of the devices on both ends have been identified. The session consists of 8 messages followed by a message indicating that the protocol has completed (in the case of a successful session). The exact sequence of messages may differ when configuring different kinds of devices (AP or STA).</p>
<p>Until very recently this protocol was used to provide the users with a feature of easy implementation of security on their Wi-Fi networks, but a recently discovered flaw has again put the wireless networks, and hence the users, at risk.</p>
<h2>Security Issue</h2>
<p>In December 2011 a freelance information security researcher <strong>Stefan Viehböck</strong> reported a design and implementation flaw in WPS that makes it vulnerable to a very basic hacking technique: brute-force attacks are feasible against WPS-enabled wireless networks. Simply put, an attacker tries thousands of combinations in rapid sequence until he/she happens on the correct 8-digit PIN that allows authentication to the device. A successful attack on WPS allows an unauthorized user to gain access to the network. Viehböck’s research paper can be found at http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf. This vulnerability was also independently uncovered by <strong>Craig Heffner</strong> of Tactical Network Solutions, and involves how the router responds when incorrect PINs are entered. When a PIN is entered, a router implementing WPS indicates whether the first or second half of the PIN is correct or not.</p>
<p>The vulnerability revolves around the acknowledgement messages transmitted between the registrar and enrollee during the validation of a PIN. The PIN, which is printed on the label of each WPS-enabled Wi-Fi router, is an 8-digit number. As the last digit is a checksum of the previous digits, there are seven unknown digits in each PIN, yielding a total of 10<sup>7</sup> = 10,000,000 possible combinations. The first and second halves of the PIN are validated and reported separately by the registrar when an enrollee tries to gain access through the PIN.</p>
<p>Now the maximum number of guesses required for PIN recovery is 11,000 (10<sup>4</sup> = 10,000 for the first half + 10<sup>3</sup> = 1,000 for the second half). This is a reduction of several orders of magnitude from the number of PINs that would have to be tested in the absence of the design flaw (i.e. 10<sup>7</sup> = 10,000,000). The result of this flaw is a practical attack that can be completed within hours. The difficulty of exploiting this flaw depends on the vendor’s implementation of WPS, as Wi-Fi router manufacturers could guard against this attack by slowing down or disabling the WPS feature after a number of failed PIN validation attempts.</p>
<p>Two tools have been developed as proof of concept to demonstrate that the attack is practical. Tactical Network Solutions, the Maryland-based firm that released the first tool, ‘Reaver’, states that it had been aware of the vulnerability since early 2011. Tactical Network Solutions decided to release the tool after the vulnerability was made public. It is also selling a commercial version called ‘Reaver Pro’ with some more features. Reaver is hosted on Google Code at http://code.google.com/p/reaver-wps/. Its authors say that it can recover a router’s plain-text WPA or WPA2 password in 4 to 10 hours, depending on the access point.</p>
<p>The second tool is a PoC brute force tool implemented in Python. It is a bit faster than Reaver but supports fewer wireless adapters, as stated on the author’s website (http://sviehb.wordpress.com/). This tool can be found at http://dl.dropbox.com/u/22108808/wpscrack.zip.</p>
<p><strong style="line-height: 28px;">Reaver</strong></p>
<p>Reaver, developed by Tactical Network Solutions, runs on Linux. It targets the external registrar functionality mandated by the Wi-Fi Protected Setup specification. It executes a brute force attack against an access point’s Wi-Fi Protected Setup (WPS) PIN. Once the WPS PIN is found, an attacker can recover the WPA PSK and alternatively reconfigure the AP’s wireless settings, which could lead to an insecure network. Although Reaver does not support reconfiguring the AP, this can be accomplished with wpa_supplicant once the WPS PIN is recovered. Reaver requires the libpcap (packet capture and transmission) and libsqlite3 (database) libraries and can be built and installed by running the commands:</p>
<p><code>$ ./configure<br />
$ make<br />
# make install</code></p>
<p>To remove everything installed/created by Reaver, the following command can be used:</p>
<p><code># make distclean</code></p>
<p>Once installed, the tool can simply be started using the command:</p>
<p><code># ./reaver</code></p>
<p>The ‘--help’ argument can be used to show all the arguments available within the tool. Figure 4 shows the help list of Reaver.</p>
<p><img class="aligncenter size-full wp-image-3089" alt="figure-4" src="http://www.netstumbler.com/wp-content/uploads/figure-4.png" width="975" height="447" /></p>
<p align="center"><strong>Figure 4. Help list of Reaver </strong></p>
<p align="center"><strong>(Source:</strong> http://www.hack4fun.eu/2012/01/reaver-wps-wpscrack/)</p>
<p>The only requirement it has is a wireless card capable of raw packet injection. To start the process the wireless card must be put into monitor mode. This can easily be done using the airmon-ng tool from the aircrack-ng wireless security testing suite, as shown below.<br />
<code># airmon-ng start wlan0</code></p>
<p>The only essential arguments to Reaver are the interface name and the BSSID of the target AP, an example of which is shown below.<br />
<code># reaver -i mon0 -b 00:01:02:03:04:05</code></p>
<p>Sometimes Reaver just tries the same pin over and over again. This might be because WPS is not enabled on the AP. Run the walsh tool (included in the Reaver-1.3 release) to scan for WPS-enabled APs and make sure the target AP is listed.</p>
<p>For additional output, the verbose option may be enabled with the argument ‘-v’. Providing the verbose option twice (-vv) increases verbosity further and displays each PIN as it is attempted, as shown in Figure 5.</p>
<p><img class="aligncenter size-full wp-image-3090" alt="figure-5" src="http://www.netstumbler.com/wp-content/uploads/figure-5.png" width="650" height="240" /></p>
<p align="center"><strong>Figure 5. Reaver in action </strong></p>
<p align="center"><strong>(Source:</strong> http://www.hack4fun.eu/2012/01/reaver-wps-wpscrack/)</p>
<p>To speed up the attack, the delay between PIN attempts can be disabled by adding ‘-d 0’ on the command line (default delay: 1 second).</p>
<p><code># reaver -i mon0 -b 00:01:02:03:04:05 -vv -d 0</code></p>
<p>Another option that can speed up an attack is ‘--dh-small’. This option tells Reaver to use small Diffie-Hellman secret numbers in order to reduce the computational load on the target AP. In case the attacker does not want to reveal his/her MAC address, Reaver also supports MAC spoofing with the ‘--mac’ option, but the MAC address of the wireless card’s physical interface (wlan0) must be changed – not that of the monitor mode interface (usually mon0) – otherwise the attack won’t work. Reaver keeps brute forcing PINs until an attempt succeeds. It has been stated that some models/vendors/ISPs come pre-configured with a default PIN. Some common PINs are 12345670, 00005678, 01230000, etc. Reaver attempts known default PINs first as a heuristic. Figure 6 shows a WPS PIN successfully cracked in 32,286 seconds.</p>
<p><img class="aligncenter size-full wp-image-3091" alt="figure-6" src="http://www.netstumbler.com/wp-content/uploads/figure-6.png" width="975" height="113" /></p>
<p align="center"><strong>Figure 6. Successful Recovery </strong></p>
<p align="center"><strong>(Source:</strong> http://www.hack4fun.eu/2012/01/reaver-wps-wpscrack/)</p>
<p>Due to interference or low signal strength Reaver sometimes can’t associate with the AP. It might also be a driver issue.</p>
<p>Below is a list of wireless drivers tested by Reaver:</p>
<p><strong>Supported:</strong></p>
<p>The following wireless drivers have been tested or reported to work successfully with Reaver:</p>
<ul>
<li>ath9k</li>
<li>rtl8187</li>
<li>carl9170</li>
<li>ipw2000</li>
<li>rt2800pci</li>
<li>rt73usb</li>
</ul>
<p><strong>Partially Supported:</strong></p>
<p>The following wireless drivers have had mixed success, and may or may not work depending on your wireless card:</p>
<ul>
<li>ath5k</li>
<li>iwlagn</li>
<li>rtl2800usb</li>
<li>b43</li>
</ul>
<p><strong>Not Supported:</strong></p>
<p>The following wireless drivers/cards have been tested or reported to not work properly with Reaver:</p>
<ul>
<li>iwl4965</li>
<li>RT3070L</li>
<li>Netgear WG111v3</li>
</ul>
<p>Technically more than one instance of Reaver can be run against an AP, but this approach is flawed as it only doubles the resource load on the AP. Reaver’s advanced options (the ‘-a’ option) can be used to speed up the attack.</p>
<h2>Mitigation</h2>
<p>End users can disable WPS to prevent an attack, but because of this lack of awareness most people do not turn it off. Some access points don’t even provide an option to disable WPS.</p>
<p>Vendors can mitigate the flaw by introducing sufficiently long lock-down periods (after unsuccessful attempts) to make the attack impractical. This requires a new firmware release. Vendors also need to test protocols intensively before implementing them on their devices, so that such flaws don’t come up in the future.</p>
<h2>Conclusion</h2>
<p>Today we are all surrounded by many Wi-Fi networks and have used them at some point in time without realizing the security issues involved. The issues discussed in this article are not the only issues related to wireless security, but they are a recent and major one affecting the privacy of end users.</p>
<p>As we already know, almost all major router/AP vendors have WPS-certified devices and WPS-PIN (External Registrar) is mandatory for certification, which makes a lot of devices vulnerable to such an attack.</p>
<p>Having a sufficiently long lock-down period (the vendor mitigation method) is most likely not a requirement for WPS certification of a device. However, it should be a requirement in the new specifications. Vendors need to release new firmware to eliminate the issue. The main lesson this issue presents is that other such flaws might already be present in other devices/protocols and be misused by malicious intruders; hence the only safeguard we can take is awareness among end users. Also, the certifying authorities and the vendors need to thoroughly test devices/protocols before implementation so that security features don’t ultimately lead to insecurity.</p>
<p><i>Sudhanshu Chauhan is a security researcher for InfoSec Institute. </i><a href="http://www.infosecinstitute.com"><i>InfoSec Institute</i></a><i> is a security certification company that has trained over 15,000 people including popular CEH and </i><a href="http://www.intenseschool.com/boot_camp/cisco/ccna"><i>CCNA certification courses</i></a><i>.</i></p>
]]></content:encoded>
			<wfw:commentRss>http://www.netstumbler.com/2013/01/18/wi-fi-security-the-rise-and-fall-of-wps/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How Easy Is it to Write Malware for Android?</title>
		<link>http://www.netstumbler.com/2012/01/16/how-easy-is-it-to-write-malware-for-android/</link>
		<comments>http://www.netstumbler.com/2012/01/16/how-easy-is-it-to-write-malware-for-android/#comments</comments>
		<pubDate>Mon, 16 Jan 2012 20:26:51 +0000</pubDate>
		<dc:creator>Georgia Weidman</dc:creator>
				<category><![CDATA[Android]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.netstumbler.com/?p=3062</guid>
		<description><![CDATA[The Android platform is currently the top selling mobile platform in the U.S., and in quarter four of 2010 smartphones began to outsell PC platforms worldwide.  Android was even recently picked up as the choice platform for the U.S. Department of Defense. With the ubiquitousness of Android growing, naturally it and other smartphone platforms will [...]]]></description>
				<content:encoded><![CDATA[<p>The Android platform is currently the <a href="http://www.fiercemobilecontent.com/story/npd-apples-ios-closes-android-q4-sales-surge/2012-01-10">top selling mobile platform in the U.S.</a>, and in the fourth quarter of 2010 <a href="http://www.idc.com/about/viewpressrelease.jsp?containerId=prUS22689111">smartphones began to outsell PC</a> platforms worldwide. Android was even recently picked up as the <a href="http://www.federalnewsradio.com/?nid=394&amp;sid=2694787">choice platform for the U.S. Department of Defense</a>. With the ubiquity of Android growing, it and other smartphone platforms will naturally become prime targets for malware authors. Be it for fun or for profit, stealing your information, sending you spam, and other malicious activity has been a widespread problem in the computing world for years. It is only natural that, as smartphones know even more about their users than traditional PC platforms and have access to additional features such as text messaging and GPS data, they will become juicy targets for high-tech criminals.</p>
<p>This past year has seen new developments in Android malware both in the wild and by researchers intent on raising awareness and improving the state of security. The Droid Dream attack against Android in early 2011 made headlines for being the first known malware infection inside the official Android market. The malware was packaged with seemingly legitimate applications, but once installed, the apps turned Android phones into drones in a mobile botnet. This attack had been foreshadowed by security researchers when Jon Oberheide uploaded a <a href="http://jon.oberheide.org/files/summercon10-androidhax-jonoberheide.pdf">proof of concept app</a> to the Android market disguised as an inside look at the upcoming Twilight movie. Though malware analysts and network security experts have been combating botnets for years, smartphones open new avenues of both attack and control that experts simply don&#8217;t have as much experience analyzing. For example, security researchers have created <a href="http://georgiaweidman.com/wordpress/?cat=10">proof of concept smartphone botnet </a>scenarios that use text messaging (SMS) for command and control.</p>
<p><span id="more-3062"></span></p>
<p>Putting aside the continually growing sophistication of smartphone based attacks, how easy is it actually to attack Android phones? How much work would be involved to learn how to write an Android app, develop an app that performs malicious activity, and get that app up on the Android market? Is this something that a beginner could feasibly accomplish, or is Android malware solely the realm of hard core criminals with the skills, time, and money to develop cutting edge attack techniques?</p>
<p>I started off by learning a little bit about coding in Android. I have some coding background including in Java, the language from which the Android software development kit was derived. My only previous experience developing for smartphones was writing base operating system level proof of concept malware in C. I had never written a mobile app before. <a href="http://developer.android.com/resources/browser.html?tag=tutorial">Android Developer offers beginning tutorials</a>, which I worked through to get started.  Android prides itself on being easy for developers to pick up and dive into, and that was my experience as well.</p>
<p>My next goal was to write an app that performs malicious activity. Specifically I wanted to steal the smartphones personal identifier (IMEI) and send a text message without giving any indication to the user. As it turns out the Android API has built in capabilities to perform both of those tasks. The only caveat is the user has to be informed at install time that I want access to these clearly potentially dangerous capabilities.  Whenever a user installs an Android app, they are presented with a list of potentially dangerous capabilities the app requests.  An example install screen is shown below:</p>
<p style="text-align: center;"><img class="size-medium wp-image-3063 aligncenter" title="android_installer_georgia" src="http://www.netstumbler.com/wp-content/uploads/android_installer_georgia-247x300.png" alt="" width="247" height="300" /></p>
<p>I then wondered if malware writers need to somehow bypass this permission model so the dangerous permissions don&#8217;t show up at install. Would having a list of dangerous permissions that would allow an app to steal data and run up fraudulent charges raise a red flag to average Android users and deter them from installing an app? I did a search for popular Android apps to take a look at the permissions they request. The general consensus seems to be that the top downloaded Android app of all time is from an obscure company called Facebook. The complete list of permissions the Facebook for Android app requests upon install includes: sending SMS, reading the IMEI, the smartphone&#8217;s GPS information, accessing accounts stored on the phone including their credentials, among a long list of others that can be found <a href="https://market.android.com/details?id=com.facebook.katana">here</a>. As a sometimes proud member of Facebook since it was for college kids only, I often access Facebook from my computer. Facebook seems to work just fine without sending SMS, knowing my location, or having access to my Gmail password. It appears that being warned about potentially dangerous permissions does nothing to deter users from installing apps to their Androids. To be fair, the Facebook app comes from a legitimate and well known company. Users have less reason to be wary of Facebook than they would the sort of apps seen in the DroidDream attack. That being said, as we saw in the recent detection of spyware in the <a href="http://www.washingtonpost.com/business/economy/feds-probing-carrier-iq/2011/12/14/gIQA9nCEuO_story.html">CarrierIQ service</a> installed by default on many smartphone platforms, any service or app can be a potential malware source, even if the developer doesn&#8217;t intend for it to be malicious.</p>
<p>Now that I knew I could just use the Android API&#8217;s permission model to make my malicious app, I went about writing it. I thought I would have to search through the Android Development manager to find the correct code for what I wanted to do. As it turned out, a quick Google search for &#8220;Send SMS Android App&#8221; or &#8220;Access IMEI Android App&#8221; revealed several other curious developers asking for and providing the code snippets I needed. For example, the code to send an SMS transparently to the user is only two lines long:</p>
<p><code>SmsManager sm = SmsManager.getDefault();<br />
sm.sendTextMessage(number, null, message, null, null);</code></p>
<p>where number is the phone number to send the SMS to, and message is the message to send.  By requesting the right permissions I was able to quickly and easily build an app that accessed private data and sent it to another phone through SMS. The SMS does not appear in the user&#8217;s sent folder, so users receive no indication that the message has been sent.</p>
<p>My demo app in action video:</p>
<p><iframe src="http://player.vimeo.com/video/35039316?byline=0&amp;portrait=0" frameborder="0" width="400" height="225"></iframe></p>
<p>My last task was to see about getting my proof of concept app to the Android market. Using a Gmail account that didn&#8217;t link back to my real name I was able to sign up, and I used someone else&#8217;s credit card (with permission) to sign up. This leads me to believe it is possible for a malware author to leave no trace of her true identity on an app. I didn&#8217;t actually publish my app to the market, but other researchers have already proven that a malicious app is automatically published to the Android market upon upload.</p>
<p>My conclusions are that for anyone with any development experience it is easy to pick up the Android programming language. Thus any malware authors with experience on PC platforms will be able to make the switch to Android without any trouble. Also, the Android permission system is not working to keep users safe. The average, security unaware user will often simply install an app regardless of permissions. Using the API to call malicious functionality was straightforward given the correct permissions.  Finally, uploading a malicious app to the Android market is trivial.<br />
Read more about <a href="http://about.me/georgiaw">Georgia Weidman</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.netstumbler.com/2012/01/16/how-easy-is-it-to-write-malware-for-android/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>So you want to be a Security Consultant?</title>
		<link>http://www.netstumbler.com/2011/12/21/so-you-want-to-be-a-security-consultant/</link>
		<comments>http://www.netstumbler.com/2011/12/21/so-you-want-to-be-a-security-consultant/#comments</comments>
		<pubDate>Wed, 21 Dec 2011 20:23:35 +0000</pubDate>
		<dc:creator>Brad Slavin</dc:creator>
				<category><![CDATA[Administration]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.netstumbler.com/?p=3050</guid>
		<description><![CDATA[This is my first guest blogging opportunity on Netstumbler.com and I wanted to discuss what I believe is missing in most of the student/consultants I encounter. I would recommend these things for anyone preparing to be a consultant in IT security. So, the first and most important thing to learn in my opinion is TCP/IP. [...]]]></description>
				<content:encoded><![CDATA[<p>This is my first guest blogging opportunity on Netstumbler.com and I wanted to discuss what I believe is missing in most of the student/consultants I encounter. I would recommend these things for anyone preparing to be a consultant in IT security.</p>
<p>So, the <strong>first and most important thing to learn</strong> in my opinion is <a href="http://en.wikipedia.org/wiki/TCP/IP_model">TCP/IP</a>. You need to know it as well as you do the alphabet. The majority of people I meet in the University world and out in industry do not have a detailed and thorough knowledge of TCP/IP. For a security consultant it is best that you can look at the packets and know exactly what is taking place at the lowest level, the wire. Elite hackers know TCP/IP as well as they can write their name. To be able to secure the environment and the enterprise it is imperative you know it like they do.</p>
<p>Take wireless for example. Many people start playing with <a href="http://www.wireshark.org">Wireshark</a> to observe the traffic over the wireless card, and as most of you can attest, the first time you start a capture on a wireless card you see NOTHING. That is because you are thinking at the application layer without a good understanding of the lower layers: you do not realize that, for the most part, the card needs to be in monitor mode to capture wireless traffic, and that while you are connected to the network you cannot sniff the wireless frames. So you read the alert message that tells you to check the promiscuous mode setting, you deselect it, and what do you see? You see the 802.3 Ethernet traffic and not the 802.11 traffic you were expecting. Taking it one step further, you need an understanding of the PHY layer before you start looking at tools that analyze it for you.<br />
<span id="more-3050"></span><br />
The <strong>second most important thing to learn</strong> is Linux and Unix. Also, do not stop at Linux: download one of the Unix virtual machines and play with it until you get proficient at it.</p>
<p>A note on <strong>certifications</strong>: <em>they are good for getting you an interview, but once you get that interview you have to convince the people there that you know what you are doing.</em> There is <strong>no certification that can replace hands-on experience and knowledge</strong>; you can get that on your own by using virtual machines and building and running your own test labs. <em>The concern over certifications is that most are based on rote memorization; it is the same problem we have in academic circles (more on that in a moment).</em></p>
<p>The problem with this is that when you study and cram for a certification exam, you memorize something, take a test, and then you get certified, but what does this really mean? In my view it means you studied and took a test. And let&#8217;s be honest, some of these classes cram all of the information into your brain in 4-5 days, and if the class did not provide a study guide, or something similar to practice the types of questions you may encounter, you would not see the 90% and above exam success rates touted by so many sites. Now, we shall discuss academic thinking: most of the “academics” without industry experience do not understand what I have been talking about either. I was on a <em>team that developed a Master of Science in Information Security</em>, and I was the only non-academic on the team; the entire group was made up of PhDs but me. As we discussed the curriculum, I focused on teaching the students protocol analysis &#8230; that is, packets! Well, this shocked pretty much all of the team, but I argued my point in many of the meetings and finally swayed enough support that we had packet and protocol analysis as part of the curriculum.</p>
<p>The <strong>most important thing I looked for when hiring someone</strong> when I was running the Network Operations Center (NOC) was <strong>desire and initiative to learn</strong>. I would interview people with a list of certifications as long as their arm, and when I asked them practical questions, they could not answer them, so they did not get the job. This is because I had junior personnel who could answer the questions, so how could I give someone a position over one of them at about 5 times the amount of pay they were getting? I could not justify it, and never did waver on that. If a person has desire, that is the most important thing. I had a guy come in fresh out of bootcamp who did not even know what UNIX was, and in 6 months he became my UNIX expert.</p>
<p>Another thing that helps is <strong>understanding programming</strong>. You do not have to be proficient at it, but being able to look at code and at least understand its fundamental concepts is very important in this field.</p>
<p><strong>Finally, it is all about research.</strong> I learned to do research in graduate school. I had a professor, Frank Coyle, who specializes in using Java for real-time systems, and he was instrumental in teaching me how to do research; that is the intent of these short research topics: the more practice you get, the better you get at it. Today, with the amount of online information, you can research in a few hours with the Internet. When I was in graduate school, I spent weeks doing research at libraries, so take advantage of the opportunity we have today. I recommend you dedicate one hour a night to reading something, a whitepaper, etc. <em>There is a saying in the consultant field that as long as you can read the manual and understand it faster than the client, you will always get the contract. That is why research is so important.</em></p>
<p>As I like to tell my clients, up until 2006 my certification count was 0, and now it is at 20, so it is not about getting a certification, it is what you do before and after you get that cert.</p>
<p><strong>- Kevin</strong></p>
<p>Kevin Cardwell currently works as a free-lance consultant and provides consulting services for companies throughout the world, and as an adviser to numerous government entities within the US and UK.</p>
<p>He is an Instructor, Technical Editor and Author for Computer Forensics and Hacking courses. He is the <strong>author of the Center for Advanced Security and Training (CAST) Advanced Network Defense</strong> course. He is <strong>technical editor of the Learning Tree Course Ethical Hacking and Countermeasures</strong> and Computer Forensics. He is author of the Controlling Network Access course. He has presented at the Blackhat USA Conferences. He is a <strong>contributing author</strong> to the <strong>Computer Hacking Forensics Investigator V3 Study Guide and The Best Damn Cybercrime and Digital Forensics Book Period</strong>. He is a Certified Ethical Hacker (CEH), Certified Security Analyst (E|CSA), Qualified Penetration Tester (QPT), Certified in Handheld Forensics, Computer Hacking Forensic Investigator (CHFI) and Live Computer Forensics Expert (LCFE), and holds a BS in Computer Science from National University in California and an MS in Software Engineering from the Southern Methodist University (SMU) in Texas.</p>
<p>You can find more information about Kevin at <a href="http://www.elitesecurityandforensics.com">www.elitesecurityandforensics.com</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.netstumbler.com/2011/12/21/so-you-want-to-be-a-security-consultant/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Offensive Mobile Forensics</title>
		<link>http://www.netstumbler.com/2011/12/12/offensive-mobile-forensics/</link>
		<comments>http://www.netstumbler.com/2011/12/12/offensive-mobile-forensics/#comments</comments>
		<pubDate>Mon, 12 Dec 2011 16:32:26 +0000</pubDate>
		<dc:creator>Brad Slavin</dc:creator>
				<category><![CDATA[Android]]></category>
		<category><![CDATA[iOS]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Wi-Fi]]></category>

		<guid isPermaLink="false">http://www.netstumbler.com/?p=3028</guid>
		<description><![CDATA[Christmas is around the corner. Some of the top gifts are going to be shiny new mobile devices – smartphones, tablets, hacked Kindle Fires, Playbooks, and others. Is Exchange ActiveSync turned on in your environment? What is your plan for handling mobility in the Enterprise? But the biggest question of all is – What does [...]]]></description>
				<content:encoded><![CDATA[<p>Christmas is around the corner. Some of the top gifts are going to be shiny new mobile devices – smartphones, tablets, hacked Kindle Fires, Playbooks, and others. Is Exchange ActiveSync turned on in your environment? What is your plan for handling mobility in the Enterprise? But the biggest question of all is – What does a lost or stolen mobile device mean to your organization in terms of risk? What about when the CEO loses her device? Can you quantify your risk today?</p>
<p>The data leakage disclosed in this post was gathered using a technique the author refers to as Offensive Mobile Forensics.  The term forensics is usually associated with incident response and management.  In other words, an activity performed after something bad has happened.  In contrast, offensive forensics is the act of preemptively performing a forensic analysis of systems or applications as a function of security testing, or for the purpose of quantifying risk.  An interesting side-effect of applying this technique to mobile device analysis is that it enables one to truly understand the risk of an attacker stealing or finding a lost device.  For example, if your analysis turns up native or third-party applications storing user credentials in cleartext – the author has seen everything from Facebook and Twitter to enterprise users’ Exchange ActiveSync credentials stored in the clear – depending on the accounts and data available, that could be a serious issue.<br />
<span id="more-3028"></span><br />
This technique depends on the ability to jailbreak (iOS) or root (Android) the target device, which provides root access to the underlying file system. If the reader is unfamiliar with these terms, some great resources to learn about jailbreaking and rooting are <a href="http://www.redmondpie.com/">Redmond Pie</a> (iOS) and <a href="http://www.xda-developers.com/">XDA-Developers</a> (Android). The author typically utilizes <a href="http://blog.iphone-dev.org/">Redsn0w</a> for iOS and <a href="http://forum.xda-developers.com/showthread.php?t=803682">SuperOneClick</a> for Android, performing virtually all Android analysis on Samsung devices.</p>
<p><strong>iOS</strong></p>
<p>After jailbreaking is complete, only one other tool is necessary, OpenSSH, used to pull data from the device to a host computer for analysis over WiFi.  However, as is always the case with information technology, there’s more than one way to accomplish your objective.  So, experiment with other tools, and tweak and tune your own methodology.</p>
<p>Although outside the scope of this blog post, readers interested in learning about some of the other tools used for this analysis technique can check out the <a href="http://hakin9.org/hacking-data-1111/">iOS Insecurities</a> article in November’s issue of Hackin9 Magazine. The article is a greatly expanded version of what’s here, and also includes a table listing physical locations on iOS devices that contain interesting information for analysis.</p>
<p>There are many different locations containing interesting data on iOS devices.  Data often resides in SQLite databases, the chosen format for local storage on mobile devices.  The next best place to find sensitive information is in plist, or property list files – these are the primary storage medium for configuration settings in iOS, and they are also a fantastic source of sensitive information.  User credentials are often stored here, instead of inside the KeyChain where they should be.  Rounding out the top three data sources are binary or binary-encoded files, such as the device’s keyboard cache and pasteboard.  Although storage locations commonly change with the release of new iOS firmware, it is fairly simple to poke around the general area and find what you’re looking for.</p>
<p>The most severe threat to mobile devices and applications is loss or theft of the device.  As the old saying goes, “if an attacker has physical access, it is game over.”  It only takes a few days of analyzing applications on a device to discover that the vast majority of mobile application developers fail to consider the threat of physical access to their data.  Simply put, they are stuck in the mindset of web application or client/server developers, where virtually all threats affect applications remotely.  Add some terrible design and implementation decisions related to native apps and services from Apple themselves, and you have a device that can pose a significant risk to enterprises and consumers in the event of loss or theft.  The following examples are provided in no particular order.</p>
<p><strong>Keyboard Cache (dynamic-text.dat)</strong></p>
<p>In an effort to learn how users type, iOS devices utilize a feature called AutoCorrection to populate a local keyboard cache on the device.  The problem is this feature records everything a user types that is not entered into a SECURE text field, which masks displayed data.  The author fondly refers to this feature as “Apple’s native keylogging facility”.  Data typed into text fields for virtually any application can remain in the cache for more than a year if it is not reset periodically by the user:</p>
<p>Settings &gt; General &gt; Reset &gt; Reset Keyboard Dictionary</p>
<p>Developers can also disable this feature programmatically by using the AutoCorrection = FALSE directive in desired UITextFields, although studies conducted with applications disabling this feature have shown users unanimously disapprove of it.</p>
<p>The file itself is a binary file, so passing it to the utility ‘strings’ is all that is required to generate newline-terminated output suitable for analysis.  Figure 1 displays the result of running ‘strings’ against the file, and Table 1 provides examples of near-complete conversations recorded by AutoCorrection.</p>
<div id="attachment_3035" class="wp-caption alignleft" style="width: 242px"><img class="size-medium wp-image-3035" title="KeyBoardCache" src="http://www.netstumbler.com/wp-content/uploads/KeyBoardCache-232x300.png" alt="" width="232" height="300" /><p class="wp-caption-text">Figure 1: Keyboard cache output to stdout in terminal</p></div>
<p>The keyboard cache is a well-known weakness in the iOS system, and there are many more interesting system-related locations to explore as an exercise for the reader.</p>
<div id="attachment_3036" class="wp-caption alignleft" style="width: 738px"><img class="size-full wp-image-3036" title="keyboard-cache" src="http://www.netstumbler.com/wp-content/uploads/keyboard-cache.jpg" alt="" width="728" height="179" /><p class="wp-caption-text">Table 1: Keyboard cache entries - read column top-down</p></div>
<p><strong>Application Data Leakage</strong></p>
<p>Third-party applications represent the greatest threat of data leakage on iOS devices.  This is usually the result of lazy, poorly informed, or poorly trained developers storing user credentials or other sensitive information in clear text.  This threat can be mitigated by developers in several ways, including storing user credentials in the KeyChain, encrypting sensitive information in plist files with the <a href="http://developer.apple.com/library/mac/">Common Crypto</a> library, or encrypting sensitive information in <a href="http://sqlcipher.net/ios-tutorial/">SQLcipher</a> SQLite databases. Figure 2 shows one example of a mobile application improperly storing credentials in a plist file.  Unfortunately, this particular application utilizes various Internet APIs for authentication, including Evernote, Google Docs, Dropbox, and others, which in the event of loss or theft could result in the compromise of each account.</p>
<div id="attachment_3037" class="wp-caption alignleft" style="width: 675px"><a href="http://www.netstumbler.com/wp-content/uploads/app-data-leakage-creds.png"><img class="size-full wp-image-3037" title="app-data-leakage-creds" src="http://www.netstumbler.com/wp-content/uploads/app-data-leakage-creds.png" alt="" width="665" height="369" /></a><p class="wp-caption-text">Figure 2: Credentials disclosed in an application&#39;s configuration PLIST</p></div>
<div id="attachment_3046" class="wp-caption alignleft" style="width: 344px"><a href="http://www.netstumbler.com/wp-content/uploads/WiFi_creds_annotated.png"><img class="size-full wp-image-3046" title="WiFi_creds_annotated" src="http://www.netstumbler.com/wp-content/uploads/WiFi_creds_annotated.png" alt="" width="334" height="551" /></a><p class="wp-caption-text">Annotated WiFi Credentials</p></div>
<p><strong>Android</strong></p>
<p>Although there are many similarities between iOS and Android, there are a few notable differences that should be discussed. First, Android does not use property list files (“plist”) for storing configuration data, which is common on iOS devices; Android uses XML files instead. Also, analysts will find many more SQLite databases on an Android device. In fact, configuration information is sometimes stored in a SQLite database in lieu of XML files. Similar to the configuration files for iOS, the XML files storing preferences for Android applications commonly include user credentials and other sensitive information. Finally, there is a very rich diagnostic and debugging environment in the Android platform, and unfortunately this output is also a common source of data leakage.</p>
<p>A huge difference between iOS devices and Android devices is the presence of the Android Debug Bridge (“ADB”) on the latter. Using ADB, one can push or pull files to and from the device, review diagnostic information, and even gain access to a remote shell. The ADB shell is the primary method of accessing the device&#8217;s file system for the purposes of pulling data to a host computer for analysis, or performing analysis on the device itself. More information on this and other differences can be found in the <a href="http://hakin9.org/hakin9-mobile-111-1/">Android Insecurities</a> article in January’s issue of Hakin9 Magazine.</p>
<p><strong>Email</strong></p>
<p>The Android system, like iOS, stores email in a SQLite database. Unlike iOS however, which stores email credentials in the KeyChain, user credentials on an Android system are stored in cleartext in the email database. This may seem like a trivial occurrence of data leakage, but in addition to personal email accounts such as Gmail, Exchange ActiveSync (“EAS”) credentials are also stored there. As if credentials weren&#8217;t bad enough, the database also stores messages in the clear, along with email addresses of contacts that have sent the user mail. This could be particularly devastating for corporate enterprises utilizing EAS, in the absence of a proper mobile device management (“MDM”) solution.</p>
<p>EAS and personal email account credentials can be discovered in a couple of different ways.  Figure 3 shows analysis of the EmailProvider.db SQLite file in Base, a GUI SQLite client. An even easier way to find user information is by simply running the ‘strings’ utility against the database file, as seen in Figure 4.</p>
<div id="attachment_3038" class="wp-caption alignleft" style="width: 839px"><img class="size-full wp-image-3038" title="EAS_GMAIL_Creds_2.3.4_Annotated" src="http://www.netstumbler.com/wp-content/uploads/EAS_GMAIL_Creds_2.3.4_Annotated.png" alt="" width="829" height="276" /><p class="wp-caption-text">Figure 3: Email credentials disclosure</p></div>
<p><strong>WiFi</strong></p>
<p>The email situation is bad, but equally shocking is the method in which the Android system stores WiFi configuration information. Navigating to the <strong>/data/misc/wifi</strong> directory yields a configuration file called wpa_supplicant.conf on a Samsung Captivate that stores configuration information for every WiFi network the device has connected to – in cleartext. Assuming the data is disclosed to an attacker, an organization’s only defense is the use of multifactor authentication for its wireless networks; i.e., if a corporate enterprise is using a username and password combination exclusively, this could be a serious issue. The configuration file stores the SSID, key management type, and the pre-shared key for the network.</p>
<div id="attachment_3039" class="wp-caption alignleft" style="width: 651px"><img class="size-full wp-image-3039" title="Strings_EASGMAIL_EmailProviderDB" src="http://www.netstumbler.com/wp-content/uploads/Strings_EASGMAIL_EmailProviderDB.png" alt="" width="641" height="172" /><p class="wp-caption-text">Figure 4: Email credentials disclosure via ‘strings’ on EmailProvider.db</p></div>
<p><strong>Conclusion</strong></p>
<p>Now, obviously various mitigating controls exist for protecting a user’s data on a mobile device, most notably the hardware-based encryption and <a href="http://developer.apple.com/library/ios/documentation/Miscellaneous/Conceptual/iPhoneOSTechOverview/iPhoneOSTechOverview.pdf">Data Protection</a> on the iPhone 4 and above, and encryption on Android devices running Gingerbread. Passcodes lock devices, and in the case of Data Protection, enable a secondary layer of software-based encryption. That said, a recent study indicated over 50% of users don’t use a passcode at all on their devices, and another 20% utilize a 4-character combination that can be easily guessed in the usual 10 tries allotted – 1234, 4321, 9876, and so on. Add to this the ability to deploy OpenSSH as part of the jailbreaking process for iOS devices, the most prevalent choice for the Enterprise, or simply crack the passcode, and loss or theft is revealed as a serious threat to data security. In the current ecosystem, with physical access to the device, it’s game over.</p>
<p><strong>Joey Peloquin</strong></p>
<p>Joey Peloquin is the director of mobile security at <a href="http://www.fishnetsecurity.com/">FishNet Security</a>, where he’s responsible for MDM technology review, mobile security research, testing methodologies, and business development. He’s spent the last twelve of twenty years in IT specializing in Information Security. His experience ranges from risk assessment to intrusion analysis and incident response, network and application penetration testing, and mobile forensics.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netstumbler.com/2011/12/12/offensive-mobile-forensics/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>My Wonderful Trip To South Africa That Didn&#8217;t Happen Thanks To The TSA And Delta Airlines</title>
		<link>http://www.netstumbler.com/2007/09/18/my-wonderful-trip-to-south-africa-that-didnt-happen-thanks-to-the-tsa-and-delta-airlines/</link>
		<comments>http://www.netstumbler.com/2007/09/18/my-wonderful-trip-to-south-africa-that-didnt-happen-thanks-to-the-tsa-and-delta-airlines/#comments</comments>
		<pubDate>Tue, 18 Sep 2007 14:22:59 +0000</pubDate>
		<dc:creator>Wayne Slavin</dc:creator>
				<category><![CDATA[Delta]]></category>
		<category><![CDATA[Personal]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[TSA]]></category>

		<guid isPermaLink="false">http://www.netstumbler.com/2007/09/18/my-wonderful-trip-to-south-africa-that-didnt-happen-thanks-to-the-tsa-and-delta-airlines/</guid>
		<description><![CDATA[I don&#8217;t normally post personal items, but I think that everyone should know about some of the horrible things happening at San Diego International Airport and with Delta Airlines. I wrote this immediately after the events that transpired so that I would have an accurate log. Summers are the busiest travel time of the year. [...]]]></description>
				<content:encoded><![CDATA[<p>I don&#8217;t normally post personal items, but I think that everyone should know about some of the horrible things happening at San Diego International Airport and with Delta Airlines. I wrote this immediately after the events that transpired so that I would have an accurate log.</p>
<p>Summers are the busiest travel time of the year. Each year more than 750 million passengers move through our country&#8217;s airports, racking up more than 800 billion miles of travel. (<a href="http://www.bts.gov/xml/air_traffic/src/index.xml">Source</a>) Along with the increase in demand, air travel complaints are up as well. (<a href="http://airconsumer.ost.dot.gov/reports/2007/september/200709atcr.pdf">Source PDF</a>)</p>
<p><span id="more-2969"></span><br />
Now, we all know this year has been a special one for the airlines and air travel as a whole. From the <a href="http://www.nytimes.com/2007/02/17/business/17air.html?ex=1329368400&amp;en=3ae37894f1a0910a&amp;ei=5090&amp;partner=rssuserland&amp;emc=rss">JetBlue hostage crisis</a>, the terrorist <a href="http://www.cnn.com/2007/US/07/24/tsa.incidents/">&#8220;dry runs&#8221;</a> on airport security around the country, and the most recent debacle on Southwest Airlines where they asked a woman to <a href="http://www.msnbc.msn.com/id/20644329/">cover up</a> because of her lewd attire.</p>
<p>Also, after learning about <a href="http://www.boingboing.net/2007/08/29/moment-of-tsa-surrea.html">Xeni&#8217;s experiences</a>, reading <a href="http://www.schneier.com/essay-156.html">Bruce&#8217;s article</a>, I decided to post this. Here we go!</p>
<p>Recently, I had to travel to Johannesburg, South Africa for business. I had an important meeting for a big bid that was scheduled for Monday. I was scheduled to arrive on Sunday. The thing that was going to make the 25+ hour trip worthwhile was the opportunity to spend some time with my relatives that I have not seen in many years, so I had planned to have an extended stay.</p>
<p>Any way you slice it, it&#8217;s a pretty crappy flight; mine was supposed to be the best of the worst according to friends that had made the same flight previously. It was certainly the least painful of all the previous routes that I have taken to Johannesburg in the past. My flight was from San Diego (SAN) to Atlanta (ATL) and then on to Johannesburg (JNB) via Dakar for some fuel. All flights on Delta. Flying coach.</p>
<p>I was scheduled to depart Saturday morning at 6:30 AM. I arrived at the airport on time, checked in at the Delta desk in <a href="http://www.san.org/documents/maps/SDIA_T2_Map_Apr07.pdf">Terminal 2</a> (PDF). I checked in at the First Class counter, they let me because no one else was waiting in that line.</p>
<p>That is when the fun began.</p>
<p>At the time that I place my bag on the scale I look over my left shoulder to scope out the security screening line.</p>
<p>Side note: Delta only lets you take 50 lbs. per bag, but they let you take two bags. I got charged $25 in overage. So much for the 70 lbs. of other international carriers.</p>
<p>&#8220;Jesus&#8221;, I thought to myself.</p>
<p>The security line was the longest I had ever seen it, dozens of switch-backs, and even extending onto the sky-bridge! Memories of the lines I endured at London Heathrow during the &#8216;liquid bomb&#8217; scare flash through my mind.</p>
<p>I ask the Delta agent if I had a fighting chance, she said that I should have &#8220;no problem, it moves fast&#8221;.</p>
<p>As I get in line, I look out over the sky-bridge just in time to see the sun beginning to rise.</p>
<p>The line shows no sign of life for minutes. Suddenly, some action &#8211; three steps forward&#8230;</p>
<p>The mother in front of me with her two little girls lets out a sigh. I tell her &#8220;just when you think there is no hope.. it moves&#8221;. She laughs and asks where I&#8217;m from, I tell her that I&#8217;m a San Diego native and ask her the same question. We chat about San Diego, and where we are traveling and things of that sort. I then ask her &#8220;What time is your flight?&#8221;, &#8220;7:30&#8221; she replies. &#8220;What about yours?&#8221;, &#8220;6:30&#8221;. She tells me that she will gladly hold my spot in line while I go to the front. I told her that I&#8217;ve got 45 minutes and there is no point getting nervous.</p>
<p>After fifteen minutes finally I make it inside the terminal, clock on the Blackberry reads 6:00 AM at this point. I see another nervous guy jump out of line and go up to the TSA staff and &#8220;First Class&#8221; security line. A minute passes and he returns discouraged and starts speculating about his flight leaving at 6:30, I asked him what they said. He was told to get back in line and that he would be fine. I was unimpressed with this, but figured it was just too early to start escorting passengers. I decide to wait.</p>
<p>The entire security line is snapped to attention when a rather large TSA employee decides that 6:05 AM is the perfect time to make an announcement at the top of his lungs. He requested that everyone make sure that all water bottles were out of the bags and that if you had anything larger than 3 oz. to come and get a zip lock bag from him. He also said that &#8220;If you have any questions, I am at the TSA desk and will be happy to help.&#8221;</p>
<p>It is now 6:12 AM on the Blackberry, the sign on the turnstile reads 25 minutes to go (the previous one read 15 minutes), I tell the woman and her husband, who had just arrived, that hopefully I won&#8217;t see them later (because I&#8217;ll be on my plane), but I would appreciate it if they could hold my spot. &#8220;No problem, good luck!&#8221;.</p>
<p>So I quickly walk up to the area where the loud TSA employee is standing and approach a woman wearing a maroon &#8220;Supervisor&#8221; polo-shirt. I tell her that I have a 6:30 flight. &#8220;Get back in line&#8221;, she tells me. With no eye contact.</p>
<p>I then hold out my ticket and say &#8220;Ma&#8217;am I&#8217;ve a 6:30 flight to Atlanta, I think I am going to miss my flight.&#8221;</p>
<p>&#8220;Get back in line&#8221;, louder this time, still no eye contact. (Think nightclub door man/bouncer.)</p>
<p>&#8220;Ma&#8217;am, please, I have an international connection in Atlanta I cannot afford to miss my flight.&#8221;</p>
<p>&#8220;I told you, GET BACK IN LINE&#8221; (Even louder, still no eye contact)</p>
<p>I then realize that this is going nowhere with this woman, and say to the TSA employee who made the announcement; &#8220;Sir, I beg you, please may I go through, I am going to miss my flight to South Africa.&#8221; He was standing right behind this &#8220;supervisor.&#8221;</p>
<p>This entire time, first class passengers are being allowed through their VIP entrance to their own x-ray and metal detector. No lines for VIPs. Just like a night club.</p>
<p>This lovely &#8220;supervisor&#8221; then snaps to him &#8220;Don&#8217;t get involved! Don&#8217;t make me call Frankie.&#8221;</p>
<p>Thinking that maybe this &#8220;Frankie&#8221; might have more intelligence and compassion I say, &#8220;Who&#8217;s Frankie? Let&#8217;s call Frankie!&#8221;</p>
<p>&#8220;You don&#8217;t tell me who to call, sir!&#8221;, snaps the &#8220;supervisor&#8221; (Very loud and aggressive).</p>
<p>At this point, there were no more first class passengers going through this entrance.</p>
<p>I decide to hang around and wait, perhaps this &#8220;supervisor&#8221;, Jackie, would have a change of heart and let me through to make my flight. Given that there were no first class customers waiting, no sweat off her back. There is also no point in going back to the line, if I do that I am guaranteed to miss my flight.</p>
<p>At this point, I turn around and am confronted by two Harbor Police Officers. Officer Columbus Offord (Badge #3306) and Officer Walter Tucker (No badge number on his card?)</p>
<p>&#8220;This guy refuses to move!&#8221; Jackie pipes in from over my shoulder.</p>
<p>&#8220;What&#8217;s the problem?&#8221; the officers ask me.</p>
<p>At this point, we are in the middle of the terminal. Before I respond, the officers and I walk off to the side near the check-in counters.</p>
<p>&#8220;There is no problem officers. I am going to miss my flight, I have an international connection to make and she will not let me go through. I have been here with plenty of time to make it through security, but the line is not moving.&#8221;</p>
<p>&#8220;Well, we cannot just put you to the front of the line, you have to speak to Delta&#8221;</p>
<p>&#8220;Ok, I&#8217;ll go speak to Delta&#8221;</p>
<p>The Delta check-in desk is the closest to where I am now.</p>
<p>I walk over there, the officers stay put. I ask the First Class Delta employee &#8211; &#8220;Will they be holding the 6:30 flight for people that are waiting to get through security?&#8221;</p>
<p>&#8220;No, and if you&#8217;re not at the front already you won&#8217;t make it&#8221;, she responds.</p>
<p>&#8220;Thanks&#8221; (Read: SHIT!)</p>
<p>So I walk back toward the line.</p>
<p>The officers then ask me, &#8220;What did they tell you?&#8221;</p>
<p>&#8220;That I&#8217;m not going to make it&#8221; I say.</p>
<p>&#8220;Let me have your passport&#8221;, demands one officer.</p>
<p>&#8220;What do you need it for?&#8221; (I&#8217;ve seen this movie before, I&#8217;ve done nothing wrong, but you know&#8230; abuse of power, police state, post 9/11 age, etc etc etc etc etc etc etc etc)</p>
<p>&#8220;So that I can know who I am talking to&#8221;, he says.</p>
<p>&#8220;Ok, here you go&#8221;, as I hand him my passport.</p>
<p>The officer then proceeds to radio my details in, and his partner just stands with me.</p>
<p>He then must have gotten word back from dispatch that I am NOT a terrorist, or he just wanted to log it in for their records.</p>
<p>He then gives me back my passport, waves his hand, and says &#8220;Go through.&#8221;</p>
<p>I then hand my tickets and passport to another first class &#8220;document checker&#8221;, and then Jackie says &#8220;What do you think you&#8217;re doing?&#8221;</p>
<p>&#8220;The officers said that I could come through!&#8221;, I plead.</p>
<p>&#8220;Oh no they didn&#8217;t, you get back in line where you were!&#8221;</p>
<p>Now, remember back now to the family holding my place in line? They had been watching this entire thing and were now at the front of the line, literally next in line. They waved to get my attention and say &#8220;We are here! We&#8217;re up here!&#8221;.</p>
<p>&#8220;I&#8217;m with those people, that&#8217;s where I was&#8221;, I tell Jackie.</p>
<p>&#8220;Oh hell no, he&#8217;s not up there with those people, he&#8217;s got to get at the back of the line where he was.&#8221;, Jackie says.</p>
<p>&#8220;No, I was standing with them&#8221;, I plead again.</p>
<p>&#8220;They&#8217;re on Continental, they don&#8217;t know him!&#8221; (How could she know this?)</p>
<p>&#8220;I do know them, they are here from Florida on holiday, they were here for a week. Their flight connects in Houston!&#8221;, I say.</p>
<p>At this point the husband of the family, my hero (gotta love New Yorkers living in Florida), screams at the top of his lungs &#8220;He&#8217;s with us, you let him up here right now!&#8221; directly into the face of the TSA bouncer that made the announcement earlier.</p>
<p>The TSA officer says to the husband, &#8220;Sir, lower your voice.&#8221;</p>
<p>&#8220;Fine go through&#8221;, Jackie says knowing she could no longer deny me and <a href="http://sports.espn.go.com/broadband/ivp/index?id=3005028">had lost</a>.</p>
<p>At the same moment I walk through the First class line behind the TSA officer. I hear the husband ask, &#8220;Why are you guys doing this to this guy, he just wanted to get on his flight?&#8221;</p>
<p>As I walk by, I hear the TSA officer respond &#8211; &#8220;Sir, that gentleman made a death threat on my life&#8221;. AN OBVIOUS LIE! I ignore it, as at this point I am shaking from the stress of the situation and I am nervous that I am not going to make my flight.</p>
<p>&#8220;Oh, I didn&#8217;t know anything about that&#8221;, the husband says.</p>
<p>The family and I are now parallel in the lines. I say thank you to both the husband and wife for their help and they try to calm me down; I was visibly shaking. I give the husband my business card and say please get in touch so that I can thank you. I hope he reads this and does.</p>
<p>I did not think a thing about the TSA officer&#8217;s &#8220;death threat&#8221; statement and went to the x-ray machine.</p>
<p>I take out my Powerbook and put it in a bin with the case, and toss my sandals and backpack in another.</p>
<p>No x-ray or metal detector alarms, and I get re-dressed.</p>
<p>I then run to Gate 40, basically the farthest gate in the terminal (check map linked above). I thought the adrenaline would have got me there faster, but by Gate 38 my legs were running at half speed. Note: It must have been the sandals :)</p>
<p>I get to the gate counter nearly dying and say to a Delta clerk, named Ana, &#8220;Did I make it for the 6:30?&#8221;</p>
<p>&#8220;Nope, it&#8217;s already gone.&#8221;, she says.</p>
<p>&#8220;How long did I miss it by?&#8221;, catching my breath.</p>
<p>&#8220;Technically you missed it by 5 minutes, but actually you missed it by 2&#8221;, she says. (Read: SHIT!)</p>
<p>&#8220;Let me see your ticket&#8221;, she says.</p>
<p>So I hand her my ticket, tell her I&#8217;m catching a connection to Johannesburg.</p>
<p>She then puts me on the 8:00 AM flight to Atlanta, and tells me that I will need to run, &#8220;No Starbucks&#8221;, and puts me as far forward on the plane as she could. Seat 12C.<br />
I ask her about my bag.</p>
<p>She says that it left on the plane without me, but assures me that it will be on the plane to Johannesburg.</p>
<p>I thank her and then go to the bathroom for a little moment. &#8220;This sucks, is it still worth going?&#8221; I think to myself.</p>
<p>I gather my composure and start walking back to the security screening area to find out the names of the people I had just dealt with so pleasantly at the security screening.</p>
<p>I spot a &#8220;security guard&#8221; on break and ask him if he knows who the woman (Jackie) at the front was and who the guy (TSA) was. He explains that TSA wear all white, and that some are private employees but still employed by the government.</p>
<p>He then says that he wants to see who these people were also and starts walking back with me.</p>
<p>On the way I see the two officers, Walter Tucker and Columbus Offord, sitting on coffee break and I approach them.</p>
<p>I say &#8220;Hi officers, I just wanted to let you know that I did not make my flight.&#8221; I continue, &#8220;I know you were just doing your job, but I would like to get your names and badge numbers.&#8221;</p>
<p>&#8220;What do you need that for?&#8221;, one says.</p>
<p>&#8220;You don&#8217;t need that!&#8221;, the other proclaims.</p>
<p>&#8220;What do you need it for?&#8221;, they both say obviously feeling defensive and threatened.</p>
<p>I respond, &#8220;I need it for the same reason that you needed to see my passport, so I know who I talked to. I want to be able to remember everything accurately.&#8221;</p>
<p>They then begin to pull out their business cards.</p>
<p>As the first officer, sitting on the right, hands me his business card, he says &#8220;You know you don&#8217;t come to the airport and make death threats.&#8221;</p>
<p>I respond by saying, &#8220;That is a ridiculous lie! You and I both know, you better than me, that if I had made a death threat to a federal officer that I wouldn&#8217;t be here right now, I would be arrested. You probably would have been the ones to do it. It&#8217;s very easy for that TSA employee to make false accusations, I am just a regular citizen and I have no recourse, and he has no repercussions for making these false accusations.&#8221;</p>
<p>&#8220;Ok&#8221;, they say as they stare at me blankly.</p>
<p>After that, I walk towards the TSA kiosk, on the &#8220;secured&#8221; part of passenger screening.</p>
<p>I walk up to a senior-looking officer, Scott Stanfield.</p>
<p>I tell him that I had a problem with some employees and I would like to know who they are so that I can file a complaint.</p>
<p>He says OK, but wants to make sure that he knows who I am talking about. So I tell him the woman in the front, with a maroon polo shirt, and the larger gentleman with a white TSA shirt at the desk in front. He walks me over to a more direct line of sight, and points at them. I confirm that those are the people, even though I could not see the woman at the time.</p>
<p>He begins to tell me that the woman, Jackie, is not a federal employee, but is employed by a private firm, GAT Security. I tell him that&#8217;s fine, give me GAT Security&#8217;s number and the manager&#8217;s contact information and I will file a complaint with them.</p>
<p>Then I say I want to know who the TSA employee is, he says that he cannot give me his name because he is a federal employee. At this point I look at his badge and say &#8220;Scott Stanfield, are you kidding me? I can just go walk up and read his name off his badge, but you can&#8217;t tell me?&#8221;</p>
<p>&#8220;No, Sir I can&#8217;t. If you tell me what your complaint is, I will file the complaint for you&#8221;, he responds in a serious manner.</p>
<p>&#8220;Ok then&#8221;, I say.</p>
<p>At this point, several other TSA employees start to crowd around like school children trying to eavesdrop on a secret.</p>
<p>I tell him, that I don&#8217;t feel comfortable where we are standing and move over to the side a few feet.</p>
<p>I then explain to him, that as I walked behind the TSA officer he told another passenger that I had made a &#8220;death threat on his life.&#8221;</p>
<p>I tell Scott that this is a blatantly false accusation, and that his employees should not joke about these types of things. I also tell him, what everyone knows, that if it were true, I would be in custody.</p>
<p>I can see that this is not going anywhere, as he hardly agrees that this was a problem.</p>
<p>&#8220;This type of behavior must be encouraged&#8221;, I think to myself.</p>
<p>Before I go, they give me a piece of paper with &#8220;G.A.T Security &#8211; Kyle 619-491-2864&#8221; written on it. They say that Kyle is Jackie&#8217;s manager. I thank them and go on my way.</p>
<p>When I return to Gate 40 I speak with Ana, the Delta clerk again. She says that I should go over and speak with the Delta manager, she points him out for me.</p>
<p>I walk up and ask the Delta Gate Manager about GAT Security and tell him my story.</p>
<p>He then says he will call a GAT manager to come speak with me.</p>
<p>I wait about 10 minutes and a guy shows up with a reflective safety vest, the GAT &#8220;manager&#8221;. He has been out on the runway, with his vest and ear plugs. This guy looks like a baggage handler, not the manager of airport security.</p>
<p>I explain to him what happened, and he tells me this is not the first time they have had problems with Jackie.</p>
<p>He then gives me the office number 619-491-2864 and Kyle&#8217;s name. I decide to give the number a call; it goes straight to voicemail on a cell phone, it&#8217;s Kyle&#8217;s cell phone. I start to wonder why the number for the office is going to Kyle&#8217;s cell phone.</p>
<p>I then go back up to Ana, she asks for my tickets again, and says if the plane doesn&#8217;t board in the next twenty minutes that I won&#8217;t make it. She wants to put me on the same flights for tomorrow. I tell her &#8220;Ok, thank you&#8221;, and wait like the rest of the passengers.</p>
<p>At about 7:45 AM the plane has not boarded yet, and I get approached by another Delta manager who asks if the GAT supervisor was helpful. I tell him no. He then says, &#8220;come over here, I want to look up your flights.&#8221; He confirms that Ana had put me on for the next day and says, &#8220;see you tomorrow.&#8221; It turns out that the bolt that they use to attach the plane to the vehicle for towing into the gate had broken and the plane was stuck on the runway.</p>
<p>I go up to Ana and thank her for being &#8220;the nicest person that I had dealt with today.&#8221; She said she was actually in a bad mood, but liked me. She asks for my tickets again, and at this point I figured I would ask about bulkhead seats for tomorrow. She said that they are only assigned the day of the flight. She then said, &#8220;But don&#8217;t worry, I have upgraded you to Business class. Don&#8217;t tell anybody.&#8221;</p>
<p>I thanked her graciously and left the airport.</p>
<p>On my way out I see the TSA&#8217;s Scott Stanfield coming up the escalators near where this morning&#8217;s events began. I tell him that the second flight had mechanical problems and thanked him.</p>
<p>I spent several hours after I got home trying to find GAT Security in the White Pages and online; I could find nothing. I then decide to call the San Diego International Airport and ask for a manager&#8230; there is none. The only person to speak with is the directory assistance person.</p>
<p>I then try to call the Harbor Police, and I finally manage to get hold of a Sergeant Micksel. I explain to him what had happened with his two officers, that they initially refused to provide their badge numbers and names. I then spend nearly an hour and twenty minutes explaining to him why it was NOT appropriate behavior for them to tell me &#8220;You know you don&#8217;t come to the airport and make death threats.&#8221; He could not see why this was a problem. I try to walk him through the logic that it was a lie and a false accusation, and they knew it was false because if it were true they would have had to act.</p>
<p>Finally I tell him, &#8220;If you are not going to take my complaint seriously I will find someone who will.&#8221;</p>
<p>That gets his attention and he says he wants to get the dispatch logs and call me back. I wait for his call, and twenty minutes later he does call back.</p>
<p>He says that I dealt with &#8220;one African American officer and one Asian American officer.&#8221; I tell him, &#8220;No, actually they were both African American.&#8221; I don&#8217;t know why this was relevant?</p>
<p>He then tells me that all the dispatch logs said was that someone called in &#8220;a disturbance&#8221;. I tell him that I had not created a disturbance, and he tells me that all the Harbor Police do is respond when they are called.</p>
<p>I then ask him how I can go about filing my complaint. He tells me to contact Internal Affairs and speak with John Reilly at 619-686-6590.</p>
<p>I thank him and hang up the phone.</p>
<p>The next morning I then decided that a trip of that length, when I have already missed my meeting is not worth taking.</p>
<p>My next mission is to get my ticket refunded.</p>
<p>I call Delta and ask for a refund, they tell me that I can&#8217;t get one even though it was a mechanical failure that prevented me from making my flight and even though I no longer need to make the trip.</p>
<p>I then ask how I can go about getting my bag back to San Diego&#8230; Remember? It flew WITHOUT me!</p>
<p>They tell me that they cannot get it, I have to go to the baggage desk at the airport.</p>
<p>So I go back to sleep and when I wake up I go to the airport to request my bag.</p>
<p>The baggage desk requests for the bag to be sent back to San Diego and delivered to my home.</p>
<p>My girlfriend then says, &#8220;Let&#8217;s go to the Delta desk and ask for a refund.&#8221;</p>
<p>I oblige.</p>
<p>I tell the Delta clerk what happened, and that I no longer need to make the trip and would like a refund.</p>
<p>Interestingly, she does not offer me another ticket for another travel date. At the time I did not know that was the typical response. To be honest, I have never missed a flight before. Let&#8217;s hope this is not a new trend for me.</p>
<p>She then proceeds to do a TRR (Ticket Refund Request).</p>
<p>The manager comes over and explains that because I didn&#8217;t buy my ticket directly from Delta, the amount that I purchased the ticket for does not show up in the system. Therefore, he cannot refund me today.</p>
<p>I tell him that I understand. The clerk then gives me a print out and tells me to call 1-800-847-0578 on the 23rd of August. They will take about two weeks to find out how much I paid and then be able to process the refund.</p>
<p>I thank her, and ask her about the $25.00 in over-baggage that I had to pay.</p>
<p>She says that they will be able to refund me when I call.</p>
<p>I thank her again, and go home.</p>
<p>Two weeks later, on Monday the 27th I call the refund center and give them my TRR number.</p>
<p>I am told that they can see my name in the system, but they have not yet received the actual request from the airport for a refund.</p>
<p>&#8220;What? I don&#8217;t understand, you have my name and the TRR number? What else do you need?&#8221;, I ask.</p>
<p>&#8220;We need the actual paper receipt from the airport, it can take up to 40 days&#8221;, the customer service representative replies as if this was normal.</p>
<p>&#8220;I have a paper copy&#8221;, I tell him.</p>
<p>&#8220;Ok, you can fax it to us at this number: 404-715-9256&#8243;, he explains.</p>
<p>So I fax it through immediately.</p>
<p>I wait until Wednesday and call back. I give the representative my TRR number and they tell me again that they have not received anything from the airport.</p>
<p>I tell them that I faxed it through already.</p>
<p>&#8220;When did you do that?&#8221;, she asks.</p>
<p>&#8220;On Monday&#8221;, I reply.</p>
<p>&#8220;What time?&#8221;, she says.</p>
<p>&#8220;Around 11:30 AM&#8221;, I tell her.</p>
<p>&#8220;Ohhhh, I see that here, it will take at least seven business days before anyone can get to that&#8221;, she explains.</p>
<p>&#8220;Ok, thanks&#8221;, I say and hang up.</p>
<p>Several days later I call back and ask for an update.</p>
<p>They tell me that they have refunded me $1943.71.</p>
<p>I ask why the amount is $1943.71 and not $2143.71, which is what I was billed.</p>
<p>She tells me that there was a $200 penalty.</p>
<p>I tell her that I missed the flight because of Delta, and should not have to pay ANY penalty.</p>
<p>She says that it&#8217;s the policy.</p>
<p>I ask her about the $25.00 over baggage fee.</p>
<p>She says that it was not included with the refund request and cannot do anything.</p>
<p>I tell her that the Delta desk told me that the refund department would be able to process that at the time that my ticket will be refunded.</p>
<p>She tells me to go back to the airport and ask them.</p>
<p>And that is where we are today&#8230; So my friends, I pose the following questions:</p>
<p>What recourse do passengers that encounter things like this with the TSA have? This is obviously a case where the TSA officer felt that it would be easier to lie to justify his actions, rather than do the right thing and help someone.</p>
<p>How can Delta let my bag fly without me? I thought that airlines are supposed to remove the bags of passengers that do not board? Isn&#8217;t this a HUGE security risk? I mean, you could read my story and find a massive loophole in the security system at airports. Especially given that in recent &#8220;dry runs&#8221; bags with simulated bombs made it onto planes. I know I don&#8217;t feel safe now, knowing that the baggage belonging to the guy being detained at security is on the plane even if he is not. Does keeping him off the plane make us safer?</p>
<p>Why should coach passengers be discriminated against? Why do first class passengers receive special security treatment? Are they <a href="http://business.timesonline.co.uk/tol/business/money/tax/article1996735.ece">paying more taxes to support the TSA?</a> No! They should be in line with every other tax payer in coach.</p>
<p>Seriously, what if I end up on a &#8220;no-fly&#8221; list? What recourse does one have in a situation like this? Like <a href="http://www.nydailynews.com/news/2007/09/16/2007-09-16_custodian_falsely_accused_of_child_rape_.html?print=1">this guy</a>?</p>
<p>Who is GAT Security? How did a company with two employees, Jackie and Kyle, with only a cell phone get into a position where they can overrule the TSA and dictate which passengers get onto their flights and which get delayed?</p>
<p>Why did the TSA&#8217;s Scott Stanfield refuse to provide me the name of the other TSA employee? His excuse was bogus, if the employee wears a badge&#8230; his name is not a government secret!</p>
<p>Why does it take Delta two weeks/40 days/seven days to process a refund? The kicker here is that my credit card was billed by &#8220;DELTA AIR LINES ALEXANDRIA VA&#8221; and not by the website that I purchased the tickets from, Cheapoair.com. Is this just an excuse to keep our money and make it difficult to get refunds for things that they did not provide?</p>
<p>Thanks for reading!</p>
<p>So much for the friendly skies.</p>
<p>If you are looking for some other interesting reading check out these articles:</p>
<p>http://www.msnbc.msn.com/id/20298840/site/newsweek/</p>
<p>http://www.schneier.com/blog/archives/2007/07/airport_securit_7.html</p>
<p>http://www.schneier.com/blog/archives/2006/08/behavioral_prof.html</p>
<p>http://blog.wired.com/27bstroke6/2007/08/court-says-trav.html</p>
<p>http://consumerist.com/consumer/travel/flight-delays-will-only-get-worse-say-experts-296266.php</p>
<p>http://consumerist.com/consumer/travel/united-airlines-hires-customer-service-specialist-from-disney-296134.php</p>
<p>Editor&#8217;s Note: This post was not proofread and was written on my Blackberry. Please excuse any grammatical errors.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netstumbler.com/2007/09/18/my-wonderful-trip-to-south-africa-that-didnt-happen-thanks-to-the-tsa-and-delta-airlines/feed/</wfw:commentRss>
		<slash:comments>240</slash:comments>
		</item>
		<item>
		<title>New Tools Found For Wi-Fi Hacking</title>
		<link>http://www.netstumbler.com/2007/08/09/new-tools-found-for-wi-fi-hacking/</link>
		<comments>http://www.netstumbler.com/2007/08/09/new-tools-found-for-wi-fi-hacking/#comments</comments>
		<pubDate>Thu, 09 Aug 2007 16:09:36 +0000</pubDate>
		<dc:creator>Kristin Abraham</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Tools]]></category>

		<guid isPermaLink="false">http://www.netstumbler.com/2007/08/09/new-tools-found-for-wi-fi-hacking/</guid>
		<description><![CDATA[Wi-Fi hackers have gotten more advanced and your private information is even more at risk. The recent Black Hat conference in Las Vegas featured a demonstration by Errata Security that detailed how a hacker can use new tools to steal your encrypted cookies and passwords and then control your online sessions. Errata has combated this [...]]]></description>
				<content:encoded><![CDATA[<p>Wi-Fi hackers have gotten more advanced and your private information is even more at risk. The recent Black Hat conference in Las Vegas featured a demonstration by Errata Security that detailed how a hacker can use new tools to steal your encrypted cookies and passwords and then control your online sessions.</p>
<p>Errata has combated this new hack threat with their own tools, Hamster and Ferret, which prevent attacks. It appears that the good guys are following closely behind the bad guys but they&#8217;re still slightly behind and all Wi-Fi users need to be careful.<br />
Via [<a href="http://www.securecomputing.net.au/news/58090,black-hat-conf-new-tools-found-for-wifi-hacking.aspx">securecomputing.net.au</a>]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netstumbler.com/2007/08/09/new-tools-found-for-wi-fi-hacking/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>iPhones Flooding Wireless LAN At Duke University</title>
		<link>http://www.netstumbler.com/2007/07/18/iphones-flooding-wireless-lan-at-duke-university/</link>
		<comments>http://www.netstumbler.com/2007/07/18/iphones-flooding-wireless-lan-at-duke-university/#comments</comments>
		<pubDate>Wed, 18 Jul 2007 21:14:26 +0000</pubDate>
		<dc:creator>Kristin Abraham</dc:creator>
				<category><![CDATA[Apple]]></category>
		<category><![CDATA[Deployment]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.netstumbler.com/2007/07/18/iphones-flooding-wireless-lan-at-duke-university/</guid>
		<description><![CDATA[Duke University is facing a wireless LAN crisis which seems to be related to the recent release of Apple&#8217;s iPhone. Up to 30 wireless access points can be knocked out at a time as the built-in 802.11b/g adapter on the newly released phone flood the area with MAC address requests. The requests are for an [...]]]></description>
				<content:encoded><![CDATA[<p>Duke University is facing a wireless LAN crisis which seems to be related to the recent release of Apple&#8217;s iPhone.</p>
<p>Up to 30 wireless access points can be knocked out at a time as the built-in 802.11b/g adapter on the newly released phone floods the area with MAC address requests. The requests are for an invalid router address; since the iPhone making the request doesn&#8217;t get an answer, it keeps asking, tying up the system for ten to 15 minutes at a time.</p>
<p>Right now this isn&#8217;t a huge problem but school officials are worried that the end of August will bring a huge influx of new iPhone users and more headaches than Duke can handle.<br />
Via [<a href="http://www.networkworld.com/news/2007/071607-duke-iphone.html">networkworld.com</a>]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netstumbler.com/2007/07/18/iphones-flooding-wireless-lan-at-duke-university/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Wireless Network Admins Wising Up</title>
		<link>http://www.netstumbler.com/2007/06/26/wireless-network-admins-wising-up/</link>
		<comments>http://www.netstumbler.com/2007/06/26/wireless-network-admins-wising-up/#comments</comments>
		<pubDate>Wed, 27 Jun 2007 05:34:20 +0000</pubDate>
		<dc:creator>Kristin Abraham</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.netstumbler.com/2007/06/26/wireless-network-admins-wising-up/</guid>
		<description><![CDATA[RSA Security Inc. conducted its annual survey of New York, London and Paris and found that more wireless hot spots are working to secure their networks but a fifth of corporate access points remain open. In all three cities the percentage of hot spots protected by some form of encryption increased; London went from 76 [...]]]></description>
				<content:encoded><![CDATA[<p>RSA Security Inc. conducted its annual survey of New York, London and Paris and found that more wireless hot spots are working to secure their networks but a fifth of corporate access points remain open.</p>
<p>In all three cities the percentage of hot spots protected by some form of encryption increased; London went from 76 to 81%, New York only grew from 75 to 76%, while Paris jumped from 78 to 80%. They also found that Wired Equivalent Privacy (WEP) is being replaced by Wi-Fi Protected Access (WPA), a much more secure method.</p>
<p>The number of businesses without adequate protection is a bit surprising considering what could possibly be at risk for these companies. London and Paris both had about 18% of their companies unprotected and New Yorkers topped the list with a full 21% of their businesses tempting fate.<br />
Via [<a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&#038;articleId=9024818">computerworld.com</a>]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netstumbler.com/2007/06/26/wireless-network-admins-wising-up/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>More Wireless, Not Enough Security</title>
		<link>http://www.netstumbler.com/2007/06/24/more-wireless-not-enough-security/</link>
		<comments>http://www.netstumbler.com/2007/06/24/more-wireless-not-enough-security/#comments</comments>
		<pubDate>Mon, 25 Jun 2007 03:05:04 +0000</pubDate>
		<dc:creator>Kristin Abraham</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.netstumbler.com/2007/06/24/more-wireless-not-enough-security/</guid>
		<description><![CDATA[RSA, the security division of EMC, has found that larger cities have more Wi-Fi than ever and more security but the security is woefully outdated. Using New York, London and Paris as their target cities, they have found the number of Wi-Fi access points have risen 49%, 44% and 160% respectively. Encryption was found to [...]]]></description>
				<content:encoded><![CDATA[<p>RSA, the security division of EMC, has found that larger cities have more Wi-Fi than ever and more security but the security is woefully outdated.</p>
<p>Using New York, London and Paris as their target cities, they have found that the number of Wi-Fi access points has risen 49%, 44% and 160% respectively. Encryption was found to be up, but only by 6% in London and less than 2% in both New York and Paris.</p>
<p>The analysis of the data has shown an improvement in security over previous years but an unbelievable one fifth to one quarter of all businesses have no encryption security at all.<br />
Via [<a href="http://www.wi-fiplanet.com/news/article.php/3683621">wi-fiplanet.com</a>]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netstumbler.com/2007/06/24/more-wireless-not-enough-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Schools Want Urgent Wi-Fi Advice</title>
		<link>http://www.netstumbler.com/2007/05/29/schools-want-urgent-wi-fi-advice/</link>
		<comments>http://www.netstumbler.com/2007/05/29/schools-want-urgent-wi-fi-advice/#comments</comments>
		<pubDate>Tue, 29 May 2007 07:20:14 +0000</pubDate>
		<dc:creator>Kristin Abraham</dc:creator>
				<category><![CDATA[Health]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.netstumbler.com/2007/05/29/schools-want-urgent-wi-fi-advice/</guid>
		<description><![CDATA[Debate over the safety of Wi-Fi radiation levels in Britain continues. Britain has adopted municipal Wi-Fi fairly well and has added millions of users and several wireless cities to its roster, but they&#8217;re now finding the debate over health and safety is spreading. Stirring the pot of contention is the BBC program Panorama, which is [...]]]></description>
				<content:encoded><![CDATA[<p>Debate over the safety of Wi-Fi radiation levels in Britain continues. Britain has adopted municipal Wi-Fi fairly well and has added millions of users and several wireless cities to its roster, but they&#8217;re now finding the debate over health and safety is spreading. Stirring the pot of contention is the BBC program Panorama, which is questioning the level of control over Wi-Fi in the classroom. Britain&#8217;s Health Protection Agency acknowledges the concerns of citizens and vows to continue research into the topic, but at the same time reassures communities by saying that the networks produce very low power which does not represent a health risk. This ambiguity has served to alarm more than placate the public and watchdog groups have been set up to demand evidence of safety.<br />
Via [<a href="http://news.bbc.co.uk/1/hi/education/6676205.stm">news.bbc.co.uk</a>]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netstumbler.com/2007/05/29/schools-want-urgent-wi-fi-advice/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>How To Keep Your Wi-Fi Network Safe</title>
		<link>http://www.netstumbler.com/2007/05/02/how-to-keep-your-wi-fi-network-safe/</link>
		<comments>http://www.netstumbler.com/2007/05/02/how-to-keep-your-wi-fi-network-safe/#comments</comments>
		<pubDate>Wed, 02 May 2007 08:55:47 +0000</pubDate>
		<dc:creator>Eliza Villarino</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.netstumbler.com/2007/05/02/how-to-keep-your-wi-fi-network-safe/</guid>
		<description><![CDATA[With the ease of cracking the Wired Equivalent Privacy (WEP) code, many experts have recommended the use of Wi-fi Protected Access (WPA) to secure home wireless Internet networks. Unlike WEP, which hackers can breach in as little as 60 seconds, WPA appears to be a formidable protocol. &#8220;We have had a very close look at [...]]]></description>
				<content:encoded><![CDATA[<p>With the ease of cracking the Wired Equivalent Privacy (WEP) code, many experts have recommended the use of Wi-fi Protected Access (WPA) to secure home wireless Internet networks. Unlike WEP, which hackers can breach in as little as 60 seconds, WPA appears to be a formidable protocol. &#8220;We have had a very close look at WPA and we can&#8217;t find anything to exploit,&#8221; said Erik Tews, one of the researchers at the Darmstadt Technical University in Germany who discovered a method to break into a WEP-equipped network much more quickly. A brute force dictionary attack may defeat WPA and its later variant, WPA2, but this would require the hacker to try millions of different words or combinations of words to obtain the correct password. As such, AirDefense wireless security expert Amit Sinha is endorsing the use of a non-dictionary password with WPA. &#8220;If you use one which is long enough &#8211; at least 20 characters &#8211; then it becomes unfeasible for a hacker to mount a brute force attack, because finding your password would take longer than the entire history of the universe.&#8221;<br />
Via [<a href="http://news.bbc.co.uk/2/hi/technology/6595703.stm">bbc.co.uk</a>]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netstumbler.com/2007/05/02/how-to-keep-your-wi-fi-network-safe/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Child Porn Case Shows That An Open WiFi Network Is No Defense</title>
		<link>http://www.netstumbler.com/2007/04/30/child-porn-case-shows-that-an-open-wifi-network-is-no-defense/</link>
		<comments>http://www.netstumbler.com/2007/04/30/child-porn-case-shows-that-an-open-wifi-network-is-no-defense/#comments</comments>
		<pubDate>Mon, 30 Apr 2007 10:50:47 +0000</pubDate>
		<dc:creator>Kristin Abraham</dc:creator>
				<category><![CDATA[Legal]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.netstumbler.com/2007/04/30/child-porn-case-shows-that-an-open-wifi-network-is-no-defense/</guid>
		<description><![CDATA[Leaving a wireless access point (WAP) open is generally considered a bad idea. Experts suggest you could be opening yourself to criminals by not password protecting your WiFi Network. But if you are a criminal then keeping an open WAP may become your defense. A growing number of file sharers believe they can throw reasonable [...]]]></description>
				<content:encoded><![CDATA[<p>Leaving a wireless access point (WAP) open is generally considered a bad idea. Experts suggest you could be opening yourself to criminals by not password protecting your WiFi Network. But if you are a criminal then keeping an open WAP may become your defense. A growing number of file sharers believe they can throw reasonable doubt into any lawsuit by demonstrating that anyone could have been accessing their computer through an open WAP. But this may not be the case. Recently a Texas man, convicted of possessing child pornography, tried to use this defense, stating that the original evidence used to get the search warrant was based upon an email that could have been sent by his roommate over the man&#8217;s open WAP. In this case the District Court and the US Court of Appeals disagreed and the man was convicted. So, file sharers beware: an open WAP may not provide any protection from criminal prosecution.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netstumbler.com/2007/04/30/child-porn-case-shows-that-an-open-wifi-network-is-no-defense/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>WiFi Thieves Busted In The UK</title>
		<link>http://www.netstumbler.com/2007/04/26/wifi-thieves-busted-in-the-uk/</link>
		<comments>http://www.netstumbler.com/2007/04/26/wifi-thieves-busted-in-the-uk/#comments</comments>
		<pubDate>Thu, 26 Apr 2007 10:48:12 +0000</pubDate>
		<dc:creator>Kristin Abraham</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.netstumbler.com/2007/04/26/wifi-thieves-busted-in-the-uk/</guid>
		<description><![CDATA[The city of Redditch in the UK has two unlikely criminals. The pair were recently arrested for using other people&#8217;s WiFi broadband internet connections without permission. Neighbors had become frustrated at the man parked in front of their home on his laptop and called the police. The police arrested the man and cautioned him for [...]]]></description>
				<content:encoded><![CDATA[<p>The city of Redditch in the UK has two unlikely criminals. The pair were recently arrested for using other people&#8217;s WiFi broadband internet connections without permission. Neighbors had become frustrated at the man parked in front of their home on his laptop and called the police. The police arrested the man and cautioned him for dishonestly obtaining electronic communications services with intent to avoid payment.<br />
Via [<a href="http://www.techworld.com/mobility/news/index.cfm?newsID=8606">techworld.com</a>]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netstumbler.com/2007/04/26/wifi-thieves-busted-in-the-uk/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Don&#8217;t Use WEP For Wi-Fi Security, Researchers Say</title>
		<link>http://www.netstumbler.com/2007/04/13/dont-use-wep-for-wi-fi-security-researchers-say/</link>
		<comments>http://www.netstumbler.com/2007/04/13/dont-use-wep-for-wi-fi-security-researchers-say/#comments</comments>
		<pubDate>Fri, 13 Apr 2007 09:02:00 +0000</pubDate>
		<dc:creator>Kristin Abraham</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[WEP]]></category>

		<guid isPermaLink="false">http://www.netstumbler.com:8080/?p=7</guid>
		<description><![CDATA[If you&#8217;re relying on the Wired Equivalent Privacy (WEP) protocol for Wi-Fi security you may be at risk. Three German security researchers have found a way to tap into WEP-protected data within a minute. Previously, WEP had been criticized for flaws in the basic algorithm structure but cracking into the system took several minutes. Now, [...]]]></description>
				<content:encoded><![CDATA[<p>If you&#8217;re relying on the Wired Equivalent Privacy (WEP) protocol for Wi-Fi security you may be at risk. Three German security researchers have found a way to tap into WEP-protected data within a minute. Previously, WEP had been criticized for flaws in the basic algorithm structure but cracking into the system took several minutes. Now, with the help of a 1.7 GHz Pentium M processor, WEP is rendered useless in a few seconds. Switching to WPA encryption can take up to a few hours, but the switch could protect your private and sensitive data.<br />
Via [<a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&#038;articleId=9015559">computerworld.com</a>]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netstumbler.com/2007/04/13/dont-use-wep-for-wi-fi-security-researchers-say/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Attack Cracks WEP In Record Time</title>
		<link>http://www.netstumbler.com/2007/04/12/new-attack-cracks-wep-in-record-time/</link>
		<comments>http://www.netstumbler.com/2007/04/12/new-attack-cracks-wep-in-record-time/#comments</comments>
		<pubDate>Thu, 12 Apr 2007 08:12:00 +0000</pubDate>
		<dc:creator>Eliza Villarino</dc:creator>
				<category><![CDATA[Research]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[WEP]]></category>

		<guid isPermaLink="false">http://www.netstumbler.com:8080/?p=9</guid>
		<description><![CDATA[Researchers at the Technische Universitat Darmstadt have found a way to crack 104-bit WEP, a typical security tool for 802.11b/g/n networks. The team used a 1.7GHz Pentium-M machine to compute the success rate of grabbing the key. The attack needs sufficient traffic, so the researchers made the protected network generate packets. At 40,000 packets, the [...]]]></description>
				<content:encoded><![CDATA[<p>Researchers at the Technische Universitat Darmstadt have found a way to crack 104-bit WEP, a typical security tool for 802.11b/g/n networks. The team used a 1.7GHz Pentium-M machine to compute the success rate of grabbing the key. The attack needs sufficient traffic, so the researchers made the protected network generate packets. At 40,000 packets, the probability of extracting the key is 50 percent. This could go up to 80 percent with an additional 20,000 packets, and rise to 95 percent when traffic involves 95,000 packets. Hitting 95 percent, based on the experiment, would only take 1 minute and 51 seconds.</p>
<p>Because of WEP&#8217;s vulnerabilities, it is recommended that wireless network owners opt for WPA2, which is yet to be cracked by any known cryptographic attacks. The mechanism also provides support for infrastructure and ad-hoc networks, and includes pre-authentication and CCMP encryption features.<br />
Via [<a href="http://arstechnica.com/news.ars/post/20070404-new-attack-cracks-wep-in-record-time.html">arstechnica.com</a>]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.netstumbler.com/2007/04/12/new-attack-cracks-wep-in-record-time/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
