 |
msmobiles.com/f discussions about Microsoft Smartphone and Pocket PC phone
|
| Author |
Message |
msmobiles.com_robot
Joined: 23 Mar 2004 Posts: 16777215
|
Posted: Mon Aug 14, 2006 6:35 pm Post subject: Airscanner Vulnerability Summary: Windows Mobile Security Software Fails the Test |
|
|
Since developers are not in a hurry to keep their users' information secure... we feel compelled to publish - with exclusivity granted to us by author till August 21, 2006 - an article, that reveals various prob...
Read more at http://www.msmobiles.com/news.php/5474.html |
|
wakka
Joined: 13 Apr 2005 Posts: 46
|
Posted: Mon Aug 14, 2006 8:43 pm Post subject: |
|
|
WOA another great article!
Well, everything in that paper is also available in any other OS (Linux, Windows, whatever): you only need to gain physical access to the computer, and then you can do everything, you can dump lsa secrets, you can get the md5 password hash and then use a rainbow table, whatever! |
|
beersoft
Joined: 18 Jul 2004 Posts: 6
|
Posted: Mon Aug 14, 2006 9:39 pm Post subject: |
|
|
It's an interesting read, but lots of scare mongering, as wakka said, encryption and stuff is irrelevant if you have physical access to the device
packet sniffing is all well and good, but it's normally a man in the middle attack
plain text passwords are a major risk, if someone has access to hardware in between you and the webserver you're accessing, and doing packet sniffing, or access to the server logs, but if they have access to the logs, they probably rooted the box.
yep, security on wm isn't that hot, but it's secure enough for most people and only a risk if you lose the device, but then you can always use the remotewipe feature in ota activesync
Owen |
|
EJR

Joined: 18 Mar 2004 Posts: 2629
|
Posted: Mon Aug 14, 2006 10:57 pm Post subject: |
|
|
| beersoft wrote: | | It's an interesting read, but lots of scare mongering, |
for sure it contains some security holes that, if exploited by virus programs or malware, could be very destructive for users... don't you think, beersoft? |
|
cprise
Joined: 15 Aug 2006 Posts: 1
|
Posted: Tue Aug 15, 2006 1:06 am Post subject: |
|
|
| wakka wrote: | WOA another great article!
Well, everything in that paper is also available in any other OS (Linux, Windows, whatever): you only need to gain physical access to the computer, and then you can do everything, you can dump lsa secrets, you can get the md5 password hash and then use a rainbow table, whatever! |
Projecting Windows vulnerabilities onto all other systems just shows your ignorance. If someone steals my iBook then physical access will get them nothing in terms of revealing data stored in a filevault; their only option is to try to brute-force the passphrase.
The same is true for most disk encryption schemes under Linux, and for TrueCrypt under both Windows and Linux. |
|
wakka
Joined: 13 Apr 2005 Posts: 46
|
Posted: Tue Aug 15, 2006 5:07 am Post subject: |
|
|
| beersoft wrote: | | It's an interesting read, but lots of scare mongering, as wakka said, encryption and stuff is irrelevant if you have physical access to the device |
Huh? Not true; good encryption (as 3DES, AES, Blowfish, RC6 and others), with good subkey generation (we need more than writable bytes as a key) (see RFC2104 for example) and a good long password will secure things more than enough, if implemented correctly, of course.
| beersoft wrote: |
packet sniffing is all well and good, but it's normally a man in the middle attack |
Again, not true; it's an eavesdropper, a passive one at that. A man in the middle would intercept - decrypt - modify? - re-encrypt with its own key? - and resend.
| beersoft wrote: |
plain text passwords are a major risk, if someone has access to hardware in between you and the webserver you're accessing, and doing packet sniffing, or access to the server logs, but if they have access to the logs, they probably rooted the box.
yep, security on wm isn't that hot, but it's secure enough for most people and only a risk if you lose the device, but then you can always use the remotewipe feature in ota activesync
Owen
|
|
|
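The post above asks for key generation that yields more than typable bytes and points at RFC 2104 (HMAC). As an added example, not part of the original thread: HMAC-SHA256 written out per RFC 2104 and used as the building block of a password-based key derivation. PBKDF2, the salt size and the iteration count are assumptions chosen for this illustration, not something the poster specified.

```python
import hashlib
import os

BLOCK = 64  # SHA-256 input block size in bytes ("B" in RFC 2104)


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """RFC 2104: H((K xor opad) || H((K xor ipad) || msg))."""
    if len(key) > BLOCK:                 # over-long keys are hashed first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")      # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()


def derive_key(password: str, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """PBKDF2 (RFC 8018) built on the HMAC above."""
    pw = password.encode("utf-8")
    out = b""
    index = 1
    while len(out) < length:
        # First HMAC of each output block covers salt || 32-bit block index.
        u = hmac_sha256(pw, salt + index.to_bytes(4, "big"))
        t = u
        for _ in range(iterations - 1):
            u = hmac_sha256(pw, u)
            t = bytes(a ^ b for a, b in zip(t, u))
        out += t
        index += 1
    return out[:length]


if __name__ == "__main__":
    password = "constructed example passphrase"   # constructed sample input
    salt = os.urandom(16)                         # stored beside the ciphertext
    key = derive_key(password, salt, 20_000)
    # The typed password is limited to printable bytes; the derived key is not,
    # and the same password under another salt yields an unrelated key.
    print("256-bit key:", key.hex())
    print("matches hashlib:", key == hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, 20_000, 32))
```

In production code, call `hashlib.pbkdf2_hmac` (or a memory-hard KDF) directly; the hand-written version is here only to show where RFC 2104 fits.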
TMorel
Joined: 06 Apr 2006 Posts: 8 Location: Birmingham UK
|
Posted: Tue Aug 15, 2006 7:38 am Post subject: |
|
|
| msmobiles.com_wiseacre wrote: | | beersoft wrote: | | It's an interesting read, but lots of scare mongering, |
for sure it contains some security holes that, if exploited by virus programs or malware, could be very destructive for users... don't you think, beersoft? |
Hang on, MSMobiles told us yesterday that there are no virus threats and it's just a load of paranoia... make your minds up
http://msmobiles.com/f/viewtopic.php?t=14917 |
|
spacer
Joined: 06 Jun 2005 Posts: 15
|
Posted: Tue Aug 15, 2006 7:45 am Post subject: Good article but one sided |
|
|
I didn't see in the article a mention of the self destruct feature in WM5... remember the HTC Universal advert video? Where a guy lost his Universal and he phoned the operator to deactivate the device, which caused deletion of data on the device. Plus you can set up a password for such devices.
Buffer overflow POC in signature checking in WM5 caught my attention, however I didn't see any more details on whether the vendor fixed it and when it was notified (basics in a security audit report)
Also some of the warnings from the article are not fully thought through, like AV signature changing so malware can pass through.. if my piece of code is on the device already able to change a registry key it can get or directly run any malware already. |
|
EJR

Joined: 18 Mar 2004 Posts: 2629
|
Posted: Tue Aug 15, 2006 9:00 am Post subject: Re: Good article but one sided |
|
|
| these security holes are not only about virus programs but also about the ability to steal passwords when you can have somebody's Pocket PC or Smartphone just for a short time... |
|
wakka
Joined: 13 Apr 2005 Posts: 46
|
Posted: Tue Aug 15, 2006 11:57 am Post subject: |
|
|
| cprise wrote: | | wakka wrote: | WOA another great article!
Well, everything in that paper is also available in any other OS (Linux, Windows, whatever): you only need to gain physical access to the computer, and then you can do everything, you can dump lsa secrets, you can get the md5 password hash and then use a rainbow table, whatever! |
Projecting Windows vulnerabilities onto all other systems just shows your ignorance. If someone steals my iBook then physical access will get them nothing in terms of revealing data stored in a filevault; their only option is to try to brute-force the passphrase.
The same is true for most disk encryption schemes under Linux, and for TrueCrypt under both Windows and Linux. |
Wait, are you talking about out of the box encryption? If not, well, in WM I can use a bunch of different apps to encrypt my passwords...
I think you can count on your fingers the people who use filevault. And as you said, you can bruteforce it. |
|
Tim Surmin
Joined: 11 Aug 2006 Posts: 2
|
Posted: Tue Aug 15, 2006 1:32 pm Post subject: |
|
|
If program's security bugs are not described for some popular software, does it mean that they were tested and found secure?
For example, personal finance programs, we have Pocket Money, Webis Money, PocketExepense Pro, etc, but where are bestsellers: Cash Organizer and SPB Finance?
The same situation with Password\Credit Card\PIM Management Programs. Where is eWallet? Is it secure or not?
I think it is both useful to know, which software is secure and which is not. |
|
EJR

Joined: 18 Mar 2004 Posts: 2629
|
Posted: Tue Aug 15, 2006 1:45 pm Post subject: |
|
|
| Tim Surmin wrote: | | Where is eWallet? Is it secure or not? |
There are tens of thousands of programs for Windows Mobile and this article just shows the ways in which privacy/security are endangered! This article obviously is not covering all programs... so sorry but if you use such programs you can use this article as example how to find out whether the other programs are also endangering their users. |
|
Tim Surmin
Joined: 11 Aug 2006 Posts: 2
|
Posted: Tue Aug 15, 2006 2:27 pm Post subject: |
|
|
| msmobiles.com_wiseacre wrote: | | Tim Surmin wrote: | | Where is eWallet? Is it secure or not? |
There are tens of thousands of programs for Windows Mobile and this article just shows the ways in which privacy/security are endangered! This article obviously is not covering all programs... so sorry but if you use such programs you can use this article as example how to find out whether the other programs are also endangering their users. |
Thank you for your answer, yes, of course one article couldn't cover all the programs for Windows Mobile, but if the authors especially reviewed Personal Finance and Password\Credit Card\PIM Management Programs (of course, they require a higher security level than games, for example), why not check the bestsellers I wrote about above? Or if they were tested, just add: these programs were tested and they are secure enough. IMHO.
P.S. msmobiles.com_wiseacre, sorry, don't receive replies from you via PM, can you please, check, what is the problem. Thanks! |
|
sethfogie
Joined: 15 Aug 2006 Posts: 1
|
Posted: Tue Aug 15, 2006 8:01 pm Post subject: Some answers... |
|
|
I did test eWallet and some other programs. However, it is one thing to find a bug and say there is a problem, and another to say I couldn't find anything wrong.
Or to put it another way, I can say for sure that certain programs have issues...but I can't say certain programs are bug free. I only tested each program for a few hours and then moved on.
As far as financial programs go...I stopped testing them because I had a long enough list. There were some good password protection programs, and those used the MS Crypto API, which is why I mentioned that feature. |
|
rmund
Joined: 25 Jul 2007 Posts: 1
|
Posted: Wed Jul 25, 2007 9:13 pm Post subject: another huge Windows Mobile security hole |
|
|
Exact security vulnerability:
Any information that you enter on a Windows Mobile supported device into any secure database that does not turn off “Automatic Word Completion” during the data entry is a security risk. A secure database such as eWallet (by www.iliumsoft.com) is one such product. Information that is entered into databases like this includes: passwords, credit information, ATM passcodes, SSNs, and .... eWallet is the only database that this flaw was verified as having, but it is highly likely that other databases (like SecureWord.Mobile, iLOCK, SplashID,...) have the same problem on the Windows Mobile platform.
Steps to reproduce the problem:
1) Turn on Word completion in Windows Mobile
2) Go into your secure database (like eWallet)
3) Enter Data like a password (might need to enter it a couple times for Word Completion to pick it up)
4) Leave the database and go to MS Word
5) Type the first few characters of your password and watch the whole password magically appear in Word
And how an attacker could exploit it:
1) Hacker steals your PDA
2) The thief then dumps the Word Completion cache and finds your stuff, which is not encrypted in any way
Also I assume a remote hack is also possible.
And here is MS response to this problem:
Thanks for providing this helpful information. The detail described appears to violate one or more of the 10 Immutable Laws of Security, http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx. As such, a user can either turn off the Automatic Word Completion feature or use one of the freeware applications to remove entries from the dictionary. For reference on the definition of a security vulnerability, please see https://www.microsoft.com/technet/archive/community/columns/security/essays/vulnrbl.mspx?mfr=true. I hope this helps.
----------
So just keep turning off MS Windows Mobile features and some day you might have no more security problems! |
|
|
|
|
|