Can Android be an enterprise mobile OS without vpn support?

Image via Wikipedia

and here we are

Android is not only the winning mobile OS in terms of vulnerability, but in order to make things clear it is also not provided with a decent vpnipsec solution.

nNw would be useful to add, at least, a vpn support for cisco anyconnect and the major vpn vendors in the market, but till now it seems Google is not interested in making its OS a real enterprise OS.

Would you put your info on a smart device that not support ssl or ipsec vpn for business transactions? this sound like careless computing. remember the firesheep affair just I case….

just to move this thing out I would strongly suggest you put your comment and star (at the bottom of the page) on this thread on Google support.

http://code.google.com/p/android/issues/detail?id=9160

ciao

Related articles

• New Droid Pro Security Features Lead the Way (pcworld.com)
• Ask The Expert: AnyConnect Configuration – December 14th (blogs.cisco.com)

Good bye sweet Pearl 1994-2010

Just a few weeks after Misha you decided to go as well.  We’ll miss you.

Sei stata una compana fantastica, ed una gatta bellissima. Grazie per tutto quello che ci hai dato, il tuo ricordo mi accompagnerà sempre.

Ciao Pearl.

Captain Crunch needs your help

Image via Wikipedia

Captain Crunch needs your help

When John Draper aka Captain Crunch is on form, great things happen. A legendary hacker, he created the infamous Blue Box. He went on to invent EasyWriter, the first ever word processor for the Apple II.

By any standard, he’s an icon of the digital age. …

Related articles

• Captain Crunch needs your help (savingcaptaincrunch.com)
• John “Captain Crunch” Draper, the Hacker’s Hacker (secure.wikimedia.org)

shaddap you face

Image via Wikipedia

http://www.youtube.com/v/sFacWGBJ_cs?fs=1&hl=it_IT

sorry but it since this morning I have this song in my head. it’s Joe Dolce with s”haddap you face “

Testo:

‘Allo
I’m-a Giuseppe
I got-a something special-a for you
ready?
Uno
duo
tre
quatro!
When I was a boy
just abouth the eightth-a grade
Mama used to say: “Don’t stay out-a late
With the bad-a boys
always shoot-a pool
Giuseppe going to flunk-a school!”
Boy
it make-a me sick
all the t’ing I gotta do
I can’t-a get-a no kicks
always got to follow rules
Boy
it make-a me sick
just to make-a lousy bucks
Got to feel-a like a fool
And-a mama used to say all-a time:
What’s-a matter you? Hey! Gotta no respect
What-a you t’ink you do? Why you look-a so sad?
It’s-a not so bad
it’s-a nice-a place
Ah
shaddap-a you face!
That’s-a my mama. I can remember!
Big accordion solo!
Ah ! Play dat again! Really nice
really nice!
Soon-a come-a day
gonna be a big-a star
Den I make-a T.V. shows and-a movies
Get-a myself a new car
but still I be myself
I don’t want-a to change a t’ing
Still a-dance and a-sing
[ t’ing about-a mama
she used to say:
What’s-a matter you? Hey! . . .
Mama
she said it all-a da time!
What’s-a matter you? Hey!
Gotta no respect
. . .
That’s-a my mama!
Hello
everybody!
‘At’s out-a dere in-a radio and-a T.V. land
aid you know I had a big-a hit-a song in-a Italy with-a disc?
Shaddap-a you face,
I sing-a dis-a song
all-a my fans applaud
Dey clap-a da hands
dat-a make me feel-a so good;
You ought to learn-a dis-a song
it’s-a real-a simple –
See
I sing: “What’s-a matter you?” You sing: “Hey!”
Den I sing-a da rest
and den at de end
we can all-a sing:
Ah, Shaddap-a you face!
0.k.
let’s-a try it
really big –
Uno
duo
tre
quatro!
What’s – a matter you ? Hey !…

corso di perfezionamento post-laurea: GOVERNANCE E INNOVAZIONE IT: IL MIGLIORAMENTO DELL'EFFICIENZA, IL CONTROLLO DEI RISCHI, LA COMUNICAZIONE E L’INNOVAZIONE TECNOLOGICA NEI SISTEMI INFORMATIVI AZIENDALI

II Edizione del Corso di Perfezionamento Post-Laurea:

La Seconda Edizione del Corso di Perfezionamento post-laurea intitolato:

GOVERNANCE E INNOVAZIONE IT: IL MIGLIORAMENTO DELL’EFFICIENZA, IL CONTROLLO DEI RISCHI, LA COMUNICAZIONE E L’INNOVAZIONE TECNOLOGICA NEI SISTEMI INFORMATIVI AZIENDALI

si svolgerà tra MARZO e GIUGNO 2011 e fa parte delle iniziative di formazione post-laurea della Facoltà di Scienze MM. FF. NN. dell’Università degli Studi di Milano.

info here:

Firesheep overview

http://rcm.amazon.com/e/cm?t=portadiferro-20&o=1&p=8&l=bpl&asins=1565925092&fc1=000000&IS2=1&lt1=_blank&m=amazon&lc1=0000FF&bc1=000000&bg1=FFFFFF&f=ifrSearch Amazon.com for facebook hacking
There have been a lot of talking around firesheep firefox extension lately. So I wonder what the hell is this add on about?
I could have read all the readable or just done the most unsecure and stupid thing: trying it directly…. and you can wonder what I have done
Let’s start to install firseheep.
to install something you usually need to have it, first I tried to search the Firesheep add on (Google search)

Not an easy search since a lot of links comes out, the most just related to articles but at the end I found the right site.
http://codebutler.github.com/firesheep/
I downloaded an XPI file that I opened with Firefox in order to load the extension.

once the extension is loaded you can go to option and configure the interface you want to sniff

and the website you want to monitor:

now the most is done.
the extension is available on Firefox as a side bar

Once activated it will be at your left. to start the capture just click on Start capturing.
All the configuration parameters can be found on the bottom left of the sidebar. You can also add scripts to add more site to be monitored.
Once you stop something like that will be displayed on your left tab:

those are accountidentities that were accessing sites while you were sniffing.
you just have to click on one identity to access the site using the identity sniffed.
it’s simple as at. so an question? I got a couple (with answers too)
What exactly will firesheeep do?
Well it just simply sniff the traffic providing a simple interface for the user. You can have similar results with wireshark, for example, but you should manually trace the connection and find the username and password related to the site. everything would be logged, but firesheep makes everything easier and at anyone hands.

Firesheep monitors the unsecured network, such as you’d find in just about any public Wi-Fi environment, and watches for cookies being used by browsers to access websites. Firesheep collects the data within these cookies, enabling someone to access the website with exactly the same credentials. In very simple terms, you can very quickly and easily access the most popular social networking websites using someone else’s credentials – you basically take over complete access to their account!
The scariest thing about this add on is that it is terribly simple to install and use but it has limitation and it is not a whole hacking suites (luckily)
On windows (form windows XP up to the newest Windows 7) it need WinPcap 4.1.2 to work and it work only with the current version of firefox, so the beta 4 will not be suitable for this. At the same time it is not (still) available a Linux version so this add on is suitable just for mac and windows. And honestly on Mac it is easier to deal
Why it need wireless connection?
While you can think that firesheep works on wireless LAN because those are less secure, the reason is much more simpler than that. Without encryption a wireless LAN connection act like an old hub, so the collision domain cover all the hosts, that are able to see all the traffic.
Usually in a wired network you are directly connected to a switch and so your network interface, even without encryption, can see only it’s traffic (and eventually the broadcastmulticast one that is not interesting for firesheep purpose).
How can I protect myself?
Well once we understood how this work we can do a couple of considerations: the firesheep add on sniff http traffic so any redirecting technique like proxy agent of pac file to redirect to a proxy will be useless unless able to force an encryption between the device and the proxy.
The problem is that even if you don’t go directly to a website but pass through a proxy the traffic will be, anyway, http. Firesheep is looking for http traffic and will search for cookie transmitted, so it does not really care if you will use an intermediate security host (proxy or whatever) or not.
At the same time the intermediate security host can not detect any intrusion, since nothing is changed in the user traffic, it is simply sniffed without any change on the traffic itself.
In terms of products, the be clear, you would be protected either using something like the  scansafe agent Anywhere+ (because it encrypt all the traffic from the device to the scansafe cloud service), or anyconnect with it’s ssl tunnel and wsa integration.
You would not be protected by a not encrypting agent like the webroot one or proxy browser configurations like in Zscaler, MacAfee or Websense just because  you would anyway send http traffic that firesheep can sniff.
Is fireheep breaking the law?
Write the code or install the add on is legal, the use you do with the add on could be, on the other hands, a fraud. remember that stealing another user credentials is braking it’s privacy and this can led to penal consequences in several countries.

Just for fun:

this is the script used for facebook, the main parameters are the domain and url, and the cookie names to search for during the sniffing activities.

// Authors:
//   Eric Butler
register({
  name: ‘Facebook’,
  url: ‘http://www.facebook.com/home.php’,
  domains: [ ‘facebook.com’ ],
  sessionCookieNames: [ ‘xs’, ‘c_user’, ‘sid’ ],

  identifyUser: function () {
    var resp = this.httpGet(this.siteUrl);
    this.userName   = resp.body.querySelector(‘#navAccountName’).innerHTML;
    this.userAvatar = resp.body.querySelector(‘#navAccountPic img’).src;
  }
});

Basically you could find what kind of info you need to feed firesheep (or to do the same stuffs using tcpdump or wireshark) just monitoring your own traffic.

OK I admit that on wireshark the job could be a little tedious

Using httpwatch for example you can directly find the cookies involved clicking on the Cookies tab

So nothing really news under the sun with firesheep, just a very easy interface that expose something we all should know (at least who work in this area).

Do we really need something like firesheep to realize how easy can be starling credentials? if so welcome firesheep to give us a little more awareness.

hope you enjoyed the ride

cheers 

Related articles

• Firesheep Author Reflects On Wild Week (it.slashdot.org)
• Firesheep Simplifies Stealing Logins (informationweek.com)
• Twitter Embeds Encryption to Foil Firesheep Hackers (pcworld.com)
• Program allows unauthorized access on unsecured web connection ()
• Oneupweb : A Wolf in Sheep’s Clothing (straightupsearch.com)
• Twitter goes secure – say goodbye to Firesheep with “Always use HTTPS” option (nakedsecurity.sophos.com)
• Wiphishing and Firesheep (teknophilia.wordpress.com)
• Firesheep hack catches out Mr Demi Moore (go.theregister.com)
• Twitter Joins Facebook in Beefing Up Security, Foiling Hackers (fastcompany.com)
• How to Enable Persistent HTTPS in Facebook (mydigitallife.info)
• Twitter goes secure (eclectomania.wordpress.com)
• Fear Of Firesheep: Senator Asks Twitter, Amazon To Increase Web Security (paidcontent.org)

Il prode Bernabè e I cattivi content providers d’oltre oceano

Image via Wikipedia

Bernabè tuona contro I colossi del web che osano offrire contenuti ai navigatori italiani e così usano le reti che lui, con amore e devozione, vuol tenere libere da questa immondizia.

Con fiero cipiglio italico l’AD di Telecom Italia si è scagliato durante un convegno promosso da Assotelecomunicazioni contro I vari google, facebook, skype, twitter e chi più ne ha più ne metta, rei, a suo dire, di utilizzare le strutture di connettività italiane senza versare obolo alcuno portando al collasso le strutture TLC italiane.

L’amministratore delegato di Telecom, nel corso del suo intervento ha imputato a questi grandi americani di “sfruttare commercialmente la rete senza contribuire ai costi, danneggiando così la sostenibilità economica dell’attuale modello di business delle telecomunicazioni. “

Tra il plauso generale degli astanti si è consumata ancora una volta la classica farsa italiana ove, invece di ammettere le proprie carenze strutturali e manageriali, si preferisce mettere all’indice chi invece fa il proprio lavoro in maniera eccellente.

In altre parole Bernabè (sempre sia lodato) ha detto delle cose condivise sia dagli altri operatori italiani di fonia fissa e mobile, ai quali poco importa se le cose che vengono dette  (e fatte) abbiano rilevanza devastante per il tessuto sociale ed economico del nostro paese, e da esponenti del governo italiano che, invece, qualche problema di più se lo dovrebbero fare.

Ora capisco che tutti tirino acqua al proprio mulino, e che tra il cercare di cambiare il proprio modello di business e non cambiarlo la seconda strada sia preferibile (e piu facilmente percorribile) per molti managers, ma la posizione di Assotelecomunicazioni, se vista da fuori, è singolare ed almeno discutibile.

Risassunta la loro posizione è: qualcuno usando i nostri servizi ci guadagna, non è giusto…

Le domande da porsi di fronte a questa posizione sono:

• si tratta di guadagni illeciti?
• si stanno sottraendo risorse al gestore di connettività?
• questi content providers stanno offrendo in regime di concorrenza sleale (vuoi per regimi fiscali migliori o per uso di posizione dominante) servizi altrimenti appannaggio del carrier o gestore di connettività?

Temo che le risposte siano tutte negative.

Gli utenti pagano il traffico internet per accedere ai siti come facebook, google et similia.

Se è vero che i content providers non pagano nulla a telecom & co. perchè sono all’estero, sono al’estero per il semplice motivo che non esiste nessun vantaggio a stabilire sul nostro territorio simili facilities.

Ed i motivi sono pessimo stato delle infrastrutture, pessimo management e prezzi piu alti della media.

I content providers stranieri vivono di pubblicità, servizi e beni venduti. Tali proventi non sono tassabili sul territorio italiano in quanto generati all’estero, ma ciò è inevitabile visto il punto precedente.

Ora che i fornitori di servizi di connettività reclamino una fetta è quantomeno singolare, a meno che non si vogliano presentare anche come fornitori di contenuti. In questo caso però farebbero meglio ad accettare le regole della concorrenza ed iniziare a produrre contenuti invece che cercare di remunerare sul lavoro altrui.

Per quello poi che riguarda i servizi voip, questi sono piu economici per l’utenza ma molto meno remunerativi per telecom. Giusto per capirci passare da centralini tradizionali ad una infrastruttura voip per telecom vuol dire introiti ridotti ad un decimo per quello che riguarda il guadagno sul traffico voce. I guadani fatti nella vendita delle infrastrutture non possono coprire questo disavanzo, ne va da se che telecom veda voip e skype in particolare come antipatici ospiti al proprio desco.

Dare, poi, ai content providers l’onere del collasso delle strutture TLC suona veramente ridicolo. Se è vero che queste strutture collassano non è certo perche vi è un eccesso di offerta, ma perchè tali strutture sono inadeguate ai tempi.

Purtroppo in un ambiente economico che cambia la nostra italica tendenza è quella di rigettare il cambiamento e cercare di opporsi ai nuovi modelli economici. Con buona pace e copertura di una classe politica, nel migliore dei casi, poco attenta e disinformata.

se è vero che il modello business delle TLC italiane va in crisi a fronte delle nuove esigenze significa, ne prenda atto l’AD di Telecom Italia, che tale modello non è piu rispondente ai tempi. non è quindi altri che lui il responsabile e non I fornitori di servizi americani. Se poi questi verranno a fare concorrenza nel nostro paese anche in termini d connettività lo dirà il tempo, da noi (purtroppo) le barriere di ingresso sono altissime sia per I costi infrastrutturali che, sopratutto, per quelli politici.

Per altro il dott. Bernabè è lo stesso che si oppone allo scorporo della rete (alla faccia della net neutrality e della liberalizzazione dell’ultimo miglio), che si è opposto ad un agreement con gli altri operatori per fornire nuove reti di connettività, che sostiene che il digital divide in Italia non esiste e che l’Italia sia più che sufficientemente cablata ( )

In un mercato di monopolio di fatto su  almeno un’aspetto della offerta di connettività (la rete fisica) Telecom dispone di una posizione dominante che fa suonare certe affermazioni almeno come singolari.  In altri paesi la rete sarebbe stata scorporata da tempo per garantire almeno un regime di concorrenza reale (chiedete a Bell) …

Related articles

• EU: Italy Must Review Telecom Italia Access Prices (online.wsj.com)

The Firesheep firestorm

Image via Wikipedia

The Firesheep firestorm
NetworkWorld.com
Ian Paul notes an emerging security specification, from the IETF, called HTTP Strict Transport Security (STS). Essentially, it’s a policy mechanism that Web …

Related articles

• Is It Ethical For Mozilla To Refuse To Block Firesheep Add-in? (lockergnome.com)
• How To Protect Against Firesheep Attacks (yro.slashdot.org)
• Firesheep, a day later (codebutler.com)
• Liar, Liar, Sheep on Fire (boingboing.net)
• Managing HSTS Data (sidstamm.com)
• Unencrypted Wireless: In Like a Lion, Out Like a Lamb (eset.com)
• Firesheep Exposes the Soft Underbelly of Website Security (tjantunen.com)

From Italian to English

May be some of you already noticed that, things have changed those months and I have changed my role in Cisco.  this has lead to some changes, and at the end I think is time to make those changes official.
This blog was born during my IronPort times to provide some support to our channel, customer and tech community with some technical advice and interesting news.
Now I am in the greatest Cisco family and not more focused on Italy I have to make some choices.
I want to maintain the technical focus of this blog, since this is the main reason I made it alive, but as well I need to broaden the audience so I will embrace English as the reference language.
This will still be my blog and not an official  “voice” of cisco and I will post whatever I think could be useful or relevant to the security technical community. we will have discussion on cisco products, for sure, since those are the ones I know better, but I will post also on general issues related to security.
To provide support to the ones who do not like my English (sorry for native speakers ) on the blog page, right on the left, I have put a Google gadget for translation.
Thanks for following me all those years, and I hope to have you on board in the future.
good night
Antonio

Some blog statistics

Thanks Guys 🙂