Airscanner Active Sync Exploit Demonstration: Scary!

The guys at Airscanner must be loads of fun at parties, particularly Seth Fogie! Demonstrated here (click on the linked image above) is the vulnerable nature of unprotected Active Sync connections to your computer! The video shows working attack code establishing a connection to A/S, creating a new XP Admin-level account, and then running remote shell commands on the computer (via netcat)... yikes! The proof-of-concept code is also available... Isn't that grand?! An attack GUI for Windows Mobile...

Of course, Airscanner just released a new firewall product (3.5), but it won't do any good in stopping this exploit, which would run from someone's maliciously configured handheld. All they have to do is come up and plug in to your computer, walk away, wirelessly control the device, and then attack from the parking lot. Some ways to stop or mitigate these kinds of A/S and mobile security nightmares:

  • Keep your computer(s) patched. The flavor of exploit chosen in this case takes advantage of an old DCOM buffer overrun as an example.
  • Use the latest version of A/S, and do not use the wireless connection options.
  • Lock down USB ports in your corporate offices using policies if possible.
  • Use a reliable 2-way workstation firewall product, and try to keep open ports to a minimum. Set up your firewall to prompt you for applications requesting outbound connections (which can be a pain).
  • Disable Active Sync or remove it. Our corporate firewall product will stop A/S, but I've found ways to thwart it even (by killing firewall services, or plugging the handheld in before Symantec starts).
  • Scan your network, monitor logs, and use a sniffer to examine traffic on a regular basis.
  • Profile your systems and know what normal usage looks like. Often the best indication is abnormally high traffic or resource usage from a single resource.
  • Use an internal firewall/DMZ, and segment the network to minimize attack surface to critical systems.
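For the "monitor logs" item, one concrete check is to look for the account step shown in the video: a local account that is created and then placed in Administrators almost immediately. The script below is an added example, not code from Airscanner or from this post. The CSV layout, host names and account names are constructed for illustration. The event IDs are the standard Windows Security log IDs for account creation (624, or 4720 on Vista and later) and local group membership changes (636, or 4732).

```python
from datetime import datetime, timedelta

# Windows Security log event IDs (XP/2003 numbering, then Vista-and-later).
ACCOUNT_CREATED = {624, 4720}
ADDED_TO_LOCAL_GROUP = {636, 4732}

# Constructed sample export (assumed layout): time,host,event_id,account,group
SAMPLE_LOG = """\
2006-05-01T09:00:05,WKSTN-03,624,jsmith,
2006-05-01T10:02:11,WKSTN-07,624,support2,
2006-05-01T10:02:14,WKSTN-07,636,support2,Administrators
2006-05-01T10:05:40,WKSTN-03,636,jsmith,Remote Desktop Users
2006-05-01T16:30:00,WKSTN-09,636,helpdesk,Administrators
"""

def parse(log_text):
    """Turn the CSV-style export into event dicts, skipping blank lines."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, host, event_id, account, group = line.split(",", 4)
        events.append({"time": datetime.fromisoformat(when), "host": host,
                       "event_id": int(event_id), "account": account.lower(),
                       "group": group.strip()})
    return events

def find_fast_admin_promotions(events, window_seconds=600):
    """Return (host, account, created, promoted) for accounts created and then
    added to Administrators on the same host within the time window."""
    window = timedelta(seconds=window_seconds)
    created = {}  # (host, account) -> creation time
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["host"], ev["account"])
        if ev["event_id"] in ACCOUNT_CREATED:
            created[key] = ev["time"]
        elif (ev["event_id"] in ADDED_TO_LOCAL_GROUP
              and ev["group"].lower() == "administrators"
              and key in created
              and ev["time"] - created[key] <= window):
            hits.append((ev["host"], ev["account"], created[key], ev["time"]))
    return hits

if __name__ == "__main__":
    for host, account, made, promoted in find_fast_admin_promotions(parse(SAMPLE_LOG)):
        print(f"{host}: '{account}' created {made} and made admin {promoted}")
```

The long-standing `helpdesk` account on WKSTN-09 is not flagged because its creation is not in the window, which keeps routine group changes out of the alert.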

Anyway, you might want to check out Airscanner's new mobile firewall product as well. Some examples of how it can also help tighten up your data security:


  • A parent who wants to restrict all data access to their child's mobile device.
  • Employers who only want their employees to visit corporate web sites and download company email.
  • Educators who want to ensure school-provided PDAs are used for their intended purposes.

Features

  • Monitor ALL inbound and outbound TCP/IP communication (WiFi, GSM/GPRS)

  • Filter packets at the network level

  • Control full alerting and logging functions

  • Quickly select security zones of varying strength

  • Have the option to ignore (drop packets from) a particular IP address

  • View a real-time connection overview that lists all currently open ports and their state (e.g., a “netstat” for the Pocket PC) with connected IP address.

  • Have the ability to define custom filters

  • Allow trusted computers based on IP address

 

 
