• Spying on Smartphones

    I was recently at an event for Law Enforcement where one of the discussion points was how critical it is to protect Smartphones – actually it was more about how easy it would be to claim that my Smartphone was hacked and how proof can be found.

    That you should run Anti-Malware software on phones is nothing new (even though just very, very, very few people I know are actually running it), but I was stunned by what kind of software is offered to be run on Windows Mobile/Symbian/BlackBerry. Let me give you an example: There is a software called FlexiSpy. The sub-title of the product is “Protect Your Children | Catch Cheating Spouses”. I wanted to try this product once, but I will never ever try to run this software on any phone with business data on it. There is a demo on the page; let me give you some screenshots of what the product (once installed) is able to grab:

    This is the overview over all events

    Let’s look at an SMS:

    So, it’s not “only” the recipient of the text, it is the content as well. The same is true for mails (!) as well.

    Unfortunately the demo does not show one other key feature, which is the location tracking either via the cell you are in or via the built-in GPS…

    The worst thing is that you do not see the software anywhere – neither in the installed software nor in any running process. The only thing somebody needs is brief access to your phone. So make sure that you run AV software and have a PIN on your phone.

    Roger

  • SQL Injection – again?

    This week I had – again – a longer mail thread on SQL Injection attacks. Probably it caught me at the wrong moment, as it was a very long week preparing for the IE Out of Band release, making sure everybody knows what they have to do. And then…

    I was actually pinged by our office in Ireland about a blogger who is working heavily with our technology and seems to be a pretty experienced developer – this to set the stage.

    So, the title of the post was (freely summarized): I was attacked by a SQL Injection, what is Microsoft doing against that? I then commented on his blog, but unfortunately he decided not to publish my comment but to get in touch with me directly. The interesting thing was (and this is the reason why I decided to blog myself about it) that I was asking him what he was expecting from us, as we published quite a bunch of guidance on how to protect against SQL Injection back in May and there is not much more we can do, as SQL Injection is not a DB but an application problem: the app does not properly verify the input. I have seen some cases recently (and from the mail exchange we had over the weekend I guess that he is one of them) where a cookie was used to do the SQL Injection. So the application is saving some data in a cookie and loads the content from there, directly generating the SQL Query. So if an attacker changes the content of the cookie he/she could run a different kind of SQL Injection and inject a script into the DB. This blogger was actually hit pretty hard by a script called jpdog.3322. If you search for it in a search engine (you would never use Google, would you?) you find a hell of a lot of sites being infected. Scary!

    Now, back to our blogger. I asked several times (and this goes to you as well): What else can we do to help to protect the ecosystem besides publishing the advice we already gave? I summarized the different sites back in May in posts called The latest SQL Injection Attacks and New Guidance on the SQL Injection Attacks.

    Additionally we made a new version of the Security Development Lifecycle available to help you to write more secure code. See my post about that: Videos about the Security Development Lifecycle

    So, his ask finally was: a patch. He is expecting us to issue a patch to solve this problem. To me, this is on the same level as you would ask us to issue a patch for the buffer overflows. Let me be clear once again: SQL Injection is about the app, not the DB!

    I think at the end, he felt stupid (he got some pretty direct comments on his blog as well), which would be bad. We have been defaced based on a SQL Injection as well and I am convinced that it could happen to anybody. The key is, to make sure that you look for a solution at the root of the problem, which is the app.

    Roger
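    The cookie-driven injection described in this post, as an added example that is not part of the original post: a constructed app stores the user name in a cookie and builds its query from it. The vulnerable function concatenates the cookie value into the SQL statement, so a tampered cookie makes the WHERE clause always true; the hardened version passes the same value as a parameter and the tampered cookie simply matches no row. Table, cookie names and the sqlite3 in-memory database are assumptions for the demonstration.

```python
import sqlite3
from urllib.parse import unquote

# Constructed sample data: a per-user preference table (not from the post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prefs (user TEXT, theme TEXT)")
    conn.executemany("INSERT INTO prefs VALUES (?, ?)",
                     [("alice", "dark"), ("bob", "light")])
    return conn

def cookie_value(header, name):
    """Pick one cookie out of a raw Cookie header and percent-decode it."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return unquote(value)
    return ""

def theme_vulnerable(conn, cookie_header):
    # The cookie content is trusted and pasted straight into the statement,
    # exactly the pattern the post describes.
    user = cookie_value(cookie_header, "user")
    sql = "SELECT theme FROM prefs WHERE user = '" + user + "'"
    return [row[0] for row in conn.execute(sql)]

def theme_safe(conn, cookie_header):
    # Same lookup, but the value travels as a bound parameter, so the
    # database never interprets it as SQL.
    user = cookie_value(cookie_header, "user")
    sql = "SELECT theme FROM prefs WHERE user = ?"
    return [row[0] for row in conn.execute(sql, (user,))]

# Constructed cookies: a normal one and one edited client-side
# (decodes to: x' OR '1'='1).
NORMAL_COOKIE = "session=abc; user=alice"
TAMPERED_COOKIE = "session=abc; user=x%27%20OR%20%271%27%3D%271"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal :", theme_vulnerable(db, NORMAL_COOKIE))
    print("vulnerable, tampered:", theme_vulnerable(db, TAMPERED_COOKIE))
    print("safe, tampered     :", theme_safe(db, TAMPERED_COOKIE))
```

Logging the decoded cookie value alongside the query makes this kind of tampering visible in application logs even before the fix is deployed.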

  • Stealing the Empire State Building in 90 Minutes

    You do not trust e-Business? Why do you trust “normal” business then? Read this: Newspaper 'Steals' Empire State Building in Just 90 Minutes

    Roger

  • Internet Explorer Security Update Ready

    Go out there and install the update immediately now. Here is the bulletin: MS08-078 - Security Update for Internet Explorer (960714)

    If you think that you could be infected, run a scan with the online Windows Live OneCare Safety scanner, which finds the malware based on this exploit as far as we know it.

    Roger

  • IMPORTANT: IE Vulnerability: Out of Band Release Scheduled for Tomorrow

    Just as a short notice: We just started to communicate that we will release a security update for the Internet Explorer vulnerability. At the moment, the update is scheduled to be released at approximately 10:00 am PST (19:00 CET) tomorrow.

    Have a look at the Advanced Notification which you can find here: http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx

    Please start immediately with preparing the distribution of the update, and also start preparing for your internal risk assessment tomorrow evening.

    Roger