Smartphones

Security news roundup: Free software to trace stolen laptops

This week's security events includes news of a free laptop tracking system, patches released to fix two critical holes in Firefox, a critical vulnerability of the BlackBerry Enterprise Server, and the release of Adobe Acrobat 9.

A free laptop tracking system

A yearlong research project between the University of Washington and the University of California-San Diego has yielded a tool that allows for the free tracking of lost or stolen laptops. Unlike existing tools on the market, installing this software will not result in any loss of privacy, as this tracking method does not entail any invasive remote control hardware or software. The Mac OS X version has the option to configure it to take photos via its built-in iSight camera.

Called Adeona, it is an open-source software that users can install on personal laptops that they wish to secure. Once in place, Adeona will set up an encrypted connection in which its up-to-date IP address will be sent to open source OpenDHT storage servers. In the event of laptops being lost (or stolen), another instance of Adeona can be installed on another computer. The correct password will then allow the victim to track his device via IP addresses. I suppose the assumption is that a thief will eventually use the laptop at his or her place of residence where there is a possibility of them being nailed via their IP address being linked to their ISP account.

Two critical holes in Firefox plugged

Mozilla released patches that fix two critical holes in the popular Firefox Web browser affecting both versions 2.0 and 3.0 branch of the software. One of the critical flaws is a variant of a vulnerability that could be exploited to do what is known as a carpet bombing attack. The other patch modifies the way that Firefox handles references pertaining to CSS, which (if left unfixed) could result in a forced crash where arbitrary code can be executed. (Note: Firefox 2.0 will only be supported by Mozilla until mid-December. No support in the form of security updates will be released after this date. As such, users are encouraged to upgrade to Firefox 3.0.)

Critical vulnerability in BlackBerry Enterprise Server

Administrators with BlackBerry Enterprise Server (BES) on their network might want to take note of a new flaw that involves the opening of PDF documents. As a result of a bug in the PDF Distiller component of the BlackBerry attachment service, it is possible for a maliciously crafted PDF document to result in a server compromise. A user will need to open a PDF document to trigger the flaw.

Excerpt from heise Security:

BlackBerry does not give any further information on the nature of the bug, but it can be used to inject and execute code on the server. BlackBerry Enterprise Server 4.1 Service Pack 3 (4.1.3) to 4.1 Service Pack 5 (4.1.5) and BlackBerry Unite! prior to 1.0 Service Pack 1 (1.0.1) Bundle 36 are affected.

An official patch in the form of BES 4.1 service pack 6 has been released by RIM. If it is somehow not possible to install the patch, the recommendation is to disable PDF processing in the Attachment Service as a workaround. Precise instructions to do so can be found in this security advisory from RIM.

Adobe Acrobat 9 released

It appears that version 9 of the Adobe Acrobat Reader is now available for download. It remains to be seen whether this latest version is leaner, or more bloated.

Mark Hofman over at SANS Internet Storm Center summarizes the features nicely:

As far as security upgrades, Adobe says the Security enhancements provides new digital signature functionality. The new version also adds support for 256-bit AES encryption. Other security features include SOAP/WSDL, XSD, Kerberos, W3C XML digital signatures, 256-bit AES, OASIS WS-Security, HTTP/HTTPS, RSA, XML encryption, and ECMAScript for XML (E4X) in the JavaScript interpreter. Reader is also NIST PKI test-suite compliant.

If you intend to download Adobe Acrobat Reader 9 -- or compel your users to do so -- use the below link, which some users have reported is the smallest download. Some other links might result in a "Free eBay Desktop" being selected as default, or a beta software based on Adobe AIR which cannot be unselected at install time.

Use this link from Adobe's FTP website: ftp://ftp.adobe.com/pub/adobe/reader/win/9.x/9.0/enu

Feel free to to discuss the various security events here.

 

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

6 comments
kevin.carrell
kevin.carrell

Would it not be better to use the mac address? As far as I was aware from my time working on an airport network with fixed ip, the mac address was the default identifier for any machine that used tcp/ip on that network

paulmah
paulmah

This week?s security events includes news of a free laptop tracking system, patches released to fix two critical holes in Firefox, a critical vulnerability of the BlackBerry Enterprise Server, and the release of Adobe Acrobat 9.

O & G IT Guy
O & G IT Guy

Ultimately the MAC address is a unique way of identifying a network card (spoofing aside). But the MAC address doesn't give you any idea where the machine is being used. On the other hand an IP is an "address" that is given out generally by location (if you go to a different location you get a different IP) and thus can be used (with some difficulty) to track down the location of the machine and thus recover it.

Haas
Haas

The laptop tracking system will work only if the thief is not a computer savvy guy because with a new OS install, the tracking software becomes useless. But it's very useful when the thief is just an idiot looking to make an easy buck or just use a stolen laptop to surf the www. In this case the laptop can successfully be traced. Still a good idea for only the second case scenario. Haas

frodo
frodo

Does anybody have any experience getting a warrant etc. for an IP address. What would you have to prove to the police etc.?? Thanks!

Editor's Picks