Monday, July 14, 2014

iPad tied to boy's nickel allergy

from cbc.ca
The iPad is a potential source of nickel allergy reactions, say pediatricians who suggest parents choose a metal-free cover for the electronics.

Allergic contact dermatitis is becoming more common in children, especially to nickel, dermatologists say. In Monday’s issue of the journal Pediatrics, doctors in the U.S. describe the case of an 11-year-old boy with dermatitis that didn’t respond to standard ointment.

He tested positive in a skin patch test for nickel allergy. At an avoidance counselling session, doctors became aware that the family had bought a first generation iPad in 2010 and that the patient was using it more frequently.

After covering his iPad and avoiding nickel, including through diet, the dermatitis improved significantly for five months, Dr. Sharon Jacob of Loma Linda University in California and Dr. Shehla Admani of the dermatology department at the University of California, San Diego, said.

Allergic reactions to Apple laptops and iPhones have been reported, but the iPad hasn’t come up as a potential source of nickel sensitization in children before, the researchers said.

They suggested patients could reduce contact between skin and devices either by using a case or cover that is nickel-free or simply applying duct tape to create a barrier.

Doctors should also consider "metallic-appearing electronics and personal effects" as potential sources of nickel exposure, Jacob and Admani said.

In 2008, dermatologists warned that people who use their cellphones for long periods may develop a rash on their ears or cheeks.

Thursday, July 3, 2014

How to steal passwords from a locked iPhone

German researchers say that they have found a way to steal passwords stored on a locked Apple iPhone in just six minutes.
And they can do it without cracking the iPhone's passcode.
Researchers from the Fraunhofer Institute for Secure Information Technology (Fraunhofer SIT) say that the attack targets Apple's password management system - known as the keychain.
Here's a YouTube video where the German researchers demonstrate their attack in action:

The only hint of a consolation is that the attack can not be done remotely - the attackers need physical access to your iPhone to steal information.
But if the attacker only needs to have his hands on your iPhone for six minutes, how much of a comfort is this really? Don't forget, it's not unusual for people to lose their mobile phones or leave them unattended on their desk while they pop off to the coffee machine.
According to material published by Fraunhofer Institute SIT, sensitive password information can be extracted from a user's iPhone without needing to know the passcode.
The researchers claim that all iPhone and iPad devices containing the latest firmware are vulnerable. At a time when Apple and its fans are pushing hard for more companies to bring iPhones into the enterprise there will undoubtedly be concerns if these vulnerability claims are found to be true.
All eyes must now turn to Cupertino to see what Apple has to say about this.

Tuesday, May 27, 2014

Hackers Use ‘Find My iPhone’ App to Lock, Hold Devices for Ransom

from http://abcnews.go.com
Some iPhone and iPad users in Australia had a rude awakening this morning when they discovered their devices had been locked and held for ransom by a mysterious hacker going by the name “Oleg Pliss.”

The people impacted by the breach reported via tweets and the Apple forum that they received messages indicating their devices had been hacked and they needed to make a payment in order for them to be unlocked.

Tuesday, April 22, 2014

Active malware campaign steals Apple passwords from jailbroken iPhones

from arstechnica.com
Security researchers have uncovered an active malware campaign in the wild that steals the Apple ID credentials from jailbroken iPhones and iPads.

News of the malware dubbed "unflod," based on the name of a library that's installed on infected devices, first surfaced late last week on a pair of reddit threads here and here. In the posts, readers reported their jailbroken iOS devices recently started experiencing repeated crashes, often after installing jailbroken-specific customizations known as tweaks that were not a part of the official Cydia market, which acts as an alternative to Apple's App Store.

Since then, security researcher Stefan Esser has performed what's called a static analysis on the binary code that the reddit users isolated on compromised devices. In a blog post reporting the results, he said unflod hooks into the SSLWrite function of an infected device's security framework. It then scans it for strings accompanying the Apple ID and password that's transmitted to Apple servers. When the credentials are found, they're transmitted to attacker-controlled servers.

In an e-mail to Ars, Esser said the malicious code works only on 32-bit versions of jailbroken iOS devices. "There is no ARM 64-bit version of the code in the copy of the library we got," he wrote. "This means the malware should never be successful on [the] iPhone 5S/iPad Air or iPad mini 2G."

reddit readers said unflod infections can be detected by opening the SSH/Terminal and searching the folder /Library/MobileSubstrate/DynamicLibraries for the presence of the Unflod.dylib file. Compromised devices may possibly be disinfected by deleting the dynamic library, but since no one so far has been able to figure out how the malicious file is installed in the first place, there's no guarantee it won't somehow subsequently reappear.

"That is why we recommend to restore the device," Esser told Ars. "However, that means people will lose their jailbreak until a new one is released, and the majority of jailbreak users will not do that."

Of course, whichever course of disinfection users of infected devices choose, they should also change their Apple ID password as soon as possible.
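The folder check the reddit readers describe, written as a shell function (an added example, not code from the article or from Esser's analysis). The `ROOT` argument and the return codes are assumptions of this sketch; only the folder and file name come from the article.

```shell
# check_unflod [ROOT] -> prints any match and returns
#   0 = folder present, no match
#   1 = Unflod.dylib present
#   2 = MobileSubstrate folder absent (nothing to inspect under ROOT)
# ROOT (assumption): "/" on the device itself, or the mount point of an
# extracted filesystem copy when triaging offline.
check_unflod() {
    root="${1:-/}"
    dir="${root%/}/Library/MobileSubstrate/DynamicLibraries"
    if [ ! -d "$dir" ]; then
        echo "no MobileSubstrate folder at $dir" >&2
        return 2
    fi
    # -iname: match regardless of case, since the name appears both as
    # "unflod" and "Unflod". -maxdepth 1: tweaks sit directly in this folder.
    hits=$(find "$dir" -maxdepth 1 -iname 'unflod.dylib' -print)
    if [ -n "$hits" ]; then
        echo "$hits"
        return 1
    fi
    return 0
}
# Usage on the device: check_unflod /  ; echo "status: $?"
```

A return of 0 only means the file is not in that folder now; as the article notes, the install path is unknown, so it says nothing about reinfection.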

The unflod campaign, which was also analyzed by researchers from antivirus provider Sophos, underscores the risks associated with installing unknown apps on jailbroken iPhones.

"I will also again take this moment to point out to anyone concerned that the probability of this coming from a default [Cydia] repository is fairly low," Cydia developer Jay Freeman, aka Saurik, wrote in one reddit comment. "I don't recommend people go adding random URLs to Cydia and downloading random software from untrusted people any more than I recommend opening the .exe files you receive by e-mail on your desktop computer."

Saturday, February 22, 2014

Apple security flaw could allow hackers to beat encryption


from reuters.com
A major flaw in Apple Inc software for mobile devices could allow hackers to intercept email and other communications that are meant to be encrypted, the company said on Friday, and experts said Mac computers were even more exposed.

If attackers have access to a mobile user's network, such as by sharing the same unsecured wireless service offered by a restaurant, they could see or alter exchanges between the user and protected sites such as Gmail and Facebook. Governments with access to telecom carrier data could do the same.

"It's as bad as you could imagine, that's all I can say," said Johns Hopkins University cryptography professor Matthew Green.

Apple did not say when or how it learned about the flaw in the way iOS handles sessions in what are known as secure sockets layer or transport layer security, nor did it say whether the flaw was being exploited.

But a statement on its support website was blunt: The software "failed to validate the authenticity of the connection."

Apple released software patches and an update for the current version of iOS for iPhone 4 and later, 5th-generation iPod touches, and iPad 2 and later.

Without the fix, a hacker could impersonate a protected site and sit in the middle as email or financial data goes between the user and the real site, Green said.

After analyzing the patch, several security researchers said the same flaw existed in current versions of Mac OSX, running Apple laptop and desktop computers. No patch is available yet for that operating system, though one is expected soon.

Because spies and hackers will also be studying the patch, they could develop programs to take advantage of the flaw within days or even hours.

The issue is a "fundamental bug in Apple's SSL implementation," said Dmitri Alperovitch, chief technology officer at security firm CrowdStrike Inc. Adam Langley, a senior engineer at Google, agreed with CrowdStrike that OS X was at risk.

Apple did not reply to requests for comment. The flaw appears to be in the way that well-understood protocols were implemented, an embarrassing lapse for a company of Apple's stature and technical prowess.

The company was recently stung by leaked intelligence documents claiming that authorities had 100 percent success rate in breaking into iPhones.

Friday's news suggests that enterprising hackers could have had great success as well if they knew of the flaw.

Saturday, February 15, 2014

MAC TROJAN STEALS BITCOIN WALLET CREDENTIALS

from threatpost.com
A small number of Bitcoin wallets have been raided by a newly discovered Trojan that gobbles up credentials used to guard the digital currency.

OSX/CoinThief.A was found in the wild by a security consultancy specializing in Apple security called SecureMac; the malware was spreading on GitHub via a malicious app, which has since been removed from the code repository.

“At this time we’ve seen multiple reports on Reddit and other Bitcoin forums with users indicating that they’ve fallen victim to the malware, but we do not yet know the full scope of the malware distribution,” SecureMac lead developer Nicholas Ptacek said. “As news of this malware spreads, more victims will probably come forward.”

A Reddit discussion about the incident seems to link the author of the app called Stealthbit used to spread CoinThief to a previous attack targeting Bitcoin credentials carried out through an app called Bitvanity. The author of CoinThief went by the handle trevorscool or Thomas Revor, while the Bitvanity GitHub account was registered to a Trevory. The person posting said the Bitvanity app lifted more than 20 Bitcoins—an approximate value of $14,000 USD.

“The malware author tried to take down the malicious binary from Github yesterday, and possibly didn’t realize that it would still be available from the commit history,” Ptacek said. “At some point in the afternoon, the entire Github page for StealthBit was 404′ing, but we are not sure if the malware author deleted his account, or if the page was taken down by Github.”

StealthBit pretends to be an app used to send and receive payments on Bitcoin Stealth Addresses. Instead, when victims install it, their web browsing traffic is monitored by the Trojan, which sniffs out login credentials for Bitcoin wallets.

“At this time there does not appear to be any vulnerability that the malware is exploiting, but rather it is a classic case of social engineering,” Ptacek said. “The infected users thought they were installing an app to send and receive payments on Bitcoin Stealth Addresses, but the app did more than was advertised when it installed the malware. Since the user was intending to install the app, Gatekeeper warnings wouldn’t have been effective at stopping those users from running the app.”

The consultancy said the CoinThief Trojan is a dropper that installs browser extensions on Safari and Chrome running on OS X. The extensions keep tabs on Web traffic from the browsers and watch for log-in attempts on pre-loaded Bitcoin exchanges such as Mt. Gox and BTC-e and wallet sites such as blockchain.info. The extensions, meanwhile, are generically named “Pop-up Blocker,” and arrive with an equally generic description that wouldn’t raise suspicions with the user or security researchers.

“Additionally, the malware appears to monitor specific file locations on disk, checking to see when they are modified. Analysis of this malware is still in the early stages, so more information is likely to come to light moving forward,” Ptacek said.

The attackers hosted the source code and a precompiled version of the app on GitHub, SecureMac said. The source code and app, however, were not a match. The pre-compiled app contained malware not present in the source code and infected OS X users with CoinThief. Not only does the malware watch Web traffic, but it connects to a remote command and control server where it sends the stolen credentials and also receives updates from the attackers.

“Information sent back to the server isn’t limited to Bitcoin login credentials, but also includes the username and UUID (unique identifier) for the infected Mac, as well as the presence of a variety of Bitcoin-related apps on the system,”  SecureMac said on its site.

Ptacek said the remote server was registered in Australia via bitcoinwebhosting[.]net, but appeared to be hosted elsewhere. The remote server was located at www[.]media02-cloudfront[.]com, with a current IP address of 217[.]78[.]5[.]17, but it appears to be down at this time, Ptacek said.
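To check historical DNS or proxy logs for contact with that server, the two indicators above can be refanged and matched against the destination field. This is an added example, not SecureMac's tooling; the log layout (whitespace-separated, destination in the third field) and the sample lines are constructed for illustration.

```shell
# Indicators exactly as the article prints them (defanged).
COINTHIEF_IOCS='www[.]media02-cloudfront[.]com
217[.]78[.]5[.]17'

# refang: turn "[.]" back into "." so values can be compared to log fields.
refang() { sed 's/\[\.\]/./g'; }

# Constructed sample log: timestamp, client, destination.
sample_log() {
    cat <<'EOF'
2014-02-10T09:14:02Z 10.0.0.21 www.media02-cloudfront.com
2014-02-10T09:14:05Z 10.0.0.21 d111111abcdef8.cloudfront.net
2014-02-10T09:15:40Z 10.0.0.34 WWW.Media02-CloudFront.com.
2014-02-10T09:16:11Z 10.0.0.34 217.78.5.170
2014-02-10T09:17:29Z 10.0.0.57 217.78.5.17
2014-02-10T09:18:03Z 10.0.0.57 www.media02-cloudfront.com.example.net
EOF
}

# scan_iocs LOGFILE [FIELD] -> prints matching lines; returns 1 if any, else 0.
# FIELD (assumption) is the column holding the destination, default 3.
scan_iocs() {
    log="$1"; field="${2:-3}"
    hits=$(printf '%s\n' "$COINTHIEF_IOCS" | refang | awk -v f="$field" '
        NR == FNR { ioc[tolower($0)] = 1; next }  # first input: indicator list
        {
            d = tolower($f)
            sub(/\.$/, "", d)      # DNS logs often keep the trailing root dot
            if (d in ioc) print    # whole-field match, never a substring
        }' - "$log")
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}
# Usage: sample_log > /tmp/dns.log; scan_iocs /tmp/dns.log
```

Whole-field comparison is what keeps `217.78.5.170` and `www.media02-cloudfront.com.example.net` out of the results; a plain `grep` for the indicator strings would flag both.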

Apple’s security restrictions make it highly unlikely the malware would have made its way onto the Apple App Store. Also, there is no indication of a mobile component of this Trojan for iOS devices.

“The Trojan only works on OS X, and we haven’t seen any indication of the presence of an iOS version,” Ptacek said. “Furthermore, due to the security restrictions Apple has built into iOS, this malware would not be able to function on iOS.”

Tuesday, February 4, 2014

Flaming iPhone 5c Battery Sets 13-Year-Old’s Pants On Fire

from cultofmac.com

Batteries are potentially volatile things, stuffed with electrochemical cells practically humming with electrolytes. Every once in a while, then, they’re sure to break down, and companies like Apple do literally everything in their power to make sure it doesn't happen.

Here’s why. An iPhone 5c that exploded in the pocket of a 13-year-old girl resulted in a fire so severe that she was rushed to the hospital with second-degree burns.

The iPhone was in the girl’s back pocket at the time, so it appears that the failure of the two-month-old iPhone might have been due to stress. She may have cracked it sitting down.

As a bigger guy who stuffs his iPhone in his own back pocket, I should probably pay attention to this girl’s misfortune before I set my ass on fire.