Friday, March 29, 2013

iPhone more vulnerable than Android, BB, and WP combined

Security is always a hot topic with mobile platforms, but most of the time the focus is on Android and the malware issues that exist for the platform if you don't use the Google Play Store. But, a new study shows that maybe we should pay more attention to the iPhone's security issues, because the study claims that the iPhone has more security vulnerabilities than Android, BlackBerry, and Windows Phone combined.

The study was conducted by SourceFire, which analyzed 25 years of vulnerability data from the Common Vulnerabilities and Exposures (CVE) list and the National Vulnerability Database (NVD). Yves Younan, senior research engineer on SourceFire's Vulnerability Research Team and author of the report, called the results "surprising", especially since the iPhone's CVE count keeps growing year over year despite Apple shipping security fixes with each update.

According to the study, the iPhone accounts for 210 vulnerabilities, or 81% of all mobile phone platform vulnerabilities across the four platforms studied. Android has just 24 known vulnerabilities, Windows Phone 14, and BlackBerry 11, which together make up the remaining 19%. The study didn't extend to fringe systems like Symbian, bada, and the rest. To be fair, these numbers are cumulative totals since 2007, but even with 2007 removed, the iPhone still has 205 vulnerabilities to Android's 24.
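As an added example (not part of the original post, and not SourceFire's tooling), here is how a per-platform, per-year count like the one above is produced from NVD-style records. The records are constructed, and the CPE vendor:product prefixes used to map entries onto platforms are assumptions. The detail worth noticing is that a CVE listing several platforms counts once for each of them, so the per-platform totals can add up to more than the number of distinct CVEs.

```python
"""Tally CVE entries per mobile platform and year from NVD-style records.
Added example for this post; records and CPE prefixes are assumptions."""
from collections import defaultdict

# Assumed CPE 2.2 vendor:product prefixes identifying each platform.
PLATFORM_CPE = {
    "iPhone": "cpe:/o:apple:iphone_os",
    "Android": "cpe:/o:google:android",
    "BlackBerry": "cpe:/o:rim:blackberry_os",
    "Windows Phone": "cpe:/o:microsoft:windows_phone",
}

# Constructed records in the shape of NVD feed entries: id, publish date, CPE list.
SAMPLE_RECORDS = [
    {"id": "CVE-2007-0001", "published": "2007-06-29",
     "cpes": ["cpe:/o:apple:iphone_os:1.0"]},
    {"id": "CVE-2008-0002", "published": "2008-03-15",
     "cpes": ["cpe:/o:apple:iphone_os:1.1.4", "cpe:/o:apple:mac_os_x:10.5"]},
    {"id": "CVE-2009-0003", "published": "2009-11-04",
     "cpes": ["cpe:/o:google:android:1.6"]},
    {"id": "CVE-2010-0004", "published": "2010-07-11",
     "cpes": ["cpe:/o:apple:iphone_os:4.0", "cpe:/o:google:android:2.2"]},
    {"id": "CVE-2011-0005", "published": "2011-02-02",
     "cpes": ["cpe:/o:rim:blackberry_os:6.0"]},
    {"id": "CVE-2012-0006", "published": "2012-09-20",
     "cpes": ["cpe:/o:microsoft:windows_phone:7.5"]},
    # Not a mobile OS entry: must not be counted for any platform.
    {"id": "CVE-2012-0007", "published": "2012-10-01",
     "cpes": ["cpe:/a:oracle:jre:1.7.0"]},
]


def platforms_for(record):
    """Set of platforms a record's CPE list maps onto (may be empty or several)."""
    hit = set()
    for cpe in record["cpes"]:
        for platform, prefix in PLATFORM_CPE.items():
            # Match the bare product or any version-qualified form of it.
            if cpe == prefix or cpe.startswith(prefix + ":"):
                hit.add(platform)
    return hit


def tally(records, since_year=None):
    """Return {platform: {year: count}}; one CVE may count toward several platforms."""
    counts = defaultdict(lambda: defaultdict(int))
    for rec in records:
        year = int(rec["published"][:4])
        if since_year is not None and year < since_year:
            continue
        for platform in platforms_for(rec):
            counts[platform][year] += 1
    return {p: dict(years) for p, years in counts.items()}


def totals(records, since_year=None):
    """Cumulative count per platform, optionally dropping early years."""
    return {p: sum(years.values()) for p, years in tally(records, since_year).items()}


if __name__ == "__main__":
    print(totals(SAMPLE_RECORDS))                  # per-platform totals since the start
    print(totals(SAMPLE_RECORDS, since_year=2008))  # the "remove 2007" variant
```

On the constructed data the four platform totals sum to 7 although only 6 records name a mobile OS, because CVE-2010-0004 lists both iOS and Android; any comparison of platform counts should say whether such entries were deduplicated.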

Younan's theory is that because cybercriminals can't get at users through the iTunes App Store, they have to work harder to find iPhone vulnerabilities, so more of them get found, whereas Android, being an open platform, is easier for criminals to attack directly.

Of course, he doesn't mention that only 0.5% of malware comes through the Google Play Store, so criminals still have to find ways to get Android users to sideload infected apps. It is still very possible that Android simply has fewer vulnerabilities because it is open source (which tends to be more secure), and that the only real serious vulnerability with Android is that users are allowed to screw things up if they aren't careful. A CVE count is also only a count of bugs that were reported and catalogued; it says nothing about how many remain unfound or how exploitable any of them are.

Saturday, March 23, 2013

New Apple Security Exploit Lets Someone Reset Your Password

"That was easy..."
UPDATE: Apple's password-reset system currently appears to be down.

An Apple account exploit allows anyone with your email address and date of birth to reset your Apple ID and iCloud account password.

First reported by The Verge, the exploit uses Apple’s own tools to break into accounts: a modified URL combined with the target’s date of birth entered on Apple’s iForgot page. Directions on how to take advantage of the vulnerability were published in a step-by-step tutorial.

On Thursday, Apple launched two-step verification for Apple ID and iCloud account passwords. When set up, two-step verification would prevent someone from using the vulnerability to access accounts.

Much like two-step verification on other services, Apple's version verifies your identity when your account is accessed from a new device.

Verification is done using another one of your devices, such as your iPhone. For instance, if you buy a new computer and sign into iCloud on it, Apple will send a numerical code to your iPhone via text message. You take the numerical code sent to your phone, and enter it into your computer to verify you are in fact who you say you are.
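The server side of that flow, as an added example that is not part of the original post and not Apple's code: a sign-in from an untrusted device gets a short numeric code that is sent out of band and must be presented back before the device is trusted. The six-digit length, ten-minute lifetime, three-attempt limit and the in-memory account record are all assumptions made for the example. The point is that knowing the e-mail address and date of birth, which is all the reset exploit above needs, is no longer enough on its own.

```python
"""Two-step verification check for sign-ins from a new device.
Added example for this post, not Apple's implementation; code length,
lifetime, attempt limit and the account record are assumptions."""
import hashlib
import hmac
import secrets
import time

CODE_LENGTH = 6            # assumption: six-digit code, as in the SMS flow above
CODE_TTL_SECONDS = 600     # assumption: code is valid for ten minutes
MAX_ATTEMPTS = 3           # assumption: three guesses, then a new code is required


class Account:
    def __init__(self, email):
        self.email = email
        self.trusted_devices = set()
        # device_id -> [sha256(code), expiry timestamp, attempts left]
        self.pending = {}


def _hash_code(code):
    # Store only a digest so a leaked server state does not leak live codes.
    return hashlib.sha256(code.encode()).hexdigest()


def begin_login(account, device_id, now=None):
    """Return (needs_code, code_to_send).  Trusted devices skip the code.

    The code is returned here only so the caller can deliver it out of band
    (e.g. by SMS to the trusted phone); it must never go to the device that
    is asking to sign in."""
    if now is None:
        now = time.time()
    if device_id in account.trusted_devices:
        return False, None
    # secrets uses the OS CSPRNG; zero-padding keeps leading zeros.
    code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
    account.pending[device_id] = [_hash_code(code), now + CODE_TTL_SECONDS, MAX_ATTEMPTS]
    return True, code


def verify_code(account, device_id, submitted, now=None):
    """True if the submitted code matches, is unexpired and attempts remain."""
    if now is None:
        now = time.time()
    entry = account.pending.get(device_id)
    if entry is None:
        return False
    code_hash, expires_at, attempts_left = entry
    if now > expires_at or attempts_left <= 0:
        del account.pending[device_id]
        return False
    entry[2] -= 1
    # Constant-time comparison so timing does not leak how many digits matched.
    if hmac.compare_digest(code_hash, _hash_code(submitted)):
        del account.pending[device_id]       # codes are single use
        account.trusted_devices.add(device_id)
        return True
    if entry[2] == 0:
        del account.pending[device_id]       # out of guesses: force a fresh code
    return False


if __name__ == "__main__":
    acct = Account("user@example.com")       # constructed account
    needs_code, code = begin_login(acct, "new-macbook")
    print("code sent by SMS:", code)
    print("verified:", verify_code(acct, "new-macbook", code))
    print("second sign-in needs code:", begin_login(acct, "new-macbook")[0])
```

With a six-digit code the attempt limit matters: without it an on-path attacker who can submit guesses has a million-way search, with it the odds per code issued are three in a million, and each new code also needs the legitimate user to start a sign-in.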

You can, and should, set up two-step verification on your Apple accounts now.

Monday, March 11, 2013

Mac malware that infected Facebook bypassed OS X Gatekeeper protection


New family of Mac malware masqueraded as printer software.

Researchers have identified the Mac malware that infected employees of Apple, Facebook, and Twitter, and say it may have been used to compromise machines in other US organizations, including auto manufacturers, government agencies, and a leading candy maker, according to a published report.

Pintsized.A is a new family of Mac malware that uses an exploit to bypass Gatekeeper, the OS X protection that lets end users restrict which apps are allowed to run based on where they came from and whether they are signed, according to an article published Monday by The Security Ledger. Mac antivirus provider Intego says the trojan masquerades on infected machines as cupsd, the daemon of the CUPS printing system that OS X ships with, although it runs from a different location than the legitimate binary. It's unclear exactly how the malware gets around Gatekeeper.
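The "same name, wrong location" detail is the easy thing to check for. Below is an added example (not part of the original article and not Intego's detection) that walks a process listing and flags any process whose executable name is a known system daemon but whose path is not where that daemon lives. The expected-path table is an assumption for a stock OS X install, and the listing is constructed rather than captured from an infected machine.

```python
"""Flag processes named like a system daemon but running from the wrong path.
Added example for this post; expected paths and the listing are assumptions."""

# Assumed legitimate locations for daemons that malware likes to impersonate.
EXPECTED_PATHS = {
    "cupsd": {"/usr/sbin/cupsd"},
    "launchd": {"/sbin/launchd"},
}

# Constructed output in the shape of `ps -axo pid=,user=,comm=` on OS X,
# where comm= prints the full path of the executable.
SAMPLE_PS = """\
    1 root  /sbin/launchd
   88 root  /usr/sbin/cupsd
  412 alice /Applications/Safari.app/Contents/MacOS/Safari
  913 alice /Users/alice/Library/Application Support/.cups/cupsd
  944 alice /tmp/cupsd
"""


def parse_ps(text):
    """Turn the three-column listing into dicts; paths may contain spaces."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # maxsplit=2 keeps everything after the user column as the path.
        pid, user, path = line.split(None, 2)
        rows.append({"pid": int(pid), "user": user, "path": path})
    return rows


def find_masquerades(rows, expected=EXPECTED_PATHS):
    """Return rows whose basename is a known daemon but whose path is not."""
    hits = []
    for row in rows:
        name = row["path"].rsplit("/", 1)[-1]
        if name in expected and row["path"] not in expected[name]:
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in find_masquerades(parse_ps(SAMPLE_PS)):
        name = hit["path"].rsplit("/", 1)[-1]
        print(f"pid {hit['pid']} ({hit['user']}): {name} running from {hit['path']}")
```

On a live machine the same function takes the real output of `ps -axo pid=,user=,comm=`; a daemon that should run as root showing up under a user account, as in the two flagged rows, is a second tell worth alerting on.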

Once installed, Pintsized establishes a reverse shell to a command and control server run by the attackers. It uses a modified version of OpenSSH to encrypt that traffic, which helps it blend in and stay undetected on infected networks. One of the domain names hosting such a server caught the attention of Facebook's security team, tipping them off that there was an infected machine inside their network. When they later took control of the domain, they discovered that multiple other companies had been compromised by the same attackers. Around the same time, Apple, Twitter, and Microsoft were hit with attacks that fit the same pattern.

The Security Ledger brought to light several other new revelations about the attacks. For one, the attackers used a variety of third-party websites to infect employees who frequented pages on a range of topics, including development of applications for Google's Android operating system. Previously, only a single website for iPhone developers had been identified as compromised. Also interesting, that site was booby-trapped in such a way that it attacked some visitors and not others. Investigators are still working out what caused the selective exploitation and how specific targets may have been chosen.

Apple left App Store open to attack

Somebody left the gate open
Summary: Apple failed to use HTTPS on its App Store for at least six months, leaving it open to man-in-the-middle attacks that could trick users into installing paid apps or steal their passwords.

The Apple App Store had been running without HTTPS for at least six months, leaving it open to password theft, privacy leaks, and app manipulation.

Apple recently updated its "Apple Web Server notifications" document, which is effectively the credit roll for people who have reported security issues on Apple's web servers. Among the entries, Apple acknowledges Bernhard "Bruhns" Brehm of Recurity Labs, Elie Bursztein of Google, and Rahul Iyer of Bejoi LLC for pointing out issues with the App Store domain.

The three researchers pointed out that information sent to and from the domain was not protected with HTTPS. Following their reports, Apple addressed the issue earlier this year, and now notes that "active content is now served over HTTPS by default".

According to Bursztein, by not using HTTPS, Apple left users open to four different attacks from anyone on the same shared network, such as those at airports or coffee shops.

Bursztein's attacks work by intercepting the unencrypted traffic on the network and modifying Apple's response. The first attack, stealing the user's password, intercepts the App Store app's request for updates from the iTunes server and injects code that produces a pop-up asking for the user's password.

From the victim's perspective, it would appear that the App Store app has asked for the user's password upon being opened. This information can then be sent to the attacker.

The second attack fools the user into thinking they're downloading one application when they're actually getting another. It again intercepts the details shown on an application's page, leaving the visible details intact but changing the parameters sent to Apple's servers when the user clicks buy or install.

"Abusing the lack of encryption on the application detail pages, the attacker is able to swap application purchase/download parameters with those of his choice. As a result, the attacker is able to force the victim to install/buy an app of his choice when the victim tries to install/upgrade any application," Bursztein wrote on his blog.

"The attacker would be able to monetize this attack by having his own (benign) very expensive application available through the market and forcing the user to install it using the app swapping attack."

This can be combined with Bursztein's third attack, which hijacks genuine updates to installed apps and, similar to the app-swapping attack, points to another app to install.

Lastly, Bursztein's final attack uses the previous techniques but points the install or download at an app that is already on the device, which effectively stops the victim from installing anything and so locks them out of the App Store.

It is also possible to determine which apps a user has on their device, according to Bursztein, because when the device contacts the upgrade server it sends the list of installed apps, and without HTTPS that list travels in the clear.

"It can also allow an attacker to track users, as a list of installed applications is pretty unique to each user (it seems likely that it will generate more than the 31 bits of entropy needed to uniquely identify a user)."
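The "31 bits" figure is the information needed to single out one person among 2^31, roughly 2.1 billion people. As an added example (not part of the original article and not Bursztein's code), here is the usual way to turn an installed-app list into bits of identifying information: each app that a fraction p of users have contributes -log2(p) bits when present and -log2(1-p) bits when absent. The prevalence figures are constructed, and the calculation assumes installs are independent of each other, which overstates the true entropy for apps that tend to be installed together.

```python
"""How many identifying bits a list of installed apps reveals.
Added example for this post; prevalence figures are constructed and the
independence assumption is a simplification."""
import math


def bits_to_identify(population):
    """Bits needed to single out one person among `population` people."""
    return math.log2(population)


# Constructed: fraction of users assumed to have each app installed.
PREVALENCE = {
    "Facebook": 0.60,
    "Twitter": 0.30,
    "Angry Birds": 0.40,
    "Instapaper": 0.05,
    "OpenVPN Connect": 0.01,
    "Tweetbot": 0.02,
}


def surprisal_bits(installed, prevalence=PREVALENCE):
    """Self-information of one user's installed/not-installed pattern.

    Assumes each app's presence is independent of the others, so the bits
    simply add up; absent apps count too, since "does not have X" is also
    information about the user."""
    bits = 0.0
    for app, p in prevalence.items():
        q = p if app in installed else 1.0 - p
        bits -= math.log2(q)
    return bits


def identifies_user(installed, population=2 ** 31, prevalence=PREVALENCE):
    """True if the app list alone carries enough bits to single out one user."""
    return surprisal_bits(installed, prevalence) >= bits_to_identify(population)


if __name__ == "__main__":
    common = {"Facebook"}
    rare = {"Facebook", "Instapaper", "OpenVPN Connect", "Tweetbot"}
    print(f"threshold: {bits_to_identify(2 ** 31):.1f} bits")
    print(f"common apps only: {surprisal_bits(common):.1f} bits")
    print(f"with rare apps:   {surprisal_bits(rare):.1f} bits")
```

Six apps are not enough to cross 31 bits even with three rare ones, but a real device reports every installed app, and the rare ones dominate the sum: one app that only 1 in 100 users has is worth more than six popular ones put together.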

Bursztein has published videos demonstrating the app swapping, password stealing, and fake upgrade attacks.

Any idiot would ask why it wasn't done that way from the beginning.

Friday, March 8, 2013

Apple iCloud E-mails with Naughty Phrases Deleted


If you use Apple’s iCloud service for e-mail, you might want to watch what you say.

According to several reports, Apple is silently filtering and deleting e-mails that contain certain phrases. The issue first came to light last November, when Infoworld reported that Apple had deleted one user’s e-mails with the phrase “barely legal teens.” Now, both Macworld and Macworld UK have done their own testing and confirmed that e-mails containing the phrase do not always get delivered.

The filtering applies not only to the body of the e-mail, but to the content of attachments. In Macworld’s tests, iCloud deleted e-mails even when the phrase was inside a zipped PDF file.

Apple told Macworld that on occasion, “automated spam filters may incorrectly block legitimate email.” But the strange thing is that these e-mails weren’t merely passed along to iCloud’s junk folder, they were deleted outright.

I see two problems here, which both point to broader dilemmas with Apple as a company. And no, I’m not talking about the notion that Apple is a prudish company that seeks “freedom from porn,” as Steve Jobs once put it.

The first problem is transparency. Apple doesn’t say which phrases it blocks, and doesn’t tell users when iCloud’s filters have deleted an e-mail. The fact that some Macworld commenters say they can’t reproduce the filtering only adds confusion. Users are in the dark as to how the system works.

We’ve seen Apple grapple with transparency before. A few years ago, the company faced calls to relax its iOS App Store guidelines, or at least be clearer about what developers can and can’t do. It’s easy to see why Apple resisted: setting hard rules could prevent the company from being flexible on a case-by-case basis. Eventually Apple did publish some guidelines, but left itself an escape clause: “This is a living document, and new apps presenting new questions may result in new rules at any time. Perhaps your app will trigger this.”

Being more transparent about iCloud e-mail filtering would have its own drawbacks. If Apple told users when an e-mail was deleted, spammers could use this to figure out which phrases were banned, and work around them. It’s easier to be opaque; most people will never even notice.

The other problem, and the one that tends to irk me more about Apple, is a lack of flexibility for users. This e-mail issue would be easily solved by giving people an option to never have any of their e-mails deleted, but Apple tends to resist niche options in favor of simplicity. You can’t set a default browser besides Safari on the iPhone. You can’t install apps from outside the App Store. When Apple changed the iPad’s rotation lock switch to a mute switch, it took months of complaints before the company added a toggle in iOS settings. Again, it’s a dilemma, because caving to every single demand for more options means adding more clutter and confusion.

Still, in the case of iCloud e-mail, Apple needs to figure out a solution. It’s one thing to be opaque about app policies or to resist bloat-inducing features. Deleting people’s private communications is much worse, no matter what the intention, and it makes iCloud less desirable as a result.

Monday, March 4, 2013

Malware attacks spike against Apple OS X users in China enclave

The increase is further proof that users of any system are vulnerable to hacks.
One of the pages displayed by a booby-trapped Word document that exploits a vulnerability Microsoft patched in 2009.
Researchers are reporting a spike in hack attacks targeting Mac OS X systems for the purpose of surreptitiously monitoring users' e-mail and chat contacts and maintaining persistent control over their computers.

The increased attacks are targeting supporters of the Uyghur people, a Turkic ethnic group who primarily live in a region of China, according to two separate reports independently published by researchers from Kaspersky Lab and AlienVault Labs. They are the latest to document the growing vulnerability of Mac users to so-called advanced persistent threats, which target users over a span of months or years to mine specific proprietary or social information of interest to the attackers.

"With these attacks, we continue to see an expansion of the APT capabilities to attack Mac OS X users," wrote Costin Raiu, director of Kaspersky's global research and analysis team. "In general, Mac users operate under a false sense of security which comes from the years-old mantra that 'Macs don’t get viruses.'"

As with some of the previous attacks, the perpetrators of the campaign documented in Wednesday's reports tricked users into opening booby-trapped Microsoft Word documents that exploit a vulnerability that was fixed in 2009. Those who fall for the ruse and are using out-of-date versions of Word are infected with an off-the-shelf backdoor known as TinySHell. The malware is configured to connect to command and control servers that have been used for years in APT attacks.

Macs have been successfully targeted in a variety of other espionage campaigns, as Ars has reported previously. Last year, commercially motivated malware known as Flashback also infected an estimated 500,000 Macs by targeting a vulnerability in Oracle's Java browser plugin.

Malicious hackers generally only do as much work as necessary to infect their targets, and that may explain why the tools in this campaign are relatively primitive. If the targets are using old systems with no antivirus protection and haven't been trained to avoid e-mail-borne attachments, the perpetrators have little reason to use more valuable firepower. Indeed, attacks that have succeeded for years against Windows users also employ easy-to-defeat techniques. Wednesday's reports are a good reminder that no matter what kind of computer people are using, users are vulnerable to attacks that can completely compromise their personal, business, and social secrets.

Readers are reminded to install security patches as soon as possible and to avoid opening attachments or clicking on links in e-mails, even when they appear to come from a friend, work colleague, or other known sender. Readers may also want to consider third-party antivirus protection; Mac AV is available from a variety of providers, including Sophos, Intego, Kaspersky, and Avast, to name just a few.