Wednesday, October 22, 2014

China Attack Aims at iCloud, Apple’s Service for Storage

from nytimes.com
HONG KONG — For Apple in China, trouble seems to be the new normal.

Cybersecurity monitoring groups and security experts said on Monday that people trying to use Apple’s online data storage service, known as iCloud, were the target of a new attack that sought to steal users’ passwords and then spy on their activities.

Starting over the weekend, when many users across China tried to sign into their iCloud accounts, they may have been giving away login information to a third party, in what is called a man-in-the-middle attack.

“You think you are getting information directly from Apple, but in fact the authorities are passing information between you and Apple, and snooping on it the whole way,” said a spokesman for an independent censorship-monitoring website, GreatFire, who declined to be named because of fear of reprisal.

The back-end I.P. address targeted by the attack was changed Tuesday by Apple, according to a tweet from GreatFire.

News of the vulnerability came just as the new iPhone 6 arrived in Chinese stores after a monthlong regulatory delay tied, in part, to concerns about the phone’s security.

Activists and security experts say they believe the attacks are backed by the Chinese government because they are hosted from servers to which only the government and state-run telecommunications companies have access, according to GreatFire. They are also similar to recent attacks on Google, Yahoo and Microsoft aimed at monitoring what users were retrieving on the sites.

“All signs point to the Chinese government’s involvement,” said Michael Sutton, vice president for threat research at Zscaler, a San Jose, Calif., security company. “Evidence suggests this attack originated in the core backbone of the Chinese Internet and would be hard to pull off if it was not done by a central authority like the Chinese government.”

The targeting also potentially reveals a new Chinese government effort to adapt to initiatives by Internet companies — most notably new encryption techniques — to protect user data from government spying.

“The Chinese government could no longer sniff traffic, so they intercepted that traffic between the browser and the iCloud server,” Mr. Sutton said.

Chinese officials could not immediately be reached for comment.

Many web browsers, like Apple’s Safari, Google’s Chrome and Mozilla’s Firefox, flashed a warning to users that a so-called encryption certificate that is supposed to identify who is on the other end of a web session should not be trusted. That indicated that users were inadvertently communicating with the attackers, rather than iCloud. In effect, the hackers stepped into the middle of the online conversation.

Mr. Sutton noted that Qihoo, a browser offered by the Qihoo 360 Technology Company that is popular in China, did not flash a warning to users.

“As more sites move to encryption by default — which prevents the censorship authorities from selectively blocking access to content — the Chinese authorities will grow increasingly frustrated with their ability to censor that content,” said the GreatFire spokesman.

“In some ways their hands are being forced. They can attempt these man-in-the-middle attacks or choose to outright block access to these sites. The more sites they block, the more they cut off the Chinese populace from the global Internet,” he added.

The timing of the attack, aligned with the release of the new iPhone in China, is a potential indicator that the government is trying to harvest sign-in data from a large number of users who are switching over to the iPhone 6. The new phone comes with better encryption to protect against government snooping.

In September, Apple, based in Cupertino, Calif., said its latest operating system, iOS 8, included protections that made it impossible for the company to comply with government warrants asking for customer information like photos, emails and call history.

The change prompted the Federal Bureau of Investigation director, James B. Comey, to say in a recent speech that new encryption by Apple and others “will have very serious consequences for law enforcement and national security agencies at all levels.”

“Sophisticated criminals will come to count on these means of evading detection,” Mr. Comey said.

In August, Apple began storing data for iCloud on servers in China in a move it said was intended to enhance performance of the service there. The company said the state-owned service provider China Telecom, which owns the servers where the data is stored, did not have access to the content.

But security experts say it appears that Beijing has found a workaround, by coordinating man-in-the-middle attacks on a mass scale.

Apple on Tuesday acknowledged a network attack, but clarified that its iCloud servers were not breached. On a security webpage, it implied that man-in-the-middle attacks were being used to direct people to fake connections of iCloud.com, making their user names and passwords vulnerable to theft.

On the webpage, Apple explained how people could distinguish an authentic iCloud.com site from a fake one. Basically, users will receive warnings when the browser detects a fake certificate or an untrusted connection. Apple advised people to heed those warnings and avoid signing in.

“Apple is deeply committed to protecting our customers’ privacy and security,” said Trudy Muller, an Apple spokeswoman. “We’re aware of intermittent organized network attacks using insecure certificates to obtain user information, and we take this very seriously.”

Ms. Muller declined to comment on whether Apple had identified the Chinese government as the source of the attacks.

Security experts said users should not visit websites if they receive a browser warning. Mr. Sutton also advised users to turn on two-factor authentication whenever possible, a procedure in which a user is prompted to enter a second one-time password that has been texted to the user’s phone. That way, he said, even if an attacker intercepts a password, they cannot use it to log into a site without the second password. “Users should treat this seriously,” Mr. Sutton said.

Friday, October 10, 2014

Phishers Find Apple Most Tasty Target

from technewsworld.com

"Follow the money" isn't just the war cry of journalistic bloodhounds hot on the trail of political corruption. It's the mantra of Web predators, too. That's why PayPal consistently has been the top brand targeted by phishers -- although that appears to have changed.

Apple now has the dubious distinction of most-phished brand, according to the latest report from the Anti-Phishing Work Group.

For the first half of this year, 17.7 percent of all phishing attacks were aimed at Apple -- a first for the brand -- followed by PayPal (14.4 percent) and Chinese shopping site Taobao.com (13.2 percent), the APWG reported.

Have phishers suddenly become more interested in stocking their music libraries from iTunes than siphoning money from PayPal? Not quite.

"We're seeing a lot of account takeover types of stuff, and your Apple ID is tied into everything," report coauthor Rod Rasmussen told TechNewsWorld.

Target Churn

Phishers can get into all kinds of mischief with an Apple ID, suggested Rasmussen, who also is president and CTO of IID.

"I'm betting some of the naked celebrity photos were stolen with the use of Apple IDs," he said.

"They can be also used to lock a user out of their phone and ransom it back to them for money," Rasmussen continued. "There are lots of different attack vectors, which adds up to why Apple is being phished as heavily as it is."

A greater variety of institutions now are being targeted by phishers, compared to the past, the APWG report notes. For example, in the first half of this year, the group found 756 unique institutions targeted by phishers. Almost half those targets -- 347 -- hadn't been phished in the previous six-month period.

"This amount of churn, or turnover, shows phishers trying out new targets," APWG reported. "They are looking for companies that are newly popular, have vulnerable user bases, and/or are not ready to defend themselves against phishing."

Behavioral Defenses

If the mammoth data breaches in recent months illustrate anything, it's that perimeter defenses alone aren't adequate to keep attackers at bay. Defenders need to accept the fact that their systems will be penetrated and deploy defensive strategies to deal with that inevitability.

One strategy is to combine behavioral analysis with big data to identify those internal threats.

Intruders that have penetrated a system can be very difficult to identify without some kind of machine assistance.

"Once they're inside, they'll look like regular employees, because they've hijacked an employee's credentials," Idan Tendler, CEO of Fortscale, told TechNewsWorld.

Intruders eventually engage in behaviors that give away their masquerade, though.

"The only way to identify these suspicious users is by profiling their behavior, by analyzing system logs that document their behavior," Tendler said.

The profiles can be used to establish a normal behavior pattern, and "from that, you can automatically spot abnormal behavior by users," he explained.
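The profiling approach Tendler describes, as an added example that is not from the article or from Fortscale: a per-user baseline is built from constructed log lines (the user name, addresses, host names and log format are all assumptions), and later events that fall outside that user's usual hours, source addresses or hosts are flagged.

```python
# Added example (not from the article): build a per-user baseline from constructed
# authentication log lines and flag activity that departs from the employee's pattern.
import re
from collections import defaultdict
# Constructed sample logs: "<ISO timestamp> user=<name> src=<ip> host=<server> action=<verb>"
LOG_LINES = """
2014-10-20T09:05:11 user=alice src=10.1.1.20 host=fileshare action=login
2014-10-20T09:40:02 user=alice src=10.1.1.20 host=fileshare action=read
2014-10-21T08:55:47 user=alice src=10.1.1.20 host=mail action=login
2014-10-21T17:10:30 user=alice src=10.1.1.20 host=fileshare action=read
2014-10-22T10:02:15 user=alice src=10.1.1.20 host=mail action=login
2014-10-22T03:12:09 user=alice src=203.0.113.7 host=hr-db action=login
2014-10-22T03:20:05 user=alice src=203.0.113.7 host=fileshare action=copy
""".strip().splitlines()
LINE_RE = re.compile(r"^(\S+)T(\d\d):\S+ user=(\S+) src=(\S+) host=(\S+) action=(\S+)$")

def parse(line):
    m = LINE_RE.match(line)
    if not m: raise ValueError(f"unparseable log line: {line!r}")
    day, hour, user, src, host, action = m.groups()
    return {"day": day, "hour": int(hour), "user": user, "src": src, "host": host, "action": action}

def build_profile(events, baseline_days):
    """Per-user baseline: working hours, source IPs and hosts seen during the baseline days."""
    profile = defaultdict(lambda: {"hours": set(), "srcs": set(), "hosts": set()})
    for e in events:
        if e["day"] in baseline_days:
            p = profile[e["user"]]
            p["hours"].add(e["hour"]); p["srcs"].add(e["src"]); p["hosts"].add(e["host"])
    return profile

def find_anomalies(events, profile, baseline_days):
    """Return (event, reasons) for post-baseline events that break the user's profile."""
    hits = []
    for e in events:
        if e["day"] in baseline_days: continue
        p = profile.get(e["user"])
        if p is None:  # activity for an account never seen in the baseline is itself notable
            hits.append((e, ["no baseline for user"])); continue
        reasons = []
        if not min(p["hours"]) <= e["hour"] <= max(p["hours"]):
            reasons.append(f"outside usual hours ({e['hour']:02d}h)")
        if e["src"] not in p["srcs"]: reasons.append(f"new source {e['src']}")
        if e["host"] not in p["hosts"]: reasons.append(f"new host {e['host']}")
        if reasons: hits.append((e, reasons))
    return hits

def run(lines=LOG_LINES, baseline_days=("2014-10-20", "2014-10-21")):
    events = [parse(l) for l in lines]
    return find_anomalies(events, build_profile(events, baseline_days), baseline_days)
```

On the constructed input, the 10:02 login from the usual address passes quietly while the two 03h events from a new address are reported with every dimension they violate.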

Profiling Misbehavior

An added benefit of identifying intruders who've compromised an employee's credentials is that potential malware attacks also can be identified. For example, a large proportion of Advanced Persistent Threats -- 76 percent by some estimates -- eventually end up stealing credentials on a system.

"Why?" asked Tendler. "Once the malware infiltrates the enterprise, it hijacks credentials to be used for reconnaissance and exfiltration of information from the system."

Behavioral analysis also can be used to make perimeter defenses stronger.

"If you have a website that's public-facing, or a mobile app, you want to understand who your customer is -- because, as we've seen, passwords are becoming less and less effective," said NuData Security director of customer success Ryan Wilk.

"You need better ways to find these anomalies to give a customer better insight into who is touching their website and how it's being used," he told TechNewsWorld, "so when an account or transaction is created, you can know if that account or transaction is valid."

Behavioral analysis can be a way for system defenders to see the bad trees in the forest of data moving through their networks every day.

"Bad behaviors will stand out drastically from good behaviors," Wilk said. "It's very easy to identify these artifacts when you're pulling together all this data, creating behavioral profiles and seeing what the anomalies are."