Posts tagged with "security"

Apple Increasing Security of Apple ID Accounts on iOS

The Next Web reports Apple has begun enhancing the security of Apple ID accounts on iOS devices and iTunes by asking users to pick three security questions.

In the past 24 hours, Apple appears to have started prompting iOS device owners and those with Apple IDs within iTunes to make their accounts more secure, requiring them to pick three security questions and enter their answers when they download a new app.

The company is also asking users to enter a backup email address, in order to better protect their device but also their account (which is tied to Apple’s Retail website and all of its media services).

Apple’s motivation to educate users on security by urging them to enable security questions is laudable, especially considering the many cases of phishing and hacked App Store accounts reported in recent years. However, it is worth noting that, on the other hand, several users have been asking Apple to be more flexible with entering an account’s password on the iOS App Store, letting users download free apps and updates without asking for a password after periods of inactivity.


Security Researcher Demoes Bug To Execute Unsigned Code on iOS Devices

Security researcher Charlie Miller, former NSA analyst now working for consultancy firm Accuvant, plans to publicly demonstrate a new security hole that could allow regular App Store apps to download and execute unsigned code on any iOS device. As Forbes reports, Miller, who isn’t new to the Mac and iOS hacking and security scene, plans to detail his discoveries at the SysCan conference in Taiwan next week.

Full details of the security hole aren’t available – Miller is apparently saving the presentation for next week to give Apple time to fix the issue, and the company is indeed already working on an iOS 5.0.1 update – but Miller had a “stealth app” approved by Apple in the App Store to record a video of the hidden “functionality”. The app was called Instastock, and it behaved as a regular stock monitoring app until Miller recorded a video of his iPhone being subject to malicious attacks through the app, which has since been pulled. Apparently, since Apple found out about Miller’s app and YouTube video, he’s also been removed from the iOS Developer Program.

As you can see in the video, the app gets downloaded from the App Store as any other free or paid app. The first time Miller runs it on his iPhone, nothing happens and the app performs as advertised. But as soon as Miller activates the hidden functionalities on his web server, somehow connected to the iOS app, the app “phones home” and starts downloading and executing unsigned code. As per Apple’s technical rules and guidelines, App Store apps can only execute code approved by Apple. Yet with Instastock, Miller managed to make the iPhone vibrate remotely, open a YouTube video, and even download the device’s entire Address Book remotely. The app is seen exposing parts of the iOS filesystem, listing installed apps, and presumably giving access to a user’s documents, photos and more. In the video – which we’ve embedded below – you can also watch Miller execute commands remotely (from his computer to iPhone) using a command line interface.

Apparently, the hack has been made possible by a flaw in Apple’s JavaScript engine Nitro, introduced with iOS 4.3, which is granted a series of system exceptions so that Mobile Safari can render web pages faster. Forbes quotes Miller: “Apple runs all these checks to make sure only the browser can use the exception. But in this one weird little corner case, it’s possible. And then you don’t have to worry about code-signing any more at all.”

Instastock has already been pulled from the App Store, and it’s unlikely that anyone else will figure out the exact bug that Miller has discovered before Apple releases iOS 5.0.1, which has reached beta 2 status and has been reported to introduce security fixes for iOS devices. Apple will likely include a fix for Miller’s discovery in iOS 5.0.1, but in the meantime you can check out the interesting demo after the break.


Security Update 2011-005 Released, Addresses DigiNotar Certificates

Earlier this afternoon Apple released two security updates for OS X Lion and 10.6.8 Snow Leopard to address an issue with compromised digital certificates issued by DigiNotar weeks ago.

Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.1, Lion Server v10.7.1

Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information

Description: Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar’s certificates, including those issued by other authorities, are not trusted.

The updates are available on Software Update, or directly on Apple’s Downloads website. DigiNotar’s servers were hacked last month, and began issuing false certificates, leading to security concerns among several companies. As Apple also notes, it was possible to remove the certificates manually by deleting the root entries in Keychain Access.

Direct links:

Security Update 2011-005 (Lion)

Security Update 2011-005 (Snow Leopard)
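The advisory above makes a point that is easy to miss: removing the DigiNotar root is not enough, because DigiNotar’s own CAs could also be reached through certificates “issued by other authorities” (cross-signing), so Apple additionally configures trust settings to distrust DigiNotar outright. The following added example (not Apple’s code, and not part of the original post) models both policies on simplified certificate chains; the chain, the “Other Trusted Root CA” name and the host names are constructed for illustration.

```python
"""Added example: root removal versus explicit distrust, as in Security Update
2011-005. Certificates are reduced to subject, issuer and organization names;
the chains and the non-DigiNotar CA names below are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str       # distinguished name, simplified to one string
    issuer: str        # subject of the certificate that signed this one
    organization: str  # the O= component of the subject

# Constructed chain: a leaf issued by a DigiNotar CA that was cross-signed by an
# unrelated (hypothetical) root which remains in the trust store.
CROSS_SIGNED_CHAIN = [
    Cert("CN=mail.example.test", "CN=DigiNotar Public CA", "Example Org"),
    Cert("CN=DigiNotar Public CA", "CN=Other Trusted Root CA", "DigiNotar"),
    Cert("CN=Other Trusted Root CA", "CN=Other Trusted Root CA", "Other Trusted CA"),
]

# Constructed chain that terminates directly in the DigiNotar root.
DIRECT_CHAIN = [
    Cert("CN=www.example.test", "CN=DigiNotar Root CA", "Example Org"),
    Cert("CN=DigiNotar Root CA", "CN=DigiNotar Root CA", "DigiNotar"),
]

TRUSTED_ROOTS_BEFORE = {"CN=DigiNotar Root CA", "CN=Other Trusted Root CA"}
TRUSTED_ROOTS_AFTER = {"CN=Other Trusted Root CA"}   # DigiNotar root removed
DISTRUSTED_ORGS = {"DigiNotar"}                      # explicit distrust setting

def chain_links(chain):
    """True when every certificate is issued by the next one in the list."""
    return all(c.issuer == n.subject for c, n in zip(chain, chain[1:]))

def trusted_by_root_only(chain, roots):
    """Naive policy: accept a well-formed chain that ends in a trusted root.
    This is what deleting the root entry in Keychain Access achieves."""
    return chain_links(chain) and chain[-1].subject in roots

def trusted_with_distrust(chain, roots, distrusted_orgs):
    """Advisory policy: additionally reject any chain that contains a
    certificate from a distrusted organization, wherever it sits in the
    chain. This is what catches DigiNotar CAs signed by other authorities."""
    if any(c.organization in distrusted_orgs for c in chain):
        return False
    return trusted_by_root_only(chain, roots)
```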


Firm Behind MacDefender Malware Likely Busted in Russian Raid

If you run an organization that operates a rogue pharmacy business and provides malicious support for fake anti-virus programs, it’s likely you’re going to get caught. Such is the case with ChronoPay, whose offices were raided by Russian authorities at the end of July after the co-founder was arrested for allegedly launching denial-of-service attacks against payment processing firms in an attempt to undercut his competitors. Investigators reportedly found “mountains of evidence” at ChronoPay showing the company running illegal anti-virus scams, including MacDefender, which plagued Mac users earlier this year with fake pop-ups that scared users into thinking they had viruses, and even tricked users into supplying their credit card information when registering the fake virus-removal app. MacDefender was criticized by Ed Bott as the start of something big, although security and malware news has been quiet over the last month, and the MacDefender threat itself could be diminished after this recent raid.

MacRumors writes,

The last release of MacDefender occurred on June 18. ChronoPay’s offices were raided June 23. A coincidence perhaps, or Russian law enforcement saving Mac users from fake antivirus software.

Companies in the business of writing and supporting malware such as MacDefender can rake in a lot of money in a short period of time. It’s an incredibly profitable business, feeding off the fear of individuals who become victims of the scare tactics that malware and phishing scams employ. While the takedown of ChronoPay will significantly cut into cyber criminals’ black-market revenues, these raids are only short-term wins.

Given fake AV’s status as a reliable cash cow, the industry is likely to bounce back rapidly. Fake AV is extremely profitable, in large part because it is easily franchised.

Individual affiliates can quickly make a lot of money. Fake AV distribution networks pay affiliates between $25 and $35 each time a victim provides a credit card to pay for the junk software.

To spread malware, companies like ChronoPay can hire affiliates who deploy the malware and get paid based on how many systems are infected (how many programs are installed). The end result is that the business is profitable for all the parties involved: fake anti-virus programs can offer “malware removal” at the same market prices as legitimate anti-malware programs (the victim doesn’t know the difference), the distributors of malware are paid handsomely based on how successful that malware is, and you can begin to see how and why these types of businesses function in black markets. MacDefender was effective because it preyed on Windows-to-Mac converts who were unfamiliar with the legitimate solutions available, and thus fell for its tricks. MacDefender, while it garnered a lot of attention, has seemingly died down and is hopefully squashed for good with ChronoPay out of the picture.

MacDefender wasn’t some malware written by a couple of young adults in their basement, as we’d expect — this was a rare case of serious malware backed by a company (with a lot of money and mal-intent) and its affiliates. Hopefully, if the evidence against ChronoPay turns out to be the real deal, it’ll lead to more arrests and a safer Internet. The battle is far from won when it comes to malware, but it’s always comforting to know that there’s one less threat to deal with.

[Krebs on Security via MacRumors, (Image via ZDNet)]



Apple Promises Software Update To Fix iOS PDF Vulnerability

Following the release of @comex’s latest jailbreak tool yesterday, JailbreakMe 3.0, many wondered how long it would take for Apple to take action and patch the security hole that allows special PDF documents opened through Mobile Safari to give admin privileges to code hidden inside them. The method, discovered and developed by comex, enables JailbreakMe to install Cydia on devices running iOS 4.3 and above with a simple click, making it the easiest jailbreak ever developed for a variety of devices including the iPad 2. The exploit works on various versions of iOS after 4.3, but the iPad 2 is only being targeted on iOS 4.3.3. As a preliminary version of the exploit leaked online before the official jailbreak was released, comex had already warned users that Apple would soon issue a software update to patch the vulnerability.

The Associated Press reports [via The Next Web] Apple Inc. spokeswoman Bethan Lloyd has confirmed the company is aware of the issue and is developing a fix that will be available via Software Update. A group of German researchers took a look at comex’s exploit yesterday, and warned Apple that any maliciously crafted PDF could take advantage of the Safari hole to install code on a device without a user’s consent.

Apple Inc. spokeswoman Bethan Lloyd said Thursday the company is “aware of this reported issue and developing a fix that will be available to customers in an upcoming software update.”

She declined to specify when the update would be available.

In the past, Apple closed another PDF vulnerability that allowed the installation of Cydia through JailbreakMe 2.0 in roughly a week. Whilst Cydia developers are relying on an exploit that could also be used by malware creators, they’re also taking the necessary steps to prevent the vulnerability from working again after the jailbreak is done and Cydia is installed. In fact, they have released a “PDF Patcher” tool that, once installed from Cydia, will make the exploit used to jailbreak a device unusable. Apple will nonetheless soon issue a software update to officially close the hole, but it’s very likely that several users who don’t want to lose their jailbreaks, yet want to stay secure, will install the unofficial patcher from Cydia.


Firefox 4 Will Not Receive Any Security Updates, Firefox 5 Is The Only Supported Version

In line with its more rapid release schedule, Firefox 5 was released just three months after Firefox 4, which had arrived earlier this year. According to the Mozilla Security Leader, Daniel Veditz, it also means that Firefox 4 will no longer be receiving any more updates, including any for potential security issues.

Several people have repeatedly said in public places (newsgroups, planning meeting, Monday meeting; could not find a blog or wiki page) that Firefox 5 will be the security update to Firefox 4, and that there will be no 4.0.2

Effectively this means that if you use Firefox, you are expected to be running the latest major version; otherwise you will face security risks from using a browser that will no longer be receiving security patches. With this kind of strategy, Mozilla has taken more than just the rapid release schedule from Google Chrome; it is also following the Chrome idea of only supporting the latest release.

In some ways it does make sense: both Firefox 6 and Firefox 7 are expected to arrive this year. Supporting older versions would become very difficult whilst wasting resources that could be going into developing new features.

[Via Digitizor]


Common Lockscreen PINs to Avoid on your iPhone

For those paranoid about both losing their phone and having their information exposed to criminal eyes, you probably lock your iPhone with a four digit PIN. While even I could tell you that ‘1234’ isn’t the finest choice in password security, Daniel Amitay took a moment to see what his customers were locking their phones with in his free app, Big Brother Camera Security for the iPhone. The passwords were recorded anonymously, and Daniel takes a look at everything from the most common passwords to suspected birth years in his results. Heck, the guy even built “heat maps” of the most frequently pressed digits.

Naturally, 1234 is the most common passcode: mimicking the most common internet passwords. To put this into perspective, these 10 codes represent 15% of all passcodes in use. Most of the top passcodes follow typical formulas, such as four identical digits, moving in a line up/down the pad, repetition. 5683 is the passcode with the least obvious pattern, but it turns out that it is the number representation of LOVE (5683), once again mimicking a very common internet password: “iloveyou.”

With 15% of all passcodes represented by just 10 of these common passwords (out of a possible 10,000), Daniel concludes that 1 out of every 7 iPhones can be unlocked if a thief simply went through the list. Dear commenters, I now ask you, “Do you use one of these common passwords?” The results are fascinating, and I encourage anyone interested in keeping their iPhones secure to hit the source link for lots of juicy details.

[Daniel Amitay via Lifehacker]
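As an added example (not from Daniel Amitay’s study or the post above), here is a passcode policy check that rejects the weak patterns the post describes: four identical digits, straight lines on the keypad, repetition, and keypad spellings of common words such as LOVE = 5683. It generalizes those patterns into rules rather than reproducing the study’s top-10 list, which the post does not print; the word list and the “1 in N” helper are constructed here.

```python
"""Added example: flag 4-digit PINs matching the weak patterns from the post.
The keypad layout is the standard phone layout; the word list is constructed."""

# Standard phone keypad; 0 sits below the 8.
KEYPAD_ROWS = ["123", "456", "789", " 0 "]
KEY_POS = {k: (r, c) for r, row in enumerate(KEYPAD_ROWS)
           for c, k in enumerate(row) if k != " "}

# Letters printed on each key, used to turn words into digit codes.
KEY_LETTERS = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
               "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_KEY = {ch: k for k, letters in KEY_LETTERS.items() for ch in letters}

# Constructed word list; the post itself names only "love" (5683).
COMMON_WORDS = ["love"]

def word_to_pin(word):
    """Spell a word on the keypad: 'love' -> '5683'."""
    return "".join(LETTER_TO_KEY[ch] for ch in word.lower())

def is_straight_line(pin):
    """Numerically consecutive (1234, 9876) or four keys in a straight line
    on the keypad (2580 and its reverse 0852)."""
    digits = [int(d) for d in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        return True
    pos = [KEY_POS[d] for d in pin]
    dr = {b[0] - a[0] for a, b in zip(pos, pos[1:])}  # row deltas
    dc = {b[1] - a[1] for a, b in zip(pos, pos[1:])}  # column deltas
    # A constant non-zero step in both axes means the keys lie on one line.
    return len(dr) == 1 and len(dc) == 1 and (dr, dc) != ({0}, {0})

def weak_pin_reason(pin):
    """Return why a 4-digit PIN is weak, or None if no listed pattern matches."""
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("expected exactly four digits")
    if len(set(pin)) == 1:
        return "four identical digits"
    if is_straight_line(pin):
        return "straight line on the keypad"
    if pin[:2] == pin[2:] or (pin[0] == pin[1] and pin[2] == pin[3]):
        return "repeated pair"
    if pin in {word_to_pin(w) for w in COMMON_WORDS}:
        return "spells a common word"
    return None

def one_in_n(fraction):
    """Express a share of passcodes as '1 in N': 0.15 -> 7, as the post rounds it."""
    return round(1 / fraction)
```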


New Mac Defender Variant Bypasses Apple’s Security Update

Last night, we reported that Apple issued a Security Update for Snow Leopard users to update the OS X malware definitions, enhance File Quarantine’s functionality and, more importantly, automatically find and remove known variants of the Mac Defender malware that’s been spreading among Mac users in the past month. By enabling OS X to update definitions daily in the background with a new daemon, Apple is taking the necessary measures to make sure new versions of Mac Defender and, overall, malware targeting Mac machines in the future can be removed safely and quickly a few hours or days after they’re discovered. As reported by Ed Bott at ZDNet, a new variant of Mac Defender with a new installer package has already been released, and it’s capable of circumventing Apple’s new security update and works exactly like Mac Defender and Mac Guard did until yesterday.

The bad guys have wasted no time. Hours after Apple released this update and the initial set of definitions, a new variation of Mac Defender is in the wild. This one has a new name, Mdinstall.pkg, and it has been specifically formulated to skate past Apple’s malware-blocking code.

The file has a date and time stamp from last night at 9:24PM Pacific time. That’s less than 8 hours after Apple’s security update was released. On a test system using Safari with default settings, it behaved exactly as before, beginning the installation process with no password required.

Bott suggests this “cat and mouse” game is just the beginning, and Apple will have to begin addressing new variants that are discovered every day. The system put in place by Apple to provide updated definitions for easy removal of malware should allow users to prevent computer infections by automatically finding suspicious packages downloaded from the Internet. [via MacRumors]


Behind The Scenes of Verizon iPhone: Special PIN Security Protocol, “ACME” Code Name

In a lengthy report published earlier today, TechnoBuffalo shares some of the interesting details behind the launch of the Verizon iPhone 4, which went on sale in the United States in February. In the months leading up to the launch of the CDMA device, speculation was running wild on the Internet as to whether Apple was really ending AT&T exclusivity to release an updated version of the iPhone supporting Verizon Wireless’ CDMA infrastructure; citing a source “close to the action”, TechnoBuffalo says only top executives at Verizon knew about the device, which was internally referred to as the “ACME device” so that other employees wouldn’t hear the “iPhone” name and leak information outside of the company. Public testing of the CDMA iPhone 4 began at Apple Stores (and obviously, Apple’s own campus, where Steve Jobs said they had installed Verizon and AT&T towers) six months ahead of the official launch, meaning in summer 2010, shortly after the release of the AT&T iPhone.

Though key employees and executives were in the loop, everyone else at the carrier knew little more than the rest of the public. And it would seem the higher ups wanted to keep it that way. No one talked about the Apple smartphone externally, and even internally, it was still a hush-hush operation. In fact, says the source, the word “iPhone” was never uttered; only its codename was referenced: It was called the “ACME” device.

Between NDAs to sign, corporate secrets and internal discussions about field-testing and cooperation with Apple, the most interesting tidbit details how, rather than installing geo-location software (like Find my iPhone) on the prototypes to make sure they wouldn’t end up in the wrong hands (as the AT&T iPhone 4 did), Verizon testers were required to text a PIN code every 12 hours as a confirmation the device was being used internally for testing purposes only.

Our source describes a unique protocol requiring staffers to text a secret PIN code to a dedicated phone number every 12 hours. This served as ongoing confirmation that the handset was still in the proper hands. So no PIN code, no functionality.

Unlike the original iPhone 4, Apple managed to keep the Verizon iPhone closely under wraps until the official announcement, not even allowing Verizon to tease anything at CES 2011 in Las Vegas a few weeks before. The security measures taken by Apple to ensure devices were only used internally are particularly interesting, and a sign Apple must have reconsidered its testing process after the AT&T iPhone got leaked to Gizmodo.com in Spring 2010, months before the WWDC announcement.