Tag Archives: iOS

Security News for the Week Ending May 29, 2020

Hackers Have Access to iOS 14 Months Before You Will

Apple gives developers early prototypes of its new software so that Apple doesn’t have a disaster on its hands when the new software is released and users’ applications no longer work. Unfortunately, some developers sell those phones, or at least access to them, so that the buyers can get unlocked copies of the OS to hack and reverse engineer. This is why hacks appear so quickly after new versions are finally released. Credit: Vice

Reports: eBay is Scanning Users’ Computers for Open Ports

Bleeping Computer tested reports that users who visit eBay’s web site have their Windows computers scanned for open ports. It is possible that eBay is looking for computers that have been compromised and are being used to commit fraud. However, accessing a user’s computer like this likely violates the Justice Department’s interpretation of the Computer Fraud and Abuse Act, which would make it a felony, specifically because eBay did not ask for permission. That “interpretation” is now being reviewed by the Supreme Court. Expect lawsuits. Credit: Bleeping Computer

UK Says They Will Keep Contact Tracing Info for 20 Years

No big surprise here – I expected this. This is the downside of the “centralized” model for contact tracing apps.

According to the privacy notice attached to the UK’s new contact tracing app, data collected by the app will be stored for up to 20 years.

And, you have no right to have it deleted. Credit: Computing UK

Abandoned Apps May Pose a Security Risk to Mobile Devices

If you are like most people, you have a number of apps on your phone or tablet.

Question for you, whether or not you use every single one of those apps frequently: how many of those apps are still supported by the developer? That includes the so-called “packages” that the app developer used to write that app.

An unsupported app, with bugs that have not been discovered or patched, can provide an avenue for exploitation by hackers for as long as it remains on your phone.

So while you are not using that app, hackers are trying to figure out how to exploit it. The risk is higher than you might think. Credit: Dark Reading

Security News for the Week Ending August 30, 2019

Lenovo “Crapware” Allows Attacker to Compromise Any PC in 600 Seconds

I am not going to get on my soapbox about why you should not buy a PC built by the Chinese government because I know people love their old IBM Thinkpads, but handle this issue no matter what.

Apparently the Lenovo “Solutions” Center has a bug that allows any user (meaning malware that a hacker has already installed on your computer, so your computer has to be compromised at some level for this to work) to become an admin within 10 minutes, which is how often Solutions Center runs. You can read the details in the link, but the simple fix is to delete the app completely. If you actually use the Solutions Center functionality, Lenovo has a new app that does not have this vulnerability. Source: The Register.


Should You Block Newly Registered Domains?

Researchers say that OVER 70% of newly registered domains are malicious or otherwise potentially harmful to organizations. “Newly registered” here means registered within the last 32 days. Some organizations are already blocking these domains, or alternatively giving users a warning if they go there.

Two thoughts on this. First, if YOU plan on launching a new domain, plan in advance and buy the domain early; many hackers do not have the patience to do this (in fact their domains are often only live for a few hours). Second, consider implementing a block or warning on newly registered domains to protect your users. Source: Help Net Security.
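Here is what such a block-or-warn policy looks like at the point where a proxy or DNS filter sees a lookup. This is an added example, not code from the article or from the researchers it cites. It assumes the caller has already fetched the domain’s RDAP record (the JSON form of WHOIS data that registries publish, RFC 9083) and applies the 32-day threshold from the article; the RDAP records and the .test domain names below are constructed for the demonstration.

```python
import json
from datetime import datetime, timezone
from typing import Optional

# Threshold from the article: registered within the last 32 days counts as "new".
NRD_THRESHOLD_DAYS = 32


def registration_date(rdap_record: dict) -> Optional[datetime]:
    """Return the registration timestamp from an RDAP domain object.

    RDAP domain responses carry an "events" list; the entry whose eventAction
    is "registration" holds the creation date.  Returns None when no such
    event is present (some registries omit it).
    """
    for event in rdap_record.get("events", []):
        if event.get("eventAction") == "registration":
            stamp = event["eventDate"].replace("Z", "+00:00")   # ISO 8601, UTC
            created = datetime.fromisoformat(stamp)
            if created.tzinfo is None:
                created = created.replace(tzinfo=timezone.utc)
            return created
    return None


def domain_age_days(rdap_record: dict, now: datetime) -> Optional[int]:
    """Whole days between registration and `now`, or None if unknown."""
    created = registration_date(rdap_record)
    if created is None:
        return None
    return (now - created).days


def nrd_verdict(rdap_record: dict, now: datetime,
                threshold_days: int = NRD_THRESHOLD_DAYS,
                mode: str = "warn") -> str:
    """Decide what to do with a lookup: "allow", "warn" or "block".

    `mode` selects the organisation's policy for young domains: "warn" shows
    the user an interstitial, "block" denies the request outright.  A record
    with no registration date is treated as unknown and gets a warning rather
    than being silently allowed.  A domain exactly `threshold_days` old is
    no longer considered new.
    """
    age = domain_age_days(rdap_record, now)
    if age is None:
        return "warn"
    if age < threshold_days:
        return "block" if mode == "block" else "warn"
    return "allow"


def triage(records: dict, now: datetime, mode: str = "warn") -> dict:
    """Apply nrd_verdict to a {domain: rdap_record} mapping."""
    return {name: nrd_verdict(rec, now, mode=mode) for name, rec in records.items()}


# Constructed sample RDAP records (not real registrations); the domain names
# use the reserved .test TLD.  NOW is pinned to the article's date so the
# result is reproducible.
NOW = datetime(2019, 8, 30, tzinfo=timezone.utc)
SAMPLE_RDAP = json.loads("""{
  "brand-new.test": {"ldhName": "brand-new.test",
    "events": [{"eventAction": "registration", "eventDate": "2019-08-25T10:00:00Z"}]},
  "long-established.test": {"ldhName": "long-established.test",
    "events": [{"eventAction": "registration", "eventDate": "2010-01-15T00:00:00Z"},
               {"eventAction": "last changed", "eventDate": "2019-01-15T00:00:00Z"}]},
  "no-dates.test": {"ldhName": "no-dates.test", "events": []}
}""")

if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_RDAP, NOW, mode="block").items():
        age = domain_age_days(SAMPLE_RDAP[domain], NOW)
        print(f"{domain:24} age={age} -> {verdict}")
```

The "unknown" branch matters in practice: a filter that silently allows whatever it cannot date is exactly the gap a short-lived domain slips through, so the example warns on missing data instead.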


House Dems Ask FSOC to Regulate AWS, Azure and Google Cloud

Two House Democrats have asked the Financial Stability Oversight Council (FSOC), which is comprised of Federal bank regulators, to consider making the big 3 cloud providers “systemically important” to the banking industry and as a result directly regulate them.

This was directly in response to the Capital One breach, even though that breach was the fault of Capital One’s bad security practices and not a security failure at Amazon.

It is probably obvious but I will point out that given the current political climate, it is unlikely that the administration will do anything that Democratic Party lawmakers suggest.  Still it does point to the possibility that Congress will try to legislate that if the administration doesn’t do anything about cloud security.  Source: Rep. Velazquez.


Cloud Archive for Dentists Hit By Ransomware Attack

DDSSafe, a cloud archive solution for dentists, was hit by a ransomware attack that encrypted the data of hundreds of practices.  This follows the FBI/DHS alert that hackers were going after cloud service providers because one attack can generate a massive payday.  In this case it is believed the hackers were asking $5,000 per practice and if 500 practices were affected, that would represent a $2 Mil+ payday.  Tax free.  Source: Krebs on Security.


Google Reveals Websites That Hack iPhones With No Interaction

Google’s Project Zero identifies bugs in a variety of software from every vendor. This week they announced 14 flaws which, when chained together in different ways, created 5 different ways an iPhone user can be totally compromised just by visiting a malicious web site, without clicking on anything. The flaws were shared with Apple in February and Apple fixed them in version 12.1.4 of iOS. Successful attacks allow a bad guy to steal your photos, contacts, location and passwords. The bugs go back to iOS 10 and the web sites have been serving up malware for two years. The nature of the attack was such that rebooting the phone (and not visiting those sites again) would get rid of the malware. Source: Computing.

Security News Bites for the Week Ending February 8, 2019

Text Messaging for Two Factor Authentication is Under Attack

We have talked on occasion about a basically theoretical attack against text messages as the second factor for authentication.  It is likely that the feds know more than they are telling us about that since the National Institute of Standards and Technology has deprecated the use of text messaging for two factor for new systems.

Now we are seeing a large, in the wild, attack against real two factor authentication, specifically in banking.

Britain’s National Cyber Security Centre (NCSC), part of their GCHQ spy-guys, admitted that they are aware that this is being exploited.   As are the telephone carriers.

The attack vector still requires a very sophisticated hacker because it requires the attacker to compromise some phone company and inject fake SS7 commands into the system for the targeted phone number.  Hard, but far from impossible.

Still, in light of this being a real-world-empty-your-bank-account kind of attack, financial institutions should begin the transition away from text messaging to two factor apps (like Google Authenticator and others) to protect client accounts sooner rather than later.  Source: Motherboard.


Unnamed Energy Company (Duke) Fined $10 Million for Security Lapses

An unnamed energy company received the largest fine of its type ever at $10 million for security lapses,  including letting unauthorized people into secure areas and allowing uncleared computers to connect to secure networks, sometimes for months at a time.

The fine covers 130 violations.

The reason the company is unnamed is that it is likely the list of identified vulnerabilities is not complete and the identified holes are not all closed.

The WSJ reports that the company is Duke Energy.  So much for keeping their name out of the media.

This certainly could explain why many people say that the bad guys already “own” our energy utilities.  Source: Biz Journals.


Another Cryptocurrency Debacle

I keep saying that attacks on Cryptocurrency will not be on the math (encryption) but rather on the systems and software.

This week QuadrigaCX filed for the Canadian version of bankruptcy protection saying that they stored the vast majority of their assets in offline storage wallets and the only person who had the key was their CEO, who died suddenly.

They claim to have lost access to $145 million in a variety of cryptocurrencies and do not have the money to repay their customers.

Some users and researchers are skeptical of this story (really, no backup for over $140 million?). Seems hard to swallow.

The researchers, after looking at the blockchain, say that they can find no evidence that QuadrigaCX has anything close to $100 million in Bitcoin and perhaps the founder’s death was faked as an exit scam.

Assuming this all plays out the way it seems, customers are going to be waving bye-bye to $145 million of their cold, hard crypto coins.  Source: The Hacker News.


Apple to Release iOS 12.1.4 to Fix Facetime Bug This Week

In what has got to be the worst iPhone bug in a long time – one that allowed hackers to eavesdrop on iPhone users by exploiting a Facetime bug until Apple deactivated group calls on Facetime worldwide – Apple seems to be slow to respond.  Uncharacteristically.  Very.  Slow.

My guess is that the problem was technically hard to fix even though it was technically easy to exploit. In any case, iOS 12.1.4 should be out this week and it is supposed to fix the security hole. Source: ZDNet.


Online Casino Leaves Data on 100+ Million Bets Unprotected

Security researcher Justin Paine found a public Elasticsearch database unprotected online.

Contents include information such as name, address, birthdate, email, phone, etc., as well as bet information such as winnings amounts. When ZDNet reached out to the companies involved (there seem to be multiple companies with some common ownership, based in Cyprus and operating under a Curacao gaming license), they did not immediately reply, but the server went dark.

The company, Mountberg Limited, did reach out later thanking Justin for letting them know, but made no statement about their clients’ data. Source: ZDNet.


Germany Tells Facebook Not to Combine User Data Without Explicit Permission 

The Europeans are not happy with U.S. big tech.

In a ruling NOT related to GDPR, Germany’s Federal Cartel Office (FCO) says that Facebook cannot combine Instagram, WhatsApp and third-party data into the user’s Facebook profile without explicit user permission, and having the user check a box that says something like “we are going to do some stuff; you should read our 19 page description” is not adequate.

The regulator says that by doing this Facebook is abusing its monopoly power. Facebook, not surprisingly, disagrees and says that the regulator is out of line. Stay tuned. If this rule stands, it could have a big impact on all companies that aggregate data from third parties without fully telling their clients. Source: BBC.

Update Your iPhones and Macs to Fix This HUUUGE Bug

About a year ago, Android users were fighting something called the Stagefright bug.  Buried deep in the bowels of the operating system was a series of bugs that would allow an attacker to send you a specially crafted text message and take over your Android phone.  Stagefright affected close to a billion phones in the worst case scenario, but more likely about half that number – still a HUUUGE problem.

This week it is Apple’s turn. Cisco’s security research arm, Talos, discovered what is really a similar problem to Stagefright.  All an attacker needs is your phone number – likely not hard to get.  Then they send a specially crafted iMessage or MMS message.

The attack could be exploited via Safari by getting the user to visit an infected web site.

In any case, no user interaction is required.

So what can the attack do for the hacker?

Nothing important.  Just leak your authentication credentials stored in memory to the hacker.  Forbes says this includes any credentials the target is using in the browser such as website credentials or email logins.

Due to other security mechanisms in the iPhone, the attacker can’t completely take over the phone, but this is sufficiently bad.  Apparently, on a Mac, the problem is worse because the Mac sandbox works differently.

And, this even affects WatchOS.

In addition to this bug, the researchers at Talos also found a memory corruption bug.

And a security engineer at Salesforce found a flaw in FaceTime that would allow hackers located on the same network as the user (i.e., they came from outside but had already compromised some other PC on your network) to spy on your FaceTime conversations. Apple says “an attacker in a privileged network position” (which they don’t define) “may be able to cause a call to continue transmitting audio while appearing as if the call was hung up.”

In total, 43 bugs were fixed in the new version of iOS.

If you are not running iOS 9.3.3, which was released on July 18th, or Mac OS X El Capitan 10.11.6, released on the same day, you should update now.

Given the complexity of computers and phones these days, it is not completely surprising that serious bugs are found.  This means we need to make sure that researchers are not hampered by Washington’s lack of understanding of technology – but that is a whole ‘nother post.

Like Stagefright, these bugs affect all versions of iOS before the one that was released 4 days ago.

According to Apple, 14% of iPhones run iOS 8 or earlier. Likely these are older phones that might not be able to run iOS 9 for some reason. Those phones will never be patched unless they upgrade to iOS 9. Talk about a ‘target rich environment’. That represents close to a hundred million phones that may never be patched, like older Android phones.

How many of the more than 1 billion iPhones are running a version of iOS older than 4 days ago?  Likely a large number.  Probably several hundred million.

This just reinforces the fact that we really need to figure out, with the billions of phones and tablets out there, how to get people to upgrade to the MOST CURRENT version of the OS. That means that old phones need to be crushed and melted. I know people don’t want to spend the money to replace phones that still function, but the alternative is to use a phone with bugs that allow attackers to, in this case, steal your passwords. I guess you could sell your old unsupported phone on eBay and make it someone else’s problem 🙂

Information for this post came from Forbes and Quartz.


iPhone/iPad user’s turn in the SSL bug spotlight

For those of you who read the security news, you know that this last 12 months has brought an amazing number of SSL bugs to the surface (see a few of my blog posts here and here and here).  Now iPhone and iPad users have their turn to deal with an SSL bug.

The bug, in an open source toolkit used by developers to connect to the web called AFNetworking, disabled validation of SSL certificates that iApps received from a server.  What that means is that any old certificate would be just fine.  One from your bank.  Or a hacker.  Or anyone else.

If I can get on my soapbox for just one minute, this is another example of software supply chain issues just like the Lenovo/Superfish bug.  The developer (Uber is one, for example), used a third party library.  In this case, they may have tested the heck out of it – or not.  When they first started using it, it was reasonably secure.  Then they came out with an update that was not secure. Now Uber’s app is vulnerable.  Worse yet, even if Uber did test the updated app, it is unlikely that they would have tested for the condition that made this app vulnerable.  The software supply chain problem is not going away any time soon.
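The defect and its fix side by side, as an added example in Python rather than the library’s Objective-C. This is not AFNetworking’s code or the article’s; it is the same class of misconfiguration (certificate validation switched off, so any certificate from anyone is accepted) expressed with the standard library’s ssl module, together with the audit a consumer of any third-party networking library should run against the library’s real TLS settings rather than trusting its release notes. The function names, including open_verified, are this example’s own.

```python
import socket
import ssl
from typing import List, Optional


def insecure_client_context() -> ssl.SSLContext:
    """The defective configuration: every certificate, from anyone, is accepted.

    This mirrors the bug described above; a client built on it will happily
    talk to anyone who can get between it and the server.  Never ship it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # chain is not validated at all
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """What a client should use: chain validation against a trust store
    (system roots when cafile is None), hostname matching, and TLS 1.2+."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings; an empty list means the context passes.

    Run this against the context a networking library actually builds, not
    the one its documentation says it builds: the bug in the article was a
    regression in an update, exactly what a test like this catches.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are enabled")
    return findings


def open_verified(host: str, port: int = 443) -> dict:
    """Open a TLS connection with the hardened context and return the peer
    certificate; raises ssl.SSLCertVerificationError on an untrusted or
    mismatched certificate instead of silently continuing."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_client_context(ctx) or ["OK"])
```

The point of audit_client_context is the supply-chain lesson in the paragraph above: a dependency that was secure when you adopted it can stop being secure in an update, and only a test that inspects the configuration it produces, run on every upgrade, will notice.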

The good news is that the bug didn’t exist for long.  The bug was created with the software release dated Feb 9, 2015 and fixed with a release dated March 26, 2015 – a period of about six weeks.

Now the bad news.  There are over 100,000 apps in the iStore that use this library.  However, we only have to deal with ones that were updated during this period (technically, this may not really be true because a developer could download the affected library during this window and not update it before releasing it outside this window, but this is the best indicator we have) – that represents about 20,000 apps.  Next we have to narrow it down to which, of the 20,000, used the SSL features of AFNetworking.  That is only about a thousand apps.

Now the badder news – or maybe gooder.  The affected apps include ones from Yahoo, Microsoft, Uber, Citrix and others.  Which means while over a million downloads were affected, those big companies will likely read the newspaper and update their apps quickly.

SourceDNA has created a web site where you can enter a developer name (such as Microsoft) and see what apps they have and if they are affected.  This means that you have to enter each developer’s name and read the results, a time consuming effort.  What would be much nicer is if someone would write an app to look at what is installed on your iDevice and tell you what is affected.  That I have not found yet.  Still, it is better than nothing.  The website for SourceDNA’s lookup is here.

For more details, see this article in ITWorld.

iOS devices safe – well sort of

It was reported yesterday that there are undocumented services in iOS that allow someone to bypass all of Apple’s security and encryption features.  The researcher did not say that either Apple or the NSA were using these features, but….

The researcher, Jonathan Zdziarski, reported his findings at the HOPE/X conference in New York.  According to Zdziarski, the data collected is of a personal nature and the hooks to do this are not documented in any Apple documentation.

Apparently, once a device has been booted in iOS 7, the data can be accessed, even if the device is locked.

The researcher claims that several forensic software firms, such as Cellebrite and Elcomsoft, either have discovered these features or were informed about them and may be using them to suck data out of your device.

Now here is the really interesting question —

Is Apple the only vendor that has this form of back door – whether it be accidental or on purpose?

I, for one, am not going to say that Apple is in bed with the Feds, but it will be interesting to hear what their response to this is.  No response, in my opinion, is tantamount to admitting they did this on purpose.  If they say “trust us”, DO NOT.