Apple App Store Bug Patched

(hat tip to , who posted about this first. I’m just jumping off with my thoughts.)

It took 4 days, but Apple has patched a bug found by security researcher Charlie Miller. He was able to get an app approved that ran unapproved code. The app seemed to be a stock monitoring app, but in actuality, it ran commands from his remote server. Miller was a security researcher, so obviously his intent was not to harm iPhone/iPad users; however, this bug in the wrong hands could be used to send potentially malicious code to your mobile devices.

Included in this patch was a fix to another bug that “allowed an iPad’s password to be bypassed using a smart cover to get access to some data.” (source)

Miller’s developer license was revoked for his app, but Apple did credit him for discovering the bug.

“Miller had told Apple about the code signing bug nearly a month ago, and plans to present details on his exploit at SysCan in Taiwan late next week.” (source)

He told them about this bug a month ago, with no update. He creates an app exploiting the bug, and a patch comes out in 4 days. I understand that what he did went against the App store security policies, and that they had to revoke his developers license because of it. However, I think it’s sad that it takes a concerned developer making a proof-of-concept app to get these companies to fix their security flaws.

Operation Ghost Click

A botnet consisting of over 4 million bots was taken down this week. The operation was conducted by the FBI with help from Estonian officials, who took 6 suspects into custody in addition to shutting down around 100 botnet servers on November 8th, 2011. The takedown is the result of a 2 year investigation.

The infected computers had their DNS settings altered to point to foreign IP addresses, which redirected the computers to malicious websites without the user even being aware of it.

It’s pretty impressive how a botnet that big can be dismantled. You can learn more from the FBI’s official statement here.

Over 490,000 accounts released in Finland


AnonFinland announced yesterday that they were releasing nearly 500k emails and passwords. The information was stolen from several Finnish websites. The accounts haven’t been confirmed as legitimate yet, because AnonFinland only released the emails and passwords without what websites they belonged to.

The group announced the release in true Anonymous fashion on Twitter:


The emails (sans passwords) are available here, so if you were wondering if your information was compromised, you can check for your email there. I believe all the accounts compromised were the result of cleartext passwords.


Smart Phones Listening to Our Keystrokes

A recent study from Georgia Tech found a way to turn smart phones into key loggers. They utilized the accelerometer in newer smart phones, listening to the vibrations of your typing.

The accelerometer would need to be pretty sensitive. The researchers said that the iPhone 3GS, for example, does not work as accurately. The iPhone 4 is sensitive enough to utilize this software.

It comes in the form of an app that you would presumably download, not realizing that the spying software was hidden within. When ‘listening’ to your keystrokes, the app recognizes combinations of letters, based on whether the keystrokes are on the right or left of your keyboard.

The article I read gave this example:

For example, take the word “canoe,” which when typed breaks down into four keystroke pairs: “C-A, A-N, N-O and O-E.” Those pairs then translate into the detection system’s code as follows: Left-Left-Near, Left-Right-Far, Right-Right-Far and Right-Left-Far, or LLN-LRF-RRF-RLF. This code is then compared to the preloaded dictionary and yields “canoe” as the statistically probable typed word. Working with dictionaries comprising about 58,000 words, the system reached word-recovery rates as high as 80 percent.

80 percent is pretty impressive, but that’s relying on a few things. For one, the phone has to be pretty close to the keyboard. You also need to be working on a solid, stationary surface. If you work at a desk, it’s pretty easy to imagine setting your phone down next to your keyboard to work. If you’re like me, however, you don’t work at a desk. I often work with my laptop on my lap, so this sort of attack would not work.

Easy ways to thwart this sort of attack would be simply putting your phone in a purse or farther away from the keyboard. The researchers at Georgia Tech even said that it was a pretty difficult attack to create. As technology advances and accelerometers in phones become more sensitive, this sort of attack is conceivable in the future.

Do you guys work at desks? If so, do you leave your phone near your computer? Do you feel safe from this sort of attack, or will you be keeping your phones away from your keyboards from now on?

Does this look like a phishing attempt to you?

Yesterday I received this email:

The email address looked convincing enough. Fedex.com is the real website for FedEx. Day-definite is a legitimate shipping service FedEx provides. I find it a bit odd that a customer service email would come from an email address named after a shipping method, however.

The next red flag that went up was the zip file. FedEx would never send zip files, especially if it actually was just an invoice. A further inspection of the zip file revealed there was an executable file within it. I run Mac OS, so it’s not as if an .exe file would have even run on my computer. Many of these phishing attempts are targeted at Windows users, but I still wouldn’t go around clicking odd attachments in emails myself.

I googled the subject of the email and found a very similar phishing attempt that went around from UPS a few years ago. I couldn’t find anything too recent, however, so I assume this is a fairly new round of attacks. If you were to click the attachment, the executable file would appear on your desktop with a Microsoft Word icon, to trick you into clicking it.

I’m still curious how they were able to get an email address from the real FedEx domain though.
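As an added example (not from the original post), here is the kind of check a mail gateway or a cautious user could run on an attachment like this one: it unpacks a zip in memory and flags any member that is a Windows executable, either by extension or by the MZ header every PE file starts with. The header check is what catches the ‘Word icon’ trick, since an icon is cosmetic but the file header is not. The sample zip, its file names and its contents are constructed for this example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"io"
	"path"
	"strings"
)

// Extensions Windows runs directly; an icon can be faked, the extension cannot.
var execExt = map[string]bool{".exe": true, ".scr": true, ".com": true, ".pif": true, ".bat": true, ".cmd": true, ".js": true, ".vbs": true}

// ScanZipAttachment reads a zip held in memory and returns "member: reason" for every executable member.
func ScanZipAttachment(data []byte) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var flagged []string
	for _, f := range r.File {
		if ext := strings.ToLower(path.Ext(f.Name)); execExt[ext] {
			flagged = append(flagged, f.Name+": executable extension "+ext)
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		head := make([]byte, 2) // only the magic bytes are needed, not the whole member
		n, _ := io.ReadFull(rc, head)
		rc.Close()
		if n == 2 && string(head) == "MZ" {
			flagged = append(flagged, f.Name+": PE header behind a non-executable name")
		}
	}
	return flagged, nil
}

// BuildSampleZip constructs an attachment like the one in the post (constructed data: the "executables" are just an MZ header).
func BuildSampleZip() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for name, body := range map[string]string{"FedEx_Invoice.doc.exe": "MZ\x90\x00", "shipment.pdf": "MZ\x90\x00", "note.txt": "plain text"} {
		fw, _ := w.Create(name)
		fw.Write([]byte(body))
	}
	w.Close()
	return buf.Bytes()
}
```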

Japanese ‘Boyfriend Tracker’ Allows You To Stalk Your Loved Ones

According to this article, the Japanese company Manuscript is being forced to modify their app, Boyfriend Log. The app was designed so that people could track their significant other through their phone.

The app would run invisibly in the background of any Android phone. It would use the built-in GPS of the phone to relay its current position to their website, so that you could see where your spouse, or anyone with the app installed, was at any time.

That’s not all it could do though. It would also relay other information, such as apps downloaded, and battery status. If you pay for a platinum membership, you could even get a call log.

The main issue raised with this app is the fact that it runs in the background without the user knowing. ‘Girlfriends’ are encouraged to install it on their significant other’s phone without them knowing, and they would never even know that they have it running on their phone. In response to these concerns, the company now has an icon that appears on the phone when it is running; however, all of its features are still the same.

Image taken from the official website is here, though it’s entirely in Japanese. This was translated using Google Chrome. To get around legal concerns, it looks like the app requires you to get the user’s consent before you install the app on their phone. We all know how easy it would be to forge consent on an app like this.

What do you think? Should it be legal to install these on someone’s phone, even with the icon? How easy do you think it would be to hack their site and get the locations and information from all its users?

Evilgrade: Exploiting Automatic Updating

Evilgrade is a framework created by infobytesec that you can download and use to exploit various programs whose online automatic updating is insecure. Essentially, when a program you’re attacking goes to look for an update, you intercept the request and send it your own update instead. This could obviously be used to send malicious updates; Evilgrade provides the framework for making your own updates for various programs.

There are over 60 different modules that you can play around with including:

- Safari
- iTunes
- Quicktime
- APT
- Java
- Mirc
- Adium
- Notepadplus
- Opera
- Bsplayer
- Winamp
- Trillian
- Teamviewer
- Virtualbox
- Vmware
- Winscp
- Winupdate

For each module, there is the proper framework needed to imitate an update from that program.

The reason this works is that many programs don’t cryptographically sign their updates or verify a signature before installing them, so the client has no way to tell a genuine update from one that somebody else sent. To prevent this, there needs to be proper authentication and validation within the update system. Because these programs don’t have that, they are prime targets for exploitation.

The best guidelines I found for creating a secure updater are from security researcher Dan Kaminsky. According to him, for an update to succeed, the update package must be:

- Signed
- Signed by you
- Signed by you, using the right EKU (Extended Key Usage)
- Signed from an unrevoked signature
- Be the same product
- Be a new version

An updater utilizing all of those security guidelines would be much more secure. Unfortunately, today there are still many security gaps in the programs that we use all the time. So next time your computer asks you if you want to update a program, see if your application updates require some authentication and verification. If they don’t, then be careful.
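As an added example (not Evilgrade’s code and not Kaminsky’s), here is what the client side of an updater that follows those six rules looks like in Go, with an Ed25519 key standing in for the vendor’s code-signing certificate and a small manifest format standing in for the update metadata. The manifest fields, the key IDs, the "code-signing" EKU string and the product name are all assumptions made for this example; the order of the checks follows the list above, and the first failing check rejects the package.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
)

// Manifest is the signed metadata of an update package (constructed format).
type Manifest struct {
	Product string // which program this update is for
	Version int    // monotonically increasing release number
	EKU     string // what the signing key is allowed to do, e.g. "code-signing"
	KeyID   string // which vendor key signed this manifest
}

type Policy struct { // what the installed client already knows and trusts
	Product   string
	Installed int                          // currently installed version
	Trusted   map[string]ed25519.PublicKey // vendor keys pinned in the client
	Revoked   map[string]bool              // key IDs the vendor has revoked
}

// Sign is the vendor side: sign the serialized manifest with the release key.
func Sign(m Manifest, priv ed25519.PrivateKey) []byte {
	body, _ := json.Marshal(m)
	return ed25519.Sign(priv, body)
}

// VerifyUpdate is the client side: Kaminsky's checks in order, first failure wins.
func VerifyUpdate(m Manifest, sig []byte, p Policy) error {
	body, _ := json.Marshal(m)
	switch {
	case len(sig) == 0:
		return errors.New("update is not signed")
	case p.Trusted[m.KeyID] == nil:
		return errors.New("not signed by one of our keys")
	case !ed25519.Verify(p.Trusted[m.KeyID], body, sig):
		return errors.New("signature does not verify")
	case m.EKU != "code-signing":
		return errors.New("signing key was not issued for code signing")
	case p.Revoked[m.KeyID]:
		return errors.New("signing key has been revoked")
	case m.Product != p.Product:
		return errors.New("package is for a different product")
	case m.Version <= p.Installed:
		return errors.New("package is not newer than the installed version")
	}
	return nil // all six checks passed; safe to apply
}
```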

A video showing exactly how Evilgrade works can be found here.

Trojan disguised as a PDF attacking Macs

Last Friday, researchers at the security company F-Secure announced that they’ve found some new malware for Mac. As of now, they know that the trojan opens a PDF file to distract the user while it installs a backdoor. The PDF contains Chinese text of a political nature that is said to be offensive to some.

While it is not impossible to get viruses and malware on Macs, there is a general understanding that you don’t have to worry about it as much. Some naively think that this is because Macs are more secure. In reality, the Mac OS can be just as easily hacked as Windows.

The reason that Mac feels safer than Windows is simply because there aren’t as many malicious programs and viruses being developed to attack Mac. Windows PCs hold 90% of the market, and are therefore the bigger target. A hacker has very little monetary incentive to go after Mac because they hold such a small chunk of the market. No wonder earlier this year on the official Internet Explorer blog they stated that “1 out of every 14 programs downloaded is later confirmed as malware” (Robert McMillan).

The few hundred pieces of malware found for Mac certainly seem insignificant compared to the nearly 2 million pieces found across the market (wired.com). However, most Mac users don’t utilize anti-virus programs because they feel they don’t need to. Because of this, even though there is much less malware out there that could infect them, they’re much more vulnerable to attack.

So this newly discovered PDF Trojan is concerning. It’s just another sign that as Apple’s share of the market grows, the target on Macs will only get larger, and more needs to be done to protect and educate their users.

[For more info on this specific Trojan]


Do you feel safe using Paypal?

If you’ve ever shopped around the internet, you’ve probably come across PayPal before. It’s one of the biggest online payment transfer companies there is. The question is, how secure is this site, and with big names like eBay requiring you to use it, do we really have any choice in the matter?

According to the Paypal site, they think their site is pretty secure:

PayPal automatically encrypts your confidential information in transit from your computer to ours using the Secure Sockets Layer protocol (SSL) with an encryption key length of 128-bits (the highest level commercially available). Before you even register or log in to the PayPal site, our server checks that you’re using an approved browser – one that uses SSL 3.0 or higher.

Once your information reaches the PayPal site, it resides on a server that is heavily guarded both physically and electronically. PayPal servers sit behind an electronic firewall and are not directly connected to the internet, so your private information is available only to authorized computers.

I’ve personally never had any problems with PayPal, and I’ve used it quite often. There are certainly horror stories though. Even having known there is a risk using this service, and now that I’ve researched this in more detail and read all the stories of people whose accounts were frozen, and who lost thousands of dollars, I’m undoubtedly still going to use PayPal. I don’t have much of a choice. There’s also an inherent risk in doing any transactions online, no matter where you go. So unless I find an amazing alternative, and sites start supporting that alternative, I’ll stick to PayPal.

What do you guys think? Do you use Paypal, and if so, do you feel safe?

Aftermath of the PSN hack: Are we stupid?

In April of 2011, Sony was forced to shut down the PlayStation Network (PSN). The outage, which lasted nearly a month, was in response to a hack into the system that compromised 77 million accounts. In addition to the obvious security failures, Sony also received much criticism for their handling of the situation, perhaps most significantly the fact that they didn’t inform their customers of the danger until a week after their information had first been accessed.

Personally, I thought that this catastrophic failure would result in a permanent loss of trust from their customers. However, according to their CEO, the PSN is doing just fine.

“I’m pleased to tell you that the PSN is more secure and better than ever. We are aggressively expanding its content. We have more than three million new customers since the network came back online, and sales are exceeding what we had before the cyber attacks. This year, we at Sony have been flooded, we’ve been flattened, we’ve been hacked, we’ve been singed. But the summer of our discontent is behind us. The past is a prologue to future possibility.”

- Howard Stringer, Sony CEO

More than 3 million new customers, just months after the network was breached? Are we stupid?

Is it that we have a lot of faith in Sony and the PSN, or is it because we all really want to play Uncharted 3?