JailbreakMe: Apple issues emergency iPhone/iPad security patch

August 12, 2010 by admin  
Filed under Security News

Apple has kept true to its promise, and released a security patch for users of iPhones, iPads and the iPod Touch, closing the door on a vulnerability that could have exposed them to malware and other malicious attacks.

 

The vulnerability first came to the public’s attention after it was used by a website, JailbreakMe.com, which made it simple for iPhone and iPad users to jailbreak their devices.

 

As I reported earlier this month, the drive-by jailbreak exploited a vulnerability in the way that the mobile edition of Safari (the default browser used in the iOS operating system) handles PDF files – specifically its handling of fonts. Therefore, just visiting the JailbreakMe website could run code on the visitor’s iPhone, iPod Touch or iPad.

 

Such a vulnerability, if left unpatched, leaves open opportunities for hackers to spread malicious code to Apple’s mobile products.

 

iOS 4.0.2 for iPhone

 

The iOS 4.0.2 update for iPhone and iPod Touch can be downloaded and installed using iTunes, with further information available in Apple’s support advisory HT4291.

 

The same process can be used to update Apple iPads to version 3.2.3 of iOS, with detailed information about the vulnerability published on Apple’s support knowledgebase.

 


Apple Security Breach Gives Complete Access to Your iPhone

August 7, 2010 by admin  
Filed under Security News

 

 


Right now, if you visit a web page and load a simple PDF file, you may give total control of your iPhone, iPod touch, or iPad to a hacker. The security bug affects all devices running iOS 3.1.2 and higher.

 

Update: Initially we thought that this exploit only affected iOS 4 devices, but it turns out all iPhones, iPod Touches and iPads running 3.1.2 and higher are susceptible.

 

The vulnerability is easily exploitable. In fact, the latest one-click, no-computer-required Jailbreak solution for iOS 4 devices uses this same method to break Apple’s own security (although in a completely benign way for the user).

 

How it works

It just requires the user to visit a web address using Safari. The web site can automatically load a simple PDF document, which contains a font that hides a special program. When your iOS device tries to display the PDF file, that font causes something called a stack overflow, a technical condition that allows the secret ninja code inside the font to gain complete control of your device.

 

The result is that, without any user intervention whatsoever, that program can do whatever it wants inside your iPhone, iPod touch or iPad. Anything you can imagine: delete files, transmit files, install programs running in the background that can monitor your actions… anything can be done.

 

This is not the first time that something similar has happened. At the beginning of the iPhone’s life there was a problem with TIFF files that also caused the same security breach. Apple patched the bug after a while, but back then there were very few iPhones compared to the current installed base. Apple says that there are 100 million iPhones, iPod touches, and iPads in the world. Obviously, malicious hackers are racing to get a slice of that market.

 

How can you avoid it?

Right now, the easiest way to avoid this problem is by not going to any PDF links directly and not loading any PDF from any non-trusted source.

 

You can also jailbreak your iPhone and install a program that will ask for authorization every time your browser encounters a PDF (just look for “PDF loading warner” in Cydia).

 

While this doesn’t solve the security problem at all, at least it will remind you every single time.

 

 

Source: http://gizmodo.com


JailbreakMe: Security warning for iPhone and iPad owners

August 5, 2010 by admin  
Filed under Security News

A website that has made it simple for iPhone and iPad users to jailbreak their devices may not just be a headache for Apple, but also a portent for future malicious attacks.

 

Owners of Apple gadgets who visit the JailbreakMe website in Safari have found that all they need to do to jailbreak their device is slide a button to give permission, opening up the possibility of installing apps that have not been approved by the official App Store.

 

Previously, jailbreaking has required users to connect their device to a computer before they can start to tamper with the set-up of their iPhone or iPad and gain access to the Cydia underground app store.

 


The drive-by jailbreak is possible because the website exploits a vulnerability in the way that the mobile edition of Safari (the default browser used in the iOS operating system) handles PDF files – specifically its handling of fonts.

 

As a number of YouTube videos have demonstrated, it’s a pretty slick process.

 

What concerns me, and others in the security community, however, is that if simply visiting a website with your iPhone can cause it to be jailbroken – just imagine what else hackers could do by exploiting this vulnerability. Cybercriminals would be able to create booby-trapped webpages that could – if visited by an unsuspecting iPhone, iPod Touch or iPad owner – run code on visiting devices without the user’s permission.

 


UK Government: We’re sticking with Internet Explorer 6

August 5, 2010 by admin  
Filed under Security News

Gulp. At the end of last week, along with thousands of other Brits, I received an email from the UK Government telling me that they had responded to a petition I had signed urging the Prime Minister to encourage government departments to upgrade from Internet Explorer 6.

 

You can read the UK Government’s response here.

 

In a nutshell, Her Majesty’s Government says it is more cost-effective to stick with Internet Explorer 6 (which has been dogged with security issues) rather than switch to an alternative browser or a more up-to-date version.

 

Too expensive, huh?

 

You have to wonder if that’s going to be considered an acceptable excuse by the general public when there’s a serious security breach that exploits a creaky old browser that’s been around since 2001.

 

Where’s the wisdom in sticking with IE 6 when Microsoft itself has urged users to upgrade to a more secure version, many websites are dropping support for it, and security professionals advise that installations of Internet Explorer 6 should be taken outside and beaten with a heavy stick?

 


Details of 100 million Facebook users were *already* exposed on the net

August 1, 2010 by admin  
Filed under Security News

Have you seen the headlines? They’re pretty scary-looking.

 

Here’s just a handful – although there were hundreds more to choose from:

“A fifth of Facebook users names ‘leaked’ to file-sharers”, Techwatch

“Details from 100 million Facebook profiles posted online”, Network World

“Details of 100m Facebook users collected and published”, BBC News Online

“100 million Facebook accounts exposed”, V3

 

At first glance these headlines might appear frightening. But there’s one thing you need to know. All of this information was already available to anyone on the internet.

 

What’s happened is that a security consultant called Ron Bowes wrote some scripts to harvest publicly-available information from the profiles of Facebook users who had left their profiles open for anyone to view.

 

In total he managed to scrape the names and URLs of some 100 million Facebook users (about 20% of their population), and posted the database of snaffled information up on a peer-to-peer file-sharing network for anyone to download.

 


This wasn’t really a “hack” as such, as the guy who collected this information didn’t have to break into accounts to access the information. The personal information from users’ Facebook profiles was already available to anyone because individuals’ privacy settings had not been properly secured, and they had effectively left their lights on and curtains open for anyone to peek in and make a note of anything they could see.

 

The real problem here is that users haven’t secured their profiles well enough – but I don’t think they’re the only ones at fault. Facebook has gradually eroded its users’ privacy over the years, in an attempt to share more information with the rest of the internet. In fact, it’s even recommended that users use settings that share more information – and some users may not have been aware that going with Facebook’s recommendations would leave them open to being snooped on in this fashion.

 

The problem is that once you’ve shared your information with “everyone” on the net in this fashion, there’s no going back. You can’t withdraw your data – and now the user details have been harvested they will forever be available for anyone to access.

 


Facebook users need to wake up to the risks of sharing too much information online, and examine their Facebook security settings closely to ensure that they are not divulging too much to people they don’t know, and are comfortable with their choices. Today the news story is about names and URLs being scooped up – maybe tomorrow it could be more personal information that is gathered from poorly secured Facebook users.

 

 


Mozilla pulls password-sniffing Firefox add-on

July 15, 2010 by admin  
Filed under Security News

Mozilla has issued a warning that a Firefox add-on available from the official Mozilla Add-Ons website was secretly sending users’ stolen passwords to a remote location.

 

“Mozilla Sniffer” was uploaded to the Firefox add-on site on June 6th, but was only determined at the start of this week to contain code that sent the contents of website login forms to a remote location.

 

In other words, if you installed this add-on (and according to Mozilla about 1800 people did) then every time you entered your password on a website you were potentially handing over your confidential login details to an unknown party.

 

And this isn’t the first time that Firefox add-ons have made the security headlines. For instance, earlier this year Mozilla revealed that the Master Filer add-on was infected by the LdPinch password-stealing Trojan.

 

Back then Mozilla said it would strengthen its vetting procedures, scanning all add-ons with additional anti-virus tools. Clearly that wasn’t enough in this latest breach, and there is a proposal to introduce a requirement that all add-ons be code-reviewed before they are published on the site. More details on this proposal are available in a document about the new review model.

 

Mozilla has now block-listed the “Mozilla Sniffer” add-on, meaning that users who are already running the code will be prompted to remove it.

 

If you’re one of the potential victims, however, I would go further than just removing the add-on. Make sure you change your passwords too.

 

 


Security risks for those who stay with Windows XP SP2

July 13, 2010 by admin  
Filed under Security News

Tomorrow (Tuesday 13 July 2010) Microsoft will issue its last ever security patches for Windows XP Service Pack 2 (SP2).

 

The service pack, which was first released in August 2004, will no longer be supported by Microsoft after Tuesday, meaning that users will no longer receive any security patches – regardless of how critical any discovered vulnerability may be.

Furthermore, it’s not just Windows XP SP2 that Microsoft won’t be updating – your installations of Internet Explorer, Windows Media Player, Outlook Express and other Windows XP SP2 components also won’t receive security patches if you’re running that version of the operating system.

 

You may be wondering – “What’s the problem? After all, Windows XP SP3 was released in 2008, and replaced SP2, right?”

 

Well, yes. It did. But recently published statistics suggest that an alarming 77% of organisations are running Windows XP SP2 on 10% or more of their PCs.

 

That’s an awful lot of computers which may not be properly protected when a new vulnerability is discovered – and could potentially be vulnerable to a malware attack.

 

Microsoft would probably like you to update your computers to Windows 7, but that may be a tall order for many older PCs. If you’re not ready for Windows 7, make sure you apply the free update to Windows XP SP3. Windows XP SP3 will be supported by Microsoft until at least April 2014.

 


Malware Sales Through Social Networks

June 30, 2010 by admin  
Filed under Security News

Social media has affected business organizations in many different ways over the years, and these effects have produced a rather complicated relationship between the two.

Social media has proven to be an effective marketing tool for businesses. Data collected last year from Fortune’s Global 100 revealed that more than 50 percent of those companies have Twitter, Facebook, and YouTube accounts. On the other hand, social media tools such as social networks have been reported to affect office productivity and also serve as popular media for online threats.

 

In the same way that businesses use social media, cybercriminals do as well. Just recently, we saw an advertisement for fake point-of-sale (POS) devices in an underground forum where the seller offered a fake POS device for 1,000 EUR.

 

This time, we found an advertisement for a malicious tool in a more “mainstream” channel.

 


The YouTube video is actually an advertisement for a distributed denial-of-service (DDoS) tool. A screenshot of the tool is shown in the video, while its features and other details, such as the price and the URL where the tool can be purchased, are listed in the video’s details. (It has since been taken down by YouTube.)

 

Notably, the video had more than 600 views. Though the number is relatively small, one can’t help but wonder how many of those viewers were enticed enough to visit the given site and to purchase the tool. After all, it’s only US$15.

 

That post is just one of the many malware ads in social networks. If anything, the above-mentioned advertisement only goes to show that cybercriminals are using social networks the same way legitimate businesses do to gain “customers”, even if the customers in question are other cybercriminals.

 

For best practices to follow in managing a social network account, you can check our white paper, “Security Guide to Social Networks.”

 

 

Source: http://blog.trendmicro.com/

Critical patches: Update your Adobe Flash player now

June 11, 2010 by admin  
Filed under Security News

Adobe has issued a security bulletin detailing critical vulnerabilities that have been discovered in the current versions of Adobe Flash Player for Windows, Macintosh, Solaris and Linux.

 

An update issued by Adobe claims to resolve 32 vulnerabilities in Flash Player – which if left unpatched could leave open a door for hackers to infect innocent users’ computers. Some of the security holes are already being exploited by malicious hackers.

 

Adobe is recommending that users upgrade to Adobe Flash Player 10.1.53.64.

 

If you’re not sure which version of the Adobe Flash Player you have installed, visit the About Flash Player page. Remember that if you use more than one browser on your computer you should check the version number on each.

 

Adobe further recommends that users of Adobe AIR version 1.5.3.9130 and earlier versions update to Adobe AIR 2.02.12610.

 

It is becoming more and more common for cybercriminals to exploit vulnerabilities in Adobe’s software – so it would be a very good idea for everyone to update vulnerable computers as soon as possible.

 

By Graham Cluley, Sophos


iPad owners’ email addresses exposed: let’s stay calm

June 11, 2010 by admin  
Filed under Security News

One of the hottest security news stories today revolves around the news that a weakness on AT&T’s website allowed outsiders to grab the email addresses of early adopters of the Apple iPad – at least those who had chosen to subscribe via AT&T.

 

The news was broken as an “exclusive” by Gawker in a story entitled “Apple’s Worst Security Breach: 114,000 iPad Owners Exposed”.

 

As my fellow blogger Paul Ducklin points out, it’s Gawker’s lead story right now – alongside continuing coverage of Debrahlee Lorenzana, the so-called “Hottie Banker” who alleges that she was sacked from her job at Citibank because she was too sexily distracting for her male co-workers.

 

If you can divert yourself away from Debrahlee Lorenzana’s charms for a second to read the Gawker story you’ll find that it has some very scary things indeed to tell you:

"dozens of CEOs, military officials, and top politicians. They - and every other buyer of the cellular-enabled tablet - could be vulnerable to spam marketing and malicious hacking"

"the most exclusive email list on the planet"

"the breach will also likely unnerve customers thinking of buying iPads that connect to AT&T's cellular network"

"One affected individual was William Eldredge, 'who commands the largest operational B-1 [strategic bomber] group in the U.S. Air Force'"

 

and so it goes on..

 

Reading on in the report it appears that a group called Goatse (don’t Google it, trust me..) bombarded the AT&T website service with thousands of requests using made-up ICC-ID codes (that’s an internal code used to associate a SIM card with a particular subscriber).

 

The hacking group deluged the website with so many made-up requests that some were bound to reflect genuine ICC-ID codes, and effectively “stick”. When this happened the website believed them to be a genuine iPad user and revealed the associated email address.

 

Email addresses. Image source: Gawker

Ok. So I can see how this is embarrassing, and it shouldn’t have happened. But, as Paul Ducklin underlines, it’s just an email address and you reveal your email address every time you send an email.

 
