JailbreakMe: Security warning for iPhone and iPad owners
August 5, 2010 by admin
Filed under Security News
A website that has made it simple for iPhone and iPad users to jailbreak their devices may not just be a headache for Apple, but also a portent for future malicious attacks.
Owners of Apple gadgets who visit the JailbreakMe website in Safari have found that all they need to jailbreak their device is slide a button to give permission, opening up the possibility of installing apps that have not been approved by the official AppStore.
Previously, jailbreaking has required users to connect their device to a computer before they can start to tamper with the set-up of their iPhone or iPad and gain access to the Cydia underground app store.
The drive-by jailbreak is possible because the website exploits a vulnerability in the way that the mobile edition of Safari (the default browser used in the iOS operating system) handles PDF files – specifically its handling of fonts.
As a number of YouTube videos have demonstrated, it’s a pretty slick process:
What concerns me, and others in the security community, however, is that if simply visiting a website with your iPhone can cause it to be jailbroken – just imagine what else could hackers do by exploiting this vulnerability? Cybercriminals would be able to create booby-trapped webpages that could – if visited by an unsuspecting iPhone, iPod Touch or iPad owner – run code on visiting devices without the user’s permission.
Justin Bieber fans under fire in YouTube XSS attack
July 5, 2010 by admin
Filed under Security News
If there are any breathless fans of Justin Bieber reading this – let me calm you straight away: Justin Bieber has not died in a car crash.
But you may have imagined that he did if you checked out some of his YouTube videos this long US Independence Day holiday weekend, or read one of the many internet rumours that spread over the last day or so.
A vulnerability in YouTube’s comment system was exploited widely this weekend, allowing mischief-makers to embed code through a cross-site scripting (XSS) flaw. And one of the things they did was post messages claiming that the teen pop sensation had died in a car crash.
Normally YouTube is smart enough to weed out offending code left in the comments left for videos, but it appears that the hackers found a way to waltz past the site’s defences.
Those watching YouTube videos of Justin Bieber and others could find their eyeballs assaulted by other prankish pop-ups and offensive messages or redirected to tasteless websites.
It took about two hours before Google, YouTube’s parent company, got things under control.
XSS attacks are a serious problem, of course. Potentially they can fool unsuspecting users into handing over their login details (although this doesn’t appear to have happened on this occasion) or direct them to a malicious webpage.
Video of Twitter phishing: The BZPharma ‘LOL this is funny’ attack (Video)
February 24, 2010 by admin
Filed under Security Channel
Twitter users are being warned about a widespread phishing attack spreading across the system, designed to steal the usernames and passwords of unsuspecting members.
Messages include
Lol. this is me??
lol , this is funny.
Lol. this you??
followed by a link in the form of
http://example.com/?rid=http://twitter.verify.bzpharma.net/login
where ‘example.com’ can vary. As we have seen many variations of the URL in its entirety, you would be wise to avoid clicking on any links which refer to bzpharma.net at the very least.
Watch this YouTube video for more details:
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)
Although Twitter has urged users to be vigilant about the threat being distributed via private direct messages, it’s clear that dangerous links are also being posted in public feeds. This means that you can stumble across the links even if you aren’t sent it directly, or even if you are not a signed-up user of Twitter.
It appears what is happening is that the messages are being shared more widely because of third-party services like GroupTweet which extend the standard Twitter direct message (DM) functionality and allow private messages to be sent to multiple users *and* optionally made public.
As a result, as you can see in the video above, we have found Twitter accounts that have warned their followers about the phishing attack, only to subsequently fall victim to it themselves!
Regardless of how you come to click on the dangerous link, if you do enter your username and password on the fake Twitter login page your details will be phished and placed in the hands of hackers.
The page then displays a “fail whale” screen, claiming that Twitter is over capacity, before taking you back to the real Twitter main page. As a result, compromised Twitter users may not realise that their login details have been stolen.
Interestingly, the bzpharma.net site doesn’t just appear to have been set up for Twitter phishing. It appears to also have been created for stealing the online identities of the Bebo social networking site too:
If you have been tricked by the phishing attack and accidentally handed over your username and password, change your password immediately.
We’re going to see many more attacks against social networks in the future I’m afraid. Last month, Sophos published its Security Threat Report revealing that there had been an astonishing 70% rise in the number of users reporting spam and malware attacks via social networks in the last year.
Update: The phishing campaign appears to be bearing fruit for the hackers as they are now distributing spam selling herbal viagra from the compromised accounts. Learn more now.
By Graham Cluley, Sophos
Facebook privacy settings: What you need to know
December 11, 2009 by admin
Filed under Security News
Facebook is making big changes to its privacy settings that may mean millions of people begin to expose information that they previously considered to be restricted to only their Facebook friends to the entire internet.
This YouTube video explains more.
Facebook is recommending that users adopt a series of new privacy settings that would reveal their personal data to anyone on the internet. Chances are that when you login to Facebook today you’ll be advised to make various pieces of your personal information available for “Everyone” to see.
To get a clear picture of what Facebook means by everyone (and its implications) you should check out the revised Facebook privacy policy:
"Information set to 'everyone' is publicly available information, may be accessed by everyone on the Internet (including people not logged into Facebook), is subject to indexing by third party search engines, may be associated with you outside of Facebook (such as when you visit other sites on the internet), and may be imported and exported by us and others without privacy limitations."
"The default privacy setting for certain types of information you post on Facebook is set to 'everyone.' You can review and change the default settings in your privacy settings. If you delete 'everyone' content that you posted on Facebook, we will remove it from your Facebook profile, but have no control over its use outside of Facebook."
So, let’s make this clear. If you make your information available to “everyone”, it actually means “everyone, forever”. Because even if you change your mind, it’s too late – and although Facebook say they will remove it from your profile they will have no control about how it is used outside of Facebook.
There’s a real danger that people will go along with Facebook’s recommendations without considering carefully the possible consequences.
by Graham Cluley, Sophos
