CyberInsecure.com

Archive for the ‘Apple’ Category

Apple’s iPhone is vulnerable to exploits that allow an attacker to spoof web pages even when they’re protected by the SSL, or secure sockets layer, protocol, a security researcher said.

The fault lies in a feature that makes it easy to configure large numbers of iPhones so they meet an organization’s IT policies, said Charlie Miller, a researcher at Independent Security Evaluators. Not only does the provisioning feature work over the internet, it can be tricked into accepting malicious configuration files.

“If the user accepts, the attacker can make changes to the phone’s configuration which can cause harm,” Miller explained.

The revelation comes after the hack was discussed in an anonymous blog post over the weekend. It explained how it was possible to sign an XML-based configuration file using a SSL certificate registered to a fictitious company called Apple Computer. Because the iPhone checks only that the certificate was signed by a trusted CA, or certificate authority, the author’s rogue update.mobilconfig file was accepted and executed.

The author claimed the hack could be used to change an iPhone’s proxy settings, a change that would allow attackers to do much more nefarious deeds such as funnel traffic to servers under their control. Miller said he wasn’t sure such an attack was possible, but he didn’t rule it out, either.

“It definitely allows them to change the trusted certs which means that you can’t trust SSL anymore,” Miller wrote. “I don’t have the cert the guy generated to really confirm things on my own. I’m very confident that it can do a lot though.”

In addition to changing trusted certificates, Miller said, a rogue configuration file could be used to disable Safari or other iPhone apps or block access to particular websites that can be accessed.

For an exploit to work, an attacker would have to apply a fair amount of social engineering. First, a user would have to be tricked into clicking on an email attachment or visiting a website hosting the configuration file. The user would then be presented with a window saying the update has been “verified” and would have to click OK to install it.

The most serious consequence Miller could confirm was the ability to spoof SSL-protected pages, but given the difficulty of the attack, he wasn’t sure how useful that would be.

“If you can get someone to install this thing AND go to your phishing site, the guy probably would have fallen for it without SSL,” he said.

Credit: The Register

A rare emergency update from Microsoft to patch a critical vulnerability in Internet Explorer will be released on Thursday. Critical patches for Adobe Systems software keep coming. This time, they fix serious security bugs in the company’s Shockwave Player. Apple has also released a major security update designed to fix security bugs, some of which present a critical security risk on unpatched systems.

Microsoft update will mark only the 10th 12th time Microsoft has issued a security update outside of its normal schedule since 2003, when it began issuing patches on the second Tuesday of each month. It will come a week after the world learned an attack exploiting the potent IE flaw was used to pierce the defenses of Google and at least some of the other 33 large companies that suffered similar assaults.

Microsoft researchers said that they continue to see only limited attacks that exploit the bug and that, so far, they have only succeed against IE 6. But, as reported Tuesday, researchers elsewhere said they have figured out how to bypass security measures offered in later versions of the widely used browser, making it theoretically possible to compromise a much broader base of PCs.

Microsoft said the emergency patch will be issued as close to 10 am Seattle time as possible and will contain fixes for several other vulnerabilities as well. The company recommends users install it as soon as possible. The patch will require users to restart their machines.

For the first time, Microsoft said the vulnerability could also be exploited to attack users of its email and office productivity software. Thursday’s patch will close holes in those programs as well. Users of Microsoft Access, Word, Excel, or PowerPoint can workaround the issue by disabling ActiveX Controls.

Adobe is strongly urging users to upgrade. Unlike the vast majority of patches, the Shockwave fix requires users manually uninstall the out-of-date version, reboot their systems, and then install the latest version. For an application with more than 450 million installations, that’s downright primitive.

More importantly, making it inconvenient for users to upgrade is a guarantee that a sizable portion of them will remain vulnerable. Adobe has recently unveiled an automatic updater for its Reader application. It’s about time the software maker made seamless updating for Flash and Shockwave standard too. The critical patch, assuming it’s installed, will update Shockwave to version 11.5.6.606.

Patches released by Apple on Tuesday address a malware injection risk in the CoreAudio media player, Flash Player plug-in bugs and a similarly critical vulnerability involving Image Raw. The update also tackles a recently discovered OpenSSL renegotiation exploit. Security fixes for CUPS and Image IO make up the remainder of the patch batch.

Most of these updates are connected with third party software. For example, seven of the twelve CVEs are connected with the update for Adobe’s flash player plug-in. The remainder of the bugs are the usual file format parsing problems that we’ve seen a lot of in the past.

Apple advisory can be found at http://support.apple.com/kb/HT4004.

Credit: The Register

A Swiss iPhone developer has released a new application that is capable of harvesting huge amounts of personal data from iPhones, including geolocation data, passwords, address book entries and email account information, all using just the public API.

The application, called SpyPhone, uses the public iPhone API that Apple made available for application developers, and does not need any exploits or hardware attacks in order to access the iPhone’s data. Instead, SpyPhone relies on using the iPhone’s usability and depth of features to its advantage. Once an application is on an iPhone, it has unfettered access to much of the data and settings on the device, a circumstance that SpyPhone’s developer, Nicolas Seriot, exploited.

Seriot has posted the source code for SpyPhone online and gave a talk about SpyPhone’s capabilities at a security conference this week. All of SpyPhone’s operations are conducted in the background, without the knowledge of the iPhone’s user, and the application can be set to email reports on each infected phone back to the attacker.

Once on the iPhone, the application begins looking at the stored data that’s available in various other programs, such as the email address book and the keyboard cache, which keeps a record of every keystroke the user enters in a non-password field, Seriot said. This data normally is used for the iPhone’s autocomplete feature, but can be a gold mine of information for an attacker searching for intelligence on the iPhone’s owner.

By default, the iPhone will tag any photos taken with the device with the date and location of the picture. The user can turn this feature off, but if it’s enabled, SpyPhone can access that data, as well as the log of which WiFi hotspots the device has connected to. All of this gives the attacker a better picture of the iPhone’s owner, his location and his interests, which is valuable data.

Apple has taken pains to keep strict control over what applications can run on the iPhone, but malicious apps have been found in the company’s AppStore in the past. And while Apple has to approve all of the programs in the AppStore, users who have jailbroken iPhones can run any app they choose on their devices. That leaves plenty of opportunity for seemingly innocuous apps that contain malicious components.

Credit: Threatpost.com

The second worm to infect jailbroken iPhone users reportedly targets customers of Dutch online bank ING Direct. Surfers visiting the site with infected devices are redirected to a phishing site designed to harvest online banking login details, the BBC reports. ING Direct told the BBC it planned to warn users’ of the attack via its website, as well as briefing front line call centre staff on the threat.

Mikko Hypponen, chief research officer at F-Secure, said the threat had in any case been neutralised. “It [the worm] was targeting ING. The websites it needed for this to work have now been taken down.”

Anti-virus analysts, still in the process of analysing the malware, caution that the attack is a bit more complex than simple phishing and seems to involve an attempt to snatch SMS messages associated with online banking transactions. We’re yet to hear back from ING Direct on this point but we’ll update this story as and when we hear more.

What is clear is that the “Duh” or Ikee-B worm, like the earlier Rickrolling worm, exploits an SSH backdoor on jailbroken handsets in order to spread.

Part of the process of jailbreaking iPhones to allow unofficial software to be installed can involve installing SSH (secure shell) remote access. Users who go through this step but fail to change the default root password of iPhones from alpine leave a backdoor that wide open to attack.

Although Duh exploits the same SSH backdoor as the original Ikee worm, the latest malware is far more dangerous than its predecessor. Doh turns compromised devices into a botnet under the control of unidentified hackers. The Rickrolling ikee worm, by contrast, only changes users’ wallpaper to an image of cheesy pop warbler Rick Astley.

Duh also searches across a wider range of IP ranges than Ikee, which only ever affected Optus users in Australia. It includes IP ranges allocated to carriers in several countries, including The Netherlands, Portugal, Australia, Austria, and Hungary. All the infections reported thus far have happened in The Netherlands. The attack only came to light after a Dutch ISP noticed unusual traffic and began to investigate.

As previously reported, compromised phones are left under the control of a botnet server in Lithuania. Duh changes the root password of compromised iPhones, allowing crooks to log into compromised units and carry out malicious further actions.

SophosLabs researcher Paul Ducklin used a password cracking tool to discover the malware changes iPhone root passwords from ‘alpine to ‘ohshit’.

In addition to the two iPhone worms, an earlier hacking/extortion attack (targeting iPhone users in the Netherlands) also exploited the default password SSH backdoor on jailbroken iPhones.

Security experts strongly advise users of jailbroken phones to change their passwords from ‘alpine’ immediately to avoid further attacks along the same lines.

Credit: The Register

Apple iPhone owners in Australia have reported that their smartphones have been infected by a worm that has changed their wallpaper to an image of 1980s pop crooner Rick Astley. Tricking victims in to inadvertently playing the song has become a popular prank known as Rickrolling.

The attacks, which researchers say are the world’s first iPhone worm in the wild, target jailbroken iPhones that have SSH software installed and keep Apple’s default root password of “alpine.” In addition to showing a well-coiffed picture of Astley, the new wallpaper displays the message “ikee is never going to give you up,” a play on Astley’s saccharine addled 1987 hit “Never Gonna Give You Up.”

A review of some of the source code, shows that the malware, once installed, searches the mobile phone network for other vulnerable iPhones and when it finds one, copies itself to them using the the default password and SSH, a Unix application also known as secure shell. People posting to this thread on Australian discussion forum Whirlpool first reported being hit on Friday.

“I foolishly had forgot to change my root and user password last time i had jailbroke my phone,” wrote one forum participant. In addition to his own iPhone being attacked, he said a flatmate’s iPhone 3G was also sullied with the image of Astley. Users who tried to delete the image were chagrined to find it reappear once they rebooted their device.

The attack is a wakeup call for anyone who takes the time to jailbreak an iPhone. While the hack greatly expands the capabilities of the Apple smartphone, it can also make it more vulnerable. Programs such as OpenSSH, which can only be installed after iPhones have undergone the procedure, can be extremely useful, but if owners haven’t bothered to change their root password, the programs also represent a gaping hole waiting to be exploited.

Indeed, a hacker going by the moniker ikee and claiming to be responsible for the worm said here that he wrote the program to bring awareness to the widely followed practice of failing to change the iPhone’s password.

“I was quite amazed by the number of people who didn’t RTFM and change their default passwords,” the unidentified worm writer said. “I admit I probably pissed of [sic] a few people, but it was all in good fun (well ok for me anyway).”

Ikee said the worm disables the SSH daemon so it can’t be targeted further.

So far, there are no reports of people outside of Australia getting infected. And the attack appears to do nothing more than Rickroll victims with the Astley wallpaper. But because the writer released source code for four separate variants, it wouldn’t be surprising for copycats in other regions to appropriate the attack code and potentially imbue it with more malicious payloads.

Credit: The Register, Sophos

Yesterday, a message popped up on the screens of a large number of automatically exploited Dutch iPhone users, demanding $4.95 for instructions on how to secure their iPhones and remove the message from appearing at startup. The message said: “Your iPhone’s been hacked because it’s really insecure! Please visit doiop.com/iHacked and secure your phone right now!”

Through a combination of port scanning and OS fingerprinting of T-Mobile’s 3G IP range, a Dutch teenager has for the first time automatically exploited a known security vulnerability introduced on jailbroken iPhones - the SSH daemon which unless modified remains running with default users root and mobile, using the same password on each and every device.

The now taken offline site was featuring the following message:

“Dear iPhone user,

Your iPhone is not secure. That’s the reason your visiting this page, isn’t it? Well you can pay me $4,95 at my paypal account PureInfinity92@mailinator.com, and I’ll mail you very easy instructions on how to secure your iPhone. You can also contact me at PureInfinity92@gmail.com

If you don’t pay, it’s fine by me. But remember, the way I got access to your iPhone can be used by thousands of others. And they can send text messages from your number (like I did..), use it to call (or record your calls), and actually whatever they want, even use it for their hacking activities! I can assure you, I have no intention of harming you or whatever, but, some hackers do! It’s just my advise to secure your phone (: Have a nice day!”

Following the media coverage, active discussions across popular Dutch IT forums, and the timely shut down of his PayPal account, the opportunistic and unethical pen-tester quickly changed his attitude and posted an apology followed by step-by-step guide on changing the default SSH password, which he was originally offering for a fee.

Credit: ZDNet.com Security Blogs

People who use public WiFi to make iPhone calls or conduct video conferences take heed: It just got a lot easier to monitor your conversations in real time.

At a talk scheduled for Saturday at the Toorcon hacker conference in San Diego, two security researchers plan to show the latest advances in the open-source UCSniff tool for penetrating voice-over-internet-protocol systems. With a few clicks of a mouse, they will eavesdrop on a call between two audience members using popular iPhone applications that route the calls over the conference network.

For more than a year, UCSniff has provided everything a hacker needs to plug a laptop into a network and within seconds begin intercepting VoIP transmissions. But until now, the program has allowed eavesdroppers to reassemble the conversations only after they were concluded, a limitation that was far from the elite bugging capabilities shown in Mission Impossible and other spy thrillers.

“As the private call is in progress, we can see and hear what is happening,” said Jason Ostrom, a developer of UCSniff and director of Viper Labs, the research arm of security firm Sipera Systems. “There’s real-time violation of confidentiality.”

In addition to monitoring voice conversations as they happen, UCSniff can also bug video conferences in real time. Ostrom said he and fellow Viper Labs researcher Arjun Sambamoorthy plan to show those capabilities at Toorcon as well.

With the proliferation of iPhones and other smartphones, plenty of businesses and individuals have sought to save money on roaming charges by routing calls over the internet instead of over carrier networks. Adam Boone, a vice president at Sipera, said one large, unnamed client logs more than 1 million minutes per month in such VoIP calls.

The problem, he added, is that many of the iPhone apps for VoIP calls don’t provide encryption capabilities, making the conversations ripe for eavesdropping. (Sipera plans to unveil a new product to protect such users next week).

No doubt, traffic traveling over unsecured networks has always been vulnerable to snoops. UCSniff just streamlines their work by bundling a hodgepodge of tools that previously were only available piecemeal.

It turns any laptop into a man-in-the-middle node. A VLAN hopper then traverses the virtual local area network until it accesses the part that carries VoIP calls. UCSniff automatically injects spoofed address resolution protocol packets into the network, allowing all voice and video traffic to be routed to the laptop.

Ostrom said the tool is designed to help penetration testers quickly assess the security of clients’ networks and to help security providers to stay abreast of the latest attacks.

“If we can do this, there are many, many people out there who can do this. It’s not rocket science,” he said. “The end game here is to help them improve their products, to know what types of attacks can happen so they can build security features into their products.”

Credit: The Register

A researcher has unearthed fresh evidence of cyber criminals’ growing attraction to Apple’s OS X platform with the discovery of a now-disbanded group that offered 43 cents for every infected Mac.

Mac-codec.com was just one of hundreds well-organized affiliate networks that pay a small bounty each time their malware is installed on an unsuspecting end user’s computer. What makes this one stand apart is its dedication to the Mac platform.

The site advertised various promotional materials Mac-based “video players” and offered “webmasters” the fee in exchange for each installation on Macs that visited their exploit sites. The 43-cent fee is slightly lower than the 50 cents to 55 cents the codec-partnerka pay for infections of Windows-based machines.

The outfit was holding out the offer in January and February of this year, but has since closed its doors, said Samosseiko, who is manager of Sophoslabs in Canada, a research arm of anti-virus firm Sophos. He presented his findings as part of a larger discussion about codec-partnerka presented at this week’s Virus Bulletin conference in Geneva. The groups’ malware typically masquerades as legitimate video codecs or anti-virus software.

“I suspect that it wasn’t as profitable to target the Mac platform at that point,” he explained. Mac-codec.com “probably closed because it wasn’t commercially viable for them to conduct business.” “I suspect there are others targeting other Mac users,” he said.

Infiltrating the highly secretive networks is by no means an easy task. Most of them are based in Russia or elsewhere in Eastern Europe, and interlopers must first gain the trust of other members. Although Mac-codec.com is no longer active, Samosseiko doesn’t believe that’s the end of the bounty program for infected OS X systems.

Credit: The Register

Security researchers at Microsoft have found a way to break the end-to-end security guarantees of HTTPS without breaking any cryptographic scheme. Affected browsers include Microsoft’s Internet Explorer 8, Mozilla Firefox, Google Chrome, Apple Safari and Opera.

During a research project concluded earlier this year, the Microsoft Research team discovered a set of vulnerabilities exploitable by a malicious proxy targeting browsers’ rendering modules above the HTTP/HTTPS layer.

According to Microsoft Research team, in many realistic network environments where attackers can sniff the browser traffic, they can steal sensitive data from an HTTPS server, fake an HTTPS page and impersonate an authenticated user to access an HTTPS server. These vulnerabilities reflect the neglects in the design of modern browsers — they affect all major browsers and a large number of websites.

According to a SecurityFocus advisory, attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how sites are rendered to the user. Other attacks are also possible.

Originally, it was believed that this issue only affected Mozilla’s browsers but the advisory was update to reflect that the issue affects multiple browsers, not just Mozilla products.

Credit: ZDNet.com Security Blogs

Apple on Wednesday patched 18 holes in its Mac OS X operating system, seven that could allow an attacker to remotely take over a machine when a user does nothing more than view a booby-trapped image. The patches, which arrive as part of OS X 10.5.8, also fixed bugs in MobileMe.

The ImageIO Framework, which helps Mac applications read and write popular image formats, was responsible for five of the image vulnerabilities. A color management interface known as ColorSync and a component known as ImageRAW were to blame for the other two. The vulnerabilities create an ideal scenario for attackers, who could use specially manipulated PNG, OpenEXR and RAW files to remotely execute malicious code on the machines of oblivious users.

The flaws are the result of unitialized memory errors, unitialized pointer issues and heap, stack and integer overflows. Other patches fixed code-execution vulnerabilities in the OS X kernel, login window and other components in the OS.

At least one of the remote-execution vulnerabilities, contained in a component known as XQuery, involved buggy code that implements data based on the XML, or Extensible Markup Language, standard. Earlier Wednesday, security researchers in Finland warned of critical vulnerabilities in open-source XML Libraries that affect an enormous array of applications, but at time of writing it was unclear if the two were related.

Credit: The Register