Posted by: David Harley | July 23, 2014

iOS through the backdoor?

[Update: useful commentary on the same issue for the Sophos blog from John Zorabedian here: iSpy? Researcher exposes backdoor in iPhones and iPads]

The Register has updated its article – HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads - from earlier in the week regarding Jonathan Zdziarski’s paper claiming that iOS devices contain data discovery tools that could be (mis)used, especially by adept government snoopers.

Apple has responded (according to El Reg) that “…services identified by Zdziarski are not deliberately provided for government agencies to exploit. Instead, they are for “diagnostic” purposes and to allow enterprise IT bods to manage workers’ devices.” (Ah: so it’s all the fault of security-minded commentators advising that CYOD is better than BYOD, huh?) However, Zdziarski is not convinced, citing the lack of user control over the feature.

David Harley
Small Blue-Green World

Posted by: David Harley | July 18, 2014

Ripening of the Big Blue Apple

big blue apple 2

Gavin Clarke’s article for The Register seems to have more typographical errors than any Register article I’ve ever seen (guys, it’s a colour palette, not a colour pallet!), but it does make some interesting points about the new era of Apple/IBM cooperation, mobile computing, BYOD and CYOD (Choose Your Own Device), Microsoft’s flagging impetus, and so on.

Why has sexy Apple gone to bed with Big Boring IBM?

Meanwhile, over at Daring Fireball, John Gruber has assembled an impressive array of commentary on the Apple and IBM marriage of convenience, among other things. I don’t always agree with Gruber, but he’s usually well worth reading and certainly keeps his eye on the journalistic workspace.

David Harley
Small Blue-Green World

Posted by: David Harley | June 24, 2014

iOS Activation Lock

Graham Cluley imparts some useful information for Intego’s blog: iPhone thefts drop in major cities as result of iOS 7′s Activation Lock. As it happens, I was asked about the Microsoft/Google kill switch and was slightly sceptical about some of the conclusions based on the Attorney General’s statistics, but as far as the iPhone is concerned, the implementation of the Activation Lock has certainly coincided and maybe resulted in a sizeable reduction in attacks targeting iPhone users. In any case, Graham’s summary of the iPhone mechanism is well worth reading if you have an iPhone.

David Harley
Small Blue-Green World

Posted by: David Harley | June 24, 2014

Sophos Security Tips

For Sophos (specifically the Naked Security blog), John Zorabedian offers the article Apple users: Try these five tips for better Mac security. While advising that ‘it’s time to upgrade to Mavericks’, that isn’t actually one of the five tips. However, as is fairly clear from the comments to the article (including responses in which Sophos security guru Paul Ducklin contributes huge doses of common sense and less common expertise), Apple’s fading support for earlier OS X versions has a direct bearing on the availability of security patches and updates, so that advice is highly relevant.

David Harley
Small Blue-Green World

Posted by: David Harley | June 12, 2014

iOS 8, Android, Yosemite

A few interesting issues that have come up recently:

MAC randomization in iOS 8 – a couple of interesting references that Aryeh Goretsky brought to my attention:

Meanwhile, Richard Henderson writes for Fortinet on What Do the New Features in OS X Yosemite and iOS 8 Mean For Privacy and Security?

John Zorabedian for Sophos/Naked Security: Apple’s iOS 8 will help keep out Wi-Fi marketers and snoops, but not totally

A little further back, Tim Cook happily conceded that Android is ahead of iOS in terms of susceptibility to malware:

David Harley
Small Blue-Green World

Posted by: David Harley | June 12, 2014

The Increasingly Strange Case of the Antipodean iOS Ransomware

[A shorter version of this article originally appeared on the ITsecurity web site.]

It’s not clear exactly what happened in the mysterious case of the Antipodean iOS ‘ransomware’ attack – in particular, why the only people affected initially seemed to be in Australia and New Zealand, though there have been subsequent reports of victims in the UK.

There’s a good blog/FAQ by Graham Cluley (who has done his usual excellent job of following the story) for Intego here, offering several possible thoughts as to what might have gone wrong, but most of them don’t really address the localization issue. The later arrests of two people in Moscow alleged to have carried out a similar attack against Russian iGadget users may shed more light on these events, but at the time of writing, as Thomas Reed has pointed out, there is at present no proven link between the two attacks on very different localities, offering no further answer to the question ‘why the Antipodes?’.

The Australian attacks seem to use the “Lost iDevice” feature, and affected Apple devices displayed this message: “Hacked by Oleg Pliss. For unlock device YOU NEED send voucher code by 100 $/eur one of this (Moneypack/Ukash/PaySafeCard) to [email address]”

The Russian attacks seem to have been effected by setting up a phishing site in order to capture iCloud credentials, then using the access thus obtained to lock the devices. However, according to Reed, the message in this case translates to “Your device is locked in relation to the complaint. And can help you unlock it. Check your email!”

My colleague at IT Security, Kevin Townsend, wrote in a recent blog:

The problem with this scam is that there is no malware that Apple can block in the future: it is the business process rather than the device software that is hacked. That means that other hackers can use the same methods again and again in the future – and it is quite likely that there will be other copycat attempts in the future.

It’s not impossible that the same parties carried out both attacks using a similar modus operandi based on phishing and social engineering, of course, but I think it’s too early to assume that the case is all but closed. It could even turn out that there is in fact some issue that can be addressed by patching or some form of re-engineering, though I’ve no grounds for suspecting the existence of the kind of vulnerability that Apple has already dismissed as a possibility. Frankly, there just isn’t enough information at present. Either way, Kevin is certainly right to stress the importance of taking advantage of the precautionary measures that are currently available.

Irrespective of what part of the world you live in, the most important (hopefully) preventative measure is to enable Apple’s 2-factor authentication for Apple ID credentials – as far as I can ascertain, no-one in Australia or New Zealand who’d done this had the Oleg Pliss problem. See Apple’s knowledgebase article for details of how to implement it. Essentially, this allows you to authenticate using a password and a 4-digit PIN (verification code) texted to a trusted device at each login, and also generates a 14-digit recovery in case of emergency.  This might also be a good time and reminder to change your AppleID password and ensure that you’re not re-using a password that might have been exposed by the compromise of another service.

Apple Australia has also suggested contacting AppleCare or visiting an Apple Store if necessary, and insists that an iCloud breach is not responsible.

Another colleague, Stephen Cobb, observed for WeLiveSecurity:

Regardless of where you live, this incident should serve as a wake-up call to Apple users who have not yet done the following:

  • Turn on Apple’s 2-factor authentication for Apple ID credentials
  • Establish a backup regime, using one or more of iCloud, iTunes, Time Machine
  • Create a strong and unique password for your AppleID

While Apple’s “walled garden” approach to protecting your devices from bad stuff and bad people is an excellent model, it is we, the Apple users who can sometimes be the weak link. Please take the time to do all three of the above.

For people who have been affected, you can try to erase and the device and its passcode using recovery mode. This is how http://support.apple.com/kb/ht1212 describes the procedure for people who haven’t synched with iTunes, don’t have Find My iPhone set up, or can’t restore from iTunes or iCloud backup via their own computer:

  • Disconnect all cables and turn off the device
  • Press and hold down the Home button while connecting to iTunes
  • When you do, iTunes should offer to restore the device.

Stephen noted:

Apple Australia has also suggested contacting AppleCare or visiting an Apple Store if necessary. The company has apparently stated that an iCloud breach is not responsible for this rash if incidents. Regardless of which hemisphere you are in, if you get a ransom message on any Apple device I suggest you head straight to the nearest Apple store. Apart from anything, this will help Apple learn more about the problem.

He also noted that there is no evidence that malware is involved and that the attacks are not related to more common types of ransomware that encrypt data and demand that the victims pay a ransom to get the decryption keys.

I don’t know of an instance where an Australian victim actually paid the ransom demand, but there’s no reason to assume that if they had the criminal would actually have restored the victim’s access to the affected device(s). It’s likely that victims might have paid and yet still had to do what amounts to a factory reset in order to get back the use of their iGadgets. Clearly, some Russian victims did pay up, since the alleged criminals were caught on CCTV withdrawing payments from those victims from an ATM.

Other links:

David Harley
Small Blue-Green World

Posted by: David Harley | May 28, 2014

iOS ransomware in the Antipodes

Ordinarily I’d probably have posted something here first, but I took the opportunity to put up my first proper security-focused blog at a new-ish independent security site. (Site founder Kevin Townsend has already been posting there for a while.) 

Antipodean iOS ransomware looks at a flurry of reports of people finding their iGadgets locked with a demand for money for unlocking them, and summarizes some of the measures that have been suggested for preventative and remediative measures. Also adds a couple of useful links. 

David Harley
Small Blue-Green World

Posted by: David Harley | May 22, 2014

Bypassing the iOS activation lock

Graham Cluley for Intego: Have Hackers Defeated the iPhone Kill Switch?

Report by Shaun Nichols for The Register: Hackers lay claim to exploit that defeats iPhone anti-theft tools: Dutch duo say they have thwarted remote locking mechanisms

Kelly Hodgkins for MacRumors: Hacker Team Claims Compromise of Apple’s iCloud and Activation Lock, Possibly via SSL Bug [Updated] (the update mentioned in the title is that ” One of the hackers has denied that the bypass involves an SSL bug.”

In brief, “AquaXetine” and “MerrukTechnolog” are reported to have found a way to bypass the iOS Activation Lock and also to access sensitive data from iCloud. The original report comes from the Dutch newspaper De Telegraaf.

David Harley
Mac Virus/Small Blue-Green World

Posted by: David Harley | May 17, 2014

If you’re looking for your /Users folder…

For a couple of days now I’ve been meaning to look properly into a couple of posts from John Gruber’s Daring Fireball blog about an issue with the Users Folder in OS X 10.9.3.

Fortunately, Graham Cluley has been paying closer attention: Buggy iTunes 11.2 update opened serious security hole on Apple Macs

Apparently there is an update that fixes the buggy update, so you probably don’t need to look into the workaround referenced in one of Gruber’s articles. Even if you don’t have multiple user accounts on your 10.9.3 system(s), it probably makes sense to update. Again.

David Harley
Small Blue-Green World 

Posted by: David Harley | April 27, 2014

Apology and Acknowledgement

Unfortunately, work, travel and other pressures have prevented me noting some interesting developments in Apple and mobile security recently. Sorry, but normal service will probably be resumed at the beginning of May.

In the meantime, I’d like to thank ICSA Labs for renewing the registration of the Mac Virus domain, which they own, but redirects to this site.

David Harley
Small Blue-Green World

Older Posts »

Categories

Follow

Get every new post delivered to your Inbox.

Join 35 other followers