Posted by: David Harley | August 21, 2014

Apple on message, spammers on iMessage?

Robert McMillan reports for Wired that Apple’s iMessage Is Being Taken Over by Spammers.

I haven’t used it, but iMessage sounds like a nice messaging app for communication between devices running iOS or OS X, as long as you stick with those platforms. However, Cloudmark now claims that it carries 30% of all mobile spam, because it’s so easy to use a Mac to send messages to multiple addresses with an AppleScript. AppleInsider, however, is sceptical, under the headline Report claims iMessage spam on the rise, but little evidence appears in support, citing Cloudmark’s previous admission that its tracking database may not distinguish well between iMessage spam and SMS spam, and the low volume of traffic about the issue on Apple’s own forums.

John Gruber also thinks that the title of the Wired article rather overstates it, though he has some (unspectacular) personal experience of iMessage spam.

David Harley
Small Blue-Green World

Posted by: David Harley | August 16, 2014

To Jailbreak or not to Jailbreak?

If you’re wondering whether it’s worth jailbreaking your iGadget in order to break away from Apple’s iron-fisted control, you might want to read Graham Cluley’s blog for Intego: Don’t Jailbreak Your iPhone if You Want to Stop Government Spyware.

In fact, while not all iOS malware has been dependent on the victim device being jailbroken, that iron fist does seem to reduce the risks.

David Harley
Small Blue-Green World

Posted by: David Harley | August 15, 2014

I Can Name that iTune in – Oh, I’m Infected…

Researchers at the Georgia Institute of Technology will present a paper at USENIX Security on 20th August: On the Feasibility of Large-Scale Infections of iOS Devices. The abstract asserts that “…infecting a large number of iOS devices through botnets is feasible. By exploiting design flaws and weaknesses in the iTunes syncing process, the device provisioning process, and in file storage…”

I look forward to reading the paper after it’s presented, but it seems to me a bit of a stretch from demonstrating that a single compromised Windows machine can be used to install malicious apps and steal data, to asserting that ‘23% of bots will eventually have connections with iOS devices, thus making a large scale infection feasible’. That assertion is based on the statement that ‘23% of bot IP addresses demonstrate iOS device existence and Windows iTunes purchases’, which isn’t at all the same thing. I don’t say that large scale infection isn’t possible, but first there has to be a large scale infection of Windows devices with malware ultimately and specifically targeting iOS devices.

In fact, I’m more in sympathy with John Leyden’s suggestion in The Register that ‘smaller scale attacks are much more likely to escape notice and therefore arguably present the biggest concern…’

An article in Computerworld by Jeremy Kirk notes that one of the researchers observed that ‘they conducted their research using iOS devices connected to Windows, since most botnets are on that platform, but their attack methods also apply to OS X’.

David Harley
Small Blue-Green World

Posted by: David Harley | August 14, 2014


A nice analysis on the Virus Bulletin site by Axelle Apvrille of the surprisingly widespread malware iOS/AdThief (a.k.a. Spad, though I personally hate it when the malware author gets to choose the name of the threat): Paper: Inside the iOS/AdThief malware. Sparked by earlier research by Claud Xiao.

As good an argument for not jailbreaking your iGadget as I’ve come across to date.

David Harley
Small Blue-Green World

Posted by: David Harley | July 23, 2014

iOS through the backdoor?

[Update: useful commentary on the same issue for the Sophos blog from John Zorabedian here: iSpy? Researcher exposes backdoor in iPhones and iPads]

The Register has updated its article – HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – from earlier in the week regarding Jonathan Zdziarski’s paper claiming that iOS devices contain data discovery tools that could be (mis)used, especially by adept government snoopers.

Apple has responded (according to El Reg) that “…services identified by Zdziarski are not deliberately provided for government agencies to exploit. Instead, they are for “diagnostic” purposes and to allow enterprise IT bods to manage workers’ devices.” (Ah: so it’s all the fault of security-minded commentators advising that CYOD is better than BYOD, huh?) However, Zdziarski is not convinced, citing the lack of user control over the feature.

David Harley
Small Blue-Green World

Posted by: David Harley | July 18, 2014

Ripening of the Big Blue Apple

Gavin Clarke’s article for The Register seems to have more typographical errors than any Register article I’ve ever seen (guys, it’s a colour palette, not a colour pallet!), but it does make some interesting points about the new era of Apple/IBM cooperation, mobile computing, BYOD and CYOD (Choose Your Own Device), Microsoft’s flagging impetus, and so on.

Why has sexy Apple gone to bed with Big Boring IBM?

Meanwhile, over at Daring Fireball, John Gruber has assembled an impressive array of commentary on the Apple and IBM marriage of convenience, among other things. I don’t always agree with Gruber, but he’s usually well worth reading and certainly keeps his eye on the journalistic workspace.

David Harley
Small Blue-Green World

Posted by: David Harley | June 24, 2014

iOS Activation Lock

Graham Cluley imparts some useful information for Intego’s blog: iPhone thefts drop in major cities as result of iOS 7's Activation Lock. As it happens, I was asked about the Microsoft/Google kill switch and was slightly sceptical about some of the conclusions based on the Attorney General’s statistics, but as far as the iPhone is concerned, the implementation of Activation Lock has certainly coincided with, and may well have resulted in, a sizeable reduction in attacks targeting iPhone users. In any case, Graham’s summary of the iPhone mechanism is well worth reading if you have an iPhone.

David Harley
Small Blue-Green World

Posted by: David Harley | June 24, 2014

Sophos Security Tips

For Sophos (specifically the Naked Security blog), John Zorabedian offers the article Apple users: Try these five tips for better Mac security. While advising that ‘it’s time to upgrade to Mavericks’, that isn’t actually one of the five tips. However, as is fairly clear from the comments to the article (including responses in which Sophos security guru Paul Ducklin contributes huge doses of common sense and less common expertise), Apple’s fading support for earlier OS X versions has a direct bearing on the availability of security patches and updates, so that advice is highly relevant.

David Harley
Small Blue-Green World

Posted by: David Harley | June 12, 2014

iOS 8, Android, Yosemite

A few interesting issues that have come up recently:

MAC randomization in iOS 8 – a couple of interesting references that Aryeh Goretsky brought to my attention:

Meanwhile, Richard Henderson writes for Fortinet on What Do the New Features in OS X Yosemite and iOS 8 Mean For Privacy and Security?

John Zorabedian for Sophos/Naked Security: Apple’s iOS 8 will help keep out Wi-Fi marketers and snoops, but not totally

A little further back, Tim Cook happily conceded that Android is ahead of iOS in terms of susceptibility to malware:

David Harley
Small Blue-Green World

Posted by: David Harley | June 12, 2014

The Increasingly Strange Case of the Antipodean iOS Ransomware

[A shorter version of this article originally appeared on the ITsecurity web site.]

It’s not clear exactly what happened in the mysterious case of the Antipodean iOS ‘ransomware’ attack – in particular, why the only people affected initially seemed to be in Australia and New Zealand, though there have been subsequent reports of victims in the UK.

There’s a good blog/FAQ by Graham Cluley (who has done his usual excellent job of following the story) for Intego here, offering several possible explanations of what might have gone wrong, but most of them don’t really address the localization issue. The later arrests of two people in Moscow alleged to have carried out a similar attack against Russian iGadget users may shed more light on these events, but at the time of writing, as Thomas Reed has pointed out, there is no proven link between the two attacks on very different localities, so we are no nearer an answer to the question ‘why the Antipodes?’.

The Australian attacks seem to use the “Lost iDevice” feature, and affected Apple devices displayed this message: “Hacked by Oleg Pliss. For unlock device YOU NEED send voucher code by 100 $/eur one of this (Moneypack/Ukash/PaySafeCard) to [email address]”

The Russian attacks seem to have been effected by setting up a phishing site in order to capture iCloud credentials, then using the access thus obtained to lock the devices. However, according to Reed, the message in this case translates to “Your device is locked in relation to the complaint. And can help you unlock it. Check your email!”

My colleague at IT Security, Kevin Townsend, wrote in a recent blog:

The problem with this scam is that there is no malware that Apple can block in the future: it is the business process rather than the device software that is hacked. That means that other hackers can use the same methods again and again in the future – and it is quite likely that there will be other copycat attempts in the future.

It’s not impossible that the same parties carried out both attacks using a similar modus operandi based on phishing and social engineering, of course, but I think it’s too early to assume that the case is all but closed. It could even turn out that there is in fact some issue that can be addressed by patching or some form of re-engineering, though I’ve no grounds for suspecting the existence of the kind of vulnerability that Apple has already dismissed as a possibility. Frankly, there just isn’t enough information at present. Either way, Kevin is certainly right to stress the importance of taking advantage of the precautionary measures that are currently available.

Irrespective of what part of the world you live in, the most important (hopefully) preventative measure is to enable Apple’s 2-factor authentication (two-step verification) for Apple ID credentials – as far as I can ascertain, no-one in Australia or New Zealand who’d done this had the Oleg Pliss problem. See Apple’s knowledge base article for details of how to implement it. Essentially, this requires you to authenticate with your password and a 4-digit verification code sent to a trusted device when you sign in, and it also generates a 14-character Recovery Key for use in an emergency (for instance, if you lose access to your trusted devices). This might also be a good time and reminder to change your Apple ID password and ensure that you’re not re-using a password that might have been exposed by the compromise of another service.
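To make the mechanics of that second step concrete, here is an added illustrative model of a two-step login (password, then a short verification code delivered to a trusted device, with a long recovery key as the fallback). It is example code written for this page, not Apple’s implementation: the 4-digit code and 14-character recovery key follow the description above, while the five-minute code lifetime, the three-attempt cap, the recovery-key alphabet and the PBKDF2 storage are assumptions. The point it demonstrates is why a 4-digit code is only safe in combination with expiry, single use and an attempt cap.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Illustrative model of a two-step login, added for this page; not Apple's code.
# CODE_DIGITS and RECOVERY_KEY_LENGTH follow the description in the text;
# everything else below is an assumption chosen for the example.

CODE_DIGITS = 4              # 4-digit verification code, as described
RECOVERY_KEY_LENGTH = 14     # 14-character recovery key, as described
CODE_TTL_SECONDS = 300       # assumed: a code is valid for five minutes
MAX_CODE_ATTEMPTS = 3        # assumed: three wrong guesses void the code
KEY_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumed: no 0/O or 1/I


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Slow salted hash, so a leaked store of passwords or recovery keys is not directly usable."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts_left: int = MAX_CODE_ATTEMPTS


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    recovery_hash: bytes
    trusted_device: str
    challenge: Optional[Challenge] = None


def create_account(password: str, trusted_device: str) -> Tuple[Account, str]:
    """Enrol an account. The recovery key is shown to the user once; only its hash is kept."""
    salt = secrets.token_bytes(16)
    recovery_key = "".join(secrets.choice(KEY_ALPHABET) for _ in range(RECOVERY_KEY_LENGTH))
    account = Account(
        salt=salt,
        password_hash=hash_secret(password, salt),
        recovery_hash=hash_secret(recovery_key, salt),
        trusted_device=trusted_device,
    )
    return account, recovery_key


def start_login(account: Account, password: str, now: float) -> Optional[str]:
    """Step one: check the password; on success issue a fresh code for the trusted device.

    Returns the code that would be delivered to the trusted device (delivery is
    simulated here), or None if the password is wrong. A new challenge replaces
    any older one, so a stale code cannot be replayed.
    """
    if not hmac.compare_digest(hash_secret(password, account.salt), account.password_hash):
        return None
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    account.challenge = Challenge(code=code, issued_at=now)
    return code  # a real system sends this to account.trusted_device, not to the caller


def verify_code(account: Account, submitted: str, now: float) -> bool:
    """Step two: accept the code only if it is current, unexpired and not exhausted."""
    ch = account.challenge
    if ch is None or now - ch.issued_at > CODE_TTL_SECONDS or ch.attempts_left <= 0:
        account.challenge = None
        return False
    if hmac.compare_digest(submitted, ch.code):
        account.challenge = None  # single use: the same code never works twice
        return True
    ch.attempts_left -= 1
    if ch.attempts_left == 0:
        account.challenge = None  # too many guesses: back to the password step
    return False


def recover_with_key(account: Account, key: str) -> bool:
    """Emergency path when the trusted device is gone: the long recovery key."""
    return hmac.compare_digest(hash_secret(key.upper(), account.salt), account.recovery_hash)


def guess_probability(digits: int, attempts: int) -> float:
    """Chance that an attacker who already has the password guesses a live code within the cap."""
    return attempts / (10 ** digits)
```

With the assumed limits, an attacker who has phished the password and tries to guess the code blind gets three guesses out of ten thousand possibilities per login attempt (`guess_probability(4, 3)` is 0.0003), and each failed round sends another code to the legitimate user's device, which is itself a warning sign. Without the cap and the expiry, the same 4-digit code would fall to a few thousand automated guesses, which is why the short code and the long recovery key are complementary rather than interchangeable.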

Apple Australia has also suggested contacting AppleCare or visiting an Apple Store if necessary, and insists that an iCloud breach is not responsible.

Another colleague, Stephen Cobb, observed for WeLiveSecurity:

Regardless of where you live, this incident should serve as a wake-up call to Apple users who have not yet done the following:

  • Turn on Apple’s 2-factor authentication for Apple ID credentials
  • Establish a backup regime, using one or more of iCloud, iTunes, Time Machine
  • Create a strong and unique password for your AppleID

While Apple’s “walled garden” approach to protecting your devices from bad stuff and bad people is an excellent model, it is we, the Apple users who can sometimes be the weak link. Please take the time to do all three of the above.

For people who have been affected, you can try to erase the device and its passcode using recovery mode. This is how the procedure is described for people who haven’t synced with iTunes, don’t have Find My iPhone set up, or can’t restore from an iTunes or iCloud backup via their own computer:

  • Disconnect all cables and turn off the device
  • Press and hold down the Home button while connecting to iTunes
  • When you do, iTunes should offer to restore the device.

Stephen noted:

Apple Australia has also suggested contacting AppleCare or visiting an Apple Store if necessary. The company has apparently stated that an iCloud breach is not responsible for this rash of incidents. Regardless of which hemisphere you are in, if you get a ransom message on any Apple device I suggest you head straight to the nearest Apple store. Apart from anything, this will help Apple learn more about the problem.

He also noted that there is no evidence that malware is involved and that the attacks are not related to more common types of ransomware that encrypt data and demand that the victims pay a ransom to get the decryption keys.

I don’t know of an instance where an Australian victim actually paid the ransom demand, but there’s no reason to assume that if they had the criminal would actually have restored the victim’s access to the affected device(s). It’s likely that victims might have paid and yet still had to do what amounts to a factory reset in order to get back the use of their iGadgets. Clearly, some Russian victims did pay up, since the alleged criminals were caught on CCTV withdrawing payments from those victims from an ATM.

David Harley
Small Blue-Green World
