Friday, June 13, 2014

Apple Device Ransom Attack Revelations

--


Recently there has been what appears to be a series of attacks on Apple devices, both OS X and iOS, from various sources. I had been watching the issue, but it wasn't amounting to a serious problem. That changed earlier this week when a pair of hackers were arrested in Russia for attempting to pull off a real working ransom scheme. A couple of my colleagues have written up articles about the situation. I would like to draw your attention to them as well as the subject in general.

Originally, this was considered to be one attacker using the moniker of 'Oleg Pliss' performing what I considered to be merely a proof-of-concept attack. The kidnapped Apple devices had messages pop up telling victims to send money to a PayPal account that never existed.

Then this happened:

Hackers suspected of holding Apple devices to ransom detained in Russia
Russian authorities say they have detained two young hackers who are alleged to have hijacked Apple devices and digitally held them ransom. 
The hackers - aged 17 and 23 - were detained in the course of "operational activities" by the Russian Interior Ministry, Russia's Ministry of Internal Affairs said. They are both residents of the southern administrative district of Moscow and one has been tried before, it said. 
According to Russian media outlet MKRU, the hackers were caught by CCTV when they withdrew victims' ransom money from an ATM.
. . . 
It appears that just over a week before Australian users began reporting similar hijacking attacks, a Russian publication reported Russian citizens were being targeted. The same hackers then may have used their techniques to hijack Australian devices although it may have been copycats.
The first impression was that these were the hackers passing as "Oleg Pliss". But there are strong indications that they are not. Their scheme turns out to be significantly different from and more elaborate than the "Oleg Pliss" attack. As The Sydney Morning Herald article above indicates, their attack predates the "Oleg Pliss" attack. Details are still being collected regarding exactly what they were doing. But here are a few details:
…The hackers used two "well-established" schemes to conduct their activities.  
"The first was to gain access to the Apple ID of a victim's account by creating phishing pages, [gaining] unauthorised access to email, or using social engineering techniques," the Ministry of Internal Affairs said. "The second scheme was aimed at binding ... devices to a pre-arranged account." 
The pre-arranged account was one that hackers owned then "leased", or sold, to users by offering movies and music. But in order to access the content, users needed to link their devices to the account, which left the devices vulnerable to being hijacked by hackers who knew the log-in details.
This wasn't any proof-of-concept attack. It was serious and working, until the Russian police caught the two red-handed.

Until such time as Apple makes changes to its 'Find My Mac' system, this ransom scheme is likely to happen again. Note that the 'locked' devices are entirely recoverable as long as the users have followed The #1 Rule of Computing and have made a backup. Sadly, as usual, there will be the newbie, granny and LUSER factors that will mean trouble for those users. That's going to potentially be a big problem. We'll see how it goes. I don't want to FUD the situation, but the ransom problem is now very real for Apple users. So keep your eyes open and keep your Apple ID information safe from hackers while we wait for further revelations.

Current details are available in articles by my colleagues Thomas Reed and Topher Kessler:

Russian iCloud hackers arrested


Russian hackers arrested in possible ‘Oleg Pliss’ iOS ransom attack




--

Tuesday, June 10, 2014

Adobe Patch Tuesday Security Hole Circus

--

Another Adobe Patch Tuesday, another pile of security holes we didn't know were there all along.

I decided to take another tack in my attack against Adobe's crapware. Below is a rant I posted up on MacUpdate along with my half-star rating of Adobe's Flash Internet plug-in.


~ ~ ~

This is why I hate Flash, this stuff, this constant insecurity STUFF:

"These updates resolve cross-site-scripting vulnerabilities (CVE-2014-0531, CVE-2014-0532, CVE-2014-0533).


"These updates resolve security bypass vulnerabilities (CVE-2014-0534, CVE-2014-0535).


"These updates resolve a memory corruption vulnerability that could result in arbitrary code execution (CVE-2014-0536)."


These are all the security holes patched in this update. This profound patching happens with EVERY update. And we know damned well that there are a hundred+ MORE security holes in this crap code that haven't been patched yet. Could this crap be programmed any WORSE? And Adobe dares defend the use of Flash on the Internet. Shut up Adobe and kill this skanky thing DEAD already! 


Oh and did you know that Adobe incorporates an old, unpatched, security hole riddled, zero-day attack prone version of Flash in their crappy Shockwave Internet plug-in, and that Adobe don't give a rat's about the consequences? IASSOTS Adobe.


ADVICE: Don't install EITHER Flash OR Shockwave if you want to stay safe on the Internet. They're the #2 and #3 MOST dangerous software a Mac user can run, close behind Oracle's crap Java Internet plug-in.

~ ~ ~

I think that gets the point across.

STILL no new Shockwave update. How dare you Adobe? After all the flood of hate from the Internet community about your implementation of Flash in Shockwave you do N O T H I N G ? We got the message. You hate your customers.


Oh and, as per usual, if there are Flash security holes, there are AIR security holes. If you still are forced to use this crapware, be sure to update BOTH.


What DO you care about Adobe? Besides the money?


--




Friday, June 6, 2014

Heartbleed Bug Part 3.
OR: More OpenSSL Shoes Keep Dropping
And They Hurt!

--

[Updated June 7th at ~10:45 am, thanks to assistance from my colleague Al Varnell.]

I've been delaying writing up another sequel in my Heartbleed Bug series of articles. Today's revelations kicked me back into gear. This is insane and soooo disappointing:

Stop. Put down the cup. Six new bugs found in OpenSSL – including a hole for snoopers
On a scale of 1 to Heartbleed, this is a 7

I could link to more professional reports of this new OpenSSL mess. But the subject deserves The Register's harsh *snark* treatment. (O_o)
OpenSSL today pushed out fixes for six security vulnerabilities – including a flaw that enables man-in-the-middle (MITM) eavesdropping on encrypted connections, and another that allows miscreants to drop malware on at-risk systems.
[Expletives Deleted], this is awful

Here is the list of security holes:

https://www.openssl.org/news/secadv_20140605.txt

The worst of these six holes, quoting The Register:
A DTLS invalid fragment bug (CVE-2014-0195, affects versions 0.9.8, 1.0.0 and 1.0.1) can be used to inject malicious code into vulnerable software on apps or servers.
. . . .

An SSL/TLS MITM vulnerability (CVE-2014-0224, potentially affects all clients, and servers running 1.0.1 and 1.0.2-beta1) is arguably worse.
. . . . 
All OpenSSL users should be updating.
For Mac users, the ramification is that Apple has some patching to do! At this time, Apple uses OpenSSL v0.9.8y, which has the CVE-2014-0195 security hole. That's very bad. Apple has to patch: EVERY version of OS X, including 10.9.3. Hopefully, the upcoming 10.9.4 update will have either updated or entirely removed OpenSSL.

As of OS X 10.7.x, Apple deprecated OpenSSL in favor of Common Crypto. However, Apple still has OpenSSL v0.9.8y within OS X for occasions when Common Crypto is not suitable. My colleague Al Varnell left a comment below regarding why Apple still integrates OpenSSL:
My reading of why Apple provides openssl 0.98y is as a convenience to third party developers that rely on openssl for whatever reasons and that it never uses it for any OS X or Apple apps, so I don't know that they will be in any hurry to replace it.
Theoretically, Apple will release a new 2014 Security Update to solve their OpenSSL problems. Keep an eye out.

NOTE: There are also XWindows applications and services using OpenSSL. Therefore, if you have installed any X11/XQuartz/Fink/MacPorts stuff, UPDATE THEM NOW. You know what to do. (I don't cover XWindows apps in this blog as it is beyond the scope of my intended audience).

Update: Al Varnell notes:
I did check early yesterday morning and MacPorts had already updated their version to 1.0.1h which is the newly recommended version to fix all currently known issues. That might be one quick way of reducing risk. 
~ ~ ~ ~ ~

Meanwhile, back to the Heartbleed Bug:

Several resources have been made available to help Mac users sort out:

A) What websites are still unpatched.
B) What websites are/were affected.
C) What websites require users to create a new password due to the bug.

My colleague Josh Long has put together an excellent list of Heartbleed Bug affected and unaffected websites. Save it to your desktop and refer to it as you surf the net. Or go through the list of websites you log into and check whether you must change your password there or not:

Heartbleed Affected More Sites Than You Realized
Given the enormity of this list, I strongly recommend that you search within this page for any sites you use, rather than trying to look through it alphabetically. Please note that there are several sections. Be sure to especially look at the first two sections; if you use any sites listed in those sections, you'll want to change your passwords for those sites (and anywhere else you may have shared the same password) as soon as possible.
Josh provides the following sections in his Heartbleed list:
  • Change Passwords NOW
  • Change Passwords NOW (but make sure you do it while connected to a trusted network) [IOW: Not while on an open Wi-Fi hub]
  • Unknown/Ambiguous
  • Known Safe - No Password Change Needed (according to the company and/or third-party tests)
  • Further Notes and Explanations
  • Other Lists of Current/Past Allegedly Affected Sites
  • Test Pages - How to Check Whether a Site Is/Was Vulnerable
Another tool I've found is the Chromebleed add-on for the Chromium series of browsers:

https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic

If readers find other such tools, please let us know in the comments! Thanks.

:-Derek
--



Wednesday, May 28, 2014

Apple Fumbles Again:
Software Update Broken Because
Apple Neglected To Update SSL Certificate

--

This crisis has ended, but…

Oh, if only I was the security boss over at Apple these days, my guillotine would be rusty with blood. Fumbling Bumbling Buffoonery. Better not hire me Apple.

But I digress. Check out these articles over at MacRumors and MacWorld (which itself has had recent severe incidents of fumbling and bumbling) about Apple breaking their Software Update system by way of forgetting to update its SSL security certificate. This is pure idiocy by Apple. Idiocy.

Apple Forgets to Renew SSL Certificate, Breaking OS X Software Update

Apple neglects to renew SSL certificate, breaks Software Update in the process

Apple, do you have a higher priority than user security?

No you do not.

Get your act together please. This is a trend. It deserves loud computer community criticism.


--

Thursday, May 15, 2014

Invalid Apple PGP/GPG Key!
Is It Fake?
Or Is It A Blunder?

--

[Updated and solved at 3:22 pm. See the Addendum below.]

At 1:57 pm today, I received an email from 'Apple' entitled "APPLE-SA-2014-05-15-1 OS X Mavericks v10.9.3". 

The problem? It is signed with an INVALID PGP/GPG KEY. The public key in question is ID 0xEE3A8EED. No such key!

For those unfamiliar with PGP or GPG, a public key is part of a key exchange process which allows someone sending email to verify exactly who they are. They have uploaded their public key to the public key server, used by everyone for such exchanges. When they send an email, that public key is sent along in the email. Then the receiver can verify exactly who sent them the email by checking for the key on the key server.

Obviously, Apple uses public keys in order to allow you and me to know when an email message from them is real, as opposed to being FORGED by some crook or loon.

So what are we to make of an email from 'Apple' that has an INVALID KEY?!

The answer is: 
Assume it's a FAKE!

So Apple! Did you really send me this 10.9.3 announcement?
OR
Is this a fraud?!
OR
Is the Public Key Server messed up?

If Apple really did send me this email, and the server is working: OOPS! Apple pulled a HUGE BLUNDER!

I'm not going to share the email here in case it really is fraudulent. More later as my colleagues and I investigate this mysterious situation.


--

ADDENDUM: The Solution!

I beat Apple's key to the key server!

The key in question is NOW valid. There is no way to know when Apple uploaded this new key to the key server. But clearly, it was not being read out by the server at the time they sent their 10.9.3 announcement.

So the problem is, I have to assume, the PGP/GPG key server has a lag AND Apple delayed uploading their new key to the server until today. Their new key was created on May 2nd, would you believe. So that's apparently quite a delay between key creation and key upload to the server. I wish there was zero delay at the key server. How much is server lag contributing to the problem? I'm concerned enough to investigate that aspect further. I have networked with the GPG developer folks for years. Therefore, I'll attempt to chat with them about this situation.
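
An added example (not from the original post, and not Apple's or GnuPG's own code): a small shell function that reads the status lines GnuPG prints with `--status-fd` and separates "signing key not in the keyring" from "signature does not match", the distinction this post turned on. The pinned fingerprint, the sample status lines and the verdict names are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn `gpg --status-fd` output into one verdict, so a
# key that is merely missing is not reported the same way as a forgery.

# Full fingerprint obtained out-of-band from the sender.
# Constructed placeholder, not any real key.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Reads GnuPG status lines on stdin and prints a single verdict word.
classify_gpg_status() {
    bad=0 nokey=0 stale=0 fpr=""
    while read -r tag keyword arg1 _rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            BADSIG)              bad=1 ;;      # data or signature was altered
            NO_PUBKEY)           nokey=1 ;;    # signing key not in local keyring
            EXPKEYSIG|REVKEYSIG) stale=1 ;;    # valid math, key expired/revoked
            VALIDSIG)            fpr=$arg1 ;;  # full fingerprint of signing key
        esac
    done
    # VALIDSIG can accompany EXPKEYSIG/REVKEYSIG, so check those first.
    if   [ "$bad" -eq 1 ];   then echo "ALTERED_OR_FORGED"
    elif [ "$nokey" -eq 1 ]; then echo "UNVERIFIABLE_KEY_MISSING"
    elif [ "$stale" -eq 1 ]; then echo "KEY_EXPIRED_OR_REVOKED"
    elif [ -z "$fpr" ];      then echo "NO_VALID_SIGNATURE"
    elif [ "$fpr" = "$PINNED_FPR" ]; then echo "GOOD_PINNED_KEY"
    else echo "GOOD_BUT_UNEXPECTED_KEY"
    fi
}

# Constructed samples. The first mirrors the situation in this post: the
# key could not be fetched. Its long key ID is a zero-padded placeholder
# built from the short ID quoted above, not Apple's real long key ID.
SAMPLE_NO_KEY='[GNUPG:] ERRSIG 00000000EE3A8EED 1 2 00 1400000000 9
[GNUPG:] NO_PUBKEY 00000000EE3A8EED'
SAMPLE_GOOD='[GNUPG:] GOODSIG 89ABCDEF01234567 Example Sender <sender@example.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2014-05-15 1400000000 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_BAD='[GNUPG:] BADSIG 89ABCDEF01234567 Example Sender <sender@example.com>'

for sample in "$SAMPLE_NO_KEY" "$SAMPLE_GOOD" "$SAMPLE_BAD"; do
    printf '%s\n' "$sample" | classify_gpg_status
done

# On a real message (requires gpg):
#   gpg --status-fd 1 --verify announcement.asc 2>/dev/null | classify_gpg_status
```

The verdict for a missing key is deliberately neither good nor forged: until the key can be fetched and its full fingerprint compared with one obtained through a trusted channel, the message is simply unverified.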

CONCLUSION: Case Closed!

--

Sunday, May 4, 2014

Privacy Badger:
EFF Attacks 'Do Not Track' Deniers

--

Lately, I've been bashing away at all the applications and add-ons that seek and destroy Evercookies, those evil code danglers our web browsers leave exposed to the world, allowing nefarious marketing morons (vs marketing mavens) and #MyStupidGovernment to TRACK us wherever we go and whatever we do on the Internet. 

I for one condemn our surveilling overlords.

One fun browser add-on that just hit my radar is Privacy Badger, from my pals at EFF, the Electronic Frontier Foundation. It's currently in alpha testing, which means it's guaranteed to be broken and annoying. But I think it's going to be fun to test it out.

There is one big fat problem at the moment: 
Privacy Badger is Apple Safari illiterate, and so apparently are its developers. That's really bad IMHO. So let's nag EFF to figure out how to make the two compatible. Or as EFF put it: 
If you have an idea for how to make Privacy Badger work for Safari…, please let us know!
Here's the Privacy Badger page at EFF:

https://www.eff.org/privacybadger

Here's an article about Privacy Badger and its hope for the future:

Watch out, Yahoo! EFF looses BADGER on sites that ignore Do Not Track
Browser plugin nudges companies toward compliance

Me: I'll be trying out Privacy Badger on Firefox. Yes I know, Firefox for OS X can be an awful PITA to use, ruining web page rendering, requiring frequent cache dumps and page reloads. But it does have some lovely tools for wrestling the dark side of the Internet into total submission. I like that.

(I recently dumped Chromium as I am sick of it nagging me to log into Google every time I run the thing. I now consider Chromium to be 'nagware', which I never abide).

Some day in the future I'll be comparing the two prominent cookie control applications as well as the safe and reliable browser add-ons that kill tracking cookies dead. I also have this great idea for a new add-on for all web browsers that sends a header to all tracking websites that says "HA HA! YOU CAN'T TRACK ME!" What a glorious day that would be.

In case you didn't know: Privacy is a natural human right. Here in the USA, we have the Fourth Amendment to the US Constitution that spells it out quite elegantly and simply. But as we all now know, #MyStupidGovernment enjoys pretending the US Constitution doesn't even exist. That's a bad thing.

Total end-to-end encryption of everything on the Internet is now the goal. #MyStupidGovernment brought it on themselves.
--
For reference purposes:

The Fourth Amendment to the US Constitution:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Some relevant quotes:
They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.
- Benjamin Franklin, Historical Review of Pennsylvania, 1759
To announce that there must be no criticism of the president, or that we are to stand by the president, right or wrong, is not only unpatriotic and servile, but is morally treasonable to the American public.
- Theodore Roosevelt - Kansas City Star, 7 May 1918
--

Monday, April 28, 2014

Adobe Flash Player v13.0.0.206:
Critical Out Of Band Update,
Exploit In-The-Wild

--

Today Adobe released a critical, out of band update of Adobe Flash Player. The new version is 13.0.0.206. There is an exploit of previous versions of Flash in-the-wild. Update immediately please.

Adobe's security bulletin can be found here:

http://helpx.adobe.com/security/products/flash-player/apsb14-13.html
These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system.
Adobe is aware of reports that an exploit for CVE-2014-0515 exists in the wild, and is being used to target Flash Player users on the Windows platform. Adobe recommends users update their product installations to the latest versions. . . .
These updates resolve a buffer overflow vulnerability that could result in arbitrary code execution (CVE-2014-0515).
At this point, the exploit is only on Windows OS computers. But it can easily be exploited on other platforms as well.

[Cross fingers that Adobe managed to compile this version correctly for ALL supported versions of OS X. (0_o)]




--