Friday, June 13, 2014

Apple Device Ransom Attack Revelations

--


Recently there has been what appears to be a series of attacks on Apple devices, both OS X and iOS, from various sources. I had been watching the issue, but it wasn't amounting to a serious problem. That changed earlier this week when a pair of hackers were arrested in Russia for attempting to pull off a real working ransom scheme. A couple of my colleagues have written up articles about the situation. I would like to draw your attention to them as well as the subject in general.

Originally, this was considered to be one attacker using the moniker of '‘Oleg Pliss’ performing what I considered to be merely a proof-of-concept attack. The kidnapped Apple devices had messages pop up telling victims to send money to a Paypal account that never existed.

Then this happened:

Hackers suspected of holding Apple devices to ransom detained in Russia
Russian authorities say they have detained two young hackers who are alleged to have hijacked Apple devices and digitally held them ransom. 
The hackers - aged 17 and 23 - were detained in the course of "operational activities" by the Russian Interior Ministry, Russia's Ministry of Internal Affairs said. They are both residents of the southern administrative district of Moscow and one has been tried before, it said. 
According to Russian media outlet MKRU,  the hackers were caught by CCTV when they withdrew victims' ransom money from an ATM.
. . . 
It appears that just over a week before Australian users began reporting similar hijacking attacks, a Russian publication reported Russian citizens were being targeted. The same hackers then may have used their techniques to hijack Australian devices although it it may have been copycats.
The first impression was that these were the hackers passing as "Oleg Pliss". But there are strong indications that they are not. Their scheme turns out to be significantly different from and more elaborate than the "Oleg Pliss" attack. As The Sydney Morning Herald article above indicates, their attack to predates the "Oleg Pliss" attack. Details are still being collected regarding exactly what they were doing. But here are a few details:
…The hackers used two "well-established" schemes to conduct their activities.  
"The first was to gain access to the Apple ID of a victim's account by creating phishing pages, [gaining] unauthorised access to email, or using social engineering techniques," the Ministry of Internal Affairs said. "The second scheme was aimed at binding ... devices to a pre-arranged account." 
The pre-arranged account was one that hackers owned then "leased", or sold, to users by offering movies and music. But in order to access the content, users needed to link their devices to the account, which left the devices vulnerable to being hijacked by hackers who knew the log-in details.
This wasn't any proof-of-concept attack. It was serious and working, until the Russian police caught the two red-handed.

Until such time as Apple makes changes to its 'Find My Mac' system, this ransom scheme is likely to happen again. Note that the 'locked' devices are entirely recoverable as long as the users have followed The #1 Rule of Computing and have made a backup. Sadly, as usual, there will be the newbie, granny and LUSER factors that will mean trouble for those users. That's going to potentially be a big problem. We'll see how it goes. I don't want to FUD the situation, but the ransom problem is now very real for Apple users. So keep your eyes open and keep your Apple ID information safe from hackers while we wait for further revelations.

Current details are available in articles by my colleagues Thomas Reed and Topher Kessler:

Russian iCloud hackers arrested


Russian hackers arrested in possible ‘Oleg Pliss’ iOS ransom attack




--

Tuesday, June 10, 2014

Adobe Patch Tuesday Security Hole Circus

--

Another Adobe Patch Tuesday, another pile of security holes we didn't know were there all along.

I decided to take another tack in my attack against Adobe's crapware. Below is a rant I posted up on MacUpdate along with my half-star rating of Adobe's Flash Internet plug-in.


~ ~ ~

This is why I hate Flash, this stuff, this constant insecurity STUFF:

"These updates resolve cross-site-scripting vulnerabilities (CVE-2014-0531, CVE-2014-0532, CVE-2014-0533).


"These updates resolve security bypass vulnerabilities (CVE-2014-0534, CVE-2014-0535).


"These updates resolve a memory corruption vulnerability that could result in arbitrary code execution (CVE-2014-0536)."


These are all the security holes patched in this update. This profound patching happens with EVERY update. And we know damned well that there are a hundred+ MORE security holes in this crap code that haven't been patched yet. Could this crap be programmed any WORSE? And Adobe dares defend the use of Flash on the Internet. Shut up Adobe and kill this skanky thing DEAD already! 


Oh and did you know that Adobe incorporates an old, unpatched, security hole riddled, zero-day attack prone version of Flash in their crappy Shockwave Internet plug-in, and that Adobe don't give a rat's about the consequences? IASSOTS Adobe.


ADVICE: Don't install EITHER Flash OR Shockwave if you want to stay safe on the Internet. They're the #2 and #3 MOST dangerous software a Mac user can run, close behind Oracle's crap Java Internet plug-in.

~ ~ ~

I think that gets the point across.

STILL no new Shockwave update. How dare you Adobe? After all the flood of hate from the Internet community about your implementation of Flash in Shockwave you do N O T H I N G ? We got the message. You hate your customers.


Oh and, as per usual, if there are Flash security holes, there are AIR security holes. If you still are forced to use this crapware, be sure to update BOTH.


What DO you care about Adobe? Besides the money?


--




Friday, June 6, 2014

Heartbleed Bug Part 3.
OR: More OpenSSL Shoes Keep Dropping
And They Hurt!

--

[Updated June 7th at ~10:45 am, thanks to assistance from my colleague Al Varnell.]

I've been delaying writing up another sequel in my Heartbleed Bug series of articles. Today's revelations kicked me back into gear. This is insane and soooo disappointing:

Stop. Put down the cup. Six new bugs found in OpenSSL – including a hole for snoopers
On a scale of 1 to Heartbleed, this is a 7

I could link to more professional reports of this new OpenSSL mess. But the subject deserves The Register's harsh *snark* treatment. (O_o)
OpenSSL today pushed out fixes for six security vulnerabilities – including a flaw that enables man-in-the-middle (MITM) eavesdropping on encrypted connections, and another that allows miscreants to drop malware on at-risk systems.
[Expletives Deleted], this is awful

Here is the list of security holes:

https://www.openssl.org/news/secadv_20140605.txt

The worst of these six holes, quoting The Registry:
A DTLS invalid fragment bug (CVE-2014-0195, affects versions 0.9.8, 1.0.0 and 1.0.1) can be used to inject malicious code into vulnerable software on apps or servers.
. . . .

An SSL/TLS MITM vulnerability (CVE-2014-0224, potentially affects all clients, and servers running 1.0.1 and 1.0.2-beta1) is arguably worse.
. . . . 
All OpenSSL users should be updating.
For Mac users, the ramification is that Apple has some patching to do! At this time, Apple uses OpenSSL v0.9.8y, which has the CVE-2014-0195 security hole. That's very bad. Apple has to patch: EVERY version of OS X, including 10.9.3. Hopefully, the upcoming 10.9.4 update will have either updated or entirely removed OpenSSL.

As of OS X 10.7.x, Apple deprecated OpenSSL in favor of Common Crypto. However, Apple still has OpenSSL v0.9.8y within OS X for occasions when Common Crypto is not suitable. My colleague Al Varnell left a comment below regarding why Apple still integrates OpenSSL:
My reading of why Apple provides openssl 0.98y is as a convenience to third party developers that rely on openssl for whatever reasons and that it never uses it for any OS X or Apple apps, so I don't know that they will be in any hurry to replace it.
Theoretically, Apple will release a new 2014 Security Update to solve their OpenSSL problems. Keep an eye out.

NOTE: There are also XWindows applications and services using OpenSSL. Therefore, if you have installed any X11/XQuartz/Fink/MacPorts stuff, UPDATE THEM NOW. You know what to do. (I don't cover XWindows apps in this blog as it is beyond the scope of my intended audience).

Update: Al Varnell notes:
I did check early yesterday morning and MacPorts had already updated their version to 1.0.1h which is the newly recommended version to fix all currently known issues. That might be one quick way of reducing risk. 
~ ~ ~ ~ ~

Meanwhile, back to the Heartbleed Bug:

Several resources have been made available to help Mac users sort out:

A) What websites are still unpatched.
B) What websites are/were affected.
C) What websites require users to create a new password due to the bug.

My colleague Josh Long has put together an excellent list of Heartbleed Bug affected and unaffected websites. Save it to your desktop and refer to it as you surf the net. Or go through the list of websites you log into and check whether you must change your password there or not:

Heartbleed Affected More Sites Than You Realized
Given the enormity of this list, I strongly recommend that you search within this page for any sites you use, rather than trying to look through it alphabetically. Please note that there are several sections. Be sure to especially look at the first two sections; if you use any sites listed in those sections, you'll want to change your passwords for those sites (and anywhere else you may have shared the same password) as soon as possible.
Josh provides the following sections in his Heartbleed list:
  • Change Passwords NOW
  • Change Passwords NOW (but make sure you do it while connected to a trusted network) [IOW: Not while on an open Wi-Fi hub]
  • Unknown/Ambiguous
  • Known Safe - No Password Change Needed (according to the company and/or third-party tests)
  • Further Notes and Explanations
  • Other Lists of Current/Past Allegedly Affected Sites
  • Test Pages - How to Check Whether a Site Is/Was Vulnerable
Another tool I've found is the Chromebleed add-on for the Chromium series of browsers:

https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic

If readers find other such tools, please let us know in the comments! Thanks.

:-Derek
--