Tuesday, March 10, 2015

CIA Hacked Apple Hardware and Software!
Including: Xcode Development Software, the OS X Updater, iPhone and iPad

--
This post is to draw attention to a report out today from The Gaurdian that the US CIA hacked together a corrupt version of Apple's XCode development software that allowed the insertion of surveillance backdoors into the resulting developed programs.

CIA 'tried to crack security of Apple devices'
Agency tried to create dummy version of development software that would allow it to insert surveillance back doors into apps
The modified version of Xcode would allow the CIA, NSA or other agencies to insert surveillance backdoors into any app created using the compromised development software. The revelation has already provoked a strong backlash among security researchers on Twitter and elsewhere, and is likely to prompt security audits among Apple developers.

The latest revelations of sustained hacking efforts against Apple devices are set to further strain already difficult relations between the technology company and the US government.

Apple had previously been a partner in the Prism programme, in effect a legal backdoor to obtain user information by the NSA and its allies, but in the wake of the Snowden revelations it has stepped up efforts to protect user privacy, including introducing end-to-end encryption on iMessages.

Tim Cook, the CEO of Apple, warned Barack Obama in public remarks this month that history had shown “sacrificing our right to privacy can have dire consequences”.
The original report of this situation was published on The Intercept website earlier today:

THE CIA CAMPAIGN TO STEAL APPLE’S SECRETS
BY JEREMY SCAHILL AND JOSH BEGLEY
RESEARCHERS WORKING with the Central Intelligence Agency have conducted a multi-year, sustained effort to break the security of Apple’s iPhones and iPads, according to top-secret documents obtained by The Intercept.

The security researchers presented their latest tactics and achievements at a secret annual gathering, called the “Jamboree,” where attendees discussed strategies for exploiting security flaws in household and commercial electronics. The conferences have spanned nearly a decade, with the first CIA-sponsored meeting taking place a year before the first iPhone was released.
By targeting essential security keys used to encrypt data stored on Apple’s devices, the researchers have sought to thwart the company’s attempts to provide mobile security to hundreds of millions of Apple customers across the globe. Studying both “physical” and “non-invasive” techniques, U.S. government-sponsored research has been aimed at discovering ways to decrypt and ultimately penetrate Apple’s encrypted firmware. This could enable spies to plant malicious code on Apple devices and seek out potential vulnerabilities in other parts of the iPhone and iPad currently masked by encryption.
. . . .
The security researchers also claimed they had created a modified version of Apple’s proprietary software development tool, Xcode, which could sneak surveillance backdoors into any apps or programs created using the tool. Xcode, which is distributed by Apple to hundreds of thousands of developers, is used to create apps that are sold through Apple’s App Store.

The modified version of Xcode, the researchers claimed, could enable spies to steal passwords and grab messages on infected devices. Researchers also claimed the modified Xcode could “force all iOS applications to send embedded data to a listening post.” It remains unclear how intelligence agencies would get developers to use the poisoned version of Xcode.

Researchers also claimed they had successfully modified the OS X updater, a program used to deliver updates to laptop and desktop computers, to install a “keylogger.”
[All bolding above is mine, added for the emphasis of key information.]

The depth of success of the CIA's Apple gear hacking strategies is unclear. But it is evident that a corrupt version of Xcode was successfully created with the intention of distributing it to unsuspecting software developers. Presumably, back-doored Mac and iOS software resulting from the use of this corrupt version of Xcode exist in the wild. No doubt there will now be efforts to determine exactly what software is affected.

Me Stuff

My point of view regarding the incessant hacking of computer technology by the US CIA, NSA, etc. is mixed. 

We already know that the CIA and NSA have illegally spied on US citizens on US soil without a legal warrant or justified cause specified in the Fourth Amendment to the US Constitution. All such acts must be prosecuted, without question. It makes no difference if the resulting impeachments reach the top of the executive office or US Congress. These are treasonous crimes. Trials for treason are required.

The legality of secretly damaging/hacking copyrighted and patented software for the purpose of surveillance is out of the scope of my knowledge. However, I find it difficult to imagine these acts could be found to be legally justified.

Whether these acts have been and continue to be in pursuit of the protection and defense of US citizens remains significantly unanswered. There has been to this point extremely little publicly released data that indicates these efforts by the US CIA, NSA, etc. have resulted in useful information. We may never know. We're stuck having to hear statements asserting that governmental hacking has been useful and important from the mouths of proven liars such as James R. Clapper, the current US Director of National Intelligence. I've heard retired General Clapper speak publicly. He appears to be an intelligent, serious and earnest defender of US citizens. And yet he is guilty of knowingly lying under oath to the US Congress. He is also a vehement critic of whistle-blower and patriot Edward Snowden. With such people representing US intelligence strategies, clearly the credibility of the ongoing damaging/hacking of computer technology is extremely dubious. That's shameful. 

All US citizens of course would like to believe their government behaves legally in their best interests, instead of against them. We are left instead with a government that has severely damaged its credibility. New information further damaging that credibility continues to be published on a consistent basis. No evidence of reform of US intelligence gathering agencies or their methods has been forthcoming. The phrase 'hell bent' comes to my mind. I'm not interested in 'hell' anything. I personally demand that my government be 100% accountable to, loyal to and in the defense of its citizens at all times within the framework of the US Constitution and laws. 

If the US intelligence agencies can work within their mandatory legal framework, then I support them. If not, then I want those responsible tried and punished for their crimes against US citizens, We The People, even if that includes impeachment of the current and past Presidents of the USA. 

I've stated my views regarding government surveillance crimes in public on many occasions. My statements here are nothing new to those concerned and I am glad to report that there have been thus far no obvious repercussions. I wish and hope that every US citizen speaks up against illegal government surveillance of US citizens on US soil. If we don't, the obvious consequence is a totalitarian police state, as history has consistently proven. That would be a very bad and criminal thing.
--

Coming up: Coverage of Apple's security updates for March! I'm impressed.
--

Wednesday, March 4, 2015

Java Installs Adware With Plugin,
Part Of Growing Mac Adware Attacks

--

Sadly, like a lot of customer adverse companies, Oracle is now packing adware with its Java plugin installer. Beware!

My colleague Thomas Reed caught up with the situation and has done some testing to see what's going on. I recommend reading his 'The Safe Mac' article found here:

Java now installing adware
Despite the fragility of the adware install process, this is still going to be a problem for many people installing Java. Oracle should be ashamed of themselves! Since Java has repeatedly posed security problems in the past, and Oracle has now shown a willingness to infect their own users with adware, I strongly recommend avoiding Java if at all possible. For those who must have Java, Trouton has posted information in his Der Flounder article on how to run the Java installer only, found inside the adware-riddled Java 8 Update 40 application, which should install Java without the toolbar. 
For those affected by this Ask Toolbar, I have added detection of the Ask browser extensions and support files to my AdwareMedic app and my Adware Removal Guide. And thanks to Rich Trouton for bringing attention to this issue!
Rich Trouton's article on the Java adware problem can be found here:

Oracle’s Java 8 Update 40 – The Good, the Bad and the Ugly
You will be prompted to set Ask.com as your browser homepage, with the choice to do so checked off by default. If left checked, Safari’s homepage will be set with a search.ask.com URL and a Safari extension will be used to install an Ask.com toolbar.


Thomas Reed found that the Java installer will install a corresponding plugin depending upon which web browser you have set as your default. With regards to Safari, he found that it also had to be running at the time for the adware installer to work, if it worked at all.

Needless to say, DON'T fall for the adware installation! You don't want that crap on your Mac. If you do get skewered, grab a copy of Thomas' free/donationware Adware Medic and get rid of it.


ATTACK OF THE ADWARE!

The Windows community has been getting hammered with adware for many years. Now the adware rats have caught up with the Mac community and are infesting the stuff into everything possible. I wrote an article last year, over at MacSmarticles, about the ruination of VersionTracker after CNET/CBS made it just as bad as the rest of their Downloads.CNET.com website. It is now nearly impossible to download anything from the CNET site without having adware foisted at you by its installers. The same thing is going on at just about every other downloads website. I gladly point out that MacUpdate.com is an exception as well as MajorGeeks.com. These are the only two download websites I trust at this point in time.

Recently, the computer manufacturer Lenovo has been slammed by the computer community for infesting their computers with crapware that included a diabolical adware program called Superfish. The adware was built on a code foundation provided by the company Komodia. Their awful software features:

- Faked security certificates used to allow the software to spy on your SSL/TLS, HTTPS connections over the Internet.
- A private encryption key that is protected by the password "komodia". That password doesn't just work in Superfish, but in ALL Komodia software that makes use of spying on HTTPS web streams. The number of affected applications is expected to be near 100.

It has also been discovered that other programs pull the same security trickery:

EFF unearths evidence of possible Superfish-style attacks in the wild
Crypto-busting apps may have been exploited against visitors of Google and dozens more.
by Dan Goodin

One such program is PrivDog, provided by Internet security certificate provider Comodo Group, who have already suffered scandal by releasing nine fraudulent certificates faking themselves to be the likes of Google, Yahoo, Skype and Windows Live. This gives Comodo two black eyes.

Then add to this situation the fact that at least two anti-malware applications have been found to perform the same faked security certificate trick as a method for catching malware being downloaded to your computer. They are provided as 'deep inspection' features of their software, which I obviously suggest you TURN OFF. Those two anti-malware programs are Malwarebytes and Avast. I found out about Malwarebytes via word-of-mouth and am waiting for solid verification.

No doubt, other such questionable software, crapware and adware will be uncovered in the coming months and some of it will run on Macs.


The message: 
Be Careful What You Install.

--