Friday, March 21, 2014

Brian Krebs: The Movie!


This is so 'brill', I have to point it out for your fun and enjoyment:

Brian Krebs, of Krebs On Security, has reached such a level of fame for his coverage of the 'BlackPOS' malware behind the Target et al. card-data theft scandal that Sony Pictures Entertainment has taken notice:

Sony seeks to make a movie about the Target hack reporter
Krebs writes that he would be "delighted" to help pick the leading man.
by Casey Johnston - Mar 21 2014, 1:43pm EDT, @ArsTechnica
Sony Pictures has purchased the movie rights to the story of the reporter who brought the Target credit card hack to light. The Hollywood Reporter writes that the company bought the rights to the New York Times story "Reporting From the Web’s Underbelly," a profile of security reporter Brian Krebs.
Krebs broke the news of the hack back in December, when approximately 40 million [sic] credit card numbers were stolen, reportedly as a result of a malware-carrying phishing e-mail. The Times wrote about Krebs' coverage of the hack in February. . . .
Sony Pictures Plans Movie About Yours Truly
by Brian Krebs - March 21, 2014, @KrebsOnSecurity
Sony Pictures is reportedly planning to make a big screen movie based at least in part on my (mis)adventures over the past few years as an independent investigative reporter writing about cybercrime. Some gumshoe I am: This took me by complete surprise. . . .
Both articles are worth a read. Enjoy!

Click on Brian's picture below to learn more about him and his terrific work:

… Now, if only Sony would make a movie about their own music CD rootkit scandal. That I'd love to see. It too affected millions of customers.


BTW Grumbling About ArsTechnica, Again (0_o)

ArsTechnica's count of affected Target accounts is out of date. The most recent published number, direct from Target, is 110 million. NOT '40'. That is the initially disclosed 40 million payment card records PLUS an additional 70 million customer records (names, mailing addresses, phone numbers and e-mail addresses) disclosed in January, with some overlap between the two groups, EQUALS up to 110 million affected Target accounts. I hope ArsTechnica correct their error.

The editorial verification of facts over at ArsTechnica is often dreadful and, dare I say, unprofessional. ArsTechnica already knows my opinion on the matter. Shame on you again ArsTechnica. You didn't do your homework. Lazy, lazy, lazy…


--> And no, I take no pleasure in outing ArsTechnica's failings. Instead, I wish ArsTechnica took pleasure in verifying their facts before publishing. If not for Dan Goodin's excellent reporting on computer security, I'd probably ignore the place. :-Q


Wednesday, March 19, 2014

The FAKE iOS "Tor Browser":
Delete Now


UPDATE! [2014-03-21 @~12:40 AM ET]: According to The Register, Apple has at last pulled the FAKE 'Tor Browser' from the App Store. Hurray. If you haven't deleted it from your iOS devices, please do so immediately.

Tor Project claims 'fake' Tor Browser sat in iOS App Store for months
Team Onion raises a stink over shady app which Apple ignored – until this afternoon
As of 1545 Pacific Time, the miscreant app is no longer available through a direct link and does not appear in search results. Earlier in the day, however, both direct links and search results brought up the Tor Browser application in question. 
As we have come to expect, Apple did not respond to a request for comment on the matter.
~ ~ ~ ~ ~ ~ ~

Original Article:

Dan Goodin @ArsTechnica today posted a revelatory article about a FAKE "Tor Browser" that slipped past Apple's App Store vetting system. If the claims prove true, this is profoundly bad and discouraging.

Fake Tor browser for iOS laced with adware, spyware, members warn
Title available since November raises questions about App Store vetting process.
"Tor Browser in the Apple App Store is fake," a report ticket published two months ago on the Tor website by high-ranking volunteer Phobos stated. "It's full of adware and spyware. Two users have called to complain. We should have it removed."
The ticket went on to say that Tor officials notified Apple of the fake Tor Browser app in December. In the intervening time, the app has remained available, touching off a series of exchanges among Tor members about how to respond. Ars was unable to confirm the claims of adware or spyware. Still, the incident highlights the lack of transparency in the way that Apple vets the reliability of security apps and responds to complaints of rogue titles.
. . . 
Early Wednesday [today], some two months later, yet another Tor member wrote: "I think naming and shaming is now in order. Apple has been putting users at risk for months now." 
. . . 
This article will be updated if Apple officials, who are routinely silent on such matters, respond to our request for comment. 
I'll be keeping track of the situation. Apple's stumbling and bumbling regarding security has been a real bummer this winter. Pestering Apple in public has proven to be the best method of getting them to shape up and get serious. Consider this my bit of naming and shaming.

Wake up Apple! Please.


Saturday, March 15, 2014

iOS 7 Random Number Generator
Not Random Enough


Seriously Apple? You have a device that is able to pull from a variety of sources of random data, and you didn't use that data in your random number generator? Why?

Researcher: iOS 7 security at risk from weak random number generator
Predictable and observable random number generator 
present in iOS 7
All mobile operating systems require what is called an "Early Random pseudorandom number generator (PRNG)" to give the operating system some security from kernel exploits. Researchers have revealed that the new one implemented in iOS 7 is vulnerable to brute force attacks, and can be relatively easy to predict, making security exploits somewhat easier to develop, if left unpatched.
. . .
While researching the matter, Mandt found that "we found that an unprivileged attacker, even when confined by the most restrictive sandbox, can recover arbitrary outputs from the generator and consequently bypass all the exploit mitigations that rely on the early random PRNG." 

Sources of actual random data on iOS devices:

- The compass
- The accelerometer
- The fingerprint of the user
- The white balance detected by the camera
- The number of files on the device
- The last phone number called
- The last website visited in Safari
- Audio noise detected by the microphone
- The current power level of the battery
- The proximity sensor
- The ambient light sensor
- The date and time

Not all of these are equal, mind you. Microphone noise, camera sensor noise and accelerometer jitter are genuine entropy. The clock, the battery level, the file count, the proximity reading and the last number called or site visited are low-entropy or outright observable by an attacker, and must never seed the generator on their own. The right move is to feed every available source through a hash-based extractor, so the predictable inputs cost nothing and the unpredictable ones dominate, and then seed a proper deterministic generator from the result.

In other words: Get seriously random Apple!
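To make the two halves of this concrete (why a predictable generator is fatal, and what mixing several sources buys), here is an added example written for this post. It is not Apple's generator and it is not taken from Mandt's research: the 32-bit linear congruential generator is a stand-in for any weak design, the SHA-256 counter-mode generator is a stand-in for any sound one, and the boot timestamp, the attacker's one-hour guessing window and the "sensor" bytes are all constructed here.

```python
"""Added example: a weak early-boot PRNG versus a sound one, from the attacker's side.
Nothing here is Apple's code; constants, timestamps and readings are constructed."""
import hashlib
import struct

MOD = 2 ** 32
MULT, INC = 1664525, 1013904223   # textbook LCG constants, standing in for any weak design


class ToyLCG:
    """Weak design: a 32-bit linear congruential generator whose state IS its last output."""

    def __init__(self, seed: int):
        self.state = seed % MOD

    def next(self) -> int:
        self.state = (MULT * self.state + INC) % MOD
        return self.state


def clone_from_output(observed: int, count: int) -> list:
    """Attacker who saw ONE output rebuilds the generator and reads the next `count` values.
    No brute force is needed: the leaked output is the whole state."""
    clone = ToyLCG(observed)
    return [clone.next() for _ in range(count)]


class HashDRBG:
    """Sound design (SHA-256 in counter mode): outputs reveal nothing about the seed,
    so the only remaining question is how good the seed was."""

    def __init__(self, seed: bytes):
        self.seed, self.counter = seed, 0

    def next(self) -> int:
        self.counter += 1
        block = hashlib.sha256(self.seed + struct.pack(">Q", self.counter)).digest()
        return int.from_bytes(block[:4], "big")


def clock_seed(boot_time: int) -> bytes:
    """Weak seeding: the only input is a value the attacker can estimate."""
    return struct.pack(">Q", boot_time)


def mixed_seed(boot_time: int, readings: list) -> bytes:
    """Hash extractor over every source. Predictable inputs (the clock) cost nothing;
    a single unpredictable input makes the whole seed unpredictable."""
    h = hashlib.sha256(struct.pack(">Q", boot_time))
    for r in readings:
        h.update(struct.pack(">I", len(r)))   # length prefix so two sources cannot run together
        h.update(r)
    return h.digest()


def brute_force_clock_seed(observed: int, window_start: int, window_len: int):
    """Attacker who knows boot time to within `window_len` seconds and saw one output
    tries every candidate second; returns the recovered boot time or None."""
    for t in range(window_start, window_start + window_len):
        if HashDRBG(clock_seed(t)).next() == observed:
            return t
    return None


# Constructed sample values (NOT real sensor data, NOT a real device).
BOOT_TIME = 1395000000
SENSOR_READINGS = [
    b"mic:" + bytes.fromhex("9a12f03c77b1e4d0025c8e1f6b3a94d7"),  # microphone noise
    b"accel:" + bytes.fromhex("0013ff8e0004"),                    # accelerometer jitter
    b"battery:87",                                                 # low entropy; harmless once mixed
]


def demo():
    """Returns (LCG predicted from one leak?, boot time recovered from clock-only seed,
    brute-force result against the mixed seed)."""
    weak = ToyLCG(BOOT_TIME)
    leaked = weak.next()
    truth = [weak.next() for _ in range(3)]
    lcg_predicted = clone_from_output(leaked, 3) == truth

    clock_only = HashDRBG(clock_seed(BOOT_TIME)).next()
    recovered = brute_force_clock_seed(clock_only, BOOT_TIME - 1800, 3600)

    mixed = HashDRBG(mixed_seed(BOOT_TIME, SENSOR_READINGS)).next()
    not_recovered = brute_force_clock_seed(mixed, BOOT_TIME - 1800, 3600)
    return lcg_predicted, recovered, not_recovered


if __name__ == "__main__":
    predicted, recovered, failed = demo()
    print("ToyLCG: later outputs predicted from one leaked value:", predicted)
    print("HashDRBG + clock-only seed: boot time recovered by brute force:", recovered)
    print("HashDRBG + mixed seed, same brute force:", failed)
```

The point of the third case is that the clock is still one of the inputs; it just no longer matters, because the attacker would have to guess the microphone and accelerometer bytes as well. A generator that is sound on paper is only as good as the worst assumption behind its seed.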


Wednesday, March 5, 2014

Apple Falls Down Keeping XProtect Up-To-Date

UPDATE: Great news. Apple has caught up with the missing malware protection in XProtect. Check out Thomas Reed's follow-up article here:

Missing malware added to XProtect
Posted on March 14th, 2014 at 9:47 AM EDT

My conclusion: If pestering Apple in private does not succeed, pester Apple in public. Thank you to the folks at Apple who DO care. Thanks also to Thomas Reed for spearheading this issue and getting it done.


[Correction, recantation added 2014-03-06 2:00 am. Apple has indeed revoked all Trojanized developer security certificates. Thank you Apple.]

My Mac security colleague Thomas Reed has posted an important article today about some old and obvious holes in Apple's XProtect security system, built into OS X 10.6.8 through 10.9.x. Thomas is one of the most meticulous and patient people I know, terrific at software evaluation.

If you're a Mac professional, please read Thomas' article:

Time to re-evaluate safety of Mac OS X

What Thomas has discovered going on, or rather FAILing, with Apple's XProtect is alarming:

• XProtect is not protecting Mac users from a considerable number of malware families currently in the wild, despite having been provided with samples of that malware.

That's a bad strike against Apple security.
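If you want to see for yourself what your Mac's XProtect currently knows about, the definitions are plain XML plists you can read without any tool beyond sed. The script below is an added example written for this post, not something from Thomas' article or from Apple. It assumes the location OS X 10.6.8 through 10.9 use for the files (override XPROTECT_DIR if yours differ) and the usual one-value-per-line XML plist layout; the plist files in the test are constructed.

```sh
#!/bin/sh
# Added example (not from Thomas Reed's article or from Apple): list the
# XProtect definitions version and the signature names it carries, so you can
# compare them against what is actually circulating.  XPROTECT_DIR is where
# OS X 10.6.8 - 10.9 keep the files; override it if your copy lives elsewhere.
XPROTECT_DIR="${XPROTECT_DIR:-/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources}"

# Definitions version: the <integer> on the line after <key>Version</key>
# in XProtect.meta.plist (assumes the one-value-per-line XML plist layout).
xprotect_version() {
    sed -n '/<key>Version<\/key>/{n;s/.*<integer>\([0-9]*\)<\/integer>.*/\1/p;}' "$1"
}

# Signature names: the <string> on the line after each <key>Description</key>
# in XProtect.plist, one per malware family or variant, de-duplicated.
xprotect_signatures() {
    sed -n '/<key>Description<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$1" | sort -u
}

# Report only when the real files are present, i.e. when run on a Mac.
if [ -r "$XPROTECT_DIR/XProtect.meta.plist" ] && [ -r "$XPROTECT_DIR/XProtect.plist" ]; then
    echo "XProtect definitions version: $(xprotect_version "$XPROTECT_DIR/XProtect.meta.plist")"
    echo "Signatures:"
    xprotect_signatures "$XPROTECT_DIR/XProtect.plist" | sed 's/^/  /'
fi
```

Run it before and after a Software Update to see whether the version number moved and which names were added; an unchanged list after a publicised outbreak is exactly the failure Thomas describes.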

Please note that neither Thomas nor I are into FUD and doom mongering. I'm exactly the opposite. But when Apple pulls a face plant on Mac security, it's time to get ticked off and active.

Folks here already know I consider Apple's web documentation team to be CRAP.

After reading Thomas' evaluation, I now consider Apple's security team to be CRAP as well.

Please DO YOUR JOB keeping Macs secure.

Thomas ends his post wondering if it's time to suggest Mac users install anti-malware software. I use it, and occasionally find it useful. For example: It discovered a version of the CoinThief Trojan on one of my Macs. I had inadvertently downloaded it from MacUpdate before anyone knew what it was.

What I recommend:

Free anti-malware:
1) ClamXav - Donationware. OS X 10.6 - 10.9.
2) Sophos Anti-Virus 9 Home Edition - OS X 10.6 - 10.9.

Commercial anti-malware:
1) Intego VirusBarrier - Currently for $39.99 bundled with NetBarrier as 'Mac Internet Security 2013'. Yearly signature updates cost extra. Demo available.
2) Sophos Endpoint AntiVirus - Designed for Enterprise users. Versions available for OS X 10.4 - 10.9. Contact Sophos for pricing. Demo available.

Reverse (outbound) firewalls:
1) Little Snitch - Currently $34.95.
2) Intego NetBarrier - Included with VirusBarrier in the 'Mac Internet Security 2013' package @$39.99.

I recommend all of the above because they are all great software. Also, their developers are terrific supporters of the Mac platform, to whom I am most grateful.

There are plenty of other reasonable solutions. Be sure to read both user and expert reviews before trying them, as there are abysmal solutions well worth avoiding. (Hint: Avoid MacKeeper and Symantec Norton AntiVirus, IMHO).

Note: I get paid nothing for recommending anything or anyone.