Latest iPhone & iPad Threats Exposed

[airdog07]

Bulletin

Internet Security Center | Online Safety Information | Kaspersky Lab

http://www.kaspersky.com/.../kaspersky-lab_ok-consumer-survey-report_eng_final.pdf 


How secure are Apple's iPhone and iPad from malware, really ?

by Joshua Long on June 29, 2012

Anti-virus veteran Mikko Hypponen made an interesting remark on Twitter yesterday:

"iPhone is 5 years old today. After 5 years, not a single serious malware case. It's not just luck; we need to congratulate Apple on this."

I'm not so sure I can agree.
Of course, there were the Ikee and Duh worms back in 2009, although one could dismiss them as not "serious" malware cases because they only infected iPhones that had been jailbroken without following the critical step of changing the default root password.
Speaking of jailbreaking, this brings up an interesting point about iOS device security.

Virtually every version of iOS has been quickly jailbroken (that is, modified to allow installation of apps and hacks not authorized by Apple or the mobile carrier).
Jailbreaking is accomplished by exploiting security vulnerabilities in iOS. The same exploits used to jailbreak (an arguably legitimate hack) could just as easily be used to infect an iOS device with malware.

And what happens if you get malware on your iPhone, iPad, or iPod touch? You wouldn't necessarily know it. Not all malware has big, flashy alerts like FakeAlert malware. Some is quiet and surreptitious like Flame.
And what's worse, you wouldn't be able to detect or remove iOS malware easily because Apple doesn't allow full-featured, real-time scanning anti-virus software in the iOS App Store.
Meanwhile, you can get free anti-virus software for Android from Sophos and other vendors.
In spite of the existence of Android anti-virus software, when you compare Android with iOS, there's certainly a big difference in terms of device security.
Android app stores (including Google's own) have a history of letting in malware apps, while Apple's more restrictive App Store policies and more careful application vetting tend to keep iOS users safer.
So perhaps Hypponen is right that we should be congratulating Apple, but not for the lack of iOS malware. Rather, Apple should be commended for keeping the App Store relatively safe.
I say "relatively safe" because security researcher Charlie Miller has previously figured out how to break the App Store anti-malware model using a flaw in the iOS code signing enforcement mechanism, and there have been reports of developers working around other App Store restrictions with clever tricks; see the Security Now! episode 330 transcript and search for "vetting."
And just earlier this month, a clearly bogus app purporting to be Microsoft Word 2012 was mistakenly approved by Apple, and appeared in the iOS App Store.

Apple still has a long way to go in making the iOS platform more secure, for example not making users wait months for security patches.
It took Apple four months after the release of iOS 5.0.1 for the next security update to become available, iOS 5.1, which patched a whopping 81 vulnerabilities. That's too long. I realize that 5.1 added a lot of features, but Apple could have easily patched the 81 vulnerabilities in a security-only update and called it "iOS 5.0.2" while working on adding new features to 5.1, but they didn't do that.
Meanwhile, the jailbreaking community are masters at exploiting undisclosed vulnerabilities, and ready to exploit them whenever Apple releases a new version of iOS. If these hobbyists can collect and take advantage of vulnerabilities, just imagine what others (a government perhaps?) could do.
And this isn't fantasy, defense contractors are already openly hiring for people with experience of exploiting vulnerabilities on mobile devices.

The history of jailbreaking iPhones and iPads has provided plenty of evidence that smartphone users are being made to wait too long to get security updates for their devices.
So yes; good job, Apple. But you can do a lot better.

[airdog07]

Apple developer site hacked, some info may have been exposed
By Cody Lee, Jul 21, 2013


dev center down

On Friday, we noted that Apple’s developer center—where it hosts downloads, documentation and other resources—had been down for a record 48 hours. Well here it is Sunday, and the dev portal appears to still be out of commission.

At first, the company was mum on the outage, saying only that it was sorry that “maintenance was taking longer than expected,” and that it would make up for the lost time. But today, it broke the silence, announcing it has been hacked…

Here’s the email Apple has been sending out to developers this afternoon (via AllThingsD):

“Apple Developer Website Update

Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.”

Apple has confirmed with Macworld that the breached server was not associated with any customer info and that all personal information is encrypted. Additionally, it says the attackers did not have access to app code or servers with app data.

[airdog07]

Your MacBook May Spy on You
Added: Thursday, December 26th, 2013


Miss Teen USA has recently contacted the FBI, claiming that she received two nude photos of herself by e-mail that had been taken over a period of several months. The FBI revealed that the individual who took the snaps was a high school classmate. The latter had software on his PC which allowed him to spy remotely on this girl and others. The individual pleaded guilty to extortion in October.



Laptops that have built-in cameras normally have a privacy feature which turns on a light when that camera is being used. With personal computers, security specialists admit that the warning light can’t be deactivated. But it turned out that in the case of MacBooks someone has worked out a way how to do it.

Actually, the Federal Bureau of Investigations recently admitted that it has known how to do it for many years now – and it’s despite Apple’s assurance that the camera had a “hardware interlock” between it and the light in order to make sure it can’t be turned on without alerting its owner.

Security experts have come up with a way to use MacBook and iMac models older than 2008, which might also work on younger models as well. The matter is that a modern laptop has a number of different computers in one package: although Apple designed its MacBook to block software running on its CPU from activating the camera without turning on the light, you can still target the chip inside the camera (a micro-controller) and defeat this security feature.

Moreover, this also opens up a lot of security vulnerabilities in MacBooks nobody ever really thought of. According to the researchers, an attack can be mounted on Apple batteries to cause them to discharge rapidly – this could potentially lead to a fire or explosion. The researchers even managed to convert a built-in Apple keyboard into spyware using a similar method.

Apparently, it all depends on how much security the manufacturer puts on its hardware, and it appears Apple might not put on enough. The security experts confirmed that they had contacted the company, which got back to them several times. But Apple hasn’t done anything yet.

It looks like the only way to guarantee your privacy is to put a piece of tape on iSight camera and take it off only when you want to use it. This sounds and looks silly, but if you don’t want to receive a picture of yourself naked one day, it might want to consider this idea.