Posts Tagged ‘Apple’

Apple released iOS 9 this week. Hurray! But some (most) of you are thinking it might be wise to watch from the sidelines on this and let the bleeding edgers endure the initial onslaught of headaches that we all know can result from a software upgrade of this significance. There’s certainly a case to be made for this more circumspect approach.

However, if you are really concerned with caution, you might want to think again. The reason is that iOS 9 fixes over 100 security vulnerabilities that are lying around inside the bowels of its predecessor. That’s enough bugs to call in an exterminator, which is what iOS 9 could be.

One of the more interesting scenarios involves an exploit that abuses AirDrop to install malware on a mobile device. Here’s a video that demonstrates the attack.

Of course, with new mobile OS’s come the possibility of even newer bugs, but the point is that the cat is out of the bag on the old ones. The bad guys know about them and will be looking to take advantage. The new bugs are yet to be discovered.

That may not be the most comforting thought, but look at it this way. If you knew copies of the keys to your house were being circulated among the cat burglar community, would you want to sit tight and hope none of them figured out where you lived, or would you change the locks? New locks might still be picked, but at least you make the job harder for the bad guys.


You might not like broccoli but it’s good for you. This next bit of news fits in that same category.

Android device manufacturers are going to move to monthly patch cycles according to a report from Computerworld.

Yay? Yes, yay! Sure, it will be a pain to apply software updates with each new moon, especially with so many mobile devices (e.g. phones, tablets, etc.) running the OS, but it really is a good thing.

The reasoning is as follows …

  • all software has bugs (try as we might, this remains true for anything other than simple programs)
  • some percentage of those bugs are security-related (call it the law of averages)
  • therefore, all software needs security patches (the punch line)

Mobile phones don’t get a pass from these inexorable truths just because they fit in your pocket. For what it’s worth, neither do cars, which I’ve written about here before as well. In fact, some of the higher end models these days have more lines of code than the Windows operating system, so take a guess at how many security holes that translates into…

Apple has done a better job in this area because, as both the hardware maker and OS supplier, they had two-thirds of the equation under their control with only the carrier side to coordinate. The Android ecosystem has had three players that needed to sync up, since the people that made the handsets (e.g. Samsung, LG, etc.) were different from those that supplied the OS (Google), which were different from the carriers (e.g. Verizon, AT&T, Sprint, etc.).

This dragon isn’t slain yet, as the precise details of how the Android army is going to amass against this issue have yet to be fully worked out, but it’s a step in the right direction and one that is long overdue.

Just when you think you’ve got all the windows closed and doors locked on your IT security, a new and unexpected hole is revealed to get you started on that next ulcer — or at least that’s how it seems at times. Here are a couple of interesting hacks that take advantage of weaknesses you may have never thought of but hackers have …

WireLurker: Most iPhone and iPad users never give a second thought to malware on their devices. After all, Apple scrubs all the apps that go into their app store, right? And, if you’ve been good and haven’t jailbroken your device, that “walled garden” of security should protect you since there’s no way to install apps, malicious or otherwise, from other sources, right? Not exactly. What if you download an infected program to your Mac that then passes malware to your iPhone when you connect it via USB? Meet WireLurker. Here’s a description from MacRumors.com:

Once installed, WireLurker can collect information from iOS devices like contacts and iMessages, and it’s able to request updates from attackers. It’s said to be under “active development” with an unclear “ultimate goal.”

Didn’t see that one coming? Try this one on for size…

Gyrophone: I’ve posted here before about the possibility of malware surreptitiously turning on the microphone (or camera, yikes!) on a mobile phone, turning your trusty sidekick into an always-on surveillance device. One of the protections against this sort of attack is that apps, even bad ones, typically need to ask for your permission in order to access the mic (or camera). Of course, if the malware is disguised as a benign program you might be willing to grant access, but it turns out that you may not have to. Researchers at Stanford found that the gyroscopes in modern phones that help them know how the device is oriented in your hand, so that the screen can rotate accordingly, are so sensitive that they can pick up the vibrations of ambient sound. In other words, you talk, your phone vibrates, the built-in gyro registers the movement (ever so slight as it may be) and then a program could pick up on this and transmit what you are saying without your knowledge. But wouldn’t you have to grant access to the gyroscope to the malicious program? No, because designers apparently never anticipated this sort of use (abuse?) of that feature. Read more about it and watch a video here.

Hacked Hotel: I’ll leave you with one more bit of grist for the mill from an article in the South China Morning Post:

A San Francisco-based cybersecurity expert claims he has hacked and taken control of hundreds of highly automated rooms at a five-star Shenzhen hotel.

Jesus Molina was staying at the St Regis Shenzhen, which provides guests with an iPad and digital “butler” app to control features of the room including the thermostat, lights, and television.

Realising how vulnerable the system was, Molina wrote a piece of code spoofing the guest iPad so he could control the room from his laptop.

After some investigation, and three room changes, he discovered that the network addresses of each room and the devices within them were sequential, allowing him to write a script to potentially control every one of the hotel’s more than 250 rooms.

“Hotels are particularly bad when it comes to security,” Molina said. “[They’re] using all this new technology, which I think is great, but the problem is that the security architecture and security problems are way different than for residential buildings”.

This sort of Internet of Things technology is great. Unfortunately, so are the opportunities for abuse. Clearly, we in the IT Security industry have some work to do. In the meantime, break out the tin foil hats… 🙂

For some, the mere fact that newer mobile phone models exist is reason enough to desire them. For others, the tried and true, trusty sidekick that has served them well (not to mention that it took them 2 years to figure out how to use the thing) is more than adequate.

I confess to belonging to the first group because I love new technology. I also lean that direction because of my security roots.

As I mentioned in my previous post, old phones run old software and old software has old security bugs that haven’t been fixed.

In keeping with that theme, Graham Cluley recently wrote a thought-provoking post entitled “If You Care About Security, Throw Away Your iPhone 4 Right Now.” OK, it’s a bit alarmist, but the underlying point is valid.

This isn’t picking on Apple because Android has the same issue. The point is that while newer doesn’t always mean better, when it comes to security you need to remember that …

old phone = unsupported = security bugs that won’t ever get fixed

Of course, the flip side of this is that …

new phone = not fully tested = new security bugs (that will, hopefully, one day get fixed)

Oh, and, by the way, the same holds true for operating systems, apps, etc.

So, what are you supposed to do? Balance is the key. Too old or too new is always going to be riskier than “just right.” I think Goldilocks said that in the sequel …

Unlike fine wine or cheese, old software doesn’t get better with age, it just starts to smell bad. Certainly it can “mature” as upgrades and patches are applied but if you simply “install it and forget it” then you could be setting yourself up for a world of trouble.

Recently Microsoft withdrew support for an old standby, Windows XP, and, as a result, pushed many to upgrade or face the risk of exposure to an increasing list of unpatched security vulnerabilities. Many grumbled about having to make the change but it was not unexpected. It costs vendors lots of money to support any operating system so it behooves them to support the fewest number they can or risk draining precious resources that could be spent developing newer versions with even better features demanded by the marketplace.

Windows XP is old in OS terms — nearly 13 years old, in fact. So, the end of the ride was inevitable, even if not fully appreciated by everyone.

But what about, say, Windows 95? It would be hard to feel a lot of sympathy for a user still running that moldy oldie if their system got hacked. After all, that was essentially 8 generations ago as a desktop OS. There are tons of security bugs that have been discovered in it since its introduction and, while most have been fixed, there are plenty that never will be since it was withdrawn from support a long time ago. Therefore, anyone still running Win95 isn’t likely to get a lot of sympathy given the known risks of doing so, right?

What about someone doing essentially the same thing on their mobile phone? Smart phones have very complex operating systems and we are finding more and more security holes in them every day. What would you say to someone still running the Win95 equivalent of Android? Good luck!

Well, it turns out that about 20% of Android devices worldwide are essentially doing just that. That’s roughly what Android 2.x matches up to if you compare its generations to those of Windows. How many bugs do you think are sitting around on those aging handsets just waiting to be exploited? A lot more than their owners are aware of, I suspect.

To be fair, mobile OS generations have been rolling out faster than desktop OSs lately so the time lines won’t match up perfectly, but the truth is that there are a scary number of mobile devices that are wide open to attack because they are running old software.

Why not simply update the OS on these devices? Because, in many cases you can’t. Unlike the PC world where a single vendor (i.e. Microsoft) can push out a new OS when they like and users can update whenever they choose (for the most part), the Android world involves a sometimes unholy trinity of handset makers, Google (who makes the Android OS) and the carriers. If you want to update your phone you have to get the sun, moon and stars to align so that all three parties allow it and that has proven much harder and slower than most people would like. Since change is happening so rapidly in the mobile space, it is hard for old handsets to keep up with the demands of new OS versions plus handset makers have a stronger incentive to get you to upgrade than they do to keep you on an old device.

What all this adds up to is a lot of handsets with OS levels that have long since passed from stale to downright rotten and since hackers are drawn to vulnerable systems like ants to a picnic, it would not at all be unreasonable to expect a buggy mess as a result.

The Apple/iOS ecosystem is a little less complicated because you have only a two-headed monster (Apple and the carrier) to deal with. This results in fewer options for users but considerably less software rot.

More freedom/choice or more security? I actually use both but hope that whichever one you choose, you at least do so with your eyes wide open…

There’s a spy in your pocket (or pocketbook or backpack). It’s so well camouflaged that you could stare directly at it and still not realize it’s there. Hiding in plain sight, as it were. In fact, if you are like most people according to a recent study, you rarely let this spy get out of arm’s reach. Are you sufficiently paranoid yet?

Turns out this spy is your mobile phone. It knows pretty much everywhere you go, how long you stay there, who you associate with, who your closest friends are, what you say to them, what you like and what you don’t like, what you’re in the market for and so on. It knows all this because it is the center of your digital life. Your social media accounts, your emails, your text messages, your phone calls, your photographs, your location, your purchases — all that and more are being tracked to one degree or another by Facebook, Google, Apple, Twitter, Verizon, AT&T, Sprint and a host of others.

Maybe none of that bothers you — but maybe this would … what if all that info was available to your ex, your boss, a stalker or just some creep who figured out how to turn your phone into a video and audio surveillance device by planting software on it without your knowledge. With this, your voyeur can turn on the microphone on your phone and listen in to your conversations even when you aren’t on the phone and see you through the video camera and read your emails and texts and … you get the picture.

Pretty creepy, huh? Well, it’s not at all far-fetched. In fact, here’s a commercially available tool that will do it for you (Note: I’ve redacted the name of the software because I’m not trying to advertise for it):

PhoneSpyware

… and it’s far from the only option. Here’s an article from PC World that talks about malware that does the same:

http://www.techhive.com/article/2043321/malware-like-program-lets-your-android-phone-spy-on-you.html#tk.nl_today

This really isn’t a new concept as we’ve had malware on PCs that could do this for more than a decade. What has changed is that mobile phones contain so much more info about you and are so portable that they go everywhere with you — everywhere.

Mobile device anti-malware programs can help but that whole industry is still fairly immature so the capabilities haven’t really caught up with the threats just yet. Some of the best things you can do are:

  • don’t download programs from places other than the authorized sources (Google Play, Apple App Store),
  • don’t root your device (even though it’s awfully tempting to do so in order to get some extra goodies that the providers have been denying you) and,
  • just as with PCs, don’t click on links unless you are expecting them and know where they are going to take you — regardless of who they appear to be coming from.

Sorry to be the bearer of bad news and paranoia, but I figure it’s better you know because the bad guys already do…

Here’s a real world online nightmare told in detail by the victim as a cautionary tale:

How Apple and Amazon Security Flaws Led to My Epic Hacking


Absolutely nothing in here surprises me, unfortunately. Worse still is that the risks are only going to increase as we put more and more of our lives online and become dependent upon services provided by organizations we assume have already figured out all the hard technical stuff needed to keep it safe. Many of these services are free, yet we fail to think about the realities of the underlying business model and how that could ultimately affect us.

One of my favorite quotes along these lines is “if you’re not paying for it, you’re the product not the customer” and while we often like to say that “the customer is always right,” it’s pretty hard to make the case that the product is. You’re the product in that information about you is what they use to generate profits, typically through advertising. Nothing wrong with that as long as everyone remembers that products don’t typically get to call up and complain or renegotiate their terms of service.

Also, they don’t call this stuff “the cloud” for nothing. These remote services, like real clouds up in the sky, can come and go as they please, and you can’t really tell what’s in them from the outside.

Nevertheless, there are some things that we can do. This is why I sound like a broken record when it comes to the importance of backups. When Murphy’s Law kicks in, a good backup is your best friend. Also, you can help keep Murphy at bay (to at least some extent) by not using the same password for all your accounts. Single sign-on tools can automate that process so you don’t have to keep up with all of them.

The long term move here is ultimately toward stronger means of authenticating users through biometrics, cell phones or special security devices to make sure it’s really you on the other end of that browser. Unfortunately, none of these options are perfect as they add cost and complexity while reducing convenience. Still, it may be the only option in the end. “Secret” knowledge that isn’t (e.g. last 4 digits of your credit card, social security number, mother’s maiden name, high school mascot, etc.) is definitely not the answer.