Why you should upgrade to iOS 9 sooner rather than later

Apple released iOS 9 this week. Hurray! But some (most) of you are thinking it might be wise to watch from the sidelines on this and let the bleeding edgers endure the initial onslaught of headaches that we all know can result from a software upgrade of this significance. There’s certainly a case to be made for this more circumspect approach.

However, if you are really concerned with caution, you might want to think again. The reason is that iOS 9 fixes over 100 security vulnerabilities that are lying around inside the bowels of its predecessor. That’s enough bugs to call in an exterminator, which is what iOS 9 could be.

One of the more interesting scenarios involves an exploit that abuses AirDrop to install malware on a mobile device. Here’s a video that demonstrates the attack.

Of course, with new mobile OS’s come the possibility of even newer bugs, but the point is that the cat is out of the bag on the old ones. The bad guys know about them and will be looking to take advantage. The new bugs are yet to be discovered.

That may not be the most comforting thought but look at it this way. If you knew there were copies of the keys to your house be circulated among the cat burglar community, would you want to sit tight and hope none of them figured out where you lived or change the locks? New locks still might be able to be picked but at least you make the job harder for the bad guys.

Advertisement

Hotel hacking center

You’ve just checked into your hotel and gotten situated in your room. All that time on the plane has left you feeling a bit out of touch so you head down to the business center to do a quick check of your email. You’re in luck — there’s a free workstation just waiting there for you. You log in to your account, read a few, respond to some, delete some spam, log off and head for the gym feeling that everything is now in order. But is it?

Turns out that the person using that same PC a few hours ago opened an attachment that contained malware that installed itself on the system and has been recording every keystroke entered ever since. Making matters worse, all those email responses, web site addresses, credit card numbers and logins have also been surreptitiously forwarded to someone on the other side the world who now has everything they need to take over your email, raid your bank account and run up charges on your credit card.

Krebs on Security has a good post on this threat along with a discussion of  some preventative measures your hotel could have taken to protect you. The problem is, as the author points out, all of them can potentially be circumvented.

Of course, you could enable all your accounts to use 2-factor (a.k.a. two step) authentication where a seemingly random set of numbers are texted to your phone that you then have to enter after entering your account name and password (and you should!), but most people don’t want to be bothered with this extra step and they are precisely the ones that the bad guys are counting on.

The bottom line is, if you don’t control the system you’re using (and you never do with a public terminal), you really have no idea who else might be listening in so you should consider that anything you type (including your password) is now public information.

The best thing you can do to avoid this scenario is simply to not use public workstations. It may be a pain to lug along your own laptop but it beats the alternative.

Creative Hacks

Just when you think you’ve got all the windows closed and doors locked on your IT security, a new and unexpected hole is revealed to get you started on that next ulcer — or at least that’s how it seems at times. Here are a couple of interesting hacks that take advantages of weaknesses you may have never thought of but hackers have …

WireLurker: Most iPhone and iPad users never get a second thought to malware on their devices. After all, Apple scrubs all the apps that go into their app store, right? And, if you’ve been good and haven’t jailbroken your device, that “walled garden” of security should protect you since there’s no way to instal apps, malicious or otherwise, from other sources, right? Not exactly. What if you download an infected program to your Mac that then passes malware to your iPhone when you connect it via USB? Meet WireLurker. Here’s a description from MacRumors.com:

Once installed, WireLurker can collect information from iOS devices like contacts and iMessages, and it’s able to request updates from attackers. It’s said to be under “active development” with an unclear “ultimate goal.”

Didn’t see that one coming? Try this one on for size…

Gyrophone: I’ve posted here before about the possibility of malware surreptitiously turning on the microphone (or camera, yikes!) on a mobile phone turning your trusty sidekick into an always on surveillance device. One of the protections against this sort of attack is that apps, even bad ones, typically need to ask for your permission in order to access the mic (or camera). Of course, if the malware is disguised as a benign program you might be willing to grant access but it turns out that you may not have to. Researchers at Stanford found that the gyroscopes in modern phones that help them know how the device is oriented in your hand. so that the screen can rotate accordingly, are so sensitive that they can pick up the vibrations of ambient sound. In other words, you talk, your phone vibrates, the built-in gyro registers the movement (ever so slight as it may be) and then a program could pick up on this and transmit what you are saying without your knowledge. But wouldn’t you have to grant access to the gyroscope to the malicious program? No, because designers apparently never anticipated this sort of use (abuse?) of that feature. Read more about it and watch a video here.

Hacked Hotel: I’ll leave you with one more bit of grist for the mill from an article in the South China Morning Post:

A San Francisco-based cybersecurity expert claims he has hacked and taken control of hundreds of highly automated rooms at a five-star Shenzhen hotel.

Jesus Molina was staying at the St Regis Shenzhen, which provides guests with an iPad and digital “butler” app to control features of the room including the thermostat, lights, and television.

Realising how vulnerable the system was, Molina wrote a piece of code spoofing the guest iPad so he could control the room from his laptop.

After some investigation, and three room changes, he discovered that the network addresses of each room and the devices within them were sequential, allowing him to write a script to potentially control every one of the hotel’s more than 250 rooms.

“Hotels are particularly bad when it comes to security,” Molina said. “[They’re] using all this new technology, which I think is great, but the problem is that the security architecture and security problems are way different than for residential buildings”.

This sort of Internet of Things technology is great. Unfortunately, so are the opportunities for abuse. Clearly, we in the IT Security industry have some work to do. In the meantime, break out the tin foil hats… 🙂

Is your WiFi sick?

Windows users learned (the hard way) a long time ago that their PC could be infected with viruses, Trojan horses, worms and the like without their knowledge. Anti-virus vendors have made a mint off of capitalizing on the concerns that grew from that basic fact. Eventually, Microsoft decided it was in their best interest to make available free security tools that could help limit the threat and mitigate some of the PR hits their brand kept taking with each new outbreak of malware.

As discussed in this blog before, there is nothing about Linux, UNIX or OS X that makes those platforms inherently immune to virus attacks either, although, the sheer number of known malware instantiations is lower. Mobile devices, which are, after all, nothing more than miniaturized computers that also happen to have built-in cameras, MP3 players and telephony features are vulnerable as well. In fact, the first mobile malware was first spotted 10 years ago, if you can believe it. Clearly, none of this is a new problem.

Well, guess what? You know that WiFi access point you installed in your home a few years back or the ones you never see but freely use at the local coffee shop could be infected as well? How about the possibility that the wireless in your doctor’s office waiting area is as sick as the patients sitting next to you?

Yep, malware for WiFi is the latest unfortunate turn of the technological crank and, once again, we shouldn’t be surprised. Routers and access points are, after all, just special purpose computers and, in most cases, ones that have never been patched since the day they were installed.

One recent study found that:

Using the top 50 selling home routers for sale on Amazon, the firm detected software vulnerabilities in three quarters with a third of these having publically documented flaws open for any attacker to exploit. Common problems included vulnerable management interfaces and dodgy authentication.

So that’s 75% of the most popular devices are vulnerable. Great. But the hits just keep coming …

Researchers at the University of Liverpool have shown for the first time that WiFi networks can be infected with a virus that can move through densely populated areas as efficiently as the common cold spreads between humans. 

The team designed and simulated an attack by a virus, called “Chameleon”, and found that not only could it spread quickly between homes and businesses, but it was able to avoid detection and identify the points at which WiFi access is least protected by encryption and passwords.

So let’s review…

• WiFi access points can be attacked
• Most have never been patched
• Most are vulnerable to exploitation
• Some could be attacked by malware that spreads from access point to access point

I don’t know that WiFi access point anti-virus tools are waiting just around the corner.  However, I do know that it would be a good idea to take another look at the access points you can control and review the security settings and update the firmware. Don’t say I didn’t warn you …

What is the most secure OS?

Want to start an endless debate with a room full of techies? Assert that a particular operating system — pick any — is more secure than all the rest then sit back and watch the factions form. Some will argue that Mac OS X wins because of the relatively small number of known malware exploits as contrasted with Windows. Others will point to Linux’s built-in security model as superior to the competition. Windows fans will point to a vastly improved track record in the security area over the past decade. Still others will say that the mainframe’s z/OS and it’s related predecessors have proven their strength over the long haul running many of the world’s most critical transactions since the 1960’s.

Who’s right? Answer: I’ve used them all and I would say it’s none of them and all of them. Macs aren’t immune to malware as Apple’s own employees found out — the hard way.  Windows wears the largest bull eye by virtue of its pervasive presence in the market so it will always victimized by bad guys. Linux’s strong security features may be beyond the grasp of casual users. z/OS has benefitted from something of a “security by obscurity” position, which means latent vulnerabilities could be there for the taking.

Not a very satisfying answer is it? Maybe a better way to rephrase the question would be not “which is the most secure?” but rather “which is the most securable?”  The latter takes into account a larger understanding of the role of the user/administrator in the security ecosystem. In other words, it’s not just about technology but also people and process as well.

Yet another way to look at it is to say that the most secure OS is the one that you configure and use properly. The fact is that any of these options can be good or bad depending on how they are deployed and executed. That’s my answer. Now I’ll sit back and watch the various OS fanboys fight it out …

 

P.S. Here’s a nice write up on “Four easy ways to protect your Mac from malware,” which is a question I get from time to time.

Nowhere to run to…

If you thought your choice of operating system, hardware platform, middleware stack or applications would shield you from malware, think again. If it’s operational, it can be hacked. Period. Certainly some configurations are more vulnerable than others but there’s no such thing as a “secure” system — just varying degrees of INsecurity.

I remember a protracted email debate I had with a colleague many years ago on this subject. His claim, essentially, was that the security model of Linux made it immune to malware. As a security guy, I knew better.

At the time Windows was being ravaged by viruses and Linux was emerging as a more stable, secure alternative. Some were speculating that it would supplant Windows as the leading desktop OS within a few years. Of course, that didn’t happen — at least not yet. Linux has some very clear advantages. Some derive from a kernel for which secure design was not an afterthought and yet others from the collective talents and contributions of the open source community.

Still it isn’t perfect as this story from PCWorld shows. In what is just the latest development in the never ending malware saga, the “Hand of Thief” Trojan, which specifically targets Linux, is starting to pop up. As the article says…

Hand of Thief operates a lot like similar malware that targets Windows machines—once installed, it steals information from web forms, even if they’re using HTTPS, creates a backdoor access point into the infected machine, and attempts to block off access to antivirus update servers, virtual machines, and other potential methods of detection.

Clearly, there are far more instances of malware for Windows than Linux — far more — but equally clearly, Linux is not immune. Neither is Mac OX nor Android nor iOS nor any other OS you’d like to name. In fact, the first malware I personally ran across infected the VM operating system on mainframes back in 1987. Yes, 1987. Years before the press would start reporting on the latest virus scare and long before commercial anti-virus tools even existed and all of this on a platform that was considered quite secure and unlikely to be compromised easily.

The article goes on to say…

Historically, desktop Linux users have been more or less isolated from the constant malware scares that plague Windows, which is at least partially a function of the fact that their numbers represent a tiny fraction of the Windows installed base.

That last phrase is important. It basically is saying that part of the reason Linux hasn’t had a lot of malware really has nothing to do with the merits of it’s innate security capabilities, but rather, due to the fact that it simply hasn’t had as big of a bull’s eye painted on it. Mac OS has historically benefitted from the same “security by obscurity” model but it’s not one you want to bank on. Not surprisingly as Mac’s have become more popular in the marketplace, they have also become more popular in the malware threatspace. Ditto for Linux. Ditto for iOS and Android.

Call it the price of success. If a platform becomes popular it can’t hide from hackers as easily. So, the best thing to do is to take prudent precautions regardless of what OS you’re running on because, as Motown figured out a long time ago,  there really is “nowhere to run to, nowhere to hide…”

The sandbox is leaking …

Sandboxing is a great security technique. In theory it isolates programs running in it from the rest of the system it is running on, therefore, preventing the spread of malware, escalation of privileges, data compromise and all sorts of other problematic interference. In the browser context, a Java applet is intended to be downloaded automatically when a user visits the server it is stored on and run inside the protected walls of a secure sandbox. It’s a good model… when it works.

Sometimes it doesn’t, as demonstrated in the latest in a growing line of Java exploits as described in an article by the Institution of Engineering and Technology where theory and practice fail to converge:

By using a vulnerability in a Java reflection API, which has been the target of recent attacks, Forshaw was able to disable the Java sandbox and perform actions under the privileges of the logged in user, including reading and writing files and executing new programs.

In general, Java’s security model is much more robust than some of its alternatives but it never hurts to remind ourselves that it isn’t perfect. No software of any real complexity is. This is why you have assume that any security defense can and will be breached and architect a solution that is resilient in the face of such a failure.

Another aspect of Java that is working against the good guys stems from one of its greatest strengths, and that is that it is cross-platform in nature. In other words, a developer can write it once and have it run on Windows, Linux, Mac OS and so on. Generally speaking, that’s a good thing. However, it also means that bad guys can write exploits that are able to cut across a wide range of platforms as well. Previously, such a feat would have been far more difficult due to the uniqueness of each OS.

Yet another area of concern is that while we continue to learn of more and more vulnerabilities in Java, we are also becoming keenly (and painfully) aware of just how many people are running old versions of it on their systems, leaving them open to an increasing number of threats.

A recent report from Websense asserts that only 1 out of 20 systems is running the latest version of Java and that 94% of systems were vulnerable to a recently discovered flaw. 

Ouch! And in this case, the sandbox is leaking a lot more than just sand …

Which is safer – Android or iOS?

The conventional answer to this question is that Apple’s “walled garden,” which places restrictions on app developers, creates a more secure environment for iOS whereas Google’s more permissive model puts Android users at greater risk.

As I have posted here before, there is plenty of ammo to bolster that position:

• Android Zombie Uprising?
• 115 and counting … (a reference to the number of unique Android malware families)

But the story is more complicated than that. For instance, take this recent report from Appthority which finds that “iOS apps leak more personal data than do Android apps”.

The differences are not huge but they do add fuel to the fire regarding which platform is safer. Apple Insider sums it up well:

A number of questionable policies and security concerns have painted Google’s Android platform as inherently less secure than Apple’s iOS. Android does appear to be more vulnerable to malware than iOS, but mobile malware affects only one percent of apps. The larger concern, the study concludes, should be over how mobile apps handle personal information and company data.

In the end, the unsatisfying answer as to which is more secure is, you guessed it, — it depends — so pick your poison … 🙂

 

PC Security Toolbox

It seems there are about a million things people are telling you that must be done in order to keep your PC secure and about ten times that many different tools that you might use to get the job done. That’s why I particularly liked Eric Geier’s PCWorld.com article entitled “PC security: Your essential software toolbox.”

In the piece he gives a brief overview of the basics — anti-malware tools, firewalls, wireless security and more. It’s far from comprehensive but, then again, who would want to have to pore through the tome that would result from  a treatment of this topic that was?

If you’re pretty security savvy you probably won’t find anything new here but the real value to you is that it’s something that you can easily share with your not-so-security-savvy friends who rely on you as their free tech support. So, just file this under the category of “enlightened self-interest” and make life a little tougher for the bad guys by passing this along …

115 and counting…

If my last post regarding Android devices being marshaled into zombie armies sounded a little over the top maybe this one will resonate a little better.

According to forensic blog, which focuses on mobile phone forensics and malware, as of December 26, 2012, there are 115 unique Android malware families known to exist. That number would be significantly higher if you counted all the variations on these that might be circulating.

115 doesn’t sound like a lot compared to the tens of thousands of Windows viruses in existence but its a far cry from zero and should serve as a wake up call regarding the need for malware protection on mobile devices. If that still doesn’t convince you then maybe the analysis regarding the threat that these present might:

Families that steal personal information	51,3 %
Families that send premium rated SMS messages	30,1 %
Families with characteristics of a Botnet	23,5 %
Families that contain Root-Exploits	18,3 %
Families downloaded from the Google-Play Market	11,3 %
Families that install additional applications	10,4 %
Families that steal location related data	8,7 %
Potentially unwanted applications	7,8 %
Online-Banking Trojans	3,5 %

Source: forensic blog, http://forensics.spreitzenbarth.de/

And don’t get too smug because your phone or tablet runs iOS. We had this debate years ago when people claimed that Mac OS was immune and then again with UNIX/Linux. Granted, the relative risk might be lower over the entire population of these install bases but the fact remains that any functional OS can be exploited because none are perfect.

Put more succinctly, all software (of any significant complexity) has bugs and some percentage of those bugs will be security-related, therefore, all software carries with it a set of security risks.