Creative Hacks

Just when you think you’ve got all the windows closed and doors locked on your IT security, a new and unexpected hole is revealed to get you started on that next ulcer — or at least that’s how it seems at times. Here are a couple of interesting hacks that take advantages of weaknesses you may have never thought of but hackers have …

WireLurker: Most iPhone and iPad users never get a second thought to malware on their devices. After all, Apple scrubs all the apps that go into their app store, right? And, if you’ve been good and haven’t jailbroken your device, that “walled garden” of security should protect you since there’s no way to instal apps, malicious or otherwise, from other sources, right? Not exactly. What if you download an infected program to your Mac that then passes malware to your iPhone when you connect it via USB? Meet WireLurker. Here’s a description from MacRumors.com:

Once installed, WireLurker can collect information from iOS devices like contacts and iMessages, and it’s able to request updates from attackers. It’s said to be under “active development” with an unclear “ultimate goal.”

Didn’t see that one coming? Try this one on for size…

Gyrophone: I’ve posted here before about the possibility of malware surreptitiously turning on the microphone (or camera, yikes!) on a mobile phone turning your trusty sidekick into an always on surveillance device. One of the protections against this sort of attack is that apps, even bad ones, typically need to ask for your permission in order to access the mic (or camera). Of course, if the malware is disguised as a benign program you might be willing to grant access but it turns out that you may not have to. Researchers at Stanford found that the gyroscopes in modern phones that help them know how the device is oriented in your hand. so that the screen can rotate accordingly, are so sensitive that they can pick up the vibrations of ambient sound. In other words, you talk, your phone vibrates, the built-in gyro registers the movement (ever so slight as it may be) and then a program could pick up on this and transmit what you are saying without your knowledge. But wouldn’t you have to grant access to the gyroscope to the malicious program? No, because designers apparently never anticipated this sort of use (abuse?) of that feature. Read more about it and watch a video here.

Hacked Hotel: I’ll leave you with one more bit of grist for the mill from an article in the South China Morning Post:

A San Francisco-based cybersecurity expert claims he has hacked and taken control of hundreds of highly automated rooms at a five-star Shenzhen hotel.

Jesus Molina was staying at the St Regis Shenzhen, which provides guests with an iPad and digital “butler” app to control features of the room including the thermostat, lights, and television.

Realising how vulnerable the system was, Molina wrote a piece of code spoofing the guest iPad so he could control the room from his laptop.

After some investigation, and three room changes, he discovered that the network addresses of each room and the devices within them were sequential, allowing him to write a script to potentially control every one of the hotel’s more than 250 rooms.

“Hotels are particularly bad when it comes to security,” Molina said. “[They’re] using all this new technology, which I think is great, but the problem is that the security architecture and security problems are way different than for residential buildings”.

This sort of Internet of Things technology is great. Unfortunately, so are the opportunities for abuse. Clearly, we in the IT Security industry have some work to do. In the meantime, break out the tin foil hats… 🙂

Advertisement

What is the most secure OS?

Want to start an endless debate with a room full of techies? Assert that a particular operating system — pick any — is more secure than all the rest then sit back and watch the factions form. Some will argue that Mac OS X wins because of the relatively small number of known malware exploits as contrasted with Windows. Others will point to Linux’s built-in security model as superior to the competition. Windows fans will point to a vastly improved track record in the security area over the past decade. Still others will say that the mainframe’s z/OS and it’s related predecessors have proven their strength over the long haul running many of the world’s most critical transactions since the 1960’s.

Who’s right? Answer: I’ve used them all and I would say it’s none of them and all of them. Macs aren’t immune to malware as Apple’s own employees found out — the hard way.  Windows wears the largest bull eye by virtue of its pervasive presence in the market so it will always victimized by bad guys. Linux’s strong security features may be beyond the grasp of casual users. z/OS has benefitted from something of a “security by obscurity” position, which means latent vulnerabilities could be there for the taking.

Not a very satisfying answer is it? Maybe a better way to rephrase the question would be not “which is the most secure?” but rather “which is the most securable?”  The latter takes into account a larger understanding of the role of the user/administrator in the security ecosystem. In other words, it’s not just about technology but also people and process as well.

Yet another way to look at it is to say that the most secure OS is the one that you configure and use properly. The fact is that any of these options can be good or bad depending on how they are deployed and executed. That’s my answer. Now I’ll sit back and watch the various OS fanboys fight it out …

 

P.S. Here’s a nice write up on “Four easy ways to protect your Mac from malware,” which is a question I get from time to time.

Water is still wet

Here’s a good CNET article on the adjustment Apple made recently to their public statement regarding OS X and malware…

http://news.cnet.com/8301-13579_3-57460041-37/apple-adjusts-its-tune-on-security-in-os-x/

 

As I mentioned in a previous post, Apple has previously indicated that Mac users didn’t have to worry about viruses and implied that this was due to some basic invulnerability within the operating system. They have wisely started to back off of that position but may not have really gone far enough just yet.

Where they once used to say that:

“A Macisn’t susceptible to the thousands of viruses plaguing Windows-based computers”

a statement which is misleading since Macs are, in fact, vulnerable to other malware (albeit many fewer instances). Now the wording is:

“Built-in defenses in OS X keep you safe from unknowingly downloading malicious software.”

This is better but still leaves the impression that Macs are inherently safe, which they aren’t. In fact, no computer is.

As long as software contains bugs, a certain percentage of those bugs will be security-related and someone is bound to eventually discover these vulnerabilities and try to exploit them.

That was true then and it’s true now and it always will be regardless of which OS you choose to use.

And in other news, water is still wet …