Connect with us

Security

Warning Issued For Apple’s 1.4 Billion iPad And iPhone Users

Published

on

Apple is having a bad month. To date, the company’s “user-hostile” iPhone battery practices were exposed, Face ID hacked, iOS code exploited (twice) and the iPhone 11’s final secrets revealed. And now things just got a lot worse. 

Every iPhone ever made faces a Catch-22 security problem, including Apple’s headlines iPhone XS, XS Max and iPhone XR APPLE

Today researchers have publicized the ‘KNOB Attack’ which impacts billions of iOS and Android devices around the world. But while Google has already patched the problem and started the rollout out to devices, iPhone and iPad users are not so lucky because a bizarre mistake by Apple has left them with nowhere to go. 

KNOB stands for ‘Key Negotiation of Bluetooth’ (terrible acronym, I know) and what it amounts to is a clever, “brute force” attack on “any standard-compliant Bluetooth device”. It works remotely by exploiting a flaw in the Bluetooth encryption key protocol to force through small packets of data which give the hacker access to your device. And because its a flaw inherent to Bluetooth, everyone is vulnerable.

“We conducted KNOB attacks on more than 17 unique Bluetooth chips (by attacking 24 different devices),” explained the researchers. “At the time of writing, we were able to test chips from Broadcom, Qualcomm, Apple, Intel, and Chicony manufacturers. All devices that we tested were vulnerable to the KNOB attack.”

But here’s why it’s so much worse for iPhone and iPad users: in its security notes Apple confirmed the “iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later” (aka every iOS 11 and iOS 12 compatible device dating back to 2013) are vulnerable to it and a patch was issued in iOS 12.4 (bug code CVE-2019-9506). But, in case you have been living under a rock, iOS 12.4 contains a staggering exploit which allows hackers to remotely jailbreak your iPhones and install malicious code. 

Major publicly known exploits mean iPhone and iPad users are not currently safe on any version of Apple iOS 12 APPLE

Consequently, every supported iPhone or iPad is vulnerable to the KNOB Attack if they are not running iOS 12.4 and every device which has upgraded to it is vulnerable to a remote attack which is just as bad. 

Are you running a very old iPhone or iPad and feeling smug? Don’t. Not only is every iOS device ever made running standard-compliant Bluetooth, making them all vulnerable to KNOB, old devices are no longer supported meaning they are unlikely to be patched. So when, in January, Tim Cook statedthere are 1.4BN active iOS devices around the world, that’s how many are vulnerable to this Catch-22 situation right now. 

For Apple, releasing iOS 12.4.1 must now be their top priority to give users an escape route, as well as emergency upgrades for iOS 9 and 10 (it has happened before). That said, so far Apple has remained silent about the iOS 12.4 exploit and iOS 12.4.1 has not been seen in beta testing so there is currently no timeframe for a fix. Meanwhile, iOS 13 will arrive next month and it drops support for multiple generations of devices, which means it’s time for the company to step up. 

Your move, Apple. 

Source: https://www.forbes.com/sites/gordonkelly/2019/08/20/apple-iphone-ipad-security-warning-ios-12-ios13-knob-jailbreak-iphone-xs-max-xr/#45c094204407

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Security

GitHub launches ‘Security Lab’ to help secure open source ecosystem

Published

on

By

Today, at the GitHub Universe developer conference, GitHub announced the launch of a new community program called Security Lab that brings together security researchers from different organizations to hunt and help fix bugs in popular open source projects.

“GitHub Security Lab’s mission is to inspire and enable the global security research community to secure the world’s code,” the company said in a press release.

“Our team will lead by example, dedicating full-time resources to finding and reporting vulnerabilities in critical open source projects,” it said.

Founding members include security researchers from organizations like Microsoft, Google, Intel, Mozilla, Oracle, Uber, VMWare, LinkedIn, J.P. Morgan, NCC Group, IOActive, F5, Trail of Bits, and HackerOne.

GitHub says Security Lab founding members have found, reported, and helped fix more than 100 security flaws already.

Other organizations, as well as individual security researchers, can also join. A bug bounty program with rewards of up to $3,000 is also available, to compensate bug hunters for the time they put into searching for vulnerabilities in open source projects.

Bug reports must contain a CodeQL query. CodeQL is a new open source tool that GitHub released today; a semantic code analysis engine that was designed to find different versions of the same vulnerability across vasts swaths of code. Besides GitHub, CodeQL is already being rolled out in other places to help with vulnerability code scans, such as Mozilla.

SolarWinds® Network Insight for Cisco ASA goes beyond basic up/down status. It can help provide comprehensive firewall performance, and also offers access control list monitoring.Downloads provided by SolarWinds

GitHub’s new Security Lab project did not come out of the blue. Efforts have been going on at the company to improve the overall security state of the GitHub ecosystem for some time. Security Lab merges all these together.

For example, GitHub has been working for the past two years on rolling out security notifications that warn project maintainers about dependencies that contain security flaws.

Earlier this year, GitHub started testing a feature that would enable project authors to create “automated security updates.” When GitHub would detect a security flaw inside a project’s dependency, GitHub would automatically update the dependency and release a new project version on behalf of the project maintainer.

The feature has been in beta testing for all 2019, but starting today automated security updates are generally available and have been rolled out to every active repository with security alerts enabled. [Also see official announcement.]

github-automated-fixes.png
Image: GitHub

Furthermore, GitHub also recently became an authorized CVE Numbering Authority (CNA), which means it can issue CVE identifiers for vulnerabilities. GitHub didn’t apply to become a CNA for nothing.

Its CNA capability has been added to a new service feature called “security advisories.” These are special entries in a project’s Issues Tracker where security flaws are handled in private.

Once a security flaw is fixed, the project owner can publish the security, and GitHub will warn all upstream project owners who are using vulnerable versions of the original maintainer’s code.

But before publishing a security advisory, project owners can also request and receive a CVE number for their project’s vulnerability directly from GitHub.

Previously, many open source project owners who hosted their projects on GitHub didn’t bother requesting a CVE number due to the arduous process.

However, getting CVE identifiers is crucial, as these IDs and additional details can be integrated into many other security tools that scan source code and projects for vulnerabilities, helping companies detect vulnerabilities in open sourcec tools that they would have normally missed.[Also see official announcement.]

github-cve-advisory.png
Image: GitHub

And in addition to the new GitHub Security Lab, the code-sharing platform is also launching the GitHub Advisory Database, where it will collect all security advisories found on the platform, to make it easier for everyone to keep track of security flaws found in GitHub-hosted projects. [Also see official announcement.]

And last, but not least, GitHub also updated Token Scanning, its in-house service that can scan users’ projects for API keys and tokens that have been accidentally left inside their source code.

Starting today, the service, which previously could detect API tokens from 20 services, can identify four more formats, from GoCardless, HashiCorp, Postman, and Tencent. [Also see official announcement.]

Source: https://www.zdnet.com/article/github-launches-security-lab-to-help-secure-open-source-ecosystem/

Continue Reading

Security

iPhone owners should delete these 17 apps now, security experts warn

Published

on

By

APPLE has confirmed that 17 applications have been removed from the App Store after they were found to be secretly committing fraud behind users’ backs to quietly collect advertising revenue from their smartphones. Here’s which apps were called out, so you can immediately delete any that are still sitting pretty on your iOS home screen.

iPhone App Delete

If you’ve got any of these apps on your iPhone, you really need to do something about it (Image: GETTY)

If you’ve got any of these 17 apps saved on your iPhone, you’d best delete them as soon as possible.

Apple has confirmed the applications have now been wiped from its App Store, but you’ll still need to manually delete them from your smartphone if you’d already downloaded and run the software. The apps, which were all created by a single developer, were maliciously collecting advertising revenue behind iPhone owners’ backs.

The warning comes just hours after Android users were cautioned to delete a number of malicious apps from Google’s rival Play Store.

Mobile security firm Wandera sniffed-out the malicious software made available for iPhone owners worldwide. For users, it would be almost impossible to tell that anything was wrong, since the apps did exactly what they promised on the tin… except that they were secretly fraud in the background on your iPhone too.

“The objective of most clicker trojans is to generate revenue for the attacker on a pay-per-click basis by inflating website traffic. They can also be used to drain the budget of a competitor by artificially inflating the balance owed to the ad network,” the security firm explains.

Although the apps weren’t designed to cause any direct harm to users or their smartphones themselves, the nefarious behind-the-scenes activity would drain mobile data faster than usual, so if you’re not on an unlimited 4G plan – it would cost you each month. Secondly, the activity from the apps could also cost you precious battery life, as well as slowing down your phone, since it’s having to process all the extra ad requests.

So, deleting the software could see a drop in any additional monthly charges from your network provider, faster performance, as well as a few more hours battery life, which are all pretty substantial benefits.

Wandera claims these iPhone apps were able to Apple’s stringent review process since the malicious code was never inside the apps themselves – therefore there was nothing for Apple to detect when scanning them before allowing them onto the App Store. Instead, the apps would receive instructions to begin their activities from a remote server hosted by the developers.

Apple says it’s now improving the app review process to stop this happening in future.

iPhone Apps Delete

The malicious apps in question – check your iPhone for these (Image: WANDERA)

The same server was also designed to control a similar set of Android apps. Unfortunately, the weaker security on the Android operating system meant that the developer was able to go even further with these malicious apps – causing direct harm to the user.

According to the Wandera security team, “Android apps communicating with the same server were gathering private information from the user’s device, such as the make and model of the device, the user’s country of residence and various configuration details.

“One example involved users who had been fraudulently subscribed to expensive content services following the installation of an infected app.”

The full list of infected apps:

  • RTO Vehicle Information
  • EMI Calculator & Loan Planner
  • File Manager – Documents
  • Smart GPS Speedometer
  • CrickOne – Live Cricket Scores
  • Daily Fitness – Yoga Poses
  • FM Radio – Internet Radio
  • My Train Info – IRCTC & PNR (not listed under developer profile)
  • Around Me Place Finder
  • Easy Contacts Backup Manager
  • Ramadan Times 2019
  • Restaurant Finder – Find Food
  • BMI Calculator – BMR Calc
  • Dual Accounts
  • Video Editor – Mute Video
  • Islamic World – Qibla
  • Smart Video Compressor

All 17 infected apps are published on the App Stores in various countries by the same developer, India-based AppAspect Technologies Pvt. Ltd. So, if you spot the name on a listing of an app that looks good… don’t download it.

Source: https://www.express.co.uk/life-style/science-technology/1196281/iPhone-Delete-These-Apps

Continue Reading

Security

Top Linux developer on Intel chip security problems: ‘They’re not going away.’

Published

on

By

Greg Kroah-Hartman, the stable Linux kernel maintainer, could have prefaced his Open Source Summit Europe keynote speech, MDS, Fallout, Zombieland, and Linux, by paraphrasing Winston Churchill: I have nothing to offer but blood sweat and tears for dealing with Intel CPU’s security problems. 

Or as a Chinese developer told him recently about these problems: “This is a sad talk.” The sadness is that the same Intel CPU speculative execution problems, which led to Meltdown and Spectre security issues, are alive and well and causing more trouble.

The problem with how Intel designed speculative execution is that, while anticipating the next action for the CPU to take does indeed speed things up, it also exposes data along the way. That’s bad enough on your own server, but when it breaks down the barriers between virtual machines (VM)s in cloud computing environments, it’s a security nightmare.

Kroah-Hartman said, “These problems are going to be with us for a very long time, they’re not going away. They’re all CPU bugs, in some ways they’re all the same problem,” but each has to be solved in its own way. “MDS, RDDL, Fallout, Zombieland: They’re all variants of the same basic problem.”

And they’re all potentially deadly for your security: “RIDL and Zombieload, for example, can steal data across applications, virtual machines, even secure enclaves. The last is really funny, because [Intel Software Guard Extensions (SGX)] is what supposed to be secure inside Intel ships” [but, it turns out it’s] really porous. You can see right through this thing.”
 
To fix each problem as it pops up, you must patch both your Linux kernel and your CPU’s BIOS and microcode. This is not a Linux problem; any operating system faces the same problem. 

OpenBSD, a BSD Unix devoted to security first and foremost, Kroah-Hartman freely admits was the first to come up with what’s currently the best answer for this class of security holes: Turn Intel’s simultaneous multithreading (SMT) off and deal with the performance hit. Linux has adopted this method. 

But it’s not enough. You must secure the operating system as each new way to exploit hyper-threading appears. For Linux, that means flushing the CPU buffers every time there’s a context switch (e.g. when the CPU stops running one VM and starts another).

You can probably guess what the trouble is. Each buffer flush takes a lot of time, and the more VMs, containers, whatever, you’re running, the more time you lose.

How bad are these delays? It depends on the job. Kroah-Hartman said he spends his days writing and answering emails. That activity only takes a 2% performance hit. That’s not bad at all. He also is always building Linux kernels. That takes a much more painful 20% performance hit. Just how bad will it be for you? The only way to know is to benchmark your workloads. 

Of course, it’s up to you, but as Kroah-Hartman said, “The bad part of this is that you now must choose: Performance or security. And that is not a good option.” It’s also, he reminded the developer-heavy crowd, which choice your cloud provider has made for you.

But wait! The bad news keeps coming. You must update your Linux kernel and patch your microcode as each Intel-related security update comes down the pike. The only way to be safe is to run the latest CanonicalDebianRed Hat, or SUSE distros, or the newest long-term support Linux kernel. Kroah-Hartman added, “If you are not using a supported Linux distribution kernel or a stable/long term kernel, you have an insecure system.”

So, on that note, you can look forward to constantly updating your operating system and hardware until the current generation of Intel processors are in antique shops. And you’ll be stuck with poor performance if you elect to put security ahead of speed. Fun, fun, fun!

Source: https://www.zdnet.com/article/top-linux-developer-on-intel-chip-security-problems-theyre-not-going-away/

Continue Reading
Advertisement

Trending

%d bloggers like this: