Lorenzo Franceschi-Bicchierai, writing for Motherboard:
This is the first time that anyone has uncovered such an attack in the wild. Until this month, no one had seen an attempted spyware infection leveraging three unknown bugs, or zero-days, in the iPhone. The tools and technology needed for such an attack, which is essentially a remote jailbreak of the iPhone, can be worth as much as one million dollars. After the researchers alerted Apple, the company worked quickly to fix them in an update released on Thursday.
The question is, who was behind the attack and what did they use to pull it off?
It appears that the company that provided the spyware and the zero-day exploits to the hackers targeting Mansoor is a little-known Israeli surveillance vendor called NSO Group, which Lookout’s vice president of research Mike Murray labeled as “basically a cyber arms dealer.”
A great story from Motherboard that is equal parts fascinating and absolutely terrifying. NSO's malware can effectively steal all the information on your phone, intercept every message and backdoor every method of communication on it. Evidence suggests that NSO has likely been able to hack iPhones since the iPhone 5.
The security researchers who first became aware of the bugs (Citizen Lab and Lookout) notified Apple about 10 days ago, and Apple today released iOS 9.3.5, which fixes all three (CVE-2016-4655, CVE-2016-4656 and CVE-2016-4657): a WebKit memory corruption that gives the attacker a foothold when the target opens a link, followed by a kernel information leak and a kernel memory corruption that together yield kernel code execution. Suffice it to say, you should install the update on your iOS devices immediately; Settings > General > About should then show version 9.3.5.
Ivan Krstić, Apple's Head of Security Engineering and Architecture, gave a presentation at the Black Hat conference a few weeks ago, and it is now available to view in full on YouTube.
With over a billion active devices and in-depth security protections spanning every layer from silicon to software, Apple works to advance the state of the art in mobile security with every release of iOS. We will discuss three iOS security mechanisms in unprecedented technical detail, offering the first public discussion of one of them new to iOS 10.
HomeKit, Auto Unlock and iCloud Keychain are three Apple technologies that handle exceptionally sensitive user data – controlling devices (including locks) in the user's home, the ability to unlock a user's Mac from an Apple Watch, and the user's passwords and credit card information, respectively. We will discuss the cryptographic design and implementation of our novel secure synchronization fabric which moves confidential data between devices without exposing it to Apple, while affording the user the ability to recover data in case of device loss.
It was at this presentation that Apple announced its first bug bounty program, initially invitation-only and paying up to $200,000, for those who discover vulnerabilities in its key products. Krstić also discussed how the Secure Enclave Processor enabled Apple to adopt a new approach to data protection, as well as a new security feature in iOS 10 that makes the iOS Safari JIT "a more difficult target".
Joonas Kiminki had his iPhone stolen in Italy last month. A couple of weeks later, he received an email saying that the device had been found. The email turned out to be a well-designed, meticulous phishing attempt aimed at his Apple ID credentials:
What strikes me the most is that everything seemed very “right” and professional. The email and the website content looked great, my phone really was an iPhone 6 and they even got the timezone right in the email.
The email raised no alerts on any email client I use, including Google Inbox, mail.google.com and Apple Mail. No web browser, mobile or desktop, shows any alarms on the fake site. Google.com knows virtually nothing about the site, the email address or the (probably fake) US phone number the SMS was from. Very well done.
This is exactly what happened to my mother last week. Her iPhone was stolen in Italy in June, and after a month she received an email and SMS (in Italian) telling her that the iPhone had been located. Fortunately, she called me before entering her Apple ID credentials (she was about to).
Clearly, a criminal organization in Italy has set up an entire system to scam owners of stolen iPhones. I'm surprised that both Apple and Google are failing to recognize these email messages as spam.
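One concrete check worth making before typing an Apple ID password into a "your iPhone has been located" page is where the link actually goes. The following Python script is an added example, not part of the original post and not an Apple tool; the trusted-domain allowlist, the brand-word list and the sample links are assumptions constructed for illustration. It extracts the real host (discarding the `user@` trick and any port), converts internationalised labels to punycode so homoglyph domains stand out, and flags any host that uses an Apple brand name outside an allowlisted registrable domain:

```python
from urllib.parse import urlsplit

# Assumed allowlist of registrable domains at which Apple would legitimately
# ask for an Apple ID (an assumption for this example, not an Apple-published list).
TRUSTED_DOMAINS = {"apple.com", "icloud.com"}

# Brand words whose presence anywhere in an untrusted host is a phishing signal.
BRAND_WORDS = ("apple", "icloud", "itunes", "findmy")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two DNS labels. Adequate for .com-style domains;
    a production check should consult the Public Suffix List (co.uk etc.)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> tuple[str, str]:
    """Classify a link from a 'your iPhone has been located' message.

    Returns (verdict, host), where verdict is one of
    'trusted', 'lookalike', 'unknown' or 'invalid'.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
    except ValueError:
        return ("invalid", "")
    if parts.scheme not in ("http", "https") or not host:
        return ("invalid", host)
    # .hostname is lowercased and has userinfo and port stripped, so
    # https://appleid.apple.com@evil.example/ yields 'evil.example'.
    try:
        host = host.encode("idna").decode("ascii")  # punycode-encode non-ASCII labels
    except UnicodeError:
        return ("invalid", host)
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return ("trusted", host)
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("lookalike", host)  # internationalised label: homoglyph risk
    if any(word in host for word in BRAND_WORDS):
        return ("lookalike", host)  # brand name used as a subdomain or in a typo domain
    return ("unknown", host)


# Constructed sample links (not taken from the original phishing message).
SAMPLE_LINKS = [
    "https://www.icloud.com/find/",
    "https://icloud.com.located-device.example/login",
    "https://appleid.apple.com@secure-apple-login.example/verify",
    "https://xn--pple-43d.com/",  # 'apple.com' spelled with a Cyrillic first letter
    "https://mail.example.org/",
    "javascript:alert(1)",
]


def audit(links=SAMPLE_LINKS) -> dict[str, str]:
    """Return {url: verdict} for each link."""
    return {url: classify_url(url)[0] for url in links}


if __name__ == "__main__":
    for url, verdict in audit().items():
        print(f"{verdict:9s} {url}")
```

The `registrable_domain` helper is deliberately simple; the point of the example is that the decision has to be made on the host the browser will actually connect to, after userinfo, port and IDN encoding are accounted for, not on whatever brand name appears somewhere in the link text.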
Glenn Fleishman, writing for Macworld on a recent change to Touch ID authentication in iOS 9:
When iOS 9 was released, Apple updated its list of cases in which iOS asks for a passcode even when Touch ID is enabled. A previously undocumented requirement asks for a passcode in a very particular set of circumstances: When the iPhone or iPad hasn’t been unlocked with its passcode in the previous six days, and Touch ID hasn’t been used to unlock it within the last eight hours. It’s a rolling timeout, so each time Touch ID unlocks a device, a new eight-hour timer starts to tick down until the passcode is required. If you wondered why you were being seemingly randomly prompted for your passcode (or more complicated password), this is likely the reason.
This explains why I've been seeing the passcode prompt during the weekends (when I stay up late and occasionally sleep more than 8 hours).
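To make the rolling rule concrete, here is an added Python model of it (my example, not Apple's code). It also includes Apple's longer-standing requirement that the passcode be entered after 48 hours without any unlock, and a constructed week of unlocks that reproduces the weekend prompt described above. The usage pattern, the function names and the choice of start date are assumptions for this example:

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Optional

# Thresholds from the rule quoted above (iOS 9, as documented by Apple).
PASSCODE_STALE_AFTER = timedelta(days=6)    # no passcode entry in the last six days ...
TOUCH_ID_IDLE_AFTER = timedelta(hours=8)    # ... and no Touch ID unlock in the last eight hours
# Apple's longer-standing rule: 48 hours without any unlock also demands the passcode.
NO_UNLOCK_AFTER = timedelta(hours=48)


@dataclass(frozen=True)
class DeviceState:
    last_passcode_unlock: datetime
    last_touch_id_unlock: Optional[datetime] = None  # None: no Touch ID unlock since the passcode


def passcode_required(state: DeviceState, now: datetime) -> bool:
    """Passcode is required when it is stale AND Touch ID is idle, or when
    the device has not been unlocked by any method for 48 hours."""
    last_any_unlock = max(t for t in (state.last_passcode_unlock, state.last_touch_id_unlock)
                          if t is not None)
    if now - last_any_unlock > NO_UNLOCK_AFTER:
        return True
    passcode_stale = now - state.last_passcode_unlock > PASSCODE_STALE_AFTER
    touch_id_idle = (state.last_touch_id_unlock is None
                     or now - state.last_touch_id_unlock > TOUCH_ID_IDLE_AFTER)
    return passcode_stale and touch_id_idle


def unlock(state: DeviceState, now: datetime) -> tuple[bool, DeviceState]:
    """The user tries to unlock at `now`. Returns (passcode_prompted, new_state).

    A passcode entry restarts both timers; a Touch ID unlock restarts only
    the rolling eight-hour timer, as the article describes."""
    if passcode_required(state, now):
        return True, DeviceState(last_passcode_unlock=now)
    return False, replace(state, last_touch_id_unlock=now)


def simulate(start: datetime, unlock_offsets_hours: list[float]) -> list[float]:
    """Given a passcode unlock at `start` and unlock attempts at the listed hour
    offsets, return the offsets at which the passcode was demanded."""
    state = DeviceState(last_passcode_unlock=start)
    prompted = []
    for hours in unlock_offsets_hours:
        needed, state = unlock(state, start + timedelta(hours=hours))
        if needed:
            prompted.append(hours)
    return prompted


def weekly_schedule() -> list[float]:
    """Constructed usage pattern (an assumption for this example). Day 0 is a Monday
    with the passcode entered at 08:00. Weekdays: unlocks at 08:00, 14:00, 20:00 and
    01:00 (7-hour overnight gap). Saturday and Sunday: unlocks at 11:00, 17:00,
    23:00 and 01:00 (10-hour gap after sleeping in)."""
    offsets = []
    for day in range(8):  # Monday through the following Monday
        hours = (3, 9, 15, 17) if day in (5, 6) else (0, 6, 12, 17)
        offsets.extend(day * 24 + h for h in hours if day * 24 + h > 0)
    return offsets


def required_after(passcode_age_hours: float, touch_id_age_hours: Optional[float] = None) -> bool:
    """Convenience: is the passcode required now, if it was last entered
    `passcode_age_hours` ago and Touch ID last unlocked `touch_id_age_hours` ago
    (None: not used since the passcode entry)?"""
    now = datetime(2016, 9, 19, 8, 0)
    touch = None if touch_id_age_hours is None else now - timedelta(hours=touch_id_age_hours)
    state = DeviceState(last_passcode_unlock=now - timedelta(hours=passcode_age_hours),
                        last_touch_id_unlock=touch)
    return passcode_required(state, now)


def demo_week() -> list[float]:
    """Run the constructed week; the only prompt lands on Sunday at 11:00 (offset 147)."""
    return simulate(datetime(2016, 9, 19, 8, 0), weekly_schedule())


if __name__ == "__main__":
    start = datetime(2016, 9, 19, 8, 0)  # a Monday
    for h in demo_week():
        print("passcode demanded at", start + timedelta(hours=h))
```

Saturday's 10-hour gap does not prompt because the passcode is only five days old; Sunday's does because both conditions now hold. Entering the passcode on Sunday resets the six-day clock, so the next weekend passes without a prompt unless the same pattern repeats.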
Craig Federighi, Senior Vice President of Software Engineering at Apple, writing for The Washington Post:
That's why it’s so disappointing that the FBI, Justice Department and others in law enforcement are pressing us to turn back the clock to a less-secure time and less-secure technologies. They have suggested that the safeguards of iOS 7 were good enough and that we should simply go back to the security standards of 2013. But the security of iOS 7, while cutting-edge at the time, has since been breached by hackers. What’s worse, some of their methods have been productized and are now available for sale to attackers who are less skilled but often more malicious.
A cogent argument from Federighi. It follows on from Tim Cook's open letter and interview with ABC News, as well as Bruce Sewell's testimony to a congressional committee.
It was discovered this weekend that two installers of version 2.90 of the popular BitTorrent client Transmission had been infected with what is believed to be the first fully functional ransomware on OS X. Palo Alto Networks, who discovered the infection, report that the malicious installers, carrying ransomware dubbed KeRanger, were served from Transmission's website on March 4. KeRanger waits three days after infection, then encrypts files under the "/Users" and "/Volumes" directories and demands payment of 1 Bitcoin (~US$400) from victims in order to decrypt and return their files.
It is not yet known how the Transmission installers were infected. Palo Alto Networks promptly disclosed the ransomware to the Transmission Project and Apple, and both have taken swift action. Transmission has since been updated to 2.91 (a clean installer) and 2.92 (which also removes KeRanger if it had already been installed on a user's system). Apple has revoked the developer certificate the infected installer was signed with (the reason Gatekeeper let it run in the first place), so Gatekeeper now blocks it, and has updated its XProtect (Apple's built-in anti-malware) signatures.
How to Protect Yourself
The following is excerpted from Palo Alto Networks' report on KeRanger. We recommend you read their full report if you would like further, and more detailed, information.
Users who have directly downloaded the Transmission installer from the official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, may have been infected by KeRanger. If the Transmission installer was downloaded earlier or from any third-party website, we also suggest users perform the following security checks. Users of older versions of Transmission do not appear to be affected as of now.
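The checks referred to above correspond to the indicators Palo Alto Networks published: a `General.rtf` file inside the Transmission.app bundle (in the infected build it is actually a Mach-O executable, not a document), a running `kernel_service` process, and `.kernel_pid`, `.kernel_time`, `.kernel_complete` or `kernel_service` files under `~/Library`. The following Python script is an added example that automates those file and process checks; it is not Palo Alto's or Transmission's code. The sample tree it builds for its demo is constructed, and it only detects this particular KeRanger build, not ransomware in general. Because KeRanger waits three days before encrypting, running a check inside that window is worthwhile:

```python
import subprocess
import tempfile
from pathlib import Path
from typing import Iterable, Optional

# Indicators from Palo Alto Networks' KeRanger report.
INFECTED_APP_MARKER = Path("Contents/Resources/General.rtf")  # Mach-O dropper posing as a document
APP_LOCATIONS = (
    "/Applications/Transmission.app",
    "/Volumes/Transmission/Transmission.app",
)
LIBRARY_ARTIFACTS = (".kernel_pid", ".kernel_time", ".kernel_complete", "kernel_service")
PROCESS_NAME = "kernel_service"


def find_indicators(app_locations: Iterable = APP_LOCATIONS,
                    library: Optional[str] = None) -> list[str]:
    """Return one line per indicator found; an empty list means none was present.

    Paths are parameters so the check can be pointed at a mounted image of
    another Mac or, as in demo() below, at a constructed test tree."""
    library_dir = Path(library) if library is not None else Path.home() / "Library"
    findings = []
    for app in app_locations:
        marker = Path(app) / INFECTED_APP_MARKER
        if marker.exists():
            findings.append(f"infected Transmission bundle: {marker}")
    for name in LIBRARY_ARTIFACTS:
        artifact = library_dir / name
        if artifact.exists():
            findings.append(f"KeRanger artifact: {artifact}")
    return findings


def process_running(name: str = PROCESS_NAME) -> bool:
    """True if a process named exactly `name` is running. Uses pgrep -x, present
    on OS X and Linux; if pgrep is unavailable the check conservatively reports False."""
    try:
        result = subprocess.run(["pgrep", "-x", name], capture_output=True, check=False)
    except FileNotFoundError:
        return False
    return result.returncode == 0


def build_sample_tree(root: Path) -> tuple[list[str], str]:
    """Construct a fake infected layout under `root` (for demonstration only)."""
    app = root / "Applications" / "Transmission.app"
    marker = app / INFECTED_APP_MARKER
    marker.parent.mkdir(parents=True)
    marker.write_bytes(b"\xcf\xfa\xed\xfe")  # stand-in bytes, not the real dropper
    library = root / "Library"
    library.mkdir()
    (library / ".kernel_pid").write_text("12345\n")
    return [str(app)], str(library)


def demo() -> list[str]:
    """Run the file checks against the constructed tree; yields two findings."""
    with tempfile.TemporaryDirectory() as tmp:
        apps, library = build_sample_tree(Path(tmp))
        return find_indicators(apps, library)


if __name__ == "__main__":
    # Real check against this Mac.
    hits = find_indicators()
    if process_running():
        hits.append(f"process running: {PROCESS_NAME}")
    print("\n".join(hits) if hits else "no KeRanger indicators found")
```

If the bundle marker is found, delete that copy of Transmission and install 2.92 or later; if the process or the `~/Library` artifacts are present, the dropper has already run, and restoring from a backup taken before the download is the safe path.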
[via MacRumors, Palo Alto Networks]
If you have been using Google Authenticator or Authy for two-step verification (“2FA” for short), you may have wondered whether you should switch to 1Password, now that it offers the same functionality. You may have wondered how much of a hassle it would be to change from one app to another, and if it would be worth it.
If that describes you, well, then you’re in luck, because I just completed the switch and I’m here to report my results. (Spoiler Alert: it was easier than I expected, and I already like it more than Authy, despite having really liked Authy.) There are a few “tips and tricks” which can make the transition a little easier.
Two days after its initial announcement, and on the heels of F-Secure's removal tool, checking Software Update on your Mac should prompt you for Apple's latest Java update for OS X. The Java for OS X 2012-003 update removes the most common variants of the Flashback trojan and disables automatic execution of Java applets. You can turn applets back on through the Java Preferences application, but the plug-in will automatically disable them again if no applets have been run for an extended period.
For more information, you can read the support article or the supplementary information provided through Software Update.
[Apple Support via The Loop]
Apple Increasing Security of Apple ID Accounts on iOS
The Next Web reports that Apple has begun enhancing the security of Apple ID accounts on iOS devices and in iTunes by asking users to pick three security questions.
In the past 24 hours, Apple appears to have started prompting iOS device owners and those with Apple IDs within iTunes to make their accounts more secure, requiring them to pick three security questions and enter their answers when they download a new app.
The company is also asking users to enter a backup email address, in order to better protect their device but also their account (which is tied to Apple’s Retail website and all of its media services).
Apple's effort to educate users on security by urging them to set security questions is laudable, especially considering the many cases of phishing and hijacked App Store accounts reported in recent years. On the other hand, it is worth noting that several users have been asking Apple to be more flexible about requiring the account password on the iOS App Store, letting them download free apps and updates without a password prompt after periods of inactivity.