This Week's Sponsor:

Collections Database

A Powerful Database with iCloud Sync

Posts tagged with "security"

New Touch ID Rules

Glenn Fleishman, writing for Macworld on a recent change to Touch ID authentication in iOS 9:

When iOS 9 was released, Apple updated its list of cases in which iOS asks for a passcode even when Touch ID is enabled. A previously undocumented requirement asks for a passcode in a very particular set of circumstances: When the iPhone or iPad hasn’t been unlocked with its passcode in the previous six days, and Touch ID hasn’t been used to unlock it within the last eight hours. It’s a rolling timeout, so each time Touch ID unlocks a device, a new eight-hour timer starts to tick down until the passcode is required. If you wondered why you were being seemingly randomly prompted for your passcode (or more complicated password), this is likely the reason.

This explains why I’ve been seeing the passcode prompt during the weekends (when I stay up late and occasionally sleep more than 8 hours).

Permalink

Craig Federighi on Encryption and the FBI’s Demands

Craig Federighi, Senior Vice President of Software Engineering at Apple, writing for The Washington Post:

That’s why it’s so disappointing that the FBI, Justice Department and others in law enforcement are pressing us to turn back the clock to a less-secure time and less-secure technologies. They have suggested that the safeguards of iOS 7 were good enough and that we should simply go back to the security standards of 2013. But the security of iOS 7, while cutting-edge at the time, has since been breached by hackers. What’s worse, some of their methods have been productized and are now available for sale to attackers who are less skilled but often more malicious.

A cogent argument from Federighi. It follows on from Tim Cook’s open letter and interview with ABC News, as well as Bruce Sewell’s testimony to a congressional committee.

Permalink

Transmission Infected with KeRanger Ransomware

It was discovered this weekend that popular BitTorrent client Transmission was infected with what is believed to be the first fully functional ransomware on OS X. Palo Alto Networks discovered the infection and report that attackers infected two installers of version 2.90 of Transmission’s Mac app with the ransomware, dubbed KeRanger, on March 4. The ransomware works by encrypting all files in the “/Users” and “/Volumes” directories and then demands payment of 1 Bitcoin (~US$400) from victims in order to decrypt and retrieve their files.

It is not yet known how the Transmission installers were infected. Palo Alto Networks promptly disclosed the ransomware to the Transmission Project and Apple, and both have taken swift action. Transmission has since been updated to 2.9.1 (removing the ransomware from the installer) and 2.9.2 (automatically removing KeRanger if it had been installed on a user’s system). Whilst Apple has revoked the certificate used to install KeRanger, updated Gatekeeper to block the malicious installer, and updated its XProtect (Apple’s built-in anti-malware software) signatures.

How to Protect Yourself

The following is excerpted from Palo Alto Networks’ report on KeRanger. We recommend you read their full report if you would like further, and more detailed, information.

Users who have directly downloaded Transmission installer from official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, may be been infected by KeRanger. If the Transmission installer was downloaded earlier or downloaded from any third party websites, we also suggest users perform the following security checks. Users of older versions of Transmission do not appear to be affected as of now.

[via MacRumors, Palo Alto Networks]

Switching from Google Authenticator or Authy to 1Password

Editorial Preview

If you have been using Google Authenticator or Authy for two-step verification (“2FA” for short), you may have wondered whether you should switch to 1Password, now that it offers the same functionality. You may have wondered how much of a hassle it would be to change from one app to another, and if it would be worth it.

If that describes you, well, then you’re in luck, because I just completed the switch and I’m here to report my results. (Spoiler Alert: it was easier than I expected, and I already like it more than Authy, despite having really liked Authy.) There are a few “tips and tricks” which can makes the transition a little easier.

Read more

Apple’s Java for OS X 2012-003 Update Removes Common Flashback Variants

Two days after their initial announcement and on the heels of F-Secure’s removal tool, checking Software Update on your Mac should prompt you for Apple’s latest Java update for OS X. The 2012-003 update removes common variants of the Flashback trojan, as well as disabling automatic execution of Java applets. While you will be able to turn the ability to run Java applets back on through the Java Preferences app, it will automatically be disabled if you don’t consistently access or run applets after a period of time.

For more information, you can read the support article or the supplementary information provided through Software Update.

[Apple Support via The Loop]

Apple Increasing Security of Apple ID Accounts on iOS

Apple Increasing Security of Apple ID Accounts on iOS

The Next Web reports Apple has begun enhancing the security of Apple ID accounts on iOS devices and iTunes by asking users to pick three security questions.

In the past 24 hours, Apple appears to have started prompting iOS devices owners and those with Apple IDs within iTunes to make their accounts more secure, requiring them to pick three security questions and enter their answers when they download a new app.

The company is also asking users to enter a backup email address, in order to better protect their device but also their account (which is tied to Apple’s Retail website and all of its media services).

Apple’s motivation to educate users on security by urging them to enable security questions is laudable, especially considering the many cases of phishing and hacked App Store accounts reported in the past years. However, it is worth noting how, on the other hand, several users have been asking Apple to be more flexible with entering an account’s password on the iOS App Store, letting users download free apps and updates without asking for a password after periods of inactivity.

Permalink

Security Researcher Demoes Bug To Execute Unsigned Code on iOS Devices

Security researcher Charlie Miller, former NSA analyst now working for consultancy firm Accuvant, plans to publicly demonstrate a new security hole that could allow regular App Store apps to download and execute unsigned code on any iOS device. As Forbes reports, Miller, who isn’t new to the Mac and iOS hacking and security scene, plans to detail his discoveries at the SysCan conference in Taiwan next week.

Full details of the security hole aren’t available – Miller is apparently saving the presentation for next week to give Apple time to fix the issue, and the company is indeed already working on an iOS 5.0.1 update – but Miller had a “stealth app” approved by Apple in the App Store to record a video of the hidden “functionality”. The app was called Instastock, and it behaved as a regular stock monitoring app until Miller recorded a video of his iPhone being subject to malicious attacks through the app, which has since been pulled. Apparently, since Apple found out about Miller’s app and YouTube video, he’s also been removed from the iOS Developer Program.

As you can see in the video, the app gets downloaded from the App Store as any other free or paid app. The first time Miller runs it on his iPhone, nothing happens and the app performs as advertised. But as soon as Miller activates the hidden functionalities on his web server, somehow connected to the iOS app, the app “phones home” and starts downloading and executing unsigned code. As per Apple’s technical rules and guidelines, App Store apps can only execute code approved by Apple. Yet with Instastock, Miller managed to make the iPhone vibrate remotely, open a YouTube video, and even download the device’s entire Address Book remotely. The app is seen exposing parts of the iOS filesystem, listing installed apps, and presumably giving access to a user’s documents, photos and more. In the video – which we’ve embedded below – you can also watch Miller execute commands remotely (from his computer to iPhone) using a command line interface.

Apparently, the hack has been made possible by a flaw in Apple’s JavaScript engine Nitro, introduced with iOS 4.3, that makes a series of system exceptions for Mobile Safari to render web pages faster. Forbes quotes Miller as saying “Apple runs all these checks to make sure only the browser can use the exception,” he says. “But in this one weird little corner case, it’s possible. And then you don’t have to worry about code-signing any more at all.”

Instastock has already been pulled from the App Store, and it’s unlikely that anyone else will figure out the exact bug that Miller has discovered before Apple releases iOS 5.0.1, which has reached beta 2 status and has been reported to introduce security fixes for iOS devices. Apple will likely include a fix for Miller’s discovery in iOS 5.0.1, but  in the meantime you can check out the interesting demo after the break.
Read more

Security Update 2011-005 Released, Addresses DigiNotar Certificates

Earlier this afternoon Apple released two security updates for OS X Lion and 10.6.8 Snow Leopard to address an issue with compromised digital certificates issued by DigiNotar weeks ago.

Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.1, Lion Server v10.7.1

Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information

Description: Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar’s certificates, including those issued by other authorities, are not trusted.

The updates are available on Software Update, or directly on Apple’s Downloads website. DigiNotar’s servers were hacked last month, and began issuing false certificates, leading to security concerns among several companies. As Apple also notes, it was possible to remove the certificates manually by deleting the root entries in Keychain Access.

Direct links:

Security Update 2011-005 (Lion)

Security Update 2011-005 (Snow Leopard)

Firm Behind MacDefender Malware Likely Busted in Russian Raid

If you run an organization that runs a rogue pharmacy business and provides malicious support for fake anti-virus programs, then it’s likely you’re going to get caught. Such is the case with ChronoPay, whose offices were raided by Russian authorities at the end of July after the co-founder was arressted for allegedly launching denial-of-service attacks against payment processing firms in an attempt to undercut his competitors. The firm under inspection, ChronoPay, has been found with “mountains of evidence” that show the company running illegal anti-virus scams including MacDefender, which plauged Mac users earlier this year with fake pop-ups that scared users into thinking they had viruses, and even tricked users into supplying their credit card information via registration through the fake virus-removal app. MacDefender was crticized by Ed Bott as the start of something big, although security and malware news has been quiet last month, and the MacDefender threat itself could be diminished after this recent raid.

MacRumors writes,

The last release of MacDefender occurred on June 18. ChronoPay’s offices are raided June 23. A coincidence perhaps, or Russian law enforcement saving Mac users from fake antivirus software.

Companies in the business of writing and supporting malware such as MacDefender can rake in a lot of money in a short period of time. It’s an incredibly profitable business, feeding off the fear of individuals whom become victims to the scare tactics malware and phishing scams employ. While the takedown of ChronoPay will have a significant negative impact in revenues against cyber criminals in the black market, these raids are only short-term wins.

Given fake AV’s status as a reliable cash cow, the industry is likely to bounce back rapidly. Fake AV is extremely profitable, in large part because it is easily franchised.

Individual affiliates can quickly make a lot of money. Fake AV distribution networks pay affiliates between $25 and $35 each time a victim provides a credit card to pay for the junk software.

To spread malware, companies like ChronoPay can hire affiliates who can deploy malware and get paid based on how many systems are infected (how many programs are installed). The end result is that business is profitable for all the parties involved: fake anti-virus programs can offer “malware-removal” at the same market prices as legitimate anti-malware programs (the victim doesn’t know the difference), the distributors of malware are also paid wealthy amounts based on how successful that malware is, and you can begin to see how and why these types of businesses function in black markets. MacDefender was efficient since it preyed on Windows-to-Mac converts who are unfamiliar with legitimate solutions available, and thus fell for its tricks. MacDefender, while it garnered a lot of attention, has seemingly died down and is hopefully squashed for good with ChronoPay out of the picture.

MacDefender wasn’t some malware written by a couple young adults in their basement as we’d expect — this was a rare case of serious malware backed by a company (with a lot of money and mal-intent) and its affiliates. Hopefully, if evidence against ChronoPay turns out to be the real-deal, it’ll lead to more arrests and a safer Internet. The battle is far from won when it comes ot malware, but its always comforting knowing that there’s one less threat to deal with.

[Krebs on Security via MacRumors, (Image via ZDNet)]