Information Security all in one place!

Posts tagged “Apple”

Mobile Devices and the Growing Concern



If you use any type of mobile device in your day to day life….keep reading. Ignorance can only bring you so far!

Two separate studies of mobile devices have found serious privacy and security issues. One of the studies found that smartphones and tablet PCs can be eavesdropped on when they are being used to make purchases, conduct online banking transactions, or access VPNs (virtual private networks). Another study uncovered a number of ways to break into Apple’s iOS, its operating system for mobile devices. It is likely that cyber criminals will increasingly turn to mobile devices in their attacks as the devices become more and more commonplace in business transactions.

Related Information: http://www.usatoday.com/tech/news/story/2012-04-08/smartphone-security-flaw/54122468/1

Proof of Concept Video: http://bcove.me/44ip4sgw


iOS Safari: Address spoofing vulnerability


Through a vulnerability in WebKit in the mobile version of Safari, an attacker could manipulate the address bar in the browser and lead the user to a malicious site with a fake URL showing above it. The security researcher David Vieira-Kurz has published an advisory which explains the problem. Incorrect handling of the URL when the JavaScript method “window.open()” is used allows an attacker to “own” the HTML and JavaScript code in the new window and, in turn, change the address bar of that window.


The researcher demonstrated the vulnerability at majorsecurity.net/html5/ios51-demo.html – a “Demo” button opens a new page that loads apple.com in a borderless iframe and also displays apple.com in the address bar, even though the page itself originated from majorsecurity.net. Fraudsters could use the vulnerability for phishing attacks by sending users to pages which appear to be their bank’s and asking for account data.

More on this story here: http://www.h-online.com/security/news/item/Address-spoofing-vulnerability-in-iOS-s-Safari-1476314.html


Safari: Closes Security Holes with version 5.1.4


Safari: Closes 80 Security Holes with version 5.1.4

Apple has released version 5.1.4 of its Safari web browser for Windows and Mac OS X. According to the company, the maintenance and security update addresses more than 80 vulnerabilities. The update also includes various stability and performance improvements as well as fixes for other non-security related bugs.

A majority of the security holes closed in 5.1.4 were found in the WebKit browser engine used by Safari. These include several cross-site scripting (XSS), cross-origin and HTTP authentication problems, as well as numerous memory corruption bugs that could be exploited by an attacker, for example, to cause unexpected application termination or arbitrary code execution.

The recent issue, where Google were accused of bypassing Safari’s privacy controls on cookies, also appears to have been addressed. Details of how Apple have fixed this though are not given. A bug in Safari’s Private Browsing mode that allowed page visits to be recorded in the browser history when the mode was active has been fixed.

On Windows systems, the browser update improves domain name validity checking in order to prevent attackers from using look-alike characters in a URL to visually spoof a legitimate domain and direct users to a malicious site – Mac OS X systems were not affected by this issue.
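The look-alike problem the Windows fix addresses is the internationalised-domain-name homograph issue: a hostname is transmitted as punycode (an `xn--` label) but rendered in Unicode, so a label that mixes, say, Cyrillic and Latin letters can be drawn so that it is indistinguishable from a well-known Latin name. The following Python check is an added example, not code from Apple or from the article: it decodes punycode hostnames with the standard library and flags any label whose characters come from more than one script. The script classification by Unicode character name is a deliberate simplification (a real browser policy is more involved), and the sample hostname `xn--pple-43d.com`, which decodes to a Cyrillic “а” followed by Latin “pple”, is used here only as a constructed illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Unicode name prefixes treated as script-neutral (digits, hyphen, full stop)
NEUTRAL_PREFIXES = {"DIGIT", "HYPHEN-MINUS", "FULL"}


def script_of(ch: str) -> str:
    """Approximate a character's script from the first word of its Unicode name.

    Adequate for the Latin/Cyrillic/Greek confusables this check targets;
    it is not a full Unicode script database.
    """
    name = unicodedata.name(ch, "")
    if not name:
        return "UNKNOWN"
    first = name.split(" ")[0]
    return "COMMON" if first in NEUTRAL_PREFIXES else first


def decode_hostname(host: str) -> str:
    """Return the Unicode form of a hostname.

    Punycode (xn--) labels are decoded by the stdlib idna codec; hostnames
    that are already Unicode, or that fail to decode, pass through unchanged.
    """
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def check_hostname(url: str) -> dict:
    """Flag hostnames whose labels mix scripts (the classic look-alike pattern).

    Labels written entirely in one non-Latin script are legitimate for many
    sites, so they are only recorded for review, not marked suspicious.
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    decoded = decode_hostname(host)
    mixed, non_latin = [], []
    for label in decoded.split("."):
        scripts = {script_of(ch) for ch in label} - {"COMMON"}
        if len(scripts) > 1:
            mixed.append((label, sorted(scripts)))
        elif scripts and scripts != {"LATIN"}:
            non_latin.append((label, scripts.pop()))
    return {
        "host": host,
        "decoded": decoded,
        "punycode": decoded != host,
        "mixed_script_labels": mixed,
        "non_latin_labels": non_latin,
        "suspicious": bool(mixed),
    }


if __name__ == "__main__":
    # Constructed sample URLs: a genuine Latin name and a mixed-script look-alike
    for url in ("https://apple.com/", "https://xn--pple-43d.com/login"):
        result = check_hostname(url)
        print(f"{result['host']:<20} -> {result['decoded']:<12} "
              f"suspicious={result['suspicious']} {result['mixed_script_labels']}")
```

The mixed-script rule is what catches the “one Cyrillic letter in an otherwise Latin name” trick; whole-script confusables (a label made entirely of Cyrillic letters that all resemble Latin ones) need a confusables table or an allow-list of known brands, which is the extra work browsers had to take on after fixes like this one.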

More can be found here: http://www.h-online.com/security/news/item/Safari-update-closes-security-holes-1470595.html


Apple: New iOS Release Addresses Multiple Vulnerabilities


Apple closes security holes with iOS 5.1 and iTunes update

Alongside the launch of the “new iPad“, Apple released iOS 5.1 for the iPhone 3GS, 4 and 4S, the 3rd generation iPod touch, and the iPad and iPad 2. The update includes fixes for 91 issues with CVE identifiers. The majority, 66 of the issues, are described as “unexpected application termination or arbitrary code execution” in WebKit due to memory corruption. These flaws were mostly found by Apple or members of the Google Chrome Security Team, while a number were found by Chrome special reward winner miaubiz.

Two screen lock bypass issues are fixed, including one, a race condition with slide to dial gestures that could bypass the passcode lock, discovered by Roland Kohler of the German Federal Ministry of Economics and Technology, and an uncredited discovery that Siri’s lock screen could be used to forward messages to an arbitrary user.


Another error, which allowed a malicious program to bypass the sandbox by exploiting an error in the handling of debug calls, has been fixed, with the error’s discovery credited to the “2012 iOS Jailbreak Dream Team”. A flaw in Private Browsing in Safari that recorded JavaScript pushState and replaceState methods in browser history has also been fixed. Other flaws fixed include information disclosure in CFNetwork with maliciously crafted URLs, an integer underflow when mounting disk images, an integer underflow when processing DNS records, and cross-origin issues with cookies and content which could enable cross-site scripting attacks.

iOS 5 devices have automatic update support, and the update should be available “over-the-air” or via iTunes. Users who wish to force the update can use the Settings app, select General and then Software Update, ensuring the device is fully charged or on charge. Full details of all the issues fixed are given in About the security content of iOS 5.1 Software Update.

Many of the same WebKit issues are fixed in the iTunes 10.6 update to mitigate the possibility that a man-in-the-middle attack could be used while browsing Apple’s iTunes Store to compromise a system. The iTunes 10.6 update is for Mac OS X and Windows systems and details of the fixes are available in About the security content of iTunes 10.6.

More available here: http://www.h-online.com/security/news/item/Apple-closes-security-holes-with-iOS-5-1-and-iTunes-update-1466786.html


Data, Laws, Cyber-Weapons Biggest Threats to Information Security


This is one of the best articles coming out of the RSA Conference 2012 that I have read online so far. Take the time to read through the article, which comes to a head with what some are calling “Cyber-Warfare” and “Big Data”. Simply put, the article explains the three biggest threats in Information Security for 2012 and what to expect in the news in the near future.

  1. Data – Big Data, Big Companies
  2. Laws – Government Regulations and Internet Monitoring
  3. Cyber-Weapons – Cyber Warfare

This article pushes my belief that what Anonymous is doing is wrong (let’s be honest, we all teeter on the fence). Reading through the article, you will gather that governments are scared and want to take control of the internet. Anonymous, in my opinion, is fueling this fear and they are setting themselves up for failure of their own beliefs. Governments from around the world are going to regulate the internet; then we will see a change, and they are not going to be able to push back as easily. And Information Security is going to boom!

Data, Laws, Cyber-Weapons Biggest Threats to Information Security

Posted on Sunday Mar 4th 2012 by Fahmida Y. Rashid.

The three biggest information security risks in 2012 are the rise of big data, ill-conceived regulations and the prospect of cyber-war, a prominent security expert told attendees at the 2012 RSA Conference.

The people who are taking advantage of technology to further their own business models threaten the Internet, Bruce Schneier, a renowned security expert and CTO of British Telecom, said in a presentation at the RSA Conference in San Francisco Feb. 28. His talk was in stark contrast to the majority of the speakers at this year’s conference, who focused on cyber-criminals, terrorists and hacktivists.

Just as the tobacco industry is called Big Tobacco and energy giants are called Big Oil, Schneier sees some of the larger Web companies becoming part of Big Data.

“I think the rise of Big Data is as important a threat in the coming years, one we should really look at start taking seriously,” Schneier told his audience.

The shift toward looking at user data as a commodity is inevitable as storage becomes less and less expensive, said Schneier. Companies such as Apple, Amazon and Google are basing their businesses on the prospect of monetizing user data, such as photos, documents, video, search history, shopping behavior and other online activity.

“It’s easy and cheaper to search than sort,” said Schneier.

Data is no longer being kept separate, but aggregated so that users can be shown targeted ads or directed to customized services, said Schneier. Advertising is just one way data can be collected, aggregated and monetized. Organizations can assess credit-worthiness, evaluate employees or even take the step toward linking with government or other legal data.

The risks to security arise because users have to relinquish control over their data. “Feudal security” refers to what happens when users have to depend on a company to safeguard their private data. Big Data cares about making money from advertisers. IT or user privacy are not priorities.

Users aren’t just relinquishing control over their data, Schneier said, noting that smartphones and portable devices are also restricted in what the user could do with them.

For example, Apple doesn’t give users the same access control on the iPhone that it does on its computer. “I can’t do things as a security professional on my iPhone,” said Schneier.

“Ill-conceived regulations from law enforcement” is the second biggest risk, according to Schneier. While law enforcement and legislators are operating with an “honest desire” to make the Internet safer to use, the laws they create introduce a host of new problems. Legislators are listening to law enforcement requests to pass laws that allow eavesdropping to catch cyber-criminals. These kinds of laws do not make the Internet more secure for the vast majority of users.

“Mostly, what they propose is dumb,” said Schneier.

Read More Here: http://mobile.eweek.com/c/a/Security/Data-Laws-CyberWeapons-Biggest-Threats-to-Information-Security-378868/


Apple: Aims to Flick the Privacy Flea


Apple Will Require Apps to Obtain User Permission Before Accessing Contact Data

US legislators sent a letter to Apple CEO Tim Cook asking why the company does not require iOS developers to obtain permission from users before apps download users’ contacts. The inquiry follows close behind news that the Path app downloaded users’ address books without their permission. Apple has responded to the question with a promise to change that policy so apps requiring use of address book data request that information explicitly.


*More on this story here:


[Editor’s Comment (SANS.org):

“I wonder if they will be in time to avoid a major disaster. I was surprised to read on slashdot that your data was safer on unapproved apps for jailbroken iPhones than on approved apps from Apple’s store”:

http://apple.slashdot.org/story/12/02/15/0036242/unauthorized-ios-apps-leak-private-data-less-than-approved-ones]


***Back story on NetsecurityIT.com:

  1. https://netsecurityit.wordpress.com/2012/02/09/path-ios-app-stores-address-books-on-its-servers/
  2. https://netsecurityit.wordpress.com/2012/02/09/update-path-apologizes-for-storing-address-books-on-its-servers/

Update – Path apologises for storing address books on its servers


Path apologises for iPhone address book uploading

Dave Morin, co-founder and CEO of Path, has apologised for the company’s uploading of iPhone address book data to its servers saying “We are sorry. We made a mistake”. The uploading of the address book by Path’s iPhone app was discovered by a user who had been examining traffic sent by iPhone applications. Morin also said that the company was deleting all address book data that it had previously received through the application.

Path had been using the data as part of an “Add Friends” feature, but did not tell users of their iPhone application that their entire address book was being uploaded to Path’s servers over an HTTPS connection. Path has now released version 2.0.6 of the iPhone app which allows a user to opt-in or opt-out of sharing address book information. This option has existed for several weeks in the Android version of Path’s application.


But concerns about the security of address book information held on the iPhone are being raised. Already, another application, Hipster, has been found to be sending email addresses from the address book, unencrypted and over HTTP, to its servers. The Hipster CEO has also apologised and called for app developers to hold a summit to discuss the issue of address book privacy.

At issue is the lack of protection within iOS of address book data. Although a user’s own contact information is well protected, the rest of the address book is easily accessible and needs no authorisation or permissions. Critics are suggesting that it is Apple’s responsibility to have an appropriate mechanism in place to restrict address book access as it already restricts access to other information on the iPhone. It is reported that one app developer has created an application which can, on jailbroken iPhones, prompt the user when the address book is being accessed. Apple has yet to comment on the matter.

Source: http://www.h-online.com/security/news/item/Path-apologises-for-iPhone-address-book-uploading-1431197.html

Original Post: Path iOS app Stores address books on its servers

Mobile social networking app Path is under fire for uploading user address books to its servers without explicit consent.

Developer Arun Thampi first discovered the issue while observing various API calls made to Path’s servers from its iPhone app. “Upon inspecting closer, I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path,” Thampi writes on his blog. “Now I don’t remember having given permission to Path to access my address book and send its contents to its servers, so I created a completely new ‘Path’ and repeated the experiment and I got the same result–my address book was in Path’s hands… I’m not insinuating that Path is doing something nefarious with my address book but I feel quite violated that my address book is being held remotely on a third-party service.”
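Thampi found the upload by watching the API calls the app made, and that kind of review can be scripted rather than read by eye. The Python check below is an added example, not code from the article, from Thampi or from Path: it parses a request body captured from an intercepting proxy, walks the plist whatever its nesting, and lists the e-mail addresses and phone numbers it carries so a tester can quantify what personal data left the device. The request body is constructed for the example and only mirrors the shape of an address-book upload; the e-mail and phone patterns are deliberately loose, since the goal is triage of a capture, not validation.

```python
import plistlib
import re
from typing import Iterator

# Constructed stand-in for a request body captured with an intercepting proxy.
# It mirrors the shape of an address-book upload as a plist; it is not a real capture.
CAPTURED_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>device</key><string>iPhone</string>
  <key>contacts</key>
  <array>
    <dict>
      <key>name</key><string>Alice Example</string>
      <key>emails</key><array><string>alice@example.com</string></array>
      <key>phones</key><array><string>+1 415 555 0100</string></array>
    </dict>
    <dict>
      <key>name</key><string>Bob Example</string>
      <key>emails</key><array><string>bob@example.org</string></array>
      <key>phones</key><array/>
    </dict>
  </array>
</dict>
</plist>
"""

# Loose patterns: good enough to triage a capture, not to validate addresses
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?[\d\s().-]+$")


def strings_in(node) -> Iterator[str]:
    """Yield every string value in a parsed plist, however deeply nested."""
    if isinstance(node, dict):
        for value in node.values():
            yield from strings_in(value)
    elif isinstance(node, list):
        for value in node:
            yield from strings_in(value)
    elif isinstance(node, str):
        yield node


def looks_like_phone(s: str) -> bool:
    """Phone-shaped string: only dial characters and at least seven digits."""
    return bool(PHONE_RE.match(s)) and sum(ch.isdigit() for ch in s) >= 7


def audit_body(body: bytes) -> dict:
    """Classify the personal identifiers found in a captured plist request body."""
    data = plistlib.loads(body)
    emails, phones = [], []
    for s in strings_in(data):
        if EMAIL_RE.match(s):
            emails.append(s)
        elif looks_like_phone(s):
            phones.append(s)
    return {"emails": emails, "phones": phones, "identifiers": len(emails) + len(phones)}


if __name__ == "__main__":
    report = audit_body(CAPTURED_BODY)
    print(f"{report['identifiers']} personal identifiers in request body")
    for kind in ("emails", "phones"):
        for value in report[kind]:
            print(f"  {kind[:-1]}: {value}")
```

Run against a real capture, the same function answers the question Thampi asked by hand: not whether the app talks to its servers, which every networked app does, but how much of the address book is inside the payload. Any non-zero count for data the user was never asked about is the finding.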


Path co-founder and CEO Dave Morin soon responded to Thampi’s blog post, writing “We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more.” Morin goes on to state that Path rolled out friend finding and matching as an opt-in feature of its new client for Google’s (NASDAQ:GOOG) Android, released a few weeks back, and will also include the opt-in as part of Path for iOS 2.0.6, presently awaiting Apple’s (NASDAQ:AAPL) approval.

Developer Matt Gemmell followed Morin’s post to ask why Path is uploading actual address books instead of generating hashes of user email addresses and uploading the hashed data. Gemmell also asks why Path did not include the opt-in feature from the outset.

Morin responded by saying Path will look into data hashing options. As for why the startup did not include the opt-in feature from the get-go, he writes “This is currently the industry best practice and the App Store guidelines do not specifically discuss contact information.” But iOS developer David Smith suggests Path could be in violation of App Store guideline 17.1, which states “Apps cannot transmit data about a user without obtaining the user’s prior permission and providing the user with access to information about how and where the data will be used,” as well as 17.2, which reads “Apps that require users to share personal information, such as email address and date of birth, in order to function will be rejected.”
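Gemmell’s question is worth making concrete. The Python sketch below is an added example of the hashed-matching approach he describes; it is not Path’s code and does not reflect what Path later shipped. The client normalises each identifier (case and whitespace for e-mail, digits only for phone numbers, with a constructed US-only country-code assumption) and uploads only SHA-256 digests; the server keeps digests of its own members and reports the intersection, so it never receives a name, address or number. The address book and member list are constructed sample data.

```python
import hashlib

# Constructed sample address book, standing in for what the app reads from the phone.
ADDRESS_BOOK = [
    {"name": "Alice", "email": " Alice@Example.COM ", "phone": "(415) 555-0100"},
    {"name": "Bob", "email": "bob@example.org", "phone": "+1 415 555 0199"},
    {"name": "Carol", "email": "carol@example.net", "phone": ""},
]

# Constructed server-side member list: (user id, email, phone or None).
MEMBERS = [
    ("u1", "alice@example.com", "+1 (415) 555-0100"),
    ("u2", "dave@example.com", None),
]


def normalize_email(addr: str) -> str:
    """Lower-case and trim so the same mailbox always hashes to the same value."""
    return addr.strip().lower()


def normalize_phone(num: str) -> str:
    """Keep digits only; a 10-digit number is assumed to be US (+1).

    The country-code rule is a simplification for this constructed example;
    a real client would use the device's region and a proper phone library.
    """
    digits = "".join(ch for ch in num if ch.isdigit())
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


def identifier_hash(kind: str, value: str) -> str:
    """SHA-256 over a domain-separated, normalized identifier."""
    return hashlib.sha256(f"{kind}:{value}".encode("utf-8")).hexdigest()


def contact_hashes(address_book) -> list:
    """Client side: the digests are the only thing that leaves the device."""
    hashes = []
    for entry in address_book:
        if entry.get("email"):
            hashes.append(identifier_hash("email", normalize_email(entry["email"])))
        if entry.get("phone"):
            hashes.append(identifier_hash("phone", normalize_phone(entry["phone"])))
    return hashes


def build_member_index(members) -> dict:
    """Server side: digest of every member identifier -> member id."""
    index = {}
    for user_id, email, phone in members:
        index[identifier_hash("email", normalize_email(email))] = user_id
        if phone:
            index[identifier_hash("phone", normalize_phone(phone))] = user_id
    return index


def match_friends(hashes, index) -> list:
    """Server side: members present in the upload, found without seeing raw contacts."""
    return sorted({index[h] for h in hashes if h in index})


if __name__ == "__main__":
    uploaded = contact_hashes(ADDRESS_BOOK)
    print(f"{len(uploaded)} digests leave the device, e.g. {uploaded[0][:16]}...")
    print("matched members:", match_friends(uploaded, build_member_index(MEMBERS)))
```

Two caveats belong with this design. Normalisation is what makes matching work at all, so both sides must apply exactly the same rules, which is why the helpers are shared here. And an unkeyed hash is only a modest privacy gain for phone numbers: the input space is small enough to enumerate, so a server that wanted the raw numbers back could recover most of them. A keyed hash on the server or a private set intersection protocol closes that gap; neither removes the need for the opt-in prompt Gemmell also asked about.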


Launched as an alternative to Facebook (where Morin helped develop Facebook Platform and Facebook Connect), Path limits social networks to 150 contacts, a move to guarantee users are interacting solely with the people closest to them. “Path should be private by default. Forever,” Path’s website states. “You should always be in control of your information and experience.”

Last month, Rep. Edward Markey (D-Mass.) released a discussion draft of the proposed Mobile Device Privacy Act. The act would require disclosure of mobile phone monitoring software when a consumer buys a new device; if the carrier, manufacturer or operating system later installs monitoring tools; and if a consumer downloads an app containing monitoring software. The act also calls for disclosure on the type of subscriber data that is collected, the identity of the third party to which the information is transmitted and how the info will be used.
Source: http://www.pcworld.com/article/249513/mobile_social_network_caught_uploading_users_address_books.html