Apple’s Snow Leopard Is Less Secure Than Windows, But Safer


Apple users have less protection from viruses and malicious software than Windows users do. But they’re still safer, security experts agree, because so few malware programs target the Mac.


Apple’s new Snow Leopard operating system, which landed in stores Friday, adds a few security enhancements to protect Mac users from malware. But like previous versions of the Mac OS, Snow Leopard lacks security features that are built in to Windows XP, Windows Vista and Windows 7, such as full Address Space Layout Randomization to thwart attacks from malicious code.

That makes Macs more vulnerable to attack, explained Charlie Miller, a security researcher and author of the book The Mac Hacker’s Handbook. But despite the platform’s weaknesses, Mac users have no reason to panic — yet. Apple’s PC market share is still only about 10 percent, giving hackers and malicious software coders very little economic incentive to target the Mac.

In short, Mac users are ducking behind a short wall — but as long as the enemy is firing in another direction, they’re not in grave danger.

“If you’re a bad guy and you’re doing this to make money … you don’t want to spend 90 percent of your time on Windows and 10 percent on Mac,” Miller said in a phone interview. “You’re going to want to spend 100 percent of your time on Windows.”

The security debate has long raged between Mac and Windows fans. Apple has actively fostered this feud, marketing its Mac software as superior in security. In a memorable TV ad, actor Justin Long, who personifies the Mac, teases “PC” actor John Hodgman for being more vulnerable to catching viruses.

Mac owners’ smugness may not last forever. As Apple slowly expands its market share, it is gradually becoming a bigger target for attack. Two years ago there were zero pieces of malware targeting the Mac platform, and in the past year, there were a few hundred, according to John Viega, a security researcher and author of the book The Myths of Security.

Those hundreds of pieces of malware are small compared to the 1.8 million total pieces of malware discovered last year, but it would be unfair to compare these numbers directly, Viega said. He noted that because so few Mac users are running anti-virus software, there’s far less need for malicious coders to create hundreds of different variants of the same attack, as they do for Windows.

In Snow Leopard, Apple has added security enhancements including Execute Disable, which prevents memory-corruption attacks, and some virus detection. Apple also added hardware-enforced Data Execution Prevention, which defends against buffer-overflow attacks — a major security feature that Windows has had for years, Miller said.

However, the anti-virus function in Snow Leopard only blacklists the most common pieces of malware, so it’s not a complete anti-virus system, Viega said.

Also, Apple has only just started implementing the Address Space Layout Randomization anti-exploitation technique by moving to 64-bit addressing in Snow Leopard, Miller said.

“I think that Apple is pointed in the right direction,” Viega said. “They care about getting security right. It’s just that they are much farther behind the rest of the industry because they got a late start, and they have a little bit of a disconnect in their marketing department, who wants to brag about their great security.”

“Their good track record is more a matter of luck in small market share,” Viega added. “As their market share continues to grow, they’re only going to become a bigger and bigger target.”

When discussing security, another issue to consider is that the landscape of internet threats has evolved over the years to be less platform-centric, said Leander Kahney, owner of the Cult of Mac blog and former news editor of Wired.com. Phishing, for example, is a security threat that involves tricking the user into handing over personal information.

“It’s a different kind of criminal activity,” Kahney said in a phone interview. “There’s going to be exploits where they try to steal people’s passwords, identities or credit card numbers. The kinds of attacks you can get through a website or an e-mail are not platform specific.”

What will make the Mac OS just as secure as, and safer than, Windows? Miller said all Apple has to do is finish adding Address Space Layout Randomization. He expects Apple will soon.

“I’m going to keep saying Snow Leopard is less secure than Windows 7,” Miller said. “Fix that one thing and I would stop saying it.”

Photo: ShannonKringen/Flickr


Movie Gadget Friday: Weird Science

Ariel Waldman contributes Movie Gadget Friday, where she highlights the lovable and lame gadgets from the world of cinema.

We last left off on the cyberpunk streets of LA in Strange Days. This week, in honor of the loss of the man behind so many 1980’s icons, Movie Gadget Friday is paying homage to filmmaker John Hughes with a look into the 1985 cult-classic Weird Science. Tapping into the geek-fiction fantasies of most tinkering teenagers, real-life gadget specs are stretched to surreal capabilities to create the ultimate female bombshell. It’s without surprise that the character’s name, Lisa, was inspired by the Apple Lisa, Apple’s first GUI computer.

Movie Gadget Friday: Weird Science originally appeared on Engadget on Fri, 28 Aug 2009 15:31:00 EST. Please see our terms for use of feeds.


WPA networks cracked in just under a minute, researchers claim

To think it was just a few months ago that we thought taking 15 minutes to crack WPA encryption was a feat. Researchers from Kobe University in Japan are claiming they can best that by a wide margin by cracking any WPA-protected connection using the TKIP algorithm within just one minute flat. The details will be revealed at a tech conference on September 25th. Feeling paranoid? Bump up your encryption to the still-secure AES algorithm or WPA2… and if you’re just wanting to live life on the edge, consider downgrading to WEP — it’s as good as open at this point anyway.

WPA networks cracked in just under a minute, researchers claim originally appeared on Engadget on Thu, 27 Aug 2009 21:42:00 EST.

Android Hacking For The Masses

Reasons to hack, or “root,” your Android handset: Custom OS upgrades, PC tethering, full-phone SD backups. Reason not to: It’s really scary. At least it was, until now.

RyeBrye has pieced together an Android app that does all the rooting legwork, a process that used to range from mildly intimidating to headache-inducing. In either case, the prospect was always daunting for the mainstream, which kept the joys of an unbound Android from most G1 and MyTouch owners. With this app, here’s the new, streamlined procedure:

• Download “Recovery Flasher” From the Android Market (or sideload it)
• Run it
• Tap “Back up recovery image”
• Tap “Flash Cyanogen Recovery 1.4”

Seriously, that’s it. Now your Android phone is splayed wide open, and ready for you to have your way with it. But, uh, what does that mean, exactly?

Plenty of things! The biggest draw to rooting is the ability to install a new ROM—in other words, replace the operating system on your phone. There are two ways to go with this, both equally awesome. The first is to go with a super-customized community ROM. These are tweaked and enhanced versions of the phone’s default software, often grafted with pieces of Google’s forthcoming updates to Android, some near, some far, and all dessert-themed. Practically, this means multitouch—since the G1 and MyTouch already support this on the hardware side—app storage on SD cards, tethering, more home screens, new system keyboards, and perhaps most importantly, vastly improved performance. A lot of users say using one of these is a night-and-day difference, and given the kinds of things the HTC ROM community has done with Windows Mobile phones, I’m inclined to believe them.

Your second path is to go full Hero—in other words, to install the HTC Hero’s heavily customized OS, which is nothing short of fantastic, and about to get even better. This is a full phone conversion, and even in its current, slightly precarious state, well worth it.

In either case, you’re going to need to choose a ROM, download it, and put it on your phone’s SD card. You can select from an expansive list here—for reference, the MyTouch 3G is also known as the Magic 32B—but as far as non-Hero ROMs go, your best bet is the near-legendary, well-supported CyanogenMod. The newest release, out just two days ago, is fully compatible with the G1 and MyTouch. But don’t stress too much over which ROM to choose, since changing them over is a breeze now that you’re fully unlocked. An overview from Android and Me:

• Power off your phone.
• Boot into recovery mode. Press and hold the Home key, then hit the power button.
• Before you flash a rom file, perform a wipe. Press Alt+W to wipe the data and cache folders. You must wipe when going from different builds of Android.
• Wait for the wipe to finish and the recovery image to display again, then select “apply any zip from sd”. Flash the zip file of your choice.
• After flashing any zip you should be able to reboot your system and watch it load to the home screen.

You’ll want to read their full rooting and flashing guide for caveats, but that easy little list there is about the size of it.

A few more reasons to root that don’t involve totally flashing your phone:

• Full backups to SD cards
• Wi-Fi tethering!
• Autorotation for all apps
• Install apps to an SD card

This alongside a treasure trove of smaller tweaks and tricks you can find at the ever-active XDA forums. And of course, it should go without saying: this is potentially risky, and could brick your phone. The rooting process is almost foolproof, but before you jump in, make sure you’ve got the right hardware (American MyTouch 3Gs and G1s only) and have backed up any important data. Happy hacking! [RyeBrye, AndroidAndMe]

Apple keyboard gets hacked like a ripe papaya, perp caught on video

As far as Apple is concerned, the Black Hat 2009 hackers conference didn’t end soon enough. Having promptly patched the iPhone vulnerability, Cupertino is facing another security hole, this time in its keyboards. A hacker going by the pseudonym of K. Chen has come up with a way, using HIDFirmwareUpdaterTool, to inject malicious code into the keyboard’s firmware. While it’s not yet possible to perform this hack remotely, the fact it occurs at the firmware level means no amount of OS cleanser or anti-virals will remedy it — which might be a bit of a bother to MacBook owners who can’t simply swap to an uninfected keyboard. Panic is hardly advisable, as Chen is collaborating with Apple on a fix, but if you want to be freaked out by his simple keylogger in action, hit up the video after the break.

[Via OS News]

Apple keyboard gets hacked like a ripe papaya, perp caught on video originally appeared on Engadget on Tue, 04 Aug 2009 21:34:00 EST.

In San Francisco, hackers park for free


In High School civics class we learned that besides voting, feeding the meter is one of the most important things we Americans can do. But just like e-voting, it looks like you can add parking to the list of things that hackers have spoiled for law and order-types everywhere. According to the kids at CNET, a group of nogoodniks were able to decode the smartcards used by Guardian XLE-series meters manufactured by J.J. MacKay Canada — from which point it was a simple matter of boosting the card’s value to $999.99. It’s unclear how the city of San Francisco (one of several around the country that have dealt with the company) is going to address the problem, but one possibility is flagging accounts with suspicious activity and reprogramming parking meters to ignore the offending cards. Is nothing sacred, people?

In San Francisco, hackers park for free originally appeared on Engadget on Fri, 31 Jul 2009 09:59:00 EST.

Hacker Says iPhone 3GS Encryption Is ‘Useless’ for Businesses


Apple claims that hundreds of thousands of iPhones are being used by corporations and government agencies. What it won’t tell you is that the supposedly enterprise-friendly encryption included with the iPhone 3GS is so weak it can be cracked in two minutes with a few pieces of readily available freeware.


“It is kind of like storing all your secret messages right next to the secret decoder ring,” said Jonathan Zdziarski, an iPhone developer and a hacker who teaches forensics courses on recovering data from iPhones. “I don’t think any of us [developers] have ever seen encryption implemented so poorly before, which is why it’s hard to describe why it’s such a big threat to security.”

With its easy-to-use interface and wealth of applications available for download, the iPhone may be the most attractive smartphone yet for business use. Many companies seem to agree: In Apple’s quarterly earnings conference call Tuesday, Apple chief operating officer Tim Cook said almost 20 percent of Fortune 100 companies have purchased 10,000 or more iPhones apiece; multiple corporations and government organizations have purchased 25,000 iPhones each; and the iPhone has been approved in more than 300 higher education institutions.

But contrary to Apple’s claim that the new iPhone 3GS is more enterprise friendly, the new iPhone 3GS’ encryption feature is “broken” when it comes to protecting sensitive information such as credit card numbers and social-security digits, Zdziarski said.

Zdziarski said it’s just as easy to access a user’s private information on an iPhone 3GS as it was on the previous generation iPhone 3G or first generation iPhone, both of which didn’t feature encryption. If a thief got his hands on an iPhone, a little bit of free software is all that’s needed to tap into all of the user’s content. Live data can be extracted in as little as two minutes, and an entire raw disk image can be made in about 45 minutes, Zdziarski said.

Wondering where the encryption comes into play? It doesn’t. Strangely, once one begins extracting data from an iPhone 3GS, the iPhone begins to decrypt the data on its own, he said.

To steal an iPhone’s disk image, hackers can use popular jailbreaking tools such as Red Sn0w and Purple Ra1n to install a custom kernel on the phone. Then, the thief can install a Secure Shell (SSH) client to port the iPhone’s raw disk image across SSH onto a computer.

To demonstrate the technique, Zdziarski established a screenshare with Wired.com, and he was able to tap into an iPhone 3GS’ data with a few easy steps. The encryption did not pose any hindrance.

Nonetheless, professionals using the iPhone for business don’t seem to care, or know, about the device’s encryption weakness.

“We’re seeing growing interest with the release of iPhone 3.0 and the iPhone 3GS due in part to the new hardware encryption and improved security policies,” Cook said during Apple’s earnings call. “The phone is particularly doing well with small businesses and large organizations.”

Clearly, the gigantic offering of iPhone applications is luring these business groups. Quickoffice Mobile, for example, enables users to access and edit Microsoft Word or Excel files on their iPhone. For handling transactions, merchants can use apps such as Accept Credit Cards to process a credit card on an iPhone anywhere with a Wi-Fi or cellular connection.

Several employees of Halton Company, an industrial equipment provider, are using iPhones for work, according to Lance Kidd, chief information officer of the company. He said the large number of applications available for the iPhone make it worthy of risk-taking.

“Your organization has to be culturally ready to accept a certain degree of risk,” Kidd said. “I can say we’ve secured everything as tight as a button, but that won’t be true…. Our culture is such that our general manager is saying, ‘I’m willing to take the risk for the value of the applications.’”

Kidd noted that Halton employees are not using iPhones for holding confidential customer information, but rather for basic tasks such as e-mailing and engaging with clients via social networking sites such as Facebook and Twitter. Halton also plans to code apps strictly for use at the company, Kidd said.

According to Kidd, a security expert performed an evaluation of Halton, and he said it was possible for any hacker to find an infiltration no matter the level of security. Therefore, Halton has measures in place to respond to an information security threat rather than attempt to avoid it.

“It’s like business continuity,” Kidd said. “You prepare for disasters. You prepare for if there’s an earthquake and the building breaks down, and you prepare for if there’s a crack in [information] security.”

But Zdziarski stands firm that the iPhone’s software versatility isn’t worth the risk for use in the workforce. He said sensitive information is bound to appear in e-mails or anything that can be contained on the iPhone’s disk, which can be easily extracted by thieves thanks to the new handset’s shoddy encryption.

Zdziarski said it’s up to the app developers to add an extra level of security to their apps because Apple’s encryption feature is so poor.

“If they’re relying on Apple’s security, then their application is going to be terribly insecure,” he said. “Apple may be technically correct that [the iPhone 3GS] has an encryption piece in it, but it’s entirely useless toward security.”

He added that the iPhone’s ability to erase itself remotely using Apple’s MobileMe service isn’t very helpful, either: Any reasonably intelligent criminal would remove the SIM card to prevent the remote-wipe command from coming through. (In a past Wired.com report, Zdziarski said the iPhone’s remote-wiping ability pales in comparison to Research In Motion’s BlackBerry, which can self-delete automatically after the phone has been inactive on the network for a preset amount of time.)

On top of that, the iPhone isn’t well protected in general usability, said John Casasanta, founder of iPhone development company Tap Tap Tap. He said though Apple’s approval process scans for malicious code, a developer could easily tweak the app to send a user’s personal data, such as his contacts list, over the network without his knowing.

“Apple can see if something is blatantly doing something malicious in the approval process, but it wouldn’t be very hard to do something behind the scenes,” Casasanta said.

Evidently, it isn’t difficult to sneak unauthorized content into the App Store. In May, Wired.com reported on an exploit demonstrated by the iPhone app Lyrics. Apple initially rejected the app because it contained profane words, and then Lyrics’ developer snuck the profanity into the app with a hidden Easter egg. Apple then approved the application.

Zdziarski added that there are other weaknesses with the iPhone: Pressing the Home button, and even zooming in on a screen, automatically creates a screenshot temporarily stored in the iPhone’s memory, which can be accessed later. And then there’s the keyboard cache: key strokes logged in a file on the phone, which can contain information such as credit card numbers or confidential messages typed in Safari. Cached keyboard text can be recovered from a device dating back a year or more, Zdziarski said.

Though Apple has declined to comment on iPhone security issues, the company has more or less admitted iPhones are vulnerable to security threats, because an emergency measure exists. In August 2008, Apple CEO Steve Jobs acknowledged the existence of a remote kill switch for iPhone apps, meaning if a malicious app made its way onto iPhones, Apple could trigger a command to delete the app from users’ devices. There is no evidence that the kill switch has ever been used.

So, what kind of business should you do with an iPhone if the device is not very secure? Zdziarski said there are some business-savvy apps that have managed to integrate better security (such as secure data fields to prevent key-stroke logging of credit card numbers, for example), but he warned companies to be cautious about investing too much trust in the iPhone and the apps available for it.

“We’re going to have to go with the old imperative of ‘Trust no one,’” he said. “And unfortunately part of that is, don’t trust Apple.”


Photo: Jon Snyder/Wired.com


Homebrew apps come to the Palm Pre

According to Dieter over at PreCentral, real, honest-to-goodness usable apps are starting to “trickle out” for the Pre / webOS. Apparently utilizing a loophole in the operating system which allows unsigned apps to be sideloaded through email, homebrewers have taken to the interwebs with small utilities like the tip calculator (pictured above). This comes just a day after a group of DIY’ers figured out a workable solution for getting software onto the phone without rooting, so obviously Pre hacking is moving along at a healthy clip. These are — of course — very early applications, so don’t expect perfection, and there seems to be some concern that Palm might want to patch up this hole, as it leaves the phone vulnerable to less altruistic endeavors. While the latter point is reasonable to consider, we do have a piece of advice for the folks at the front of this movement: don’t wait and worry on how Palm will react to this stuff. It’s important to push platforms like webOS, and the Pre needs all the love it can get on the development side right now.

Read – Right now: Install a Homebrew App without Hacking
Read – Homebrew Apps Tricking Out, but be careful

Homebrew apps come to the Palm Pre originally appeared on Engadget on Tue, 23 Jun 2009 11:31:00 EST.

Pwnage Tool for iPhone OS 3.0 now live, ultrasn0w still on standby

That iPhone OS 3.0 jailbreak we saw the iPhone Dev-Team pull off earlier this week? It’s out now, or at least, part of it is. Pwnage Tool is now flooding torrents, but there are lots of caveats here. Most importantly, this isn’t Ultrasn0w, which means if you’re wanting to use your toy on T-Mobile or another unofficial carrier, be patient. It’s also worth noting that the jailbreak doesn’t jibe with yellowsn0w, so those who rely on it should stay away for the time being. No compatibility with the 3G S, or at least, it probably hasn’t been tested… we wouldn’t recommend anyone setting the precedent here. You’ll need Mac OS X to run it, with QuickPwn for Mac and Windows coming further down the line. Ultrasn0w is also due out at some indeterminate point in the future, so that all said, if you just need a jailbroken device with Spotlight functionality right now, hit up the read link for all the pertinent details. It should go without saying, but there might be a few negative side effects to it, and one of the big ones we heard is that YouTube might be fubar’d at the moment.

Read – trois, drei, три, három! (Pwnage Tool released)
Read – No YouTube On Jailbroken iPhone 3.0?

Pwnage Tool for iPhone OS 3.0 now live, ultrasn0w still on standby originally appeared on Engadget on Sat, 20 Jun 2009 08:36:00 EST.

Palm Pre data tethering is a go, Sprint be damned

Well, that was fast. Just a couple hours after we noted Palm warning against hacking webOS to allow data tethering on the Pre, the first set of instructions has popped up. It’s not the cleanest hack we’ve ever seen — you need to root your phone, enable SSH, and then configure your browser to run through a SOCKS proxy — but it’ll certainly get the job done in a pinch. Just don’t go crazy, alright? We’ve got a feeling Sprint’s watching Pre accounts with an eagle eye.

Palm Pre data tethering is a go, Sprint be damned originally appeared on Engadget on Mon, 15 Jun 2009 14:46:00 EST.