About these ads

Archive

Posts Tagged ‘Apple’

September 2011 Cyber Attacks Timeline (Part I)

September 15, 2011 5 comments

So here it is, also for this month, the first part of My Cyber Attacks Timeline covering the first half of September.

Apparently It looks like the wave of the Anonymous attacks that characterized August has stopped. Even if several isolated episodes occurred, their impact was slightly lower than the previous months.

Probably the most important security incident for this month was the Diginotar Hack, not only because the Dutch Certification Authority has been banned forever by the main browsers and OSes but also because all the authentication model based on CAs is under discussion. Moreover once again a cyber attack has been used as a mean of repression. This incident is a turnkey point for information security but in my opinion also the DNS hacks by Anonymous Sri Lanka and Turkguvenligi are noticeable since they reinforce the need for a quick adoption of DNSSEC.

For the first time not even the Linux Operating System (an open world) was immune from hackers: both the Linux Kernel and the Linux Foundation Web Sites were hacked during this month, two episodes that Penguin Lovers will remember for a long time.

Easily predictable an attack recalling 9/11 carried on against the Twitter Account of NBC News was also reported.

Other noticeable events: three huge data breaches were reported, four attacks with political motivations targeting India, Nigeria, Colombia, and the Russia Embassy in London were perpetrated and another security vendor (Panda Security) was indirectly targeted.

The remainder of the month was characterized by many smaller attacks (mostly defacements and data leaks) and an actress (Scarlett Johansson) was also victim of data leaks.

Useful Resources for compiling the table include:

And my inclusion criteria do not take into consideration simple defacement attacks (unless they are particularly resounding) or small data leaks.

Date Author Description Organization Attack
Sep 1

?

Kernel.org

The site of Kernel.org suffered a security breach leading which caused the server to be rooted and 448 credential compromised. Although it is believed that the initial infection started on August the 12th, it was not detected for another 12 days.


rootkit (Phalanx)
Sep 1
Apple, Symantec, Facebook, Microsoft, etc.

The Sri Lankan branch of Anonymous claims to have hacked into the DNS servers of Symantec, Apple, Facebook, Microsoft, and several other large organizations over the past few days,  posting the news and records of its exploits on Pastebin.


DNS Cache Snoop Poisoning
Sep 1 ?
Birdville Independent School District

Two students hack into their school district’s server and accessed a file with 14,500 student names, ID numbers, and social security numbers. Estimated cost of the breach is around $3,000,000.

?
Sep 2 Texas Police Chiefs Association

As usual happens on Fridady, Texas Police Chiefs Association Website is hacked by Anonymous for Antisec Operation. Hacker defaced their website and posted 3GB of data in retaliation for the arrests of dozens of alleged Anonymous suspects. According to Hackers the site has been owned for nearly one month.

SQLi?
Sep 2
EA Game Battlefield Heroes

One of the most famous games over the world Battlefield Heroes developed by EA Games is hacked by a hacker named “Why So Serious?” who leaks the User Login passwords on pastebin

SQLi?
Sep 2
vBTEAM Underground

Vbteam.info, the underground vBulletin Hacking website is hacked by “Why So Serious?“, who leaks 1400+ accounts of the Vbteam.info forum in pastebin.

SQLi?
Sep 3 Nomcat
Indian Government

An Indian Hacker named “nomcat” claims to have been able to hack into the Indian Prime Ministers Office Computers and install a Remote Administration Tool) in them. He also Exposes the Vulnerability in Income Tax website and Database Information.

SQLi?
Sep 4

Popular Websites: : Daily Telegraph, The Register, UPS, Vodafone

Popular websites including The Register, The Daily Telegraph, UPS, and others fall victim to a DNS hack that has resulted in visitors being redirected to third-party webpages. The authors of the hack, a Turkish group called Turkguvenligi, are not new to similar actions and leave a message declaring this day as World Hackers’ Day.


DNS Hijacking
Sep 5
Mobile App Network Forum

Mobile APP Network Forum is Hacked by “Why So Serious?”. He leaks over 15.000 accounts of the community (Forum) on Pastebin in two parts (Part 1 and Part 2).

SQLi?
Sep 5

European Union Institute For Energy and Transport

One of the Sub domain of European Union (Institute for Energy) is hacked and Defaced by Inj3ct0r. Hackers deface the web page, release some internal details and leave a message against Violence in Lybia and Russian influence in Ukraine.

http://ie.jrc.ec.europa.eu
Defacement
Sep 5  Cocain Team Hackers United Nations Sub Domain of Swaziland

United Nations Sub-Domain of Swaziland is hacked and defaced by Cocain Team Hackers. 

UN Logo
Defacement
Sep 5
Uronimo Mobile Platform

The Uronimo Mobile platform is hacked by Team Inj3ct0r. They leak the web site database and release on Pastebin internal data including Username, Hash Password, emails and Phone Numbers of 1000 users. Estimated Cost of the Breach is $214,000.


SQLi?
Sep 6 Comodo Hacker
Diginotar

The real extent of the Diginotar breach becomes clear: 531 bogus certificates issued including Google, CIA, Mossad, Tor. Meanwhile in a pastebin message Comodo Hacker states he own four more CAs, among which GlobalSign which precautionally suspends issuance of certificates.


Several Vulnerabilities
Sep 7 ?
Beaumont Independent School District

The superintendent of schools for Beaumont Independent School District announces that letters are being mailed to parents of nearly 15,000 of its 19,848 students to inform them of a potential breach of data that occurred recently. Inadvertently, private information including the name, date of birth, gender, social security number, grade and scores on the Texas Assessment of Knowledge and Skills (TAKS) exam of students who were in the third through 11th grades during the 2009-2010 school year–were potentially exposed.  Estimated cost of the breach is $3,210,000.


Human Mistake
Sep 7 ?
Stanford Hospital, Palo Alto, Calif.

A medical privacy breach leads to the public posting on a commercial Web site of data for 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., including names and diagnosis codes. The information stayed online for nearly a year from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called Student of Fortune, which allows students to solicit paid assistance with their schoolwork. Estimated Cost of The Breach is $4,280,000.

Human Mistake
  Sep 9 Comodo Hacker
GlobalSign

After suspending issuing certificates, GlobalSign finds evidence of a breach to the web server hosting the www website. The breached web server has always been isolated from all other infrastructure and is used only to serve the http://www.globalsign.com website.


?
Sep 9
 Comodo Hacker
Google

As consequence of the infamous Diginotar Breach Google advises its users in Iran to change their Gmail passwords, and check that their Google accounts have not been compromised. Google also indicates that it is  directly contacting users in Iran who may have been hit by a man-in-the-middle attack.


Man In The Middle
Sep 9
NBC News

The NBC News Twitter account is hacked and starts to tweet false reports of a plane attack on ground zero. The account is suspended and restored after few minutes.


Trojan Keylogger  via Email
Sep 9 ?
Samsung Card

Data of up to 800,000 Samsung Card clients may have been compromised after an employee allegedly extracted their personal information. The Breach was discovered on Aug. 25 and reported to police on Aug. 30. It is not clear what kind of information has been leaked, maybe the first two digits of residence numbers, the names, companies and mobile phone numbers were exposed. Estimated cost of the breach is $171,200.000.


Unauthorized Access
Sep 10 ?
BuyVIP (Amazon Owned)

Although not officially confirmed, BuyVIP users received an e-mail informing that their database had been hacked. Apparently, the website had been offline for a couple days and it looks like that not only names and email addresses were retrieved, but also birth dates, real shipping addresses as well as phone numbers.


SQLi
Sep 11 ?
Linux Foundation

Few weeks after the kernel.org Linux archive site suffered a hacker attack, the Linux Foundation has pulled its websites from the web to clean up from a security breach. A notice posted on the Linux Foundation said the entire infrastructure including LinuxFoundation.org, Linux.com, and their subdomains are down for maintenance due to a security breach that was discovered on September 8, 2011.

Linux Foundation
SQLi?
Sep 11
AryansBook.com

Anonymous leaks the complete database from a well known nazi website AryansBook.com and posts the content on The Pirate Bay. This is a fight towards racism of any kind.

AryansBook
SQLi?
Sep 12 ?
Bitconitalk Forum

An unknown hacker uses a zero day flaw to steal email addresses, hashed passwords and read personal messages from the bitcointalk.org forum. Forum administrators said the attacker gained root access on 3 September and was able to run arbitrary PHP code not detected until the attacker injected “annoying JavaScript” into the forum pages a week later: the Javascript splashed actor Bill Cosby across the forums and replaced all references to BitCoin with CosbyCoin.

Bitcoin
0-day exploit in SMF
Sep 12 ?
Nigerian Government Website

Nigerian Government Website is hacked and defaced by Brazilian Hackers that leave a message in the main page.


Defacement
Sep 12 ?
Vacationland Vendors

A hacker gains unauthorized access to the card processing systems at Wilderness Waterpark Resort  and improperly acquires 40,000 credit card and debit card information. Estimated Cost of the Breach is $8,560,000.


N/A
Sep 12 X-Nerd Panda Security

Another Security Company Hacked: a hacker going by the name of X-Nerd hacks and defaces the Pakistan Server of a very well known security software website:  Panda Security.


SQLi?
Sep 12 ?
Russian UK Embassy

Just before Prime Minister David Cameron’s first visit to Moscow, the website belonging to the Embassy Of The Russian Federation in London was taken down by hackers. It seems as the attack was launched in sign of protest to the upcoming visit after a 5-year break in which no British leader went to Moscow.

DDoS
Sep 13 Cyb3rSec
thetvdb.com

Cyb3rSec dumps a list of 3500+ Accounts from the forum thetvdb.com.

SQLi?
Sep 13
top100arena.com

Albanian hackers belonging to Albanian Cyber Army exploit one of the biggest Game Arena site “Top100″ database using SQL injection attack. They leak the database on mediafire.

SQLi
Sep 14
President of Bolivia (presidencia.gob.bo)

SwichSmoke crew hacks the site belonging to President of Bolivia and dumps the leaked data on pastebin.

Various Exploits
Sep 14 ?
uTorrent.com

The uTorrent.com Web servers has been compromised and consequently the standard Windows software download was replaced with a type of fake antivirus “scareware” program.

  SQLi
Sep 14 ?
Bright House Networks

Bright House Networks, the sixth largest owner and operator of cable systems in the U.S., has sent a letter to customers warning that they may have been exposed after servers used to process Video on Demand (VOD) were breached.

  ?
Sep 14 ?
Scarlett Johansson

Also an actress may be victim of hackers: The FBI investigate reports that nude photos of a famous celebrity (allegedely Scarlett Johansson) have been leaked onto the web. The day before Twitter was flooded with messages claiming to link to naked pictures of her, which were allegedly stolen from her iPhone by a hacker earlier this year.

  ?
Sep 15 Stohanko
Various Sites

More than 101 sites, with huge amount of data and personal information which ranges from emails, phone numbers, to full names and addresses, have been hacked by an hacker dubbed Stohanko. At this link a list of the hacked sites and the links to dumped data.

?
About these ads

The Dangerous Liaisons (Updated)

August 22, 2011 1 comment

Did you know that a smartphone might involve as many as 250,000 patent claims? You may easily understand why the $ 4.5 billion auction to buy 6,000 Nortel patents by the consortium formed by Apple, Microsoft, Research in Motion, Sony Ericsson and EMC was so cruel. You may also easily understand why Google, the loser of the Nortel auction, decided to react immediately acquiring Motorola and its patent portfolio made of more than 17,000 approved patents (and another 7,500 patents filed and pending approval) for the large sum of $ 12.5 billion.

Said in few words, the mobile arena is getting more and more agressive and cruel. For this reason, a litte bit for curosity, a little bit for fun, I decided to draw a chart (and a table) showing all the moves of the giant players in this mobile chessboard. Although deliberately incomplete (I did not show in the table the patent saga of NTP Inc. against the rest of the world and the settlement of Motorola vs RIM), it gives a good idea of the dangerous intersections involving partnership, fees, alliances and, most of all, lawsuits… With the strange paradox that some companies (read Apple and Samsung) are enemies before the court, but in the same time business partners.

While visualizing the idea I stumbled upon this similar graph showing the status of the mobile arena on 8 Oct 2010. I decided to use the same layout, omitting some informations, but updating it to the current date. The graph is a little bit confusing, but the confusion of the arrows reflects betten than a thousand words the real situation.

Anyway the war will not stop here: the next targets? Interdigital Inc. with its 8,800 patents  which are attracting several bidders such as Apple, Nokia and Qualcomm; and, most of all, Kodak, whose survival depends on the auction of the 10% of its patent portfolio (1,100 patents), valued as high as $3 billion which are vital to compensate the losses estimated in $2.5 billion.

As far as the table is concerned, in order to avoid repetitions, it only shows the status of the lawsuits and alliances from the perspective of Google, Apple and Microsoft. Enjoy your read and the 250,000 patent claims on your smartphone!

Company Filed Suit Against Has technological alliance with Filed Suite From:
  No one (at least so far!)

Of course Google licensees his Mobile OS to HTC and Samsung (in rigorous alphabetical order), and it is the driver for the impressive market share growthof Samsung and HTC.

In an effort to defend Android’s Intellettual Property “to supercharge the Android ecosystem and will enhance competition in mobile computing”, on Aug 15 2011, Google announced the intention to acquire Motorola Mobility with a $12.5 billion deal. Motorola has nearly 17,000 patents.

Aug 12 2010: Oracle has filed suit against Google for infringing on copyrights and patents related to Java,. Oracle claimed Google “knowingly, directly and repeatedly infringed Oracle’s Java-related intellectual property”. Android uses a light proprietary Java Virtual Machine, Dalvik VM, which, according to Oracle infringes one or more claims of each of United States Patents Nos. 6,125,447; 6,192,476; 5,966,702; 7,426,720; RE38,104; 6,910,205; and 6,061,520.

The case is in U.S. District Court, Northern District of California, is Oracle America, Inc v. Google Inc, 10-3561.

The lawsuit is still pending and will likely take several months. The trial between Oracle and Google is expected to begin by November and Oracle is seeking damages “in the billions of dollars” from Google.

On Aug 1 2011, the judge overseeing the lawsuit Oracle filed over the Android mobile OS has denied Google’s attempt to get a potentially damaging e-mail redacted.

Mar 2 2010: Apple sued HTC for infringing on ten patents, nine of which involve technologies which apply to the iPhone, while one involves the use of gestures, but only in a specific use case.

The suit has been filed in the U.S. District Court in Delaware , alleging twenty instances of patent infringement. The company also petitioned the US  ITC to block the import of twelve phones designed and manufactured by HTC.

On Jul 15 2011 Apple won a preliminary patent ruling in an early judgment before the US ITC, in which HTC was found to have breached two of 10 patents held by Apple.

On Aug 8 2011 ITC  announced to have dediced to review Apple’s patent infringement complaint against HTC.

Oct 31 2010: In response to Motorola lawsuit against Apple, Apple sued Motorola and Motorola Mobility for Infringment on several Multi-Touch patents infringments in the Wisconsin Western District Court with two distinct lawsuits. A total of six patents are involved in the two lawsuits.

On Nov 23, 2010: US International Trading Commission announced to review Apple patent case against Motorola.

Apr 18 2011: Apple filed suit against Samsung for copying the design of its iPad and iPhone with its smartphones and tablets.

Aug 10 2011: European customs officers have been ordered to seize shipments of Samsung’s Galaxy Tab computers after the ruling late on Tuesday by a German patents court.

In the last days Apple has been accused of presenting inaccurate evidence against Samsung.

Aug 24 2011: Samsung has been banned from selling some galaxy phones in the Netherlands. The ban is set to begin on October 13, but Samsung doesn’t seem to be taking it too hard.

On Jul 1 2011 the intellectual property of the Canada giant Nortel (in Bankrupt), involving 6,000 patents, was sold for $4.5 billion, in a dramatic auction, to a consortium formed by Apple, Microsoft, RIM, Sony, EMC and Ericsson. Google was the other competitor (and the big looser) for the deal. This event acted as a trigger for the acquisition of Motorola Mobility by Google.

On Aug 3 2011, In a post to the Official Google Blog, Google Senior Vice President and Chief Legal Officer David Drummond said that Apple, Microsoft, Oracle, and others have waged “a hostile, organized campaign against Android” by snapping up patents from Novell and Nortel and asking Google for high licensing fees for every Android device”, accusing them of Patent Bulying.

Curiously, Apple is one of the main technological partners of Samsung for displays and semi-conductors. Samsung produces Apple’s A4 systems-on-a-chip (SoC) and also the two companies collaborate for iPad displays (Apple is moving from LG to Samsung because oof quality issues of the former). Nevertheless the lawsuits between the two companies are compromising their relationships so that Apple is evaluating a new supplier (TSMC) for its A6 nexy generation chipset.

Oct 22 2009: Nokia sued Apple in Delaware court for infringing on  ten patents related to GSM, UMTS, and WLAN standards that Nokia states they established after investing more than EUR 40 billion in R&D over the last 20 years.

On Jun 14 2011 Apple agreed to pay between $300m and $600m to cover the 111m iPhones sold since its launch in 2007. Although the exact number was not specified, additional yearly fees could be part of the agreement.

On Jan 2010 Kodak sued Apple and RIM claiming Apple is infringing its 2001 patent covering technology that enables a camera to preview low-resolution versions of a moving image while recording still images at higher resolutions. The cases were filed in U.S. District Court in Rochester, N.Y., as well as the U.S. ITC.

On Apr 2010 Apple argues that some Kodak still and video camera products violate two of its patents

On Jul 2011: While Kodak’s claim is pending, the commission rules on Apple’s complaint and says Kodak’s digital-camera technology doesn’t violate Apple’s patents.

Oct 6 2010: Motorola sued Apple for patent infringement in three separate complaints; in district courts in Illinois and Florida and a separate complaint filed with the U.S. International Trade Commission. The suits covered 18 different patents, infiringed by Apple’s iPhone, iPad, iPod touch, and certain Mac computers.

The Motorola patents include wireless communication technologies, such as WCDMA (3G), GPRS, 802.11 and antenna design, and key smartphone technologies including wireless e-mail, proximity sensing, software application management, location-based services and multi-device synchronization.

Jan 12 2011: Microsoft has motioned for a summary judgment to block Apple from trademarking the phrase “app store,” as it filed with the U.S. Patent and Trademark Office (USPTO) on July 17, 2008.

Mar 30 2011: Microsoft filed a second objection to Apple’s enduring pursuit to trademark the phrase “app store hiring a linguist, Dr. Ronald Butters, to go head-to-head against Apple’s own hired linguist, Robert A. Leonard.

On Jul 1 2011 US ITC said Apple has violated two S3 Graphics Co. patents in its Mac OS X operating system, but not in the iOS platform. Although not directly related to Mobile, this ruling is meaningful since S3 has been acquired by HTC on Jul 6 2011 for $300 million in order to use their patents in the fight against Apple.

HTC expects final ruling on Apple-S3 graphics case in November.

On Aug 16 2011 HTC filed a new lawsuit against Apple in Delaware’s US District Court, in an escalation of the legal battle between the two smartphone giants. HTC accused Apple to have infringed three of HTC’s patents through its sale of devices including iPads, iPods, iPhones and Macintosh computers.

Oct 1 2010: Microsoft sued Motorola for patent infringement relating to the company’s Android-based smartphones. Microsoft filed its complaint with the International Trade Commission and in a Washington state district court. At issue are nine patents that deal with, among others, sending and receiving e-mail, managing and syncing calendars and contacts, and managing a phone’s memory.

Patent dispute will begin from Aug 21 2011, the hearing procedure can take up to 10 days, the judgment procedure is expected to reach the final verdict point only in March 2012.

Nov 9 2010: Microsoft sued again Motorola for charging excessive royalties on network technology used in Microsoft’s Xbox game system.

Feb 11 2011: a deal with the Devil, Microsoft and Nokia announce their plansto form a broad strategic partnership that would use their complementary strengths and expertise to create a new global mobile ecosystem.

Besides the alliances with Apple and RIM (see the corresponding cell), on May 12 2011 Microsoft has teamed up with HTC, Nokia and Sony Ericsson in Europe, filing a challenge seeking to invalidate Apple’s trademarks on the phrases “App Store” and “Appstore.”

Nov 11 2010: Motorola Mobility sued Microsoft with the U.S. District Courts for the Southern District of Florida and the Western District of Wisconsin alleging infringement of sixteen patents by Microsoft’s PC and Server software, Windows mobile software and Xbox products.

Motorola Mobility asked for the infringing devices to be barred from importation into the United States.

On Dec 21 2010, ITC has agreed to hear the complaint.


Looking Inside a Year of Android Malware

August 14, 2011 2 comments

As you will probably know my Birthday post for Android Malware has deserved a mention from Engadget and Wired. Easily predictable but not for me, the Engadget link has been flooded by comments posted by Android supporters and adversaries, with possible trolls’ infiltrations, up to the point that the editorial staff has decided to disable comments from the article. The effect has been so surprising that someone has also insinuated, among other things, that I have been paid to talk s**t on the Android.

Now let me get some rest from this August Italian Sun and let me try to explain why I decided to celebrate this strange malware birthday for the Android.

First of all I want to make a thing clear: I currently do own an Android Device, and convinced, where possible, all my relatives and friends to jump on the Android. Moreover I do consider the Google platform an inseparable companion for my professional and personal life.

So what’s wrong? If you scroll the malware list you may easily notice that the malware always require an explicit consent from the user, so at first glance the real risk is the extreme trust that users put in their mobile devices which are not considered “simple” phones (even if smart), but real extensions of their personal and professional life.

You might say that this happens also for traditional devices (such as laptops), but in case of mobile devices there is a huge social and cultural difference: users are not aware to bring on their pocket dual (very soon four) cores mini-PCs and are not used to apply the same attention deserved for their old world traditional devices. Their small display size also make these devices particularly vulnerable to phishing (consider for instance the malware Android.GGTracker).

If we focus on technology instead of culture (not limiting the landscape to mobile) it easy to verify that the activity of developing malware (which nowadays is essentially a cybercrime activity) is a trade off between different factors affecting the potential target which include, at least its level of diffusion and its value for the attacker (in a mobile scenario the value corresponds to the value of the information stored on the device). The intrinsic security model of the target is, at least in my opinion, a secondary factor since the effort to overtake it, is simply commensurate with the value of the potential plunder.

What does this mean in simple words? It means that Android devices are growing exponentially in terms of market shares and are increasingly being used also for business. As a consequence there is a greater audience for the attackers, a greater value for the information stored (belonging to the owner’s personal and professional sphere) and consequently the sum of these factors is inevitably attracting Cybercrooks towards this platform.

Have a look to the chart drawing Google OS Market share in the U.S. (ComScore Data) compared with the number of malware samples in this last year (Data pertaining Market Share for June and July are currently not available):

So far the impact of the threats is low, but what makes the Google Platform so prone to malware? For sure not vulnerabilities: everything with a line of code is vulnerable, and, at least for the moment, a recent study from Symantec has found only 18 vulnerabilities for Google OS against 300 found for iOS (please do no question on the different age of the two OSes I only want to show that vulnerabilities are common and in this context Android is comparable with its main competitor).

Going back to the initial question there are at least three factors which make Android different:

  1. The application permission model relies too heavily on the user,
  2. The security policy for the market has proven to be weak,
  3. The platform too easily allows to install applications from untrusted sources with the sideloading feature.

As far as the first point is concerned: some commenters correctly noticed that apps do not install themselves on their own, but need, at least for the first installation, the explicit user consent. Well I wonder: how many “casual users” in your opinion regularly check permissions during application installation? And, even worse, as far as business users are concerned, the likely targets of cybercrime who consider the device as a mere work tool: do you really think that business users check app permission during installation? Of course a serious organization should avoid the associated risks with a firm device management policy before considering a wide deployment of similar devices, most of all among CxOs; but unfortunately we live in an imperfect world and too much often fashion and trends are faster (and stronger) than Security Policies and also make the device to be used principally for other things than its business primary role, hugely increasing risks.

This point is a serious security concern, as a matter of fact many security vendors (in my opinion the security industry is in delay in this context) offer Device Management Solution aimed to complete the native Application Access Control model. Besides it is not a coincidence that some rumors claim that Google is going to modify (enhance) the app permission security process.

As far as the second point is concerned (Android Market security policy), after the DroidDream affair, (and the following fake security update), it is clear that the Android Market Publishing (and Security) model needs to be modified, making it more similar to the App Store. There are several proposals in this context, of course in this place is not my intention to question on them but only to stress that the issue is real.

Last but not least Sideloading is something that makes Android very different from other platforms (read Apple), Apple devices do not allow to install untrusted apps unless you do not Jailbreak the devices. Android simply needs the user to flag an option (By The Way many vendors are opening their Android devices to root or alternate ROMs, consider for instance LG which in Italy does not invalidate the Warranty for rooted devices) or HTC which, on May 27, stated they will no longer have been locking the bootloaders on their devices.

So definitively the three above factors (together with the growing market shares) make Android more appealing for malware developers and this is not due to an intrinsic weakness of the platform rather than a security platform model which is mainly driven by the user and not locked by Manufacturer as it happens in case of Cupertino.

July 2011 Cyber Attacks Timeline

August 2, 2011 5 comments

This awful infosec July is over, and finally we can sum up the Cyber Attacks reported during this month. I collected all the available information and inserted it inside the following chart. Where possible (that is enough information available) I tried to estimate the cost of the attacks using the indications from the Ponemon’s insitute according to which the average cost of a Data Breach is US $214 for each compromised record. The total sum (for the known attacks) is around $7.6 billion, mainly due to the “National Data Breach” of the South Korean Social Network Cyworld.

Approximately 16 attacks were directly or indirectly related to Antisec or Anonymous, they promised an hot summer and unfortunately are keeping their word…

Useful resources for compiling the (very long) chart were taken from:


1 http://www.zeropaid.com/news/94099/abhaxas-dumps-details-of-the-internal-florida-voting-database-online/
2 http://www.pcworld.com/article/235016/hackers_claim_apple_online_data_was_compromised.html
3 http://www.thehackernews.com/2011/07/fox-news-twitter-account-hacked-by.html
4 http://nakedsecurity.sophos.com/2011/07/05/sony-music-ireland-hackers/
5 http://news.cnet.com/8301-27080_3-20077268-245/sophisticated-attack-targets-two-energy-dept-labs
6 http://paulsparrows.wordpress.com/2011/07/08/dump-up-the-kids/
7 http://www.zeropaid.com/news/94250/abhaxas-hacks-floridas-voting-system-again/
8 http://www.v3.co.uk/v3-uk/news/2086749/anonymous-boasts-takedown-turkish-sites
9 http://www.theregister.co.uk/2011/07/08/patriotic_portuguese_hackers_hit_moody/
10 http://paulsparrows.wordpress.com/2011/07/09/another-fbi-contractor-hacked/5
11 http://www.h-online.com/security/news/item/German-Federal-Police-servers-compromised-1276115.html
12 http://www.hackersbay.in/2011/07/anonymous-shuts-down-ministry-of.html
13 http://www.kiplinger.com/securityfaq/
14 http://paulsparrows.wordpress.com/2011/07/12/another-one-bytes-the-dump/
15 http://paulsparrows.wordpress.com/2011/07/12/monsanto-hack-info-of-2500-employees-leaked/
16 http://www.thehackernews.com/2011/07/toshiba-database-hacked-and-user.html
17 http://paulsparrows.wordpress.com/2011/07/15/the-mother-of-all-breaches/
18 http://www.mirror.co.uk/celebs/news/2011/07/16/lady-gaga-website-hacked-and-fans-details-stolen-115875-23274356/
19 http://paulsparrows.wordpress.com/2011/07/19/the-lulzsec-boat-is-back-and-sails-under-the-sun/
20 http://news.cnet.com/8301-1009_3-20081405-83/anonymous-claims-to-have-breached-nato-security
21 http://www.cyberwarnews.info/2011/07/24/philippians-congress-hacked-by-bashcrew/
22 http://nakedsecurity.sophos.com/2011/07/22/anonplus-anonymouss-social-network-is-hacked/
23 http://paulsparrows.wordpress.com/2011/07/24/anonplus-hacked-again-by-syrian-group/
24 http://paulsparrows.wordpress.com/2011/07/25/italian-cyber-police-hacked/
25 http://austrianindependent.com/news/Business/2011-07-26/8537/ORF_hack_attack_worse_than_feared
26 http://www.koreaherald.com/national/Detail.jsp?newsMLId=20110728000881
27 http://paulsparrows.wordpress.com/2011/07/29/anonymous-claims-another-fbi-contractor-hacked/
28 http://paulsparrows.wordpress.com/2011/07/29/italian-anonymous-owned/
29 http://paulsparrows.wordpress.com/2011/07/31/its-a-cruel-summer/
30 http://www.thehackernews.com/2011/07/italys-police-it-network-vitrocisetit.html

Phonarchy in the U.K.

July 15, 2011 1 comment

It looks like that the Perfidious Albion is not what one should exactly define a Paradise for Mobile Security. Not only the echoes of the Scandal concerning “voicemail hacking” led the infamous tabloid News Of the World to close on Sunday, the 10th of July 2011, and Rebekah Brooks to resign as CEO of News International today; but also the flow of events has unexpectedly brought mobile security issues to the attention of a wider audience, no more confined to the sole and exclusive attention of information security professionals.

This is partially due to the relative easiness in implementing similar hacking techniques in mobile communications, which is raising doubts and misgivings in many other countries. As a matter of fact, as actually happened, voicemail hacking is relatively easy to implement and is based, as usual, on two factors:

  • From the user perspective, on the poor attention for default (in)security settings;
  • From the operator perspective, on the necessary trade-off between security, user experience, and convenience, (almost) always favoring the latter, which turns out not to be an optimal choice from a security perspective.

A lethal mix wich may be quite easily exploited by a balanced blend made of (little) hacking and (a lot of) social engineering. At this link a really complete and interesting description very helpful to understand how relatively easy is to perform voicemail hacking with some U.K. operators (but keep in mind that procedures vary from Operator to Operator). Accorrding to the above quoted article, in theory, it is possible to elude the meshes of the security procedures of the operators, simply calling the voicemail of the victim impersonating the legitimate user, claiming to have forgotten the PIN and voila, that’s it!

Voicemail hacking does not need further components, but unfortunately is not the only issue that may happen: in theory entire conversations may be hijacked (and unfortunately it is something we are quite familiar to, here in Italy). The Security Process of a phone conversations is an end-to-end chain, inside which technology is only a component, and the human factor is the weakest link. In this context weak means leak so that often it happens that some information that should not be disclosed are delivered to media (even if irrelevant to any ongoing investigations) with devastating aftermaths for investigations themselves and for victims’ privacy.

The scenario is further complicated with the new generation of smartphones, where technology (and the ongoing process of Consumerization of Information Technology) leaves virtually no limits to the imagination of attackers: not only voicemail hacking, but also mobile malware (a threat which does not need the unintended cooperation of the Operator) capable of extracting any information from devices. The dramatic events in U.K. involved using stolen data for squalid journalistic purposes, but, since mobile devices are nowadays indispensable companions of our everyday lives, nothing prevents, in theory, to use the same or different methods to steal other kinds of information such as confidential data, banking transaction identifiers, etc… Do you really need a confirm? For instance the recent evolution of the Infamous ZiTMo mobile malware that has just landed on Android (the continuing metamorphosis of this malware is really meaningful: born on the Windows platform, it has rapidly spread on Windows CE, Symbian, and now, last but not least, Android). Since it is expected that 5.6% of iPhones/Android handsets is going to be infected in the next 12 months, there is much to worry. In this context what happened in U.K. may constitute a dangerous precedent and a dramatic source of inspiration for organized cybercrime.

Fears that similar occurrences could happen in other countries are rapidly spreading. As a consequence some countries are moving fast to prevent them.

In the U.S., in wake of U.K. Hacking, Representative Mary Bono Mack, a California Republican who chairs the House subcommittee on commerce, manufacturing and trade, is contacting handset manufacturer companies including Apple, Google, Research in Motion, and wireless companies as well, such as AT&T, Verizon Wireless and Sprint Nextel, to determine if there are any vulnerabilities in cell phones or mobile devices which can be exploited by criminals and other unscrupulous individuals. Clearly the final target is to prevent similar events from ever happening in the United States.

For the Chronicle, on June 13 Bono Mack released draft legislation which aims to tighten data security for companies victims of data breaches. Under the proposal, companies that experience a breach that exposes consumer data would have 48 hours to contact law enforcement agencies and begin assessing the potential damage.

Immediately after U.S. Attorney General Eric Holder is considering investigation into News Corp. for the same reson.

Anyway U.S. is not the only country worried about, as similar concerns are raising in Canada, and I may easily imagine that other countries will soon deal the same stuff.

A final curious notice: a further confirm that U.K. is not the paradise for mobile security came this morning when I stumbled upon this wiki which happily shows how to hack a Vodafone femto cell (just released to public) in order to, among the other things, intercept traffic, perform call frauds (place calls or send SMS on on behalf of somebody else SIM card).

The best (or the worst, it depends on the points of view) is yet to come…

Switch Off The Revolution (With An Infrared Sensor)

Just a couple of months ago, in writing the first post about Mobile Warfare (which should have later become Consumerization of Warfare) I expressed some considerations about the growing need for illiberal government to prevent the use of mobile devices as preferred media for the rioters to capture live images of the events, and to spread the information all around the Globe by mean of Social Networks.

Cutting off the Internet has been the first clumsy countermeasure applied by Egypt and Syria, but it is really unlikely that this kind of massive preventive block will be applied again by other countries because of the huge dependence of Internet, which characterizes our epoch, and consequently, as a collateral damage, would stop other vital activities.

As a consequence, I hypothesized that possible future countermeasures will aim to make unusable directly the source of information (read mobile devices), and the media for sharing them (read social networks), relying upon a new generation of Cyber-warfare among which:

A massive Denial of Service for mobile devices through massive exploit of vulnerabilities (more and more common and pervasive on this kind of devices), through massive mobile malware deployment or also by mean of massive execution of mobile malware (as, for instance, Google did in order to remotely swipe the DroidDream malware). Honestly speaking I consider the latter option the less likely since I can easily imagine that no manufacturer will provide cooperation on this (but this does not prevent the fact that a single country could consider to leverage this channel).

No manufacturer will provide cooperation on this? Maybe… Too many times reality surpasses imagination, and when it comes to reality that surpasses the imagination, then surely it comes from Apple. This time, unfortunately, not in the sense that we’re used to (admiring products years ahead of the competition, which previously did not exist not even in our imagination), but in the sense that a patent recently filled by Apple could implicitly provide cooperation for illiberal governments to prevent smartphones to take live images of protests.

It looks like that Apple is Apple is developing software that will sense when a smartphone user is trying to record a live event, and then switch off the device’s camera (only the camera, the other functions will not be affected) by mean of infrared sensors directly installed on the device. The real reason is probably the need to prevent concertgoers to post footage of events on YouTube or other similar sites (at the expense of the organizers which sometimes sell sell their own recordings of the events), which could potentially allow Apple to negotiate better conditions with labels when dealing for placing music on sale on iTunes (and could also potentially provide another source of revenue by charging people to film live events).

But besides commercial considerations, there is another important aspect (a collateral damage I would say). The events of recent months have shown us that the concerts were not the only places where the phones have been used to capture live images. In North Africa and Middle East they have been used to document repression and illiberality. But what would have happened if this technology had really been developed? Probably it would have limited the effect of the winds of change in Tunisia, Egypt, Syria and Libya, since Mobile Devices (and their cameras) played (and are playing) an important role to witness the real entity of the events.

Imagine if Apple’s device had been available to the Mubarak regime earlier this year, and Egyptian security forces had deployed it around Tahrir Square to disable cameras just before they sent in their thugs to disperse the crowd.

Would the global outcry that helped drive Mubarak from office have occurred if a blackout of protest videos had prevented us from viewing the crackdown?

This is more than speculation. since thousands of cellphone cameras in the Middle East and North Africa have been used to document human rights abuses and to share them with millions via social media. I went in Libya approximately a month before the beginning of the revolution and I was astonished by the number of iPhones noticed over there.

This is more than speculation also because the role of mobile technologies for the above mentioned events has been recognized also by Mr. Obama during his speech on Middle East.

As correctly stated, Smartphones like the iPhone and Droid are becoming extensions of ourselves. They are not simply tools to connect with friends and family, but a means to document the world around us, engage in political issues and organize with others. They literally put the power of the media in our own hands.

Apple’s proposed technology would take that power away, that is the reason why the community is moving in order to urge Steve Jobs to pull the plug on this technology.

Some Random Thoughts On Location Tracking

April 27, 2011 1 comment

The Apple and the Android (almost) never agree in anything, but the issue of the Location Tracking has done the miracle and if there is one only point that Cupertino and Mountain View have in common, it is just the bad habit to track user’s position without his/her knowledge.

After the well known issue of iPhone hidden (so to say) location tracking, Wired was able to discover why Apple devices collect these kind od data, unleashing 13-page letter sent by Apple’s general counsel Bruce Sewell in July 2010, explaining its location-data-collection techniques. The letter was written in response to a request from Congressmen Joe Barton and Edward Markey asking for Apple to disclose such practices (Incidentally, Markey authored the “Do Not Track” bill to stop online companies from tracking children).

Although no comment so far has arrived from Apple, I was disappointed in discovering, from a Cisco Blog Post, dealing with the same argument, that a similar bad habit collection has been detected for Google’s Android (at least the Android needs the root permission to grab the data).

In both cases the alleged main purpose of this data collection is to provide better location services. Instead my feeling is that the main benefit in this situation is not for the user, but for the marketing and/or advertising agencies which could come in possession of the data.

Interesting to notice the iPhone 3GS Software License Agreement states that:

By using any location-based services on your iPhone, you agree and consent to Apple’s and its partners’ licensees’ transmission, collection, maintenance, processing and use of your location data to provide such products and services.

Moreover I did a similar research in the Android Privacy Policy and discovered that:

Location data – Google offers location-enabled services, such as Google Maps and Latitude. If you use those services, Google may receive information about your actual location (such as GPS signals sent by a mobile device) or information that can be used to approximate a location (such as a cell ID).

Until now, nothing special, except the fact that Latitude asks for the user’s consent to share the data with the other, which, if I am not wrong, does not occurr for Google Maps. But the interesting point come a some lines below:

In addition to the above, we may use the information we collect to:

  • Provide, maintain, protect, and improve our services (including advertising services) and develop new services; and
  • Protect the rights or property of Google or our users.

And in this case no explicit consent is provided (even if it is indicated in the privacy policy that one user should read. For sure who loses is the user’s privacy (but we should be used to this), and most of all user’s security, since in both cases it is not so hard to dig the data from a stolen devices, giving the impression that main concern of engineers was more to make the data available “to improve services” rather then to store them in a secure manner.

Meanwhile Minnesota Senator Al Franken and the attorney general of Illinois are separately pressing Apple and Google to provide more information about the location data they collect about their end users…

Grab Your Data? There’s An App For That!

April 20, 2011 1 comment

The news of the day is undoubtedly the discovery that Apple devices are a bit ‘too nosy’ and regularly record the position of the device into a hidden (!!) unencrypted and unprotected file.

The unwelcome and serendipitous discovery, which was announced today at Where 2.0, has been performed by two researchers, Alasdair Allan and Pete Warden, while they were working on a project concerning visualization of Mobile Data. It looks like this unrequested feature has been introduced since the arrival of iOS 4.0 and allows the locations and their relative time stamps to be written on an easily accessible file on the device and, even worse, backed up on every PC the device has been synchronized with.

Even if the purpose of the file is unknown (at least so far), and would be appropriate to wait a reply from Apple (if any) before coming to any conclusion, this event, once again, brings to the fore privacy issues for mobile devices, strictly related to the security model for these devices, and, more in general, to the cultural approach and revolution users must face (and get used to) when dealing with mobile technologies.

For sure the main issue here is the lack of respect by Cupertino towards the users (customers?). We know that this is not the first time that a mobile applications attracts criticism for the use of private data (think for instance to the affair of Google Latitude). In the case of Apple Equipment (differently from the creature of Google) the user may not explicitly approve the sharing (would be better to say the tracking since there is no evidence of sharing so far) of his data. But even if we do not consider the ethic point of view, from a security perspective the event has a devastating impact: if the file containing the data may be easily accessed, this means that, in case of theft, could be quite easy, for a malicious user, to grab the data and reconstruct the habits of the users. If we think, for instance, to industrial espionage, this occurence has a dramatic consequence enhanced by the evidence that this kind of devices are often used by CxOs. (Who are the most targeted by the risks of consumerization of IT, of which this is yet another example).

Moreover, in most circumstances I discussed the risks of geolocation (and its correlation with users’ habits) and the importance that this data could have if massively stolen (for instance by mean of a Mobile Botnet) by Cybercrooks and conveyed to a C&C Server. In a similar scenario bad guys capable of stealing such a similar amount of data would have no difficulty at all to organize an auction “to the death” between hungry marketing agencies, which would pay gold to put their hand on them. I must admit that the thought that these “bad boys” could be just the manufacturers of my iPhone (luckily I own an Android) does not make me feel very comfortable. This situation is also paradoxical: many security vendors offer privacy advisors for (other) mobile platforms, but the evidence that one user should defend his privacy from the manufacturer itself sounds absurd and frustrating. Of course I continue to repeat that it is better to wait for an Apple official reply, but, honestly speaking the fact that these data are only available for devices provided with a cellular plan, sounds very strange.

Meanwhile, if you want to know more and enjoy (I hope so) to verify where have you been since you bought your brand new iToy, you may have a really interesting look at this link where the authors of the discovery posted an app to unleash the file and graphically map the positions.

Last but not least, there is no evidece (so far), of a similar “Feature” on the Droids.

On the other hand, these are tough times for the privacy of smartphones owners. As a matter of fact, quite curiously, today another, apparently unrelated, piece of news coming from the opposite site of the Ocean caught my attention. It concerns Michigan State Police, which has been using data extraction tools to collect information from the cell phones of motorists detained for minor traffic infractions. This has been possible by mean of Cellebrite, a mobile Forensics Tool capable to perform:

“Complete extraction of existing, hidden, and deleted phone data, including call history, text messages, contacts, images, and geotags. The Physical Analyzer allows visualization of both existing and deleted locations on Google Earth. In addition, location information from GPS devices and image geotags can be mapped on Google Maps,”

Even if the latter issue raises the question concerning to what extent the law can go when facing privacy of the citizens, the two news have in common the (mis)use of mobile data and I could not help but thinking that mobile data are continuously under attack and users should consequently consider carefully the usage of their devices (this is the reason why I used the term of cultural revolution).

Who knows, maybe Michigan State Police hoped to make further fines for speeding after detaining the motorists by tracking GPS position and timestamps. Probably if they had known the existence of the above mentioned feature of iOS, they would have avoided to buy the software and grab directly the data… At least for iOS 4 users…

What if Android Reassembles The Puzzle?

ComScore has just published its Press Release related to February 2011 U.S. Mobile Subscriber Market Share. 69.5 million people in the U.S. owned smartphones during the three months ending in February 2011, up 13 % from the preceding period. As we have become accustomed to a few months, the Android is still on the top, earning 7 percentage points since November 2010, achieving a 33% market share. RIM ranked second with 28.9 percent market share, followed by Apple with 25.2 percent. Microsoft (7.7 %) and Palm (2.8 %) rounded out the top five.

Top Smartphone Platforms:
3 Month Avg. Ending Feb. 2011 vs. 3 Month Avg. Ending Nov. 2010
Total U.S. Smartphone Subscribers Ages 13+
Source: comScore MobiLens
Share (%) of Smartphone Subscribers
Nov-10 Feb-11 Point Change
Total Smartphone Subscribers 100.0% 100.0% N/A
Google 26.0% 33.0% 7.0
RIM 33.5% 28.9% -4.6
Apple 25.0% 25.2% 0.2
Microsoft 9.0% 7.7% -1.3
Palm 3.9% 2.8% -1.1

Considering the market share on a per-vendor base, provides a different interpretation, and explains some strategic mobile choices of the Mountain View giant. Among the OEM,  Samsung ranked at the #1 with 24.8% of U.S. mobile subscribers, up 0.3 percentage points from the previous three month period. LG ranked #2 with 20.9 percent share, followed by Motorola (16.1 %) and RIM (8.6 percent). Apple saw the strongest gain, up 0.9 percentage points to account for 7.5 percent of subscribers.

Top Mobile OEMs
3 Month Avg. Ending Feb. 2011 vs. 3 Month Avg. Ending Nov. 2010
Total U.S. Mobile Subscribers Ages 13+
Source: comScore MobiLens
Share (%) of Mobile Subscribers
Nov-10 Feb-11 Point Change
Total Mobile Subscribers 100.0% 100.0% N/A
Samsung 24.5% 24.8% 0.3
LG 20.9% 20.9% 0.0
Motorola 17.0% 16.1% -0.9
RIM 8.8% 8.6% -0.2
Apple 6.6% 7.5% 0.9

I am not new to this kind of considerations (already faced in a previous post in Italian), but it is clear that the Android Landscape is becoming a little bit too much fragmented, and this risks to be a serious issue for the Android, both in terms of consumers’ perception, both in terms of security. As far as the consumer perception is concerned: many vendors are pushing more and more customizations not only on their own Android ROMs, but even on the services provided to consumer (read vendor-dedicated markets and services). This sounds confusing for the consumer who will inevitably ask why should he consider, inside the same platform, different parameters of choice external to the mere features of the devices (and how they map to consumer’s need). Not to mention also the tragedy of software updates: a new major release of the Android may take also one year to be ported in some devices, because of the wide customizations made by the manufacturers on their smartphones.

As far as security considerations are concerned, customization affects platform (in)stability and, inevitably security, if it is true that the same code must be adapted to run on different architectures, and security bugs are always behind the door.

These factors are probably behind the rumors claiming that Google has been demanding that Android licensees abide by “non-fragmentation clauses” that give Google the final say on how they can tweak the Android code, to make new interfaces and add services, and also behind the (not confirmed) rumors of standardizing the ARM Chip for Android 3.0. If we sum up these rumors with the fact the Mountain View will not (at least initially) release the Honeycomb Source Code, it looks clear that Google is running for cover in order to stem the excessive number of fragments in which OEM vendors are reducing its precious Android.

The Android is winning the market share battle against Apple and RIM, and forecasts for the next years show a bright future for the Android, destined to achieve nearly the half of the market in 2015. So far the Mountain View Strategy has shown to be winning, but the only obstacle, in this triumphant ride, could by represented by fragmentation, which might drive consumers to the monolithic models of Cupertino and Waterloo.

Frutta Fuori Stagione

Si è da poco conclusa la Cansecwest, che ha ospitato al suo interno l’annuale contest Pwn2Own 2011, la sfida sponsorizzata da Tipping Point (ormai entrata nell’orbita del Titano HP) rivolta a trovare exploit nei browser e sistemi operativi mobili più diffusi.

La Mela e la Mora ne escono con le ossa rotte (anzi sarebbe meglio dire sbucciate ben bene), visto che entrambe sono state vittima di un exploit che ha consentito di sottrarre illecitamente la rubrica sia dal Melafonino che dal Morafonino (in realtà in questo secondo caso gli autori dell’exploit sono riusciti anche a scrivere un file a dimostrazione della possibilità di poter eseguire codice arbitrario).

Alla radice dell’exploit, la stessa vulnerabilità, basata sul medesimo motore di rendering utilizzato, quel Webkit che costituisce anche il cuore di Chrome, Browser di casa Google, e per il quale la casa di Mountain View, illibata al Pwn2Own (grazie agli ultimi aggiornamenti pre-contest) ha già furbescamente rilasciato una pezza patch che rende vano il tentativo di exploit nei suoi confronti. Per inciso la stessa vulnerabilità ha causato il crollo di Safari durante la stessa manifestazione.

Nel caso della Mela, l’exploit è stato realizzato da un veterano del settore, quel Charlie Miller, già protagonista delle edizioni 2008 e 2009 rispettivamente per aver scovato il primo exploit sul MacBook Air e su Safari. Quest’anno, in collaborazione con Dion Blazakis, il ricercatore si è portato a casa i 15.000 dollari del premio grazie alla sottrazione illecita della rubrica dell’iPhone ottenuta guidando il browser del Melafonino verso un sito creato allo scopo. L’exploit funziona sulla versione 4.2.1 dell’iOS che è stata messa sotto torchio durante il Pwn2Own ma non funziona sulla neonata versione 4.3. Non fatevi tuttavia troppe illusioni: il bug è ancora presente, ma l’utilizzo dell’ASLR (Address Space Layout Randomization) rende la vita complicata agli hacker ed in questo caso invalida l’exploit.

Apparentemente più serio il caso del Lampone di RIM: in questo caso l’exploit è stato (è proprio il caso di dire) messo a frutto da Vincenzo Iozzo, Willem Pinckaers e Ralf Philipp Weinmann che si sono portati a casa il premio messo in palio da Tipping Point HP. In particolare il primo e il terzo non sono nuovi a imprese del genere, in quanto si aggiudicarono il premio nell’edizione del 2010 riuscendo ad effettuare l’hack dell’iPhone.

Vulnerabilità simile, tipologia di attacco simile: anche in questo caso il team di ricercatori ha realizzato il trappolone mediante una pagina web costruita allo scopo che ha iniettato l’exploit nel Browser interno. Oltre a copiare la lista dei contatti ed alcune immagini dal dispositivo, i ricercatori hanni anno anche scritto un file sul dispositivo per dimostrare la possibilità di eseguire codice.

L’attacco ha una rilevanza particolare poiché, sebbene il Blackberry non disponga di funzioni di sicurezza quali il DEP (Data Execution Prevention) e il già citato ASLR, non esiste documentazione pubblica sugli internal del sistema operativo di RIM e questo aspetto ha costretto i ricercatori ad agire mediante approssimazioni successive, concatenando una serie di bachi. Per ammissione degli stessi ricercatori in questo caso il modello di Security Through Obscurity di RIM ha complicato, e anche non poco, la creazione dell’exploit.

L’attacco ha avuto successo con la versione software 6.0.0.246 (interessa quindi tutti gli ultimi dispositivi), e sembra che l’ultima patch rilasciata non sia stata risolutiva. All’infausto evento ha assistito in diretta il security response team di RIM. Immediatamente dopo il responsabile, Adrian Stone ha indicato che la compagnia lavorerà fianco a fianco con gli organizzatori del contest per verificare che le vulnerabilità siano presenti anche nelle ultime versioni del firmware.

“It happens.  It’s not what you want but there’s no such thing as zero code defects,”

E’ stato il laconico commento di Stone.

La questione tuttavia sembra piuttosto seria. Nel frattempo RIM ha difatti diramato ai propri clienti un avviso di sicurezza in cui notifica la vulnerabilità e le versioni che ne sono affette (tutte le versioni superiori alla 6) e due improbabili workaround: disabilitare il javascript dal browser o, addirittura, disabilitare totalmente il browser.

Per una volta quindi il protagonista in negativo non è l’Androide che esce inviolato dal Contest. Anche se in realtà deve essere considerato il fatto, già discusso in queste pagine, che la stessa vulnerabilità era già stata riscontrata per l’Androide (ed utilizzata per costruire una vulnerabilità nel market) e subito patchata grazie all’ammissione del suo scopritore Jon Oberheide che ha così rinunciato a 15.000 bucks.

Follow

Get every new post delivered to your Inbox.

Join 2,705 other followers