

Posts Tagged ‘iOS’

Antisec Steals 12M Apple Device IDs from FBI (Exploiting a Java Vulnerability) UPDATED

September 4, 2012

Update 4 Sep 23:38 GMT+2: The FBI issued a tweet denying that it ever had the 12 million Apple IDs in question:

Here is the complete statement from the FBI Press Office.

Original Post: A few hours ago, the @AnonymousIRC Twitter account announced yet another resounding cyber attack carried out in the name of the #Antisec movement:

In a special edition of their #FFF refrain (literally quoting the authors of the attack: “so special that’s even not on friday”), the hacktivists claim to have obtained 12,000,000 Apple device UDIDs from the FBI (UDID is short for Unique Device Identifier, the unique string of numbers that identifies each iOS device), and have consequently published 1,000,001 of them in a pastebin post.

In the same post they explain how they were able to obtain them:

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.

Did you notice the misplaced detail? I could not help but notice that the UDIDs were obtained by exploiting a Java vulnerability, the AtomicReferenceArray vulnerability (CVE-2012-0507). The detail would not be so important in other circumstances, had it not been disclosed only a few days after the controversies following the discovery of a potentially devastating 0-day for Java, and the subsequent issues deriving from the release of a vulnerable patch.

There could be no worse moment for this event to happen, and I am afraid it will add fuel to the rising concerns regarding Java security… Hard days for Java… And for the FBI

Breaking: First Known Detection of Carrier IQ in Italy

December 12, 2011

Update December 13: Carrier IQ issued an updated statement, new concerns for an endless saga…

I am proud to post here the first known detection in Italy of the infamous Carrier IQ software!

As you will probably know, everything started on Nov. 28, on the other side of the Atlantic, when Trevor Eckhart, an Android developer, posted a video on YouTube showing the hidden software Carrier IQ interacting oddly with his mobile phone activity. Eckhart subsequently alleged his keystrokes and data were being collected without his permission.

Predictably, speculation and accusations began immediately, concerning the kind of data collected by Carrier IQ and presumably transmitted to wireless mobile operators: as a matter of fact, subsequent investigations have shown that the Carrier IQ software is embedded on nearly every mobile phone and operator, at least in the U.S., where concerns over consumer privacy led Massachusetts congressman Rep. Edward Markey to ask the Federal Trade Commission to investigate the company.

But although many believed the software was logging keystrokes and collecting sensitive data, a subsequent, more reasonable analysis carried out by reversing the code has shown a different scenario: the software “only” collects anonymized metrics data, although there are hooks inside the code to events such as keystrokes, possibly suggesting the implementation of this kind of functionality in future versions. Essentially the analysis confirmed the content of a statement by the company which attempted to clarify how information was being collected:

We measure and summarize performance of the device to assist Operators in delivering better service.
While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen.

Nevertheless, the clarifications did not mitigate the fact that Carrier IQ is a potential risk to user privacy, and that users may not choose to disable it. As a consequence, a bunch of class action lawsuits have been filed against the main handset manufacturers and carriers including, besides the obvious Carrier IQ, AT&T, Sprint Nextel, T-Mobile USA, HTC, Apple, Samsung, and Motorola Mobility.

Of course European regulators could not remain indifferent, and immediately started to investigate Carrier IQ. Germany’s Bavarian State Authority for Data Protection was the first to contact Apple, which publicly declared that it had included Carrier IQ in earlier versions of iOS, with support ceased with iOS 5 and to be completely removed for previous versions in future software updates. The German example has immediately been followed not only by other regulators in the U.K., France, Ireland and Italy, but also by organizations like BEUC, the European Consumers’ Organisation, which defends the users’ right to be told how their data is used.

I was wondering if Europe’s concerns were exaggerated (since so far the scandal seemed to be contained in the U.S.) until a friend of mine decided to test one of the available Carrier IQ detection tools on his Samsung Galaxy Tab, which was purchased from 3, an Italian Mobile Operator belonging to the H3G Giant.

Of course the results are shown above: the tool detected the Carrier IQ software in an inactive state. The bad thing is that, although it is apparently inactive, my friend told me he was not able to remove the software following the different procedures available on the web, even if he did not spend much time on its removal. So far I can only show the screenshot, but he told me he will give me his device for a deep analysis (with caution, since it is his work device).

Thinking about this strange encounter, I admit I could not help but think of Samsung’s official statement concerning Carrier IQ (as reported by Engadget):

Some Samsung mobile phones do include Carrier IQ, but it’s very important to note that it’s up to the carrier to request that Samsung include that software on devices. One other important point is that Samsung does not receive any consumer user information from the phones that are equipped with Carrier IQ.

Since it is up to the carrier to request the software to be included on Samsung devices, I presume that 3 could have decided to install it on all the devices for the Italian market. I tested the tool on my HTC Desire and Sensation XE (both belonging to Telecom Italia Mobile) with no result.

Francesco Pizzetti, Italy’s Protection of Personal Data Guarantor, will have a lot to do… meanwhile he opened an investigation into how Carrier IQ works and is checking Italian mobile phones to verify where the software is in use.

Mobile devices are more and more becoming inseparable companions for our personal and professional life, and deadly enemies for our privacy…

Mobile Antiviruses: Malware Scanners or Malware Scammers?

November 23, 2011

A few days ago Juniper Networks released a report on the status of Android malware. The results are not encouraging for Android addicts, since they show a 472% increase in malware samples since July 2011 (see the infographic for details).

This is not surprising: already in May, in its annual Malicious Mobile Threats Report, Juniper had found a 400% increase in Android malware from 2009 to the summer of 2010. This trend is destined to grow further, since the Juniper Global Threat Center found that October and November registered the fastest growth in Android malware discovery in the history of the platform. The number of malware samples identified in September increased by 28%, whilst October showed a 110% increase in malware sample collection over the previous month and a noticeable 171% increase from July 2011.

As far as the nature of the malware is concerned, Juniper data show that it is getting more and more sophisticated, with the majority of malicious applications targeting communications, location, or other personal information. Of the known Android malware samples, 55% act as spyware and 44% are SMS Trojans, which send SMS messages to premium rate numbers without the user’s consent.

The reason for this malware proliferation? A weak control policy on the Android Market, which makes it easier for malicious developers to publish malware applications in disguise. From this point of view, at least according to Juniper, the model of Cupertino is much more efficient and secure.

Predictably, Google’s answer came from the mouth of Chris DiBona, open source and public sector engineering manager at Google. According to DiBona, Open Source, which is widely present in all the major mobile phone operating systems, is software, and software can be insecure. But Open Source becomes stronger if it pays attention to security, otherwise it is destined to disappear. In support of this statement he quotes the cases of Sendmail and Apache, whose modules that were not considered secure enough disappeared or came back stronger (and more secure) than ever.

But DiBona does not stop here (probably he had read this AV-test report which demonstrates that free Android antimalware applications are useless): “Yes, virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS. They are charlatans and scammers. IF you work for a company selling virus protection for android, rim or IOS you should be ashamed of yourself.”

From this point of view Google hopes that Ice Cream Sandwich will take Android security to the next level, even if some features are raising security concerns among infosec professionals.

First Security Breach In The App Store

November 8, 2011

It looks like the Judgment Day for iOS has finally arrived. Until today the robustness of the AppStore has always been considered one of the strengths of the Apple Model: unlike the Android Market, which is constantly under attack for its weak security model that allowed too many malicious users to upload malicious applications, a strict control policy had prevented, at least so far, the same destiny for the mobile Apple Application.

Unfortunately Charlie Miller, an old acquaintance of Apple supporters, thought that winning three Pwn2Owns in the last four years (2008, 2009 and 2011), exploiting practically every Apple vulnerability, was not enough. So he decided to attack Cupertino directly, inside its App Store security model.

The story begins early last year, after the release of iOS 4.3 when the researcher became suspicious of a possible flaw in the code signing of Apple’s mobile devices.

As stated in the original article by Forbes:

To increase the speed of the phone’s browser, Apple allowed javascript code from the Web to run on a much deeper level in the device’s memory than it had in previous versions of the operating system. In fact, the browser’s speed increase had forced Apple to create an exception for the browser to run unapproved code in a region of the device’s memory, which until then had been impossible. (Apple uses other security restrictions to prevent untrusted websites from using that exception to take control of the phone.)

The next step was to discover a bug that allowed him to expand that code-running exception to any application, and that is exactly what he did, but still this was not enough.

After discovering the bug, he submitted an app exploiting the vulnerability to the App Store. The app was approved and behaved as expected (actually a behaviour with which the victims of Android malware are quite familiar): the app was able to phone home to a remote computer, downloading new unapproved commands onto the device and executing them at will, including stealing the user’s photos, reading contacts, making the phone vibrate or play sounds, or otherwise repurposing normal iOS app functions for malicious ends.

This method will be presented at the SyScan Conference in Taiwan next week, even if a video demonstration of the exploit is already available.

Last but not least: as a reward for discovering the bug, Apple has decided to revoke Miller’s developer license.

Probably Android users will be the happiest to learn that, as stated by Miller:

Android has been like the Wild West. And this bug basically reduces the security of iOS to that of Android.

At least for one thing (security), iOS and Android are identical.

The Dangerous Liaisons (Updated)

August 22, 2011

Did you know that a smartphone might involve as many as 250,000 patent claims? You may easily understand why the $4.5 billion auction to buy 6,000 Nortel patents by the consortium formed by Apple, Microsoft, Research in Motion, Sony Ericsson and EMC was so cruel. You may also easily understand why Google, the loser of the Nortel auction, decided to react immediately by acquiring Motorola and its patent portfolio of more than 17,000 approved patents (and another 7,500 patents filed and pending approval) for the large sum of $12.5 billion.

In a few words, the mobile arena is getting more and more aggressive and cruel. For this reason, a little bit for curiosity, a little bit for fun, I decided to draw a chart (and a table) showing all the moves of the giant players on this mobile chessboard. Although deliberately incomplete (I did not show in the table the patent saga of NTP Inc. against the rest of the world and the settlement of Motorola vs RIM), it gives a good idea of the dangerous intersections involving partnerships, fees, alliances and, most of all, lawsuits… With the strange paradox that some companies (read Apple and Samsung) are enemies before the court, but at the same time business partners.

While visualizing the idea I stumbled upon this similar graph showing the status of the mobile arena on 8 Oct 2010. I decided to use the same layout, omitting some information, but updating it to the current date. The graph is a little bit confusing, but the confusion of the arrows reflects the real situation better than a thousand words.

Anyway the war will not stop here: the next targets? Interdigital Inc., with its 8,800 patents, which are attracting several bidders such as Apple, Nokia and Qualcomm; and, most of all, Kodak, whose survival depends on the auction of 10% of its patent portfolio (1,100 patents), valued as high as $3 billion, which is vital to compensate for losses estimated at $2.5 billion.

As far as the table is concerned, in order to avoid repetitions, it only shows the status of the lawsuits and alliances from the perspective of Google, Apple and Microsoft. Enjoy your read and the 250,000 patent claims on your smartphone!

Company | Filed Suit Against | Has Technological Alliance With | Suit Filed By
  No one (at least so far!)

Of course Google licenses its mobile OS to HTC and Samsung (in rigorous alphabetical order), and it is the driver for the impressive market share growth of Samsung and HTC.

In an effort to defend Android’s Intellectual Property “to supercharge the Android ecosystem and will enhance competition in mobile computing”, on Aug 15 2011, Google announced the intention to acquire Motorola Mobility with a $12.5 billion deal. Motorola has nearly 17,000 patents.

Aug 12 2010: Oracle filed suit against Google for infringing on copyrights and patents related to Java. Oracle claimed Google “knowingly, directly and repeatedly infringed Oracle’s Java-related intellectual property”. Android uses a light proprietary Java Virtual Machine, Dalvik VM, which, according to Oracle, infringes one or more claims of each of United States Patents Nos. 6,125,447; 6,192,476; 5,966,702; 7,426,720; RE38,104; 6,910,205; and 6,061,520.

The case, in U.S. District Court, Northern District of California, is Oracle America, Inc v. Google Inc, 10-3561.

The lawsuit is still pending and will likely take several months. The trial between Oracle and Google is expected to begin by November and Oracle is seeking damages “in the billions of dollars” from Google.

On Aug 1 2011, the judge overseeing the lawsuit Oracle filed over the Android mobile OS denied Google’s attempt to get a potentially damaging e-mail redacted.

Mar 2 2010: Apple sued HTC for infringing on ten patents, nine of which involve technologies which apply to the iPhone, while one involves the use of gestures, but only in a specific use case.

The suit has been filed in the U.S. District Court in Delaware, alleging twenty instances of patent infringement. The company also petitioned the US ITC to block the import of twelve phones designed and manufactured by HTC.

On Jul 15 2011 Apple won a preliminary patent ruling in an early judgment before the US ITC, in which HTC was found to have breached two of 10 patents held by Apple.

On Aug 8 2011 the ITC announced that it had decided to review Apple’s patent infringement complaint against HTC.

Oct 31 2010: In response to Motorola’s lawsuit against Apple, Apple sued Motorola and Motorola Mobility for infringement of several multi-touch patents in the Wisconsin Western District Court with two distinct lawsuits. A total of six patents are involved in the two lawsuits.

On Nov 23, 2010: the US International Trade Commission announced that it would review Apple’s patent case against Motorola.

Apr 18 2011: Apple filed suit against Samsung for copying the design of its iPad and iPhone with its smartphones and tablets.

Aug 10 2011: European customs officers have been ordered to seize shipments of Samsung’s Galaxy Tab computers after the ruling late on Tuesday by a German patents court.

In the last days Apple has been accused of presenting inaccurate evidence against Samsung.

Aug 24 2011: Samsung has been banned from selling some Galaxy phones in the Netherlands. The ban is set to begin on October 13, but Samsung doesn’t seem to be taking it too hard.

On Jul 1 2011 the intellectual property of the Canadian giant Nortel (in bankruptcy), involving 6,000 patents, was sold for $4.5 billion, in a dramatic auction, to a consortium formed by Apple, Microsoft, RIM, Sony, EMC and Ericsson. Google was the other competitor (and the big loser) for the deal. This event acted as a trigger for the acquisition of Motorola Mobility by Google.

On Aug 3 2011, in a post to the Official Google Blog, Google Senior Vice President and Chief Legal Officer David Drummond said that Apple, Microsoft, Oracle, and others have waged “a hostile, organized campaign against Android” by snapping up patents from Novell and Nortel and asking Google for high licensing fees for every Android device, accusing them of patent bullying.

Curiously, Apple is one of the main technological partners of Samsung for displays and semiconductors. Samsung produces Apple’s A4 systems-on-a-chip (SoC) and the two companies also collaborate on iPad displays (Apple is moving from LG to Samsung because of quality issues with the former). Nevertheless the lawsuits between the two companies are compromising their relationship, so that Apple is evaluating a new supplier (TSMC) for its A6 next-generation chipset.

Oct 22 2009: Nokia sued Apple in Delaware court for infringing on ten patents related to GSM, UMTS, and WLAN standards that Nokia states they established after investing more than EUR 40 billion in R&D over the last 20 years.

On Jun 14 2011 Apple agreed to pay between $300m and $600m to cover the 111m iPhones sold since its launch in 2007. Although the exact number was not specified, additional yearly fees could be part of the agreement.

In Jan 2010 Kodak sued Apple and RIM, claiming Apple is infringing its 2001 patent covering technology that enables a camera to preview low-resolution versions of a moving image while recording still images at higher resolutions. The cases were filed in U.S. District Court in Rochester, N.Y., as well as the U.S. ITC.

In Apr 2010 Apple argued that some Kodak still and video camera products violate two of its patents.

In Jul 2011: While Kodak’s claim is pending, the commission rules on Apple’s complaint and says Kodak’s digital-camera technology doesn’t violate Apple’s patents.

Oct 6 2010: Motorola sued Apple for patent infringement in three separate complaints: in district courts in Illinois and Florida, and in a separate complaint filed with the U.S. International Trade Commission. The suits covered 18 different patents, infringed by Apple’s iPhone, iPad, iPod touch, and certain Mac computers.

The Motorola patents include wireless communication technologies, such as WCDMA (3G), GPRS, 802.11 and antenna design, and key smartphone technologies including wireless e-mail, proximity sensing, software application management, location-based services and multi-device synchronization.

Jan 12 2011: Microsoft has motioned for a summary judgment to block Apple from trademarking the phrase “app store,” as it filed with the U.S. Patent and Trademark Office (USPTO) on July 17, 2008.

Mar 30 2011: Microsoft filed a second objection to Apple’s enduring pursuit to trademark the phrase “app store,” hiring a linguist, Dr. Ronald Butters, to go head-to-head against Apple’s own hired linguist, Robert A. Leonard.

On Jul 1 2011 US ITC said Apple has violated two S3 Graphics Co. patents in its Mac OS X operating system, but not in the iOS platform. Although not directly related to Mobile, this ruling is meaningful since S3 has been acquired by HTC on Jul 6 2011 for $300 million in order to use their patents in the fight against Apple.

HTC expects final ruling on Apple-S3 graphics case in November.

On Aug 16 2011 HTC filed a new lawsuit against Apple in Delaware’s US District Court, in an escalation of the legal battle between the two smartphone giants. HTC accused Apple of infringing three of HTC’s patents through its sale of devices including iPads, iPods, iPhones and Macintosh computers.

Oct 1 2010: Microsoft sued Motorola for patent infringement relating to the company’s Android-based smartphones. Microsoft filed its complaint with the International Trade Commission and in a Washington state district court. At issue are nine patents that deal with, among others, sending and receiving e-mail, managing and syncing calendars and contacts, and managing a phone’s memory.

The patent dispute will begin on Aug 21 2011; the hearing procedure can take up to 10 days, and the judgment procedure is expected to reach the final verdict only in March 2012.

Nov 9 2010: Microsoft sued Motorola again, for charging excessive royalties on network technology used in Microsoft’s Xbox game system.

Feb 11 2011: a deal with the Devil, Microsoft and Nokia announce their plans to form a broad strategic partnership that would use their complementary strengths and expertise to create a new global mobile ecosystem.

Besides the alliances with Apple and RIM (see the corresponding cell), on May 12 2011 Microsoft teamed up with HTC, Nokia and Sony Ericsson in Europe, filing a challenge seeking to invalidate Apple’s trademarks on the phrases “App Store” and “Appstore.”

Nov 11 2010: Motorola Mobility sued Microsoft in the U.S. District Courts for the Southern District of Florida and the Western District of Wisconsin, alleging infringement of sixteen patents by Microsoft’s PC and Server software, Windows mobile software and Xbox products.

Motorola Mobility asked for the infringing devices to be barred from importation into the United States.

On Dec 21 2010, ITC has agreed to hear the complaint.

Grab Your Data? There’s An App For That!

April 20, 2011

The news of the day is undoubtedly the discovery that Apple devices are a bit ‘too nosy’ and regularly record the position of the device in a hidden (!!), unencrypted and unprotected file.

The unwelcome and serendipitous discovery, which was announced today at Where 2.0, was made by two researchers, Alasdair Allan and Pete Warden, while they were working on a project concerning the visualization of mobile data. It looks like this unrequested feature was introduced with the arrival of iOS 4.0 and allows the locations and their relative time stamps to be written to an easily accessible file on the device and, even worse, backed up on every PC the device has been synchronized with.

Even if the purpose of the file is unknown (at least so far), and it would be appropriate to wait for a reply from Apple (if any) before coming to any conclusion, this event, once again, brings to the fore privacy issues for mobile devices, strictly related to the security model for these devices and, more generally, to the cultural approach and revolution users must face (and get used to) when dealing with mobile technologies.

For sure the main issue here is the lack of respect by Cupertino towards its users (customers?). We know that this is not the first time that a mobile application has attracted criticism for its use of private data (think, for instance, of the Google Latitude affair). In the case of Apple equipment (unlike Google’s creature) the user may not explicitly approve the sharing (it would be better to say the tracking, since there is no evidence of sharing so far) of his data. But even if we do not consider the ethical point of view, from a security perspective the event has a devastating impact: if the file containing the data can be easily accessed, then in case of theft it could be quite easy for a malicious user to grab the data and reconstruct the habits of the user. If we think, for instance, of industrial espionage, this occurrence has dramatic consequences, made worse by the fact that this kind of device is often used by CxOs (who are the most targeted by the risks of the consumerization of IT, of which this is yet another example).

Moreover, on many occasions I have discussed the risks of geolocation (and its correlation with users’ habits) and the importance that this data could have if massively stolen (for instance by means of a mobile botnet) by cybercrooks and conveyed to a C&C server. In such a scenario, bad guys capable of stealing such an amount of data would have no difficulty at all in organizing an auction “to the death” between hungry marketing agencies, which would pay gold to get their hands on it. I must admit that the thought that these “bad boys” could be just the manufacturers of my iPhone (luckily I own an Android) does not make me feel very comfortable. This situation is also paradoxical: many security vendors offer privacy advisors for (other) mobile platforms, but the idea that a user should have to defend his privacy from the manufacturer itself sounds absurd and frustrating. Of course I continue to repeat that it is better to wait for an official reply from Apple but, honestly speaking, the fact that these data are only available for devices provided with a cellular plan sounds very strange.

Meanwhile, if you want to know more and would enjoy (I hope so) verifying where you have been since you bought your brand new iToy, you may have a really interesting look at this link, where the authors of the discovery posted an app to unleash the file and graphically map the positions.

Last but not least, there is no evidence (so far) of a similar “feature” on the Droids.

On the other hand, these are tough times for the privacy of smartphone owners. As a matter of fact, quite curiously, today another, apparently unrelated, piece of news coming from the opposite side of the Ocean caught my attention. It concerns the Michigan State Police, which has been using data extraction tools to collect information from the cell phones of motorists detained for minor traffic infractions. This has been possible by means of Cellebrite, a mobile forensics tool capable of performing:

“Complete extraction of existing, hidden, and deleted phone data, including call history, text messages, contacts, images, and geotags. The Physical Analyzer allows visualization of both existing and deleted locations on Google Earth. In addition, location information from GPS devices and image geotags can be mapped on Google Maps,”

Even if the latter issue raises the question of how far the law can go when facing the privacy of citizens, the two news items have in common the (mis)use of mobile data, and I could not help but think that mobile data are continuously under attack and users should consequently consider carefully how they use their devices (this is the reason why I used the term cultural revolution).

Who knows, maybe the Michigan State Police hoped to issue further fines for speeding after detaining the motorists, by tracking GPS positions and timestamps. Probably, if they had known of the existence of the above-mentioned feature of iOS, they would have avoided buying the software and grabbed the data directly… At least for iOS 4 users…

(Other) Chronicles Of The Android

I know it is late and I am quite tired after a day of work. Still, a few seconds (and some energy) to comment on a new Gartner report confirming what was previously indicated by ABI Research and IDC, according to which the Google creature will command nearly half of the worldwide smartphone operating system market by year-end 2012.

Worldwide Mobile Communications Device Sales to End Users by OS (Thousands of Units)

OS 2010 2011 2012 2015
Symbian 111,577 89,930 32,666 661
Market Share (%) 37.6 19.2 5.2 0.1
Android 67,225 179,873 310,088 539,318
Market Share (%) 22.7 38.5 49.2 48.8
Research In Motion 47,452 62,600 79,335 122,864
Market Share (%) 16.0 13.4 12.6 11.1
iOS 46,598 90,560 118,848 189,924
Market Share (%) 15.7 19.4 18.9 17.2
Microsoft 12,378 26,346 68,156 215,998
Market Share (%) 4.2 5.6 10.8 19.5
Other Operating Systems 11,417.4 18,392.3 21,383.7 36,133.9
Market Share (%) 3.8 3.9 3.4 3.3

Source: Gartner (April 2011)

In my opinion it is worth noticing the inevitable fall of Symbian, the slow but inexorable descent of RIM, and the equally slow growth of Microsoft, which will nearly touch 20% only in 2015.

The android has every reason to celebrate, and there is nothing better to do it properly than this video in which an HTC Desire solves a dodecahedron Rubik’s Cube: an HTC Desire runs a custom Android app which uses the phone’s camera to take individual images of each of the puzzle’s 12 faces, then processes the information and sends a signal via Bluetooth to the NXT controller,

Peeling an Apple in 6 Minutes

February 13, 2011

Could this early stretch of 2011 hand out information security (dis)satisfactions only to the poor Android? Not at all! From Germany, and specifically from the Fraunhofer Institute for Secure Information Technology (SIT), comes an interesting analysis of the security level of the Apple KeyChain, the architecture used by Apple's operating systems to manage personal data (passwords, etc.). The results are hardly exciting: in 6 minutes the authors of the paper were able to completely decrypt the contents of the KeyChain on one of Apple's jewels (iPhone 4 and iPad), simulating the same boundary conditions as a theft (that is, a device that was not jailbroken, encrypted with a complex password, with the Data Protection feature active, and with the hacking carried out from a PC that had never been synchronized with the device).

The bitter conclusion is that when an iOS device (the test was carried out on version 4.2.1) with hardware encryption enabled is lost or stolen, the user is wrapped in a deceptive sense of security. It is the familiar feeling of someone who believes an attacker has no way of reaching the stored data (at least when a complex password protects the secrets). The AES256 algorithm underlying the encryption process would, in theory, be a solid guarantee. Unfortunately, the device's encryption key does not depend on the complexity of the password set by the user; it is self-contained, meaning that everything needed to create it comes from pieces of information stored inside the device, which are therefore virtually in the hands of any attacker who has unlawfully got their claws on the device.

This characteristic of Steve Jobs' jewels was already known and had been used, without much effort, to decrypt portions of the file system. What is new in 2011 is that the same technique can be used to obtain the passwords stored in the KeyChain. In the current version of the Apple-hearted iOS (4.2.1), the keychain holds, in encrypted form, information such as user passwords of every kind (email, groupware, VPN, WiFi, websites), as well as passwords and certificates used by third-party applications.

The steps carried out to peel the Apple are, all things considered, relatively simple, provided you have the knife, or rather the script, used to extract the data, which the researchers have in any case not disclosed. They can be summarized as:

  1. Gain access to the file system;
  2. Copy the KeyChain access script to the file system;
  3. Run the script, which reveals the stored accounts and their passwords.

Trivially, the first step is needed to reach the keychain, and it can generally be achieved by jailbreaking the device and installing a small SSH server on it, taking care not to overwrite user data. After the jailbreak any application can access every file, including the keychain. The credential database is of course encrypted with the device key, which cannot be extracted but can be used by other applications to reveal the secrets held under the peel, or rather the shell, of the device.

The next step requires injecting a keychain access script over the SSH connection just established. The script does not need to reverse engineer the encryption mechanism, because it uses system functions to access the keychain information.

Finally, the fitting conclusion: in the third and last step the script is run and prints the accounts to the screen (that is, it writes its output to the shell).

All of this in just 6 (six) minutes, without needing to know the device's decryption password. That is on average less than the time it takes a typical user to realize the device has been lost or stolen, and within that time the attacker could already have got into the unfortunate victim's email. And this holds regardless of whether the user is able to carry out a remote wipe of the device (a skilled, results-oriented attacker would already have switched the device off and changed the SIM).

There remains the (meagre) consolation that the passwords of some services (for example website passwords) are not revealed by this type of attack: although they are shown on screen, they are marked as protected and become available to the script only after the device unlock password has been entered (and so are out of scope for the simulated attack scenario). On the other hand, access to the KeyChain credentials is a victim, or rather a consequence, of the usual trade-off between security and the need to provide an immediate user experience: the password for network services must be available straight away without any user intervention, so having access to the file system is enough to gain access to it.
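A defensive counterpart to the trade-off described above, added here as an example and not taken from the original post or from the Fraunhofer researchers: an app can use Apple's Security framework to store its own secrets in an accessibility class that requires the device to be unlocked, and audit its existing items for classes that stay readable while the device is locked. The service name is hypothetical, and it is an assumption that the entries the post calls "protected" correspond to items stored with such a class.

```swift
import Foundation
import Security

// Hypothetical service name, used only for this example.
let exampleService = "com.example.mailclient"

struct KeychainError: Error { let status: OSStatus }

// Accessibility classes that keep an item unreadable while the device is locked.
let unlockRequiredClasses: Set<String> = [
    kSecAttrAccessibleWhenUnlocked as String,
    kSecAttrAccessibleWhenUnlockedThisDeviceOnly as String,
    kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly as String
]

/// Store (or overwrite) a secret so it can be read only while the device is
/// unlocked and is never restored onto a different device.
func storeSecret(_ secret: Data, account: String) throws {
    let identity: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: exampleService,
        kSecAttrAccount as String: account
    ]
    let protection: [String: Any] = [
        kSecValueData as String: secret,
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    ]
    var attributes = identity
    attributes.merge(protection) { _, new in new }
    var status = SecItemAdd(attributes as CFDictionary, nil)
    if status == errSecDuplicateItem {
        // The item already exists: replace its value and tighten its class.
        status = SecItemUpdate(identity as CFDictionary, protection as CFDictionary)
    }
    guard status == errSecSuccess else { throw KeychainError(status: status) }
}

/// Audit this app's items and return the accounts whose class allows them to
/// be decrypted while the device is locked (for example kSecAttrAccessibleAlways).
func accountsReadableWhileLocked() throws -> [String] {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: exampleService,
        kSecMatchLimit as String: kSecMatchLimitAll,
        kSecReturnAttributes as String: true
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecItemNotFound { return [] }
    guard status == errSecSuccess, let items = result as? [[String: Any]] else {
        throw KeychainError(status: status)
    }
    return items.compactMap { item -> String? in
        let itemClass = item[kSecAttrAccessible as String] as? String ?? ""
        if unlockRequiredClasses.contains(itemClass) { return nil }
        return item[kSecAttrAccount as String] as? String ?? "<no account>"
    }
}
```

Items stored this way are unavailable to background tasks that run while the device is locked, which is the usability cost the paragraph above refers to.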

There is no denying it… One more headache for IT Managers, who once again see their professional ambitions plagued by the pairing smartphone/tablet->data leakage, a headache that casts a new shadow over whether these jewels are really suited to enterprise use. The scenario is even more complicated for tablets, which are currently finding fertile ground among the mid-to-upper management levels, who are typically less sensitive to security problems and, above all, have a chronic allergy to typing passwords.

At this point anyone with 6 minutes to spare can choose between two things: watch the video below showing the procedure (though the access script has not been disclosed), or run to the shop round the corner and buy a brand-new Android (but do not get your hopes up, because the authors of the exploit maintain that its spread to other devices is only a matter of time).


2011 According to Cisco: Beware of The Social Network

January 25, 2011 6 comments

The Cisco report on the security trends of 2010, which also contains forecasts for 2011, has just been published. Compared with the forecasts analyzed so far (recently joined by those from Sophos), the Cisco report offers an interesting reading of the past year and outlines the security scenarios for the year just begun from the perspective of a vendor with a network-centric security offering (for the Californian giant the network is the intelligence on top of which all the services in its portfolio are built), an approach that differs considerably from that of the giants analyzed so far. The latter (with the partial exception of McAfee, which was born on the endpoint but later extended to all sectors through strategic acquisitions) put the endpoint at the centre of their offering.

The Cisco report stems from the enormous amount of data collected by the network of sensors scattered across the sea of bits that spans five continents, data that were analyzed by its Security Intelligence Operations centre.

Here are the threats for 2011 highlighted by the San Jose giant:

An Increasingly Social Network (Especially for Malware)

By now this seems an unavoidable refrain (though not the only one) whenever information security is discussed. According to the Californian brand too, the Social Network will be under the unenviable spotlight of attackers during 2011. Unfortunately, the phenomenon that Cisco has called “Exploitation Of Trust” will materialize: the exploitation of the trust relationship established between individuals connected within a social network (personal or professional) as a vehicle for malware or other means of committing illicit acts.

The reason is simple: on the one hand the Social Network makes it possible to reach many users at once in near real time; on the other, the philosophy of the social network requires friendships (or contacts) to be explicitly accepted, creating a trust relationship between users that is the vector attackers want to use to pursue their illicit ends (through spam, malware, etc.).

Malware or a fraud propagated through a Social Network has a higher chance of success (and a more devastating impact in a shorter time span), both because of the famous six degrees of separation, which allow rapid propagation, and because a message (carrying malicious content) that comes from a “trusted” person (who is in turn a victim) has already got past the natural wall of caution and distrust (already too low under normal conditions) that is everyone's first form of defence (never forget that each individual's information security starts with their own social behaviour).

Add to this the following complications:

  • The social network is a shop window, so the “natural defences” of contacts are lowered further (and malware authors tend to exploit the attitudes and weaknesses of those who put themselves on display and slavishly follow the equation: more contacts = more visibility);
  • The well-known allergy to privacy (especially on Facebook's part), which makes it possible for a malicious application to read personal data from a victim's profile.

It follows that during 2011 we will have to get used to infections coming from the Social Network, along the lines of Koobface. How to defend yourself? Education in the use of the Social Network, keeping a wary attitude, and remembering that:

If it sounds too good to be true, it probably is


Advanced Persistent Threat attacks will undergo a metamorphosis during 2011, becoming increasingly specific and, above all, built for very precise purposes (for example, to steal information), with heavy use of 0-day vulnerabilities. Needless to say, APT threats too will “benefit” from the unwitting infrastructural support of the Social Network to increase their spread.


Exploits of application vulnerabilities (especially involving Java and PDF) are set to confirm their weight during 2011. Curiously, the San Jose giant believes that Java will be the one to trouble IT Managers' dreams the most, because of three characteristics inherent in the nature of the language:

  • Java is evasive: the most reliable method of detecting Java exploits is to run them in a virtual machine, but this is extremely resource-intensive;
  • Java is pervasive: the SUN, or rather Oracle, language often runs in the background, which makes it harder to identify illicit behaviour by Java applications;
  • Java is invasive: the cross-platform nature of the language, which was the strength behind its spread, is also an unwelcome lever for the spread of malware, which can propagate quickly across different architectures.

Curiously, the forecast is backed by data collected by Cisco's own Intelligence centre, according to which Java took first place in the unenviable ranking of the types of Web Malware most often blocked by its Scansafe service, with 7%, followed by PDF (declining) and Flash, with 2% and 1% respectively.

Mobile Devices, and Never Secure

Inevitably, mobile platforms also feature in the San Jose giant's forecasts among attackers' targets for 2011. Android and Apple's operating system will be hit hardest by infections, both because, according to Cisco, standard operating systems have reached a high level of security that is pushing malware authors towards these mobile platforms, and because the enterprise world's growing attention to these devices makes them an important source of information (and of direct and indirect profit) if compromised. As expected, applications (especially those downloaded from parallel stores) will be the preferred infection vector, while the precautions remain the same as those given by other vendors: watch out for jailbroken Apple devices and rooted Androids, which considerably increase the likelihood of infection, and watch the permissions when installing applications (why would a media player need access to SMS?). The precautions to adopt in 2011 for mobile devices also include virtualization technologies, which will make it possible to renew the focus on DLP technologies for these devices.

Note that Cisco's sensor network detected, during 2011, a peak in vulnerabilities targeting the Apple world.

Botnets and Hacktivism

Although Cisco observed a slight reduction in the number of compromised machines during 2010 (far more widespread in the consumer space than in the enterprise), 2011 will see a growth in the patterns of Botnet use, less and less for “simple SPAM” (declining in 2011) and more and more for political purposes (along the lines of what happened in the Wikileaks affair) or for purely economic reasons (for example, spreading spyware to steal sensitive data). There is of course a reference to Stuxnet (winner of the Evil Award 2010) as an example of a new threat conceived for political purposes and with limited, well-defined targets.

It is important to note that the San Jose giant calls for joint government initiatives to tackle the new cybercrime emergency, while hoping that the fragmentation of regulations across countries will not hinder the spread of protection technologies.


According to Cisco too, threats aimed at the Social Network and the mobile world will be on prominent (so to speak) display in 2011. The reference to Stuxnet, here named as the progenitor of a new family of organized cyber threats, is never missing. Curious, in this case too, is the absence of threats aimed at virtual infrastructures.

Seasonal Ailments

January 12, 2011 3 comments

In an interview with Bloomberg, Trend Micro's chairman and founder Steve Chang stated that, in his view, Mountain View's Green Android is more vulnerable to computer viruses than Apple's jewel.

The reason is simple: Big G's operating system is open source and, as such, gives developers more freedom to investigate the internals of the code, which would in turn make it easier to develop malicious code.

Android is open-source, which means the hacker can also understand the underlying architecture and source code

By contrast, the Cupertino giant's application certification process is stricter, and consequently it is harder to develop and release malicious software:

We have to give credit to Apple, because they are very careful about it. It’s impossible for certain types of viruses to operate on the iPhone

In my view the statement should be interpreted and put into context: it is true that Android is (relatively) open source, but it is equally true that under normal conditions applications have limited access to the device's resources and in any case require the user's authorization. Indeed, the first two pieces of malware detected for Android during 2010 (Trojan-SMS.AndroidOS.FakePlayer and Geinimi) followed this pattern to carry out their illicit actions. This does not mean we can sleep soundly over our phones (user carelessness is always lurking: how many users check whether a media player needs permission to access SMS?), but it is still a security layer deliberately put in place by Google, which designed the operating system so that users grant, and in any case explicitly confirm, as few permissions as possible to applications.

Naturally the argument falls apart for rooted phones, that is, those on which the user has obtained root access, because in that case applications can access the device's resources directly without the user's explicit consent. It must be clear, however, that this operation is carried out at the user's own risk and voids any form of warranty (but, as we know, disclaimers can do little against tinkerers).

By contrast, parallel stores now exist for the Cupertino platform too, where users of jailbroken devices can get applications outside Apple's quality control. In this case, obviously, the security level drops considerably (and jailbreaking an Apple device is more common than rooting an Android if the user wants to carry out ordinary operations, such as using any bluetooth peripheral, which other devices do as a matter of course), so all in all I would not be so categorical about Android being more prone to infection than Apple.

Naturally, the usual cynics see behind these statements an indirect push to steer Android users towards commercial security products, for which the Japanese giant expects a large increase in sales during 2011. Android users are less tied to commercial applications, since the open source nature of the operating system (and the looser constraints of its store; see the affair over the removal of VLC) translates into greater availability of open applications.

I would not dwell too much on these insinuations, but I would restate the point that security starts with the user: in this case that means not performing unusual operations (for example, gaining root privileges) and not installing applications of uncertain origin on devices in everyday use (especially for work), always checking the applications' permissions.

We can play games on spare devices… At least until Vmware and LG come out with the first virtual mobile platform.

