Tag: attack

  • Officials look into Friday’s Mirai-based DDoS, cite Apple’s HomeKit security protocol


    Following up on the large-scale distributed denial of service (DDoS) attack on Friday that temporarily took down large chunks of the Internet, it looks like Apple’s controversial “walled garden” approach to its HomeKit devices may have worked out.

    As detailed in recent reports, the attack, which also targeted unprotected “Internet of Things” (IoT) devices, focused on Dyn, an internet management company that provides DNS services to many major web entities.

    A series of repeated attacks caused websites including The Verge, Imgur and Reddit, as well as services like HBO Now, and PayPal, to see slowdowns and extended downtimes. Follow-up waves played havoc with The New York Times, CNN, Netflix, Twitter and the PlayStation Network, among many others.


  • Federal judge orders Apple to help FBI unlock San Bernardino shooter’s iPhone 5c


    A few months after the San Bernardino shootings, Apple was ordered by a U.S. federal judge on Tuesday to help the FBI unlock the iPhone 5c used by shooter Syed Farook. According to court papers, Apple “declined to provide [assistance] voluntarily.”

    The judge ruled Tuesday that Apple had to provide “reasonable technical assistance” to the government in recovering data from the iPhone 5c, including bypassing the auto-erase function and allowing investigators to submit an unlimited number of passwords in their attempts to unlock the phone. Apple has five days to respond to the court if it believes that compliance would be “unreasonably burdensome.”

    Prosecutors have argued that the “government was unable to complete the search because it cannot access the iPhone’s encrypted content.” The FBI argued that Apple has the “technical means” to assist the government and, in a statement, U.S. attorney Eileen M. Decker said that the order was a “potentially important step” in finding out “everything we possibly can” about the San Bernardino attack.


  • Georgia Institute of Technology security researchers prove App Store security flaw via “Jekyll and Hyde” attack

    The good news is that it’s getting a bit harder to sneak malware into the App Store.

    The bad news is that it can still be done and Apple might need to invest in more security/screening features.

    Per 9to5Mac and Ars Technica, researchers from the Georgia Institute of Technology managed to get a malicious app approved by Apple and included in the App Store by using a ‘Jekyll & Hyde’ approach, where the behaviour of a benign app was remotely changed after it had been approved and installed.

    It appeared to be a harmless app that Apple reviewers accepted into the iOS App Store. They were later able to update the app to carry out a variety of malicious actions without triggering any security alarms. The app, which the researchers titled “Jekyll,” worked by taking the binary code that had already been digitally signed by Apple and rearranging it in a way that gave it new and malicious behaviors.

    The researchers presented their findings in a paper at the USENIX Security Forum.

    “Our method allows attackers to reliably hide malicious behavior that would otherwise get their app rejected by the Apple review process. Once the app passes the review and is installed on an end user’s device, it can be instructed to carry out the intended attacks. The key idea is to make the apps remotely exploitable and subsequently introduce malicious control flows by rearranging signed code. Since the new control flows do not exist during the app review process, such apps, namely Jekyll apps, can stay undetected when reviewed and easily obtain Apple’s approval.”

    An Apple spokesman stated that changes have been made to iOS as a result of the exploit, but it’s not yet clear whether the change is to iOS 7 or the older iOS 5 and 6 versions that had been attacked. The researchers only left their app in the store for a few minutes and said that it was not downloaded by anyone outside the project in that time.

    Apple Senior Vice President Phil Schiller tweeted back in March about a study revealing the rising incidences of malware on Android. The study showed that Android accounted for 79 percent of all mobile malware in 2012, while iOS came in at less than 1 percent.

    Stay tuned for additional details as they become available.

  • New malware strain found to target Uyghur activists on the Mac

    The bad news: There’s yet a new malware strain going around on the Mac.

    The good news: If you’re up to date, it’s not a concern.

    Per CNET, security company F-Secure has found that spam e-mail laced with backdoor Trojan horse malware has been continuously delivered to members of Uyghur activist groups in an advanced persistent threat (APT) attack.

    Like prior ones, the new variant takes advantage of old vulnerabilities in Microsoft Word, by sending attachments that will embed the malware in the affected system if the document is opened in an unpatched version of Word.

    The malware used has changed a little over the past year, with some versions using Trojans embedded in ZIP files, and others exploiting Word vulnerabilities. F-Secure’s report shows this latest attempt uses a Word document called “poadasjkdasuodrr.doc,” though any document name can likely be used. When opened, the malware contained in it will install two files that attempt to pose as update components to RealPlayer, in the following locations:
    ~/Library/Application Support/.realPlayerUpdate
    ~/Library/LaunchAgents/realPlayerUpdate.plist

    Since these folders are within the user account, the malware used in this attack variant can install itself without user passwords being required. However, another mode of attack does ask for authentication; if received, the malware will then be placed in the global Library folder instead, so it will run for every user on the system.

    Using the LaunchAgent plist, the system keeps the hidden malware in the Application Support folder running, and the malware will attempt connections to a command-and-control server at alma.apple.cloudns.org.
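    As an added example (not part of the original post or F-Secure’s report), a small POSIX shell check for the two persistence artifacts described above. The paths and the C2 hostname are taken from the post; the function name is made up, and the global-Library variant is assumed to use the same relative paths under /.

```shell
#!/bin/sh
# Added defender check (not the original post's code): look for the two
# RealPlayer-lookalike persistence artifacts described in the F-Secure report.
# Paths and the C2 hostname are taken from the post; the function name is ours.
# Pass a home directory to check one user, or "/" for the global Library
# (assumed to use the same relative paths as the per-user variant).

# Prints each artifact found. Returns 0 when clean, 1 when anything is found.
check_realplayer_persistence() {
    base="${1%/}"
    found=0
    hidden_bin="$base/Library/Application Support/.realPlayerUpdate"
    agent_plist="$base/Library/LaunchAgents/realPlayerUpdate.plist"

    # Indicator 1: the dotfile hidden in Application Support (the payload)
    if [ -e "$hidden_bin" ]; then
        echo "FOUND hidden payload: $hidden_bin"
        found=1
    fi

    # Indicator 2: the launch agent that keeps the payload running
    if [ -e "$agent_plist" ]; then
        echo "FOUND launch agent: $agent_plist"
        found=1
        # Record what the agent launches, for the incident notes
        grep -A2 'ProgramArguments' "$agent_plist" 2>/dev/null | sed 's/^/    /'
    fi

    # Indicator 3 (heuristic): the C2 hostname from the report as a plain string
    # inside the payload; a hit confirms the sample, a miss proves nothing
    if [ -f "$hidden_bin" ] && grep -q 'alma.apple.cloudns.org' "$hidden_bin" 2>/dev/null; then
        echo "FOUND C2 hostname string in payload"
    fi

    return "$found"
}

# When run directly: check the current user's home and the global Library
for target in "${HOME:-/var/empty}" /; do
    if check_realplayer_persistence "$target"; then
        echo "clean: $target"
    fi
done
```

    A non-zero exit from the function is the signal to pull the machine for a closer look; the plist excerpt it prints is only there to speed up triage.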

    The best ways to avoid this malware are safe computing practices: delete obvious spam messages and avoid opening attachments that did not come from trusted sources. Additionally, these attacks often exploit known vulnerabilities that have already been patched, so always keep your operating system and installed applications up to date.

    In conclusion: Mac OS X’s Software Update feature is your best friend; avoid suspicious-looking e-mails and you should be set.

    Excelsior!!!

  • Apple cyber attack investigation shifts from Chinese to eastern European hackers

    OK, maybe we were a bit hasty in blaming the Chinese…

    Per Bloomberg, while earlier reports suggested hackers who targeted Apple emanated from China, investigators now believe the criminals are instead based out of Eastern Europe.

    The attacks on Apple, Facebook, Twitter and others are now linked to “an Eastern European gang of hackers that is trying to steal company secrets,” according to the report, which cites people familiar with an ongoing investigation.

    “Investigators suspect that the hackers are a criminal group based in Russia or Eastern Europe, and have tracked at least one server being used by the group to a hosting company in the Ukraine,” the report said. “Other evidence, including the malware used in the attack, also suggest it is the work of cyber criminals rather than state-sponsored espionage from China, two people familiar with the investigation said.”

    An earlier report had instead linked recent attacks on companies like Facebook to the Chinese Army. It claimed that there was “little doubt” that an “overwhelming percentage of attacks on American corporations, organizations and government agencies” originate from a People’s Liberation Army group known as “Unit 61398” based out of the outskirts of Shanghai.

    Apple announced on Wednesday that some of its employees’ laptops had been infected through a vulnerability in the Java plug-in for browsers. The company revealed that the same malware was used against a number of companies, but did not indicate what country the attacks may have originated from.

    “We identified a small number of systems within Apple that were infected and isolated them from our network,” the company said in a statement. “There is no evidence that any data left Apple. We are working closely with law enforcement to find the source of the malware.”

    The attacks are believed to have occurred through an iPhone developer community website that was hosting malware. It’s believed that the infected code made its way onto the computers of Apple, Facebook, Twitter and other companies utilizing a Java zero-day flaw.

    The method used by the criminals is a so-called “watering hole attack,” in which hackers compromise a popular website that many people visit and trust.

    Apple on Tuesday pushed out an update for all OS X users that patches the vulnerability, and also removes the Java Web applet.

    Stay tuned for additional details as they become available.