Information Security News (Oct-07-2016)
--iPhone 7s arrive logged into strangers' Apple IDs, iOS 10 browser raises privacy concerns--(Oct-06-2016)
While consumers complain that new iPhones are already logged into strangers' accounts, those with functioning devices should be relieved that researchers said a recently discovered private browsing flaw in iOS 10 isn't as bad as it seems.
The iPhone glitch prevents users from signing in to their accounts and from setting up their devices. It reportedly affects new iPhone 7 and 7 Plus models when they are turned on for the first time and iPhone 6s and iPhone 6s Plus models when they are restored to default settings, according to Mac Rumors.
When the device is turned on it triggers an Activation Lock, a security feature of Find My iPhone that prevents others from using a lost or stolen iPhone. One user reported receiving a new phone that looked immaculate with a screen appearing to be in perfect condition after taking it out the box.
“Only problem is, it appears someone has already used it as the iPhone is asking for the account used to activate it — o.....@icloud.com,” one user wrote in a Mac Rumor forum. “Apple say it needs replacing […] Now got to wait for an expedited replacement iPhone once I've returned this one.”
Some users were reportedly able to unlock their phones after providing a proof of purchase at an Apple retail store, scheduling a Genius Bar appointment, or remotely calling Apple's support team.
Separately, late last month, IntaForensics Digital Forensic Analyst Stacey Jury reported that Apple had made the private browsing feature in iOS 10 “less private” since it doesn't properly delete data, leaving it vulnerable to recovery, according to a Sept. 30 blog post.
Since the discovery, independent third-party researchers, including Russian computer forensics software firm Elcomsoft, have played down the significance of the supposed vulnerability spotted by Jury, according to The Register.
“We looked at iOS private browsing mode a little bit, but have not found any issues - implementation seems to be good enough; all temp files seem to be properly deleted, visited links are not being saved in history etc.,” ElcomSoft researcher Vladimir Katalov told the publication.
--Apple pushing out OS update automatically--(Oct-04-2016)
Apple is pushing out its new macOS Sierra as an automatic download, according to The Loop.
The Cupertino, Calif.-based company told the site that the update will download on users' computers in the background beginning this week – if a user has automatic downloads enabled in their preferences.
While the upgrade will be pushed to computers, users will be alerted and must then initiate the install manually.
The download would not occur should a user's computer lack the 5GB of free space needed or should an older computer not be able to run the upgrade.
Alternatively, users can download the new version from Apple's App Store.
While some sites are raising concerns over the “pre-download” process, comparing the rollout to the negative response Apple earned for its automatic push of a U2 music download with its launch of iPhone 6, automatic downloads have been an option for some time on Macs and iOS.
--Yahoo, complying with U.S. intelligence directive, searched emails--(Oct-04-2016)
At the behest of a directive handed down by U.S. intelligence officials, Yahoo built a custom software program in secret to dig through all of its customers' emails, according to a Reuters report.
Hundreds of millions of Yahoo Mail accounts were searched in response to a classified U.S. government directive from the National Security Agency (NSA) or FBI directed at Yahoo's legal team, according to unidentified sources who were said to be former employees of the agencies.
The specifics of what the intelligence agencies were looking for are unknown, the sources said, only that a search for a set of characters was requested, i.e., a phrase appearing in an email or an attachment.
This is not the first time phone or internet companies have complied with requests from intelligence agencies to hand over data on customers, but experts who spoke with Reuters said they had never seen such a wide-sweeping collection of real-time web data. It also appears that a custom computer program was used for the trawling.
Reuters reported that, according to two former employees, Marissa Mayer, Yahoo's chief executive, agreed to the agencies' request over the dissent of other executives at the firm. Alex Stamos, the firm's CISO, departed in June 2015 as a consequence, they said, moving to a similar post at Facebook.
It's unknown at this time whether the federal agencies filed directives with other phone or internet providers. However, there is precedent owing to amendments in 2008 to the Foreign Intelligence Surveillance Act, which sanctions intelligence agencies to make the demand of U.S. phone and internet companies to hand over customer data in matters of preventing terrorist attacks and other intelligence gathering.
Reuters reported that Mayer and Yahoo General Counsel Ron Bell left the firm's security team out of the loop and had company engineers create a program capable of digging through email messages in search of the character string requested by the intelligence agencies. The data could then be stored for remote retrieval.
When Yahoo's security team detected the program in May 2015, a few weeks after the install, they initially believed they were under attack from hackers.
Reuters reported that CISO Stamos resigned after finding out that Mayer had approved the FISA request. He was left out of the decision, he said, and the move put users' security at risk, he reportedly told colleagues, as a bug in the programming could allow hackers to gain access to accounts.
"We're deeply concerned with today's Reuters report," Mark Rumold, senior staff attorney at the Electronic Frontier Foundation (EFF), told SCMagazine.com on Tuesday. "This type of broad, warrantless surveillance of hundreds of millions of Yahoo users plainly violates the Fourth Amendment."
But it might not be uncommon. "Unfortunately, it sounds very similar to the type of surveillance AT&T and Verizon allow the NSA to conduct on their networks, as well," Rumold said. "This type of upstream surveillance is unconstitutional on Verizon and AT&T's networks, and it's unconstitutional on Yahoo's networks as well."
While the Reuters story, if it is accurate, "may at first blush seem to be another black eye for Yahoo on the privacy front," Michael Sutton, CISO at Zscaler, in a statement emailed to SCMagazine.com, urged that "we shouldn't be quick to rush to judgement or single out Yahoo. It's unlikely that Yahoo alone received the classified U.S. government directive to search all incoming email messages."
He explained that "such a broad directive suggests that the intelligence community needed to cast a wide net, which likely included other providers," but noted that "unfortunately, the very process of such directives precludes transparency and prohibits others from even revealing the existence of such a request."
Writing code in order to give effect to the FISA request is new, Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP), told SCMagazine.com on Tuesday.
While Hughes admitted that the full extent of what data was handed over is not yet known, he said the news illustrates the terrible position businesses are finding themselves in. On the one hand, he said, enforcement laws on the books order companies to comply with such directives. But at the same time they have an obligation to customers as stewards of their data.
"They're stuck between a rock and a hard place," he said, pointing out the contrast with the legal dispute earlier this year that pitted Apple against the FBI's request to create a backdoor into a locked iPhone. "Apple took a firm stand," Hughes said. The company was both challenged and critiqued for its stand, he said, but also lauded.
Spying agencies absconding with communications has always been a risk with cloud-based email providers, Chris Wysopal, CTO and co-founder, Veracode, told SCMagazine.com on Tuesday. "Given the PATRIOT Act, unless you have end-to-end encryption in your mail reader with something like PGP, all cloud-based email is at risk."
Wysopal posits that there have been other email providers approached and others that complied, but might not be able to speak about it because of a gag order. "I think this will be a boon for offshore secure email providers, like ProtonMail in Switzerland," he said. "I have recently seen more of my security colleagues using offshore services like this."
What should not be surprising to anyone is that requests of this type are being made, said Sutton of Zscaler. "Intelligence agencies will continue to do what they've been tasked with – protecting the nation through any and all legal means available to them. What's changing is that methods used in the past are no longer viable."
Due to the increasingly distributed nature of communications and enhanced security protections, including encryption, security agencies can no longer do everything in house, he explained. "In order to access the same data, they must now leverage the service providers themselves. While the providers may not be willing participants, with denials of FISA applications by the Foreign Intelligence Surveillance Court being extremely rare, service providers largely have their hands tied when such directives arrive."
--RAUM weaponizes torrents to deliver malware --(Sep-21-2016)
A new and sophisticated tool dubbed RAUM has been uncovered that targets naïve torrent users who download popular software or media content and then replaces the desired content with malware.
The internet security company InfoArmor reported that RAUM has been used to essentially “weaponize” torrents to spread a variety of ransomware types including CryptXXX, CTB-Locker and Cerber, the online-banking Trojan Dridex and the password-stealing spyware Pony. It does this through a two-pronged attack.
“RAUM is a special system developed by the owners of the identified underground malicious network, used for two things - analysis of trending torrent files on torrent trackers with high number of downloads, and further repacking of these files with malware for further distribution. The system uploads the final weaponized torrent file to the same trackers under various stolen user accounts, having good reputation there,” Andrew Komarov, InfoArmor's CIO, told SCMagazine.com in an email.
Once the torrent tracker identifies the most popular content being downloaded at that time, say a pirated version of Microsoft Windows or Office, the legit files are extracted and replaced with malware. The Pirate Bay and Extra Torrent are among the torrents being used, InfoArmor said.
“Later, they upload them to the same trackers, and other trackers, using stolen credentials of ‘seeders', having good reputations on them, as it helps their files to be distributed better. In such a way, they infect a big number of users systematically,” Komarov added.
RAUM stands out as a malicious tool as it goes after those least likely to understand the dangers of using torrents.
“This is a pretty unique, but very efficient, model of ransomware and malware delivery, as the people downloading torrents are not very experienced from a security perspective, and it is really big. The bad actors optimize costs on malware delivery, and in such cases they don't need to spend resources on new exploits acquisition and "loads" services,” he said.
RAUM, and similar tools, also pose a threat to corporations, as employees may use personal devices to download torrent content and then connect those devices to the company network.
“It bypasses firewalls and perimeter defenses, entering via BYOD and corporate assets used offline (off of the corporate domain) for downloading, etc.; completely blocking all software downloads on corporate assets is no longer pragmatic for many companies. This underscores that organizational security defenses must include the ability to identify malware by the behaviors it exhibits within the network and at endpoints. Signature solutions are wholly insufficient,” said Lastline CMO Bert Rankin to SCMagazine.com in an email.
There is no direct defense against RAUM other than not using torrent services, Komarov said.