Monthly Archives: July 2009

Black Hat: Hacker exposes iPhone SMS flaw

Filed under Security News
At the Black Hat 2009 security conference in Las Vegas, a professional hacker and security researcher demonstrated a flaw in Apple's iPhone 3GS that could let an attacker hijack the phone, enlist it in a botnet, or crash it.

Charlie Miller, an authority on Mac OS X security and co-author of the Mac Hacker's Handbook, said an SMS flaw could allow an attacker to use text messages to remotely execute malicious code that hijacks the device or causes it to crash.

Miller, who had discussed the iPhone security bug at a security conference in Singapore earlier this month, said previously he was able to use a vulnerability in the way the iPhone receives text messages to remotely crash the phone.

He said attackers could in theory exploit the vulnerability to track the phone's location via GPS, switch on the microphone to eavesdrop on conversations, or hijack the phone as part of a botnet to send SMS spam or launch distributed denial-of-service (DDoS) attacks.

Miller also warned that "jailbreaking" an iPhone to add software or capabilities not offered by Apple leaves the device vulnerable to hacking and viruses.

"If you care about security, don't use a jailbroken iPhone," Miller said.

Adobe fixes Flash flaws caused by bad Microsoft code

Filed under Security News
Adobe issued web security patches yesterday for flaws in Flash Player and Shockwave Player that were caused by vulnerable code in the Microsoft Active Template Library (ATL), a C++ library shipped with Visual Studio.

Adobe said the flaws could allow a remote attacker to take control of a system. Adobe is making updates available for Flash Player and for Reader and Acrobat v9.1.2 (which embed Flash Player) on Windows, Macintosh and UNIX. Adobe Shockwave Player 11.5.0.600 and earlier versions on Windows are also affected.

Microsoft earlier this week patched the critical bugs in Visual Studio, which trace back to an errant ampersand (&) in the ATL code. But because ATL is compiled into the programs that use it, any software built with the flawed library remains vulnerable until it is rebuilt against the fixed version and redistributed.
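The "errant ampersand" above, as an added illustration of the bug class rather than ATL's actual source (which this page does not reproduce): a stream-read helper is handed `&p`, the address of a pointer variable, instead of `p`, the buffer it points to, so attacker-supplied bytes overwrite the pointer on the stack instead of landing in the buffer. The `stream_read` helper and the `PAYLOAD` bytes are constructed for this demo; the vulnerable call is capped at one pointer's width here only so the demo stays within defined behaviour, whereas the real bug copies the full attacker-chosen count.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an IStream::Read-style call: copies up to `cb`
 * bytes of attacker-supplied stream data into `dst`. */
struct stream { const uint8_t *data; size_t len; size_t pos; };

static size_t stream_read(struct stream *s, void *dst, size_t cb)
{
    size_t avail = s->len - s->pos;
    size_t n = cb < avail ? cb : avail;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Constructed payload: the bytes an attacker places in the stream. */
static const uint8_t PAYLOAD[] = "AAAAAAAAAAAAAAAA";

/* Vulnerable pattern (one stray '&'): the destination is `&p`, the address of
 * the pointer variable on the stack, not the buffer `p` points to. The first
 * sizeof(p) bytes of attacker data replace the pointer; with a larger count
 * the copy would continue into whatever follows on the stack. Returns 1 if
 * the pointer was clobbered while the real buffer stayed untouched. */
static int read_with_stray_ampersand(void)
{
    struct stream s = { PAYLOAD, sizeof PAYLOAD - 1, 0 };
    uint8_t buf[16] = {0};
    uint8_t *p = buf;
    size_t n = sizeof p;             /* demo-only cap; the real bug has none */
    stream_read(&s, &p, n);          /* BUG: should be p, not &p */
    return p != buf && buf[0] == 0;  /* pointer now attacker-chosen */
}

/* Corrected form: write into the buffer itself, and bound the count by the
 * destination size as well as by what the stream holds. Returns 1 on success. */
static int read_fixed(void)
{
    struct stream s = { PAYLOAD, sizeof PAYLOAD - 1, 0 };
    uint8_t buf[16] = {0};
    uint8_t *p = buf;
    size_t n = stream_read(&s, p, sizeof buf);
    return p == buf && n == sizeof buf && buf[0] == 'A' && buf[15] == 'A';
}

int main(void)
{
    printf("stray '&' clobbers the pointer: %d\n", read_with_stray_ampersand());
    printf("fixed read fills the buffer:   %d\n", read_fixed());
    return 0;
}
```

The point for anyone auditing similar code: the type system does not catch this, because `&p` (a `uint8_t **`) converts silently to the `void *` parameter; only a compiler warning for mismatched sizes, or a review of what each `&` actually addresses, would.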

"We determined that Flash Player and Shockwave Player are the two products that leverage vulnerable versions of ATL," Adobe's security response team said on its blog.

Only Internet Explorer plug-ins are vulnerable to the Flash bug, so people using Flash Player within the Firefox browser or other Windows browsers are not vulnerable, Adobe said.

Hackers have actively targeted the Flash security holes using drive-by download or "browse-and-get-owned" attacks hosted on compromised websites.

UK hacker McKinnon loses extradition appeal

Filed under Security News
British national Gary McKinnon, accused of hacking the computer networks of the U.S. military and NASA in 2001 and 2002, lost an appeal fighting his extradition to the United States.

McKinnon has admitted to hacking but his attorney challenged extradition in light of his mental health condition.

After losing his appeal to the British High Court and earlier appeals to the House of Lords and the European Court of Human Rights, his options have likely run out.

Karen Todner, McKinnon's defense attorney, said yesterday that extradition would leave McKinnon, who has Asperger's syndrome, a type of autism, vulnerable to mental breakdown or perhaps suicide.

"Gary is clearly someone who is not equipped to deal with the American penal system and there is clear evidence that he will suffer a severe mental breakdown if extradited," Todner said, according to the BBC.

U.S. authorities say McKinnon, 42, broke into networks of the Army, Air Force, Navy and NASA and caused close to $1 million in damage. McKinnon claims he was looking for classified evidence of UFOs.

He could face up to 70 years in prison in the U.S. if found guilty.

Black Hat report: ‘Clampi’ Trojan a perfect tool for identity theft

Filed under Security News
A web security researcher for SecureWorks told attendees at the annual Black Hat conference in Las Vegas that a data-stealing Trojan known as Clampi is being used in one of the most sophisticated malware and identity theft operations on the web today.

The Clampi Trojan has spread to hundreds of thousands of PCs and steals personal information that is then used to drain victims' bank accounts. One small business in Georgia, Slack Auto Parts, lost $75,000 earlier this month after an infection by the Trojan, according to Joe Stewart, researcher at SecureWorks.

Stewart said he has identified 1,400 of the roughly 4,500 websites that Clampi's operators target for identity theft and fraud, among them banking sites in 70 different countries.

Clampi's recent spread is driven by lateral movement: once it has stolen domain administrator credentials, it uses them to copy itself to every computer on the Windows domain. Clampi also spreads through drive-by download attacks when users visit a compromised website.

SecureWorks recommends that home computer users protect themselves by doing their online banking from a separate, clean PC, not the one they use to surf the web and send and receive email.

SMBs often forego basic web security measures

Filed under Security News
IT security at small and medium-sized businesses (SMBs) is woefully inadequate, with many SMBs reporting that they have no spam filtering or firewall protection in place, according to a new study.

Panda Security, which surveyed 5,760 companies worldwide, said 44 percent of the more than 1,400 U.S. SMBs surveyed had recently been infected by malware. Worldwide, 58 percent were affected, with Brazil showing the highest infection rate at 86 percent.

Ten percent of SMBs in the U.S. said their online security had been compromised to the point of having to stop production, against a worldwide average of 30 percent.

Although 97 percent of U.S. SMBs surveyed said they have installed antivirus systems, 29 percent have no spam blocker in place, 22 percent no antispyware and 16 percent no firewall. About 52 percent lacked any web filtering solution, the survey found.

Of those U.S. SMBs without any security systems in place, 27 percent said such systems aren't important or necessary and 20 percent said they are too expensive.

SMBs are a frequent target of cybercriminals because of their lax security measures. Security experts say SMBs may also want to use email archiving as a way to protect against data loss.

U.S. contest seeks 10,000 cybersecurity recruits

Filed under Security News
A cybersecurity challenge sponsored by the U.S. government is seeking 10,000 student recruits for national cybersecurity programs. Three competitions sponsored by the Air Force, Department of Defense and the SANS Institute were launched earlier this year.

Winners in the three U.S. Cyber Challenge competitions will qualify for regional cyber camps, training programs that will begin in 2010 and prepare students for entrance into university programs and offer scholarships for advanced cybersecurity training, according to the Center for Strategic and International Studies.

U.S. cybersecurity has come under scrutiny since a policy review by the Obama administration promised reforms and a recent report identified a troubling lack of skilled IT workers in government.

A report released last week by the nonprofit Partnership for Public Service and Booz Allen Hamilton said that a lack of cybersecurity talent is a major problem for the government, in calling for "a vibrant, highly trained and dedicated federal cybersecurity workforce."

"This is the biggest issue for the cyber community, this is the biggest national issue," said Alan Paller, director of research at the SANS Institute, according to Federal Computer Week. "But it's played wrong a lot of the time, it's played as if we need more bodies - it's not that we need more bodies, we need bodies with particular skills."

Microsoft unveils anti-malware tools at Black Hat

Filed under Security News
Microsoft made a splash Monday at the Black Hat USA 2009 conference, introducing new web security tools and guidance designed to help security professionals better manage online threats from malware.

At last year's Black Hat conference, Microsoft kicked off several programs for combating malware through vulnerability research, vulnerability ratings and information sharing, as outlined in a new Microsoft report.

This year, Microsoft said its tools can help network security vendors build more precise malware detection signatures and develop new techniques for analyzing malware.

Microsoft said its Office Visualization Tool is designed to help combat file format-based software vulnerabilities and exploits by allowing customers to deconstruct Microsoft Office-based attacks.

The Microsoft Security Update Guide is meant to help customers better manage the processes and practices surrounding Microsoft's security release process. The guide helps customers plan for security releases and highlights the resources available to help them deploy updates quickly.

A Project Quant report containing a description of the update management model, including the community-developed update management cycle and associated details concerning each phase of the update cycle, is also available for download.

Hackers plot revenge on AT&T for block on 4chan site

Filed under Security News
AT&T on Monday acknowledged blocking customer access to the messageboard 4chan.org to protect its customers against what the company said were denial-of-service attacks originating from IP addresses connected to the site.

Users of the image site img.4chan.org reported being blocked over the weekend, raising the hackles of defenders of net neutrality and prompting calls for revenge on the internet service provider.

At a messageboard called Project AT&T, users plotted cyberattacks against AT&T on Sunday, the day the company lifted its block on the site for its customers.

AT&T said it lifted the block overnight Sunday once it determined that the threat no longer existed.

"This action was in no way related to the content at img.4chan.org; our focus was on protecting our customers from malicious traffic," AT&T said Monday.

The company said it will "continue to monitor for denial-of-service activity and any malicious traffic [in order] to protect our customers."

At the Project AT&T site's "Official AT&T Attack Thread," a poll of members of the group showed a bias toward "Attack, They Asked for War." The poll of users was 17 to 10 in favor of launching distributed denial-of-service (DDoS) attacks on AT&T.

However, a countervailing theory at the site proposed that the only "real threat" to an ISP like AT&T is switching carriers.

South Korean websites source of malware in July 4 DDoS

Filed under Security News
The malware used to infect thousands of PCs for a series of distributed denial-of-service (DDoS) cyberattacks beginning the weekend of July 4 originated from two online storage websites based in South Korea, according to a report from state police, the Korea Times reported.

A wave of DDoS cyberattacks from more than 160,000 infected PCs brought down government and banking websites in the U.S., South Korea and China, setting off speculation that North Korea was behind the attacks.

But South Korea's National Police Agency said the malicious software was distributed to PCs through two storage websites based in the South, in Seoul and Busan, which host commercial peer-to-peer file distribution, the Korea Times reported Monday.

"Users of these online storage sites unknowingly downloaded the malicious programs, thinking they were updating the programs for the peer-to-peer transactions," a police source told the newspaper. "We found four foreign servers that we believed were used to issue the attack orders."

The command-and-control servers used to direct the attacks were based in the UK and Germany, according to the report.

In the U.S., the attacks overwhelmed the websites of the Treasury Department, the Secret Service, the Federal Trade Commission and the Department of Transportation, along with financial websites including that of the New York Stock Exchange.

Out-of-band patch coming for flaws in IE, Visual Studio

Filed under Security News
Microsoft alerted customers on Friday that it will issue web security patches on Tuesday for two critical vulnerabilities in Internet Explorer and Visual Studio, its suite of developer tools.

The fixes are "out of band," meaning Microsoft is issuing the patches outside of its normal monthly security update cycle.

On the company's security response center blog, Microsoft's Mike Reavey did not elaborate on the vulnerabilities, but said the Internet Explorer fix is designed to "address attack vectors related to the Visual Studio bulletin, as well as fixes for unrelated vulnerabilities that are rated Critical."

The Visual Studio fix relates to vulnerabilities affecting certain applications, Reavey said.

Customers who are up to date on security patches are already protected from the known attack vectors for these vulnerabilities, the company said.

Microsoft came under fire recently when it was revealed that the company had failed to disclose for more than a year a major security flaw in the Video ActiveX Control in IE, which IBM researchers warned the company about in spring 2008.