
Category: iPhone

November 19th, 2009

Inside the Google Chrome OS security model

Posted by Ryan Naraine @ 11:54 am

Categories: Apple, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Exploit code, Hackers, Microsoft, Open source, Passwords, Patch Watch, Responsible disclosure, Viruses and Worms, Vulnerability research, iPhone

Tags: Google Inc., Operating System, Web Browser, Google Chrome, Attack, End Goal, Web Browsers, Operating Systems, Security, Internet

Google plans to use a combination of system hardening, process isolation, verified boot, secure auto-update and encryption to thwart malicious hackers from planting malware on its new Google Chrome OS. Read the rest of this entry »

November 10th, 2009

Source code for ikee iPhone worm in the wild

Posted by Dancho Danchev @ 7:31 am

Categories: Apple, Botnets, Hackers, Malware, Viruses and Worms, iPhone

Tags: Apple iPhone, Worm, Cyberthreats, Smart Phones, Viruses And Worms, Security, Consumer Electronics, Personal Technology, Dancho Danchev

Following last week’s systematic exploitation of jailbroken iPhones in the Netherlands through a technique originally discussed in 2008, a 21-year-old opportunist has recently launched the first iPhone worm, this time targeting customers of Australian mobile carriers.

Upon successful exploitation of devices running SSH with default passwords, the worm would announce its presence by changing the wallpaper to a new one featuring pop-star Rick Astley.

Despite the author’s intention to raise awareness of the issue, the code for the “awareness-building worm”, originally released as “closed source”, has now leaked in the wild, with several modifications already capable of stealing a compromised iPhone’s contacts and SMS messages.

Read the rest of this entry »

November 10th, 2009

Why is Apple meddling with my Windows AutoRun?

Posted by Ryan Naraine @ 6:46 am

Categories: Apple, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Digital rights management, Exploit code, Malware, Microsoft, Pen testing, Punditocracy, iPhone

Tags: Operating System, Apple Inc., Microsoft Windows, Apple iTunes, Digital Music, Digital Media, Operating Systems, Personal Technology, Consumer Electronics, Software

Guest editorial by Costin Raiu

In every system designed by man, there is always a balance between features, usability and security. While designing pretty, easy to use and secure systems is possible, quite often this is not what the users get, or worse, this is not what the users want.

The most popular example of this applies to Apple. Focusing on eye-catching designs and easy to use products, Apple is listed in almost every marketing book as a success story.

Interestingly, Mac OS X, maybe their second most popular software product (after iTunes), represents a curious blend: an eye-catching, easy to use, flexible, usable and decently secure modern operating system. Please notice how I avoided saying “secure” and instead wrote “decently secure”. Read the rest of this entry »

November 6th, 2009

Code execution hole in BlackBerry Desktop Manager

Posted by Ryan Naraine @ 7:33 am

Categories: Anti Virus, Apple, Arbitrary Code Execution, Browsers, Data theft, Exploit code, Malware, Mobile (In)Security, Passwords, Patch Watch, iPhone

Tags: Desktop, RIM BlackBerry, Handhelds, Hardware, Ryan Naraine

Research in Motion (RIM) has shipped a patch to cover a gaping hole in its BlackBerry Desktop Manager software.

The vulnerability, which exists in a Lotus Notes Intellisync DLL that the BlackBerry Desktop Manager uses, allows a malicious user to perform an attack that leverages social engineering to achieve remote code execution on the computer running the BlackBerry Desktop Manager. Read the rest of this entry »

November 3rd, 2009

iHacked: jailbroken iPhones compromised, $5 ransom demanded

Posted by Dancho Danchev @ 6:09 am

Categories: Apple, Botnets, Browsers, Complex Attacks, Hackers, Malware, Passwords, iPhone

Tags: Apple iPhone, SSH, Smart Phones, Consumer Electronics, Personal Technology, Security, Dancho Danchev

Yesterday, a “Your iPhone’s been hacked because it’s really insecure! Please visit doiop.com/iHacked and secure your phone right now!” message popped up on the screens of a large number of automatically exploited Dutch iPhone users, demanding $4.95 for instructions on how to secure their iPhones and stop the message from appearing at startup.

Through a combination of port scanning and OS fingerprinting of T-Mobile’s 3G IP range, a Dutch teenager has for the first time automatically exploited a known security vulnerability introduced on jailbroken iPhones: the SSH daemon, which unless modified remains running with the default users root and mobile, using the same password on each and every device.

Here’s what he demanded, and how he changed his attitude following the suspension of his PayPal and the spamvertised URL:

Read the rest of this entry »

October 9th, 2009

Google patches Android DoS vulnerabilities

Posted by Ryan Naraine @ 11:17 am

Categories: Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Google, Mobile (In)Security, Patch Watch, Pen testing, Phishing, Responsible disclosure, Reverse Engineering, Spam and Phishing, iPhone

Tags: Google Inc., Phone, DOS, Vulnerability, Patch Management, Cell Phone, SMS, SMS Message, Text Messaging/SMS/MMS, Telephony

Google has shipped a new version of the Android open-source mobile phone platform to fix a pair of security flaws that could lead to denial-of-service attacks.

According to an advisory from oCERT, a group that handles vulnerability disclosure for open-source projects, the flaws could allow hackers to render Android-powered devices useless. Read the rest of this entry »

October 5th, 2009

The case of the fake money-mules: Inside the URLZone Trojan network

Posted by Ryan Naraine @ 2:00 pm

Categories: Anti Virus, Arbitrary Code Execution, Botnets, Browsers, Data theft, Exploit code, Malware, Passwords, Patch Watch, Responsible disclosure, Spam and Phishing, Spyware and Adware, iPhone

Tags: Account, Bank, Researcher, Network, Trojan Horse, Computer, Raff, Spyware, Spyware, Adware & Malware, Productivity

Security researchers tracking the URL Zone malware/botnet have stumbled upon a new tactic being used by cyber-criminals to hide information on the money mules being used to transfer stolen funds from compromised online bank accounts.

URLZone, which targets computer users in Western Europe, is a botnet of approximately 6,000 hijacked computers that is used primarily to siphon funds from online bank accounts. It steals between $4,000 and $15,000 from each compromised bank account and uses a nifty trick of modifying the withdrawn amount on the bank’s web site to avoid detection by the user.

Read the rest of this entry »

September 10th, 2009

iPhone's anti-phishing protection offers inconsistent results

Posted by Dancho Danchev @ 2:39 pm

Categories: Apple, Browsers, Data theft, Hackers, Malware, Passwords, Phishing, Spam and Phishing, iPhone

Tags: Apple iPhone, Apple Safari, Fraud, Phishing, Cyberthreats, Spam, Smart Phones, Security, Consumer Electronics, Dancho Danchev

Apple’s iPhone OS 3.1 update includes a new fraud warning feature which is, at least theoretically, supposed to warn users when visiting fraudulent websites in Safari Mobile.

However, due to a flawed implementation in the update mechanism, the feature — enabled by default — is offering inconsistent results based on the tests performed by security company Intego and security researcher Michael Sutton from Zscaler, whose posts basically state that “it simply doesn’t work”.

Here’s how they tested the feature:

Read the rest of this entry »

September 9th, 2009

iPhone, QuickTime bitten by security bugs

Posted by Ryan Naraine @ 2:02 pm

Categories: Apple, Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Patch Watch, Pen testing, Responsible disclosure, iPhone

Tags: Apple iPhone, Apple QuickTime, Movie, H.264, Arbitrary Code Execution, Buffer-overflow, Security Bug, Application Termination, Movie File, Digital Music

Apple has released security patches to cover serious security vulnerabilities in its iPhone, iPod Touch and QuickTime products.

The most serious of the vulnerabilities could lead to remote code execution attacks that give malicious hackers an easy way to hijack computers and mobile devices.

Read the rest of this entry »

August 3rd, 2009

Black Hat recap podcast: SSL, SMS, BIOS rootkits

Posted by Ryan Naraine @ 2:10 pm

Categories: Anti Virus, Apple, Arbitrary Code Execution, Black Hat, Botnets, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Firefox, Hackers, Mobile (In)Security, Mozilla, Passwords, Patch Watch, Punditocracy, Responsible disclosure, iPhone

Tags: Black Hat, SSL, SMS, Rootkits, BIOS, Text Messaging/SMS/MMS, Podcasts, Ssl/Tls, Authentication/Encryption, Telephony

In this podcast, I chat with Threatpost.com co-editor Dennis Fisher about the big news coming out of the Black Hat security conference. We discuss the attacks using SMS and MMS, rootkits in keyboards and BIOSes, vulnerabilities in SSL and the response from vendors to these problems. Listen here [mp3].

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

