Re: THE CYBER-SECURITY THREAD
Joined: Aug 2009
Likes: 4
My 3 cents worth ...
Back in the MFIF days when this policy was initiated (for exactly the reasons given by alternaut) it yielded the additional benefit that tons/tonnes of articles originating from other sources would no longer have to be stored on MFIF's (and now FTM's) server. Moreover, nothing disappears from the InterWeb. Even if TVNZ doesn't leave such pages up, usually Googling it will bring up a cached version (ie, Google saves everything — I was even able to dredge up a disgruntled employee's diatribe against a former employer which had been removed by management on kijiji months earlier because it was defamatory).
Re: THE CYBER-SECURITY THREAD
Joined: Aug 2009
My 3 cents worth ...
Moreover, nothing disappears from the InterWeb.
I was not aware of that, thanks.
Re: THE CYBER-SECURITY THREAD
Joined: Aug 2009
good article, full of interesting details and yet not too geeky for most to read
I work for the Department of Redundancy Department
Re: THE CYBER-SECURITY THREAD
OP
Joined: Sep 2009
Apple Mac OS X 10.6.3 (Snow Leopard operating system). Apple Security Update 2010-002 (for Leopard Mac OS X 10.5). Both OS versions share the same security page: http://support.apple.com/kb/HT4077
HELLO... 11 instances of the string "working with TippingPoint's Zero Day Initiative" appear in that kbdoc!!!!!!!!!!!11
Last edited by Hal Itosis; 03/30/10 05:20 AM.
Re: THE CYBER-SECURITY THREAD
OP
Joined: Sep 2009
11 instances of the string "working with TippingPoint's Zero Day Initiative" appear in that kbdoc!!!!!!!!!!!11
Yesterday brought 10 more ZDI-assisted fixes (among others) in QuickTime 7.6.6. So then... 21 total would seem to cover the 20 mentioned by Miller (hopefully).
Re: THE CYBER-SECURITY THREAD
Joined: Aug 2009
I'm all for encouraging "responsible disclosure", as long as the fixes are timely. It's when someone "responsibly discloses" a bug to the manufacturer, and half a year later it's still not fixed, and so the guy goes public, causing hysteria, and the manufacturer snipes back in a public response, crying about his lack of "responsible disclosure". You lose the right to cry Use Public Disclosure when you drag your feet on it.
When someone fixes things quickly in response, that's how things should work.
I work for the Department of Redundancy Department
Re: THE CYBER-SECURITY THREAD
OP
Joined: Sep 2009
11 instances of the string "working with TippingPoint's Zero Day Initiative" appear in that kbdoc!!!!!!!!!!!11
Yesterday brought 10 more ZDI-assisted fixes (among others) in QuickTime 7.6.6. So then... 21 total would seem to cover the 20 mentioned by Miller (hopefully).
Yesterday's Security Update 2010-003 mentions Charlie Miller by name (along with "TippingPoint's Zero Day Initiative"), bringing the count to 22 tweaks apparently related to that particular event.
Re: THE CYBER-SECURITY THREAD
Joined: Aug 2009
Likes: 15
One thing on which I've never been clear... Are all the security holes on which these exploits are based present in non-current versions of OS X/Safari/QuickTime/etc, or do they exploit newly introduced holes?
Thanks.
The new Great Equalizer is the SEND button.
In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: THE CYBER-SECURITY THREAD
OP
Joined: Sep 2009
One thing on which I've never been clear... Are all the security holes on which these exploits are based present in non-current versions of OS X/Safari/QuickTime/etc, or do they exploit newly introduced holes?
Pretty much mostly the former.
-- In other news (file under irony): Thousands believed affected by faulty McAfee virus update
Last edited by Hal Itosis; 04/22/10 05:15 PM.
Re: THE CYBER-SECURITY THREAD
Joined: Aug 2009
Likes: 15
One thing on which I've never been clear... Are all the security holes on which these exploits are based present in non-current versions of OS X/Safari/QuickTime/etc, or do they exploit newly introduced holes?
Pretty much mostly the former.
That's interesting, because:
- I've always assumed that these exploits are discovered by people scrutinizing new incarnations of OS X and apps, and
- It suggests that at least some of the exploits address security holes that have been around (perhaps waaay) longer than I'd thought.
The new Great Equalizer is the SEND button.
In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: THE CYBER-SECURITY THREAD
Joined: Aug 2009
Likes: 15
(Responding to this post merely as a matter of convenience.)
Edit: Oops! I was thinking of Panther's 10.3.9.
Sorry!
Last edited by artie505; 04/24/10 08:17 AM. Reason: Delete incorrect post
The new Great Equalizer is the SEND button.
In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: THE CYBER-SECURITY THREAD
Joined: Aug 2009
Pretty much all of these "we're going to expose security holes in public next week" things do involve new "zero day" bugs. No one pays them any attention if they aren't demonstrated on fully patched, up-to-date systems.
Almost all of the holes I've seen lately involve a standard user logging in and running a program or visiting a web site, and as a result, getting a root shell on the machine (local program) or leaking information (browser). While these aren't good things, they're much more benign than remote exploits, the things that make for worms.
The majority of the web browser issues are via java or adobe plugins. Too bad safari doesn't properly sandbox those things... they're notorious for giving safari a bad rep for security. (tho quicktime certainly has its fair share... QT itself should also be sandboxed imho)
Also, most of them are of the "denial of service" variety, meaning they cause something to crash. In all but a few cases, these crashes are difficult to exploit to get something useful like a root shell.
I work for the Department of Redundancy Department
Re: THE CYBER-SECURITY THREAD
OP
Joined: Sep 2009
That's interesting, because: - I've always assumed that these exploits are discovered by people scrutinizing new incarnations of OS X and apps, and
- It suggests that at least some of the exploits address security holes that have been around (perhaps waaay) longer than I'd thought.
- wrong
- right
__ In other news: Cryptographer (and OS security expert) Callas joins Apple
Last edited by Hal Itosis; 04/24/10 06:18 PM.
Re: THE CYBER-SECURITY THREAD
Joined: Aug 2009
Likes: 15
That's interesting, because: - I've always assumed that these exploits are discovered by people scrutinizing new incarnations of OS X and apps, and
- It suggests that at least some of the exploits address security holes that have been around (perhaps waaay) longer than I'd thought.
- wrong
- right
Do Hal's "wrong" and "right" contradict your "Pretty much all of these "we're going to expose security holes in public next week" things do involve new "zero day" bugs. No one pays them any attention if they aren't demonstrated on fully patched, up-to-date systems?"
The new Great Equalizer is the SEND button.
In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: THE CYBER-SECURITY THREAD
Moderator
Joined: Aug 2009
Likes: 1
In this context, various posts in MacInTouch's Security Reader Report are relevant. Among others, I found Gregory Tetrault's comments especially interesting, suggesting that—apart from the clear threat potential of this 'bundled spyware' route—Intego press releases can be seen as something of a hype by an interested party. Note in this context that Intego retracted an initially published list of 'compromised' software after stating there were multiple instances of this issue when in fact they had found only one. This list has now been published in the recently edited MacUser article you linked to (the list did not appear in the original version of the article, only a link to the Intego press release containing it, the one that was later retracted by Intego). Moreover, if Tetrault's observations are correct, the installation of spyware items 'bundled' with the listed packages can easily be avoided. The reader report also contains posts discussing diagnosis (e.g., searching a suspected volume for 'PremierOpinion'), repair and possible prevention (Little Snitch port monitoring, taking care while installing the 'carrier' software).
alternaut ◉ moderator
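As an added illustration of the diagnosis step mentioned in the post above (checking a suspect volume for the 'PremierOpinion' component), here is a small Python scanner. It is not from the MacInTouch report, Intego or any other party named in the thread. It reads the property lists in the standard launchd directories and reports any whose Label, Program or ProgramArguments mention a given marker string, falling back to a raw text search when a plist cannot be parsed. The directory list, the marker, the two fixture plists it writes into a temporary folder, and the paths inside them are all constructed for this example.

```python
"""Scan launchd item directories for a named spyware marker.

Added example, not from the MacInTouch report or any vendor; directory list,
marker and fixture plists are constructed for illustration."""
import os
import plistlib
import tempfile

# Standard launchd persistence directories on Mac OS X. "~" is expanded when
# scanning a live system; the fixture below uses a temporary folder instead.
LAUNCH_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons", "~/Library/LaunchAgents"]


def inspect_plist(path, marker):
    """Return why `path` looks related to `marker`, or None if it does not."""
    with open(path, "rb") as fh:
        raw = fh.read()
    try:
        data = plistlib.loads(raw)          # handles XML and binary plists
    except Exception:
        data = None                         # unparsable: fall back to raw search
    if isinstance(data, dict):
        fields = [data.get("Label", ""), data.get("Program", "")]
        fields += data.get("ProgramArguments") or []
        for value in fields:
            if isinstance(value, str) and marker.lower() in value.lower():
                return "launchd item references %r in %s" % (marker, value)
    if marker.lower().encode() in raw.lower():
        return "plist text mentions %r" % marker
    return None


def scan_persistence(dirs, marker):
    """Return [(plist_path, reason)] for every launchd item mentioning `marker`."""
    hits = []
    for directory in dirs:
        directory = os.path.expanduser(directory)
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(directory, name)
            reason = inspect_plist(path, marker)
            if reason:
                hits.append((path, reason))
    return hits


def build_fixture(root):
    """Write one benign and one suspicious launch agent (constructed) under `root`."""
    agents = os.path.join(root, "LaunchAgents")
    os.makedirs(agents, exist_ok=True)
    benign = {"Label": "com.example.backup",
              "ProgramArguments": ["/usr/bin/rsync", "-a", "/Users/me/Documents", "/Volumes/Backup"]}
    suspicious = {"Label": "com.example.bonus",
                  "ProgramArguments": ["/Applications/PremierOpinion.app/Contents/MacOS/PremierOpinion"],
                  "RunAtLoad": True}
    for label, payload in (("com.example.backup", benign), ("com.example.bonus", suspicious)):
        with open(os.path.join(agents, label + ".plist"), "wb") as fh:
            plistlib.dump(payload, fh)
    return agents


def demo(marker="PremierOpinion"):
    """Build the fixture in a temp dir and scan it; returns the hit list."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_persistence([build_fixture(tmp)], marker)


if __name__ == "__main__":
    for path, reason in demo():
        print(path, "->", reason)
```

To check a real machine rather than the fixture, call `scan_persistence(LAUNCH_DIRS, "PremierOpinion")`; a mounted volume can be scanned by prefixing the directory names with its mount point. Launch items are one place such software persists, not the only one, so a clean result from this scan is not proof of a clean system.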
Re: THE CYBER-SECURITY THREAD
OP
Joined: Sep 2009
Among others, I found Gregory Tetrault's comments especially interesting, suggesting that—apart from the clear threat potential of this 'bundled spyware' route—Intego press releases can be seen as something of a hype by an interested party.
Well i agree there... i'm no fan of Intego, i don't use it and i don't recommend that anyone else use it. (ClamXav is more my speed). Nonetheless, i still find this particular screensaver/trojan rather suspicious (especially in the admin password request department). Here is Intego's update posted yesterday:
Intego has been monitoring the actions of the different versions it has found of this spyware. It has discovered that, after a certain time, the spyware makes an "upgrade" and installs another application, which is another variant of the same spyware, called PermissionResearch. (It is also possible that further versions of this spyware will upgrade themselves to other variants.) Intego has updated its threat filters today (June 2, 2010) to improve proactive detection of this type of spyware. We strongly recommend that all VirusBarrier X5 and X6 users update their threat filters as soon as possible.
And also: some place called Hardmac has posted the "terms of agreement" between the user and some company called VoiceFive. idunno... perhaps they don't harvest credit card numbers, but it still smells rotten somehow. Albeit, very sugar-coated: http://7art-screensavers.com/Mac_OS_X.shtml (vomit)
Last edited by Hal Itosis; 06/03/10 04:16 PM.
Re: THE CYBER-SECURITY THREAD
Moderator
Joined: Aug 2009
Likes: 1
I absolutely agree about the less than user-friendly approach of the spyware distributor, aided and abetted by the original software publisher (7Art). Anyone used to simply hitting Return during the installation of ‘regular’ software stands a good chance of installing ‘bonus’ material of the spyware kind. Requiring an admin password for software that doesn’t need it (i.e., the screen saver, not the spyware) is bad manners and a clear sign of potential danger to the educated user. Unfortunately, not everyone is sufficiently alert all of the time, so inadvertent installs will increase with this setup. Since the software involved seems to be exclusively freeware, at least you’re not paying for the VoiceFive privilege. Still, the main reason to mention Tetrault’s experience was to point out that it’s apparently possible to install the main software of a 7Art package while avoiding that of bonus material like this spyware. Of course, the main importance of this issue in this tabnabbing week is the addition/improvement of yet another route for distributing malware, and in that sense Intego’s alert is appreciated.
alternaut ◉ moderator
Re: THE CYBER-SECURITY THREAD
OP
Joined: Sep 2009
Think i'll post this news here instead, because (so far) the real culprit seems to be AT&T:
AT&T's Worst Security Breach: 114,000 iPad Owners Exposed
Goatse Security obtained its data through a script on AT&T's website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad "Settings" application.
To make AT&T's servers respond, the security group merely had to send an iPad-style "User agent" header in their Web request. Such headers identify users' browser types to websites.
The group wrote a PHP script to automate the harvesting of data. Since a member of the group tells us the script was shared with third parties prior to AT&T closing the security hole, it's not known exactly whose hands the exploit fell into and what those people did with the names they obtained. A member tells us it's likely many accounts beyond the 114,000 have been compromised.
Goatse Security notified AT&T of the breach and the security hole was closed.
Of course — as i googled earlier — most of the hyped-up headlines are worded in such a way (to attract more hits i guess) that they sound as if the iPad itself was responsible.
Re: THE CYBER-SECURITY THREAD
Joined: Aug 2009
Likes: 1
AT&T has always had problems like this. Back before the iPhone allowed MMS, when someone tried to text me a picture, I would get a text with an AT&T Web site address instead. By going to the address, I would see the picture.
The AT&T Web site that allowed me to see the MMS pictures had the exact same security flaw. I could manipulate the address bar to see pictures that other people were getting in MMS messages, too! It was trivial to do so--and in fact I discovered it because of a bug in the AT&T system that would only let me see the full-sized picture that had been texted to me if I messed with the address in the address bar.
I never bothered to report it because shortly after I discovered it, AT&T enabled MMS on the iPhone and did away with the need to go to their Web site to see an MMS picture. But it worked *exactly* the same way as the bug that exposed iPad information, so I bet the same Web developer was responsible.
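The AT&T iPad post and the MMS post above describe the same defect: a web endpoint that hands back another customer's record for whatever identifier the client puts in the request, with nothing tying that identifier to the requesting session. Beyond fixing the authorization check on the server, an operator can spot harvesting of this kind in ordinary access logs, because a harvester makes many lookups for many distinct identifiers, often walking them in sequence. The following Python is an added example, not code from either quoted article or from AT&T. It parses a handful of constructed combined-format log lines, groups lookup requests by client address, flags clients that request more than a threshold of distinct identifiers, and reports how sequential those identifiers were. The endpoint path /lookup, the query parameter iccid, the addresses, the identifier values and the user-agent strings are all made up.

```python
"""Flag clients harvesting records from an identifier-keyed lookup endpoint.

Added example: endpoint path, parameter name, addresses, identifier values and
user-agent strings are constructed; nothing here comes from a real site."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

ID_PARAM = "iccid"   # constructed name of the identifier query parameter

# Constructed access-log sample in Apache/nginx "combined" format.
# 203.0.113.7 walks consecutive identifiers with a tablet-style user agent;
# the two other clients each look up a single record.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jun/2010:10:00:01 +0000] "GET /lookup?iccid=89014100000000001001 HTTP/1.1" 200 312 "-" "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X) Mobile/7B367"
203.0.113.7 - - [09/Jun/2010:10:00:02 +0000] "GET /lookup?iccid=89014100000000001002 HTTP/1.1" 200 315 "-" "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X) Mobile/7B367"
198.51.100.22 - - [09/Jun/2010:10:00:02 +0000] "GET /lookup?iccid=89014100000000004410 HTTP/1.1" 200 301 "-" "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X) Mobile/7B367"
203.0.113.7 - - [09/Jun/2010:10:00:03 +0000] "GET /lookup?iccid=89014100000000001003 HTTP/1.1" 404 0 "-" "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X) Mobile/7B367"
203.0.113.7 - - [09/Jun/2010:10:00:04 +0000] "GET /lookup?iccid=89014100000000001004 HTTP/1.1" 200 309 "-" "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X) Mobile/7B367"
192.0.2.55 - - [09/Jun/2010:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 8812 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3) Safari/531.22.7"
203.0.113.7 - - [09/Jun/2010:10:00:05 +0000] "GET /lookup?iccid=89014100000000001005 HTTP/1.1" 200 318 "-" "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X) Mobile/7B367"
192.0.2.55 - - [09/Jun/2010:10:00:06 +0000] "GET /lookup?iccid=89014100000000007781 HTTP/1.1" 200 305 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3) Safari/531.22.7"
203.0.113.7 - - [09/Jun/2010:10:00:06 +0000] "GET /lookup?iccid=89014100000000001006 HTTP/1.1" 200 311 "-" "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X) Mobile/7B367"
"""

# Combined log format: ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line; returns a dict with the endpoint and identifier, or None."""
    match = LOG_RE.match(line)
    if match is None:
        return None
    rec = match.groupdict()
    parts = urlsplit(rec["path"])
    rec["endpoint"] = parts.path
    rec["ident"] = parse_qs(parts.query).get(ID_PARAM, [None])[0]
    return rec


def sequential_ratio(ids, step):
    """Fraction of successive identifier pairs that differ by at most `step`."""
    nums = [int(i) for i in ids if i.isdigit()]
    if len(nums) < 2:
        return 0.0
    close = sum(1 for a, b in zip(nums, nums[1:]) if abs(b - a) <= step)
    return close / (len(nums) - 1)


def detect_enumeration(lines, endpoint="/lookup", distinct_threshold=5, step=10):
    """Group lookups by client and flag clients pulling many distinct records."""
    ids_by_client = defaultdict(list)
    agents_by_client = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["endpoint"] != endpoint or rec["ident"] is None:
            continue
        ids_by_client[rec["ip"]].append(rec["ident"])
        agents_by_client[rec["ip"]].add(rec["ua"])
    alerts = []
    for ip, ids in ids_by_client.items():
        distinct = len(set(ids))
        if distinct < distinct_threshold:
            continue
        alerts.append({
            "ip": ip,
            "requests": len(ids),
            "distinct_ids": distinct,
            "sequential_ratio": sequential_ratio(ids, step),
            "user_agents": sorted(agents_by_client[ip]),
        })
    alerts.sort(key=lambda a: a["distinct_ids"], reverse=True)
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, only 203.0.113.7 is flagged: six requests, six distinct identifiers, and every successive pair one apart, so the sequential ratio is 1.0. The 404 on one of its lookups still counts, since failed guesses are part of the same pattern. A real deployment would bucket by time window and treat the user-agent list only as supporting context, since the header is client-controlled, as the AT&T article itself notes.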
Re: THE CYBER-SECURITY THREAD
OP
Joined: Sep 2009
Ho-hum... may as well toss this one into the mix for good measure: Initial analysis of trojan.osx.boonana.a
[i've always made sure Java was disabled in Safari anyway, so] what can i say?