Apple releases iOS 4.3.4/4.2.9 to fix JailBreakMe.com flaw

Hands holding jail barsAfter a little more than a week after disclosure, Apple has patched three flaws in iOS for iPod Touch, iPad, iPad2, iPhone 3GS, iPhone 4 and the Verizon iPhone.

You may recall the return of the website JailBreakMe.com 10 days ago which exploited these vulnerabilities to provide an easy method of jailbreaking your iDevice.

The updated version for all but the Verizon iPhone is version 4.3.4, while Verizon customers can update to 4.2.9. To update just open iTunes, check for updates and plug in your phone/MP3 player/tablet.

This raises one of my big pet peeves with Apple products.. Why do I have to tether to update? Oh! I see you will have that feature in iOS 5? I guess I will stay vulnerable until I happen to be in the same city as my copy of iTunes...

JailBreakMe do not update warningTwo of the fixes are for font handling issues in PDFs that allow for remote code execution (RCE). The third fix is in the graphics handling code and can be exploited to allow for elevation of privilege (EoP).

It appears the JailBreakMe.com hack used at least two of the three flaws to jailbreak the iDevices. It initially downloaded a PDF to gain the ability to run arbitrary code and then sent down a PNG file that elevated itself to root to perform the jailbreak.

If your phone is not jailbroken, I recommend updating as soon as possible. If you have jailbroken your device you will need to decide if you wish to trust the unofficial "patch" on Cydia and stay jailbroken, or if you should join the herd and go with Apple.


Zeus for Android and fake Kaspersky Antivirus 2011

Android shotOver the weekend I wrote about the discovery of the potential Android component of the Zeus information-stealing toolkit (also known as Zitmo).

I wanted to share an update as there are further developments which have been uncovered about the relationship between the Zeus toolkit and Andr/SMSRep-B.

Thanks to Denis from Kaspersky Labs we can now confirm that the fake Trusteer Rapport application is related to malicious websites set up as command-and-control servers for several Zeus/Zbot botnets.

The server-side Zeus application checks for the User-Agent string of the HTTP requests and delivers the malicious payload based on the browser type.

In the case of Android. the default browser User-Agent string will be similar to "Mozilla/5.0 (Linux; U; Android 2.2)..." and from there the operating system can be easily determined.

On a separate note, it seems that the tradition of malware pretending to be legitimate anti-virus software for Android is extending.

After Trusteer, the next target is Kaspersky Labs. Yesterday, I had a chance to analyse a sample of Android malware which attempts to fool the user into installing the package by looking like a legitimate Kaspersky Antivirus 2011 product.

The application package uses an icon similar to the Kaspersky Lab icon, but the actual functionality is far less useful than the functionality of the legitimate product.

When the package is launched the malware attempts to get the unique device id number and transform it into an "activation code". The fake activation code is then displayed in a standard Android view.

Fake Kaspersky Antivirus 2011

In the background, the application installs a broadcast receiver that attempts to intercept SMS messages and send them to a web server set up by the attacker.

Luckily, in the case of this malware (which Sophos detects as Andr/SMSRep-C), the command-and-control web server IP address is 127.0.0.1 (localhost), which does not make the malware very useful.

Clearly, this is just an early test build and we will have to be on watch for the next version which will be connected with a real malicious server.

Although the functionality of Andr/SMSRep-B and Andr/SMSRep-C is quite similar, the code does not indicate that they have been developed by the same author.


Adobe Flash security update for Windows, Mac, Android, Linux and Solaris users

Adobe Flash patchIt doesn't matter if you run Windows, Mac, Linux, Solaris or even Android.. if Adobe goes public about a security vulnerability in its Flash product, you better install the patch to protect against the problem.

Adobe's emergency patch was issued over the weekend to protect against a cross-site scripting vulnerability.

Targeted attacks could use the vulnerability to trick users into clicking on a malicious link delivered in an email message.

Adobe says that Adobe Flash Player 10.3.181.16 and earlier are vulnerable on Windows, Macintosh, Linux and Solaris operating systems. On Android, Adobe Flash Player 10.3.185.22 and earlier versions are at risk.

You can visit a page on Adobe's website to determine which version of Adobe Flash you are running.

More information can be found in Adobe's security bulletin APSB11-13.


How to stop your Gmail account being hacked

GmailAs has been widely reported, high profile users of Gmail - including US government officials, reporters and political activists - have had their email accounts hacked.

This wasn't a sophisticated attack against Google's systems, but rather a cleverly-crafted HTML email which pointed to a Gmail phishing page.

Victims would believe that they had been sent an attachment, click on the link, and be greeted by what appeared to be Gmail's login screen. Before you knew it, your Gmail username and password could be in the hands of unauthorised parties.

So, what steps should you take to reduce the chances of your Gmail account being hacked?

  1. Set up Two step verification
  2. Check if your Gmail messages are being forwarded without your permission
  3. Where is your Gmail account being accessed from?
  4. Choose a unique, hard-to-crack password
  5. Secure your computer
  6. Why are you using Gmail anyway?

1. Set up Two step verification

The hackers who broke into high profile Gmail accounts grabbed usernames and passwords. So, an obvious thing to do would be to make Gmail require an extra piece of information before allowing anybody to access your account.

Google provides a facility called "two step verification" to Gmail users, which provides that extra layer of security. It requires you to be able to access your mobile phone when you sign into your email account - as they will be sending you a magic "verification" number via SMS.

The advantage of this approach - which is similar to that done by many online banks - is that even if cybercriminals manage to steal your username and password, they won't know what your magic number is because they don't have your phone.

Google has made two step verification easy to set up.

Setting up 2 step verification

Once you're set up, the next time you try to log into Gmail you'll be asked for your magic number after entering your username and password. Your mobile phone should receive an SMS text message from Google containing your verification number.

Mobile phone receives verification number

Let's just hope the bad guys don't have access to your mobile phone too..

Here's a video from Google where they explain two step verification in greater detail:

You can also learn more about two step verification on Google's website.

By the way, note that two step verification doesn't mean that your Gmail can't ever be snooped on by remote hackers. They could, for instance, install spyware onto your computer which could monitor everything that appears on your screen. But it's certainly a good additional level of security for your Gmail account, and one which will make life much more difficult for any cybercriminal who might be targeting you.

2. Check if your Gmail messages are being forwarded without your permission

Gmail gives you the ability to forward your emails to another email address. There are situations where this might be handy, of course, but it can also be used by hackers to secretly read the messages you receive.

Go into your Gmail account settings, and select the "Forwarding and POP/IMAP" tab.

If your emails are being forwarded to another address, then you will see something like the following:

Gmail forwarding

That's fine if you authorised for your emails to be forwarded to that email address, but a bad thing if you didn't.

If your messages are not being forwarded you will see a screen more like this:

Gmail forwarding

Hackers want to break into your account not just to see what email you've received up until their break-in. Ideally, they would like to have ongoing access to your email, even if you change your password or enable two step verification. That's why it's so important to check that no-one has sneakily asked for all of your email to be forwarded to them.

3. Where is your Gmail account being accessed from?

At the bottom of each webpage on Gmail, you'll see some small print which describes your last account activity. This is available to help you spy if someone has been accessing your account at unusual times of day (for instance, when you haven't been using your computer) or from a different location.

Last account activity

Clicking on the "Details" option will take you to a webpage describing the type of access and the IP address of the computer which logged your email account. Although some of this data may appear nerdy, it can be a helpful heads-up - especially if you spot a computer from another country has been accessing your email.

IP addresses of computers accessing Gmail account

4. Choose a unique, hard-to-crack password

As we've explained before, you should never use the same username and password on multiple websites. It's like having a skeleton key which opens every door - if they grab your password in one place they can try it in many other places.

Also, you should ensure that your password is not a dictionary word, and is suitably complex that it's hard to break with a dictionary attack.

Here's a video which explains how to choose a strong password, which is easy to remember but still hard to crack:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Don't delay, be sensible and make your passwords more secure today

And once you've chosen a safer password - keep it safe! That means, don't share it with anyone else and be very careful that you're typing it into the real Gmail login screen, not a phishing site.

5. Secure your computer

Secure PCIt should go without saying, but this list would be unfinished without it. You need to properly secure your computer with up-to-date anti-virus software, security patches and so forth. If you don't, you're risking hackers planting malicious code on your computer which could spy upon you and, of course, your email.

You always want to be certain that your computer is in a decent state of health before you log into a sensitive online account, such as your email or bank account. That's one of the reasons why I would always be very nervous about using a computer in a cybercafe or hotel lobby. You simply don't know what state the computer is in, and who might have been using it before.

6. Why are you using Gmail anyway?

Okay, I don't really mean that. But I do mean, why are you storing sensitive information in your Gmail account?

The news headlines claim that senior US political and military officials were being targeted by the hackers. Surely if they had confidential or sensitive data they shouldn't have that in their webmail account? Shouldn't that be on secure government and military systems instead?

Always think about the data you might be putting on your web email account - because if it's only protected by a username and password that may actually be less security than your regular work email system provides.


Security hole could affect 99% of Android smartphones

Android smartphoneAccording to German researchers, 99% of Android devices might be at risk from a vulnerability which could allow unauthorised parties to snoop on your Google Calendar and Contacts information.

The discovery by the University of Ulm researchers brings to light a serious privacy issue, and underlines the difficulty that many Android smartphone owners appear to face keeping their operating systems up-to-date.

According to the paper by Bastian Könings, Jens Nickels, and Florian Schaub, entitled "Catching AuthTokens in the Wild: The Insecurity of Google's ClientLogin Protocol", in Android 2.3.3 and earlier the Calendar and Contacts apps transmit information "in the clear" via HTTP, and retrieve an authentication token (authToken) from Google.

That means that there's the potential for cybercriminals to eavesdrop on WiFi traffic and steal the authToken that your smartphone has just generated.

Wireshark sniffing an authToken

As authTokens can be used for several days for subsequent requests, hackers can exploit them to access what should be private services and data - such as your web-based calendar. Furthermore, it turns out that the generated authTokens are not linked to a particular phone, so they can be easily used to impersonate a handset.

Yuck!

The scenario is a real problem if you use an unencrypted WiFi hotspot (such as those commonly available in hotel lobbies, airports or at the coffee shop on the corner of your street), as someone could snoop on your authToken and abuse it.

According to the researchers, Google has fixed the problem in Android 2.3.4. But there's the rub. Just how many people are still running older versions of the Android OS?

Android OS platform usage

Approximately 99% of Android users are vulnerable, as they haven't updated to at least version 2.3.4 (codenamed "Gingerbread").

GingerbreadUnfortunately it's not always possible to easily upgrade the version of Android running on your phone as you are very dependent on your mobile phone manufacturer and carrier providing the update to you over the air.

There is a huge range of Android smartphones out there, and whereas Apple can issue a single iOS update to patch iPhones and iPads, things aren't so simple for Google's users. This fragmentation inevitably leaves Android devices open to security problems.

Fortunately, Google seems to be aware of this pain, and says it will work more closely with manufacturers and carriers to ensure users can receive the latest Android updates in the future.

But what should you do if you're a concerned Android owner?

My recommendation would be to upgrade to the latest version of Android if at all possible.

Furthermore, do not use open WiFi networks as your communications may not be properly protected. If you're worried about this latest security issue you might be wise to connect to the internet via 3G from their smartphone rather than using unencrypted public WiFi connections.

Using 3G may eat into your data plan, but it's far less likely that your communications are being snooped upon.

Update: Good news. Google has started rolling-out a fix for this vulnerability.


Facebook announces new security features – but do they go far enough?

Facebook has just published an article entitled Keeping You Safe from Scams and Spam. It's all about improving security on its network.

In the past, Facebook has seemed curiously reluctant to do anything which might impede traffic.

After all, Facebook's revenue doesn't come from protecting you, the user. It comes from the traffic you generate whilst using the site.

So this latest announcement is a welcome sign, since some of the new security features prevent or actively discourage you from doing certain things on the Facebook network. Let's hope that everyone at Facebook has accepted that reduced traffic from safer users will amost certainly give the company higher value in the long term.

But do Facebook's new security features go far enough? Let's look them over.

* Partnership with Web of Trust (WOT)

WOT is a Finnish company whose business is based around community site ratings. You tell WOT if you think a site is bad; WOT advises you as you browse what other people have said about the sites you visit.

Community block lists aren't a new idea - they've been used against both email-borne spam and dodgy websites for years - and they aren't perfect. Here's what I said about them at the VB2006 conference in Montreal:

[C]ommunity-based block lists can help, and it is suggested that they can be very responsive if the community is large and widespread. (If just one person in the entire world reports a [dodgy] site, everyone else can benefit from this knowledge.)

But the [cybercriminals] can react nimbly, too. For example, using a network of botnet-infected PCs, it would be a simple matter to 'report' that a slew of legitimate sites were bogus. Correcting errors of this sort could take the law-abiding parts of the community a long time, and render the block list unusable until it is sorted out. Alternatively, the community might need to make it tougher to get a [site] added to the list, to resist false positives. This would render the service less responsive.

Another problem with a block list based on "crowd wisdom" is that it can be difficult for sites which were hacked and then cleaned up to get taken off the list. Users will willingly report bad sites, but are rarely prepared to affirm good ones.

False positives, in fact, have already been a problem for Facebook's own bad-link detector, which is also mentioned in the announcement. Naked Security has had its own articles blocked on Facebook simply for mentioning the name of a scam site.

In short, the effectiveness, accuracy and coverage of the WOT partnership remains to be evaluated. But I approve of the deal. It's a step forward by Facebook. However, Facebook's own bad-link detector could do with improvement.

* Clickjacking protection

Facebook introduced some anti-clickjacking measures a while ago. It's a good idea. If you're trying to Like a page known to be associated with acquiring Likes through clickjacks, Facebook won't blindly accept the click. You'll have to re-confirm it.

Again, I approve of this. But in my opinion, it's not going far enough. It would be much better if Facebook popped up a confirmation dialog every time you Liked something, so that the "blind Likes" triggered by clickjacking would neither work nor go unnoticed. (Indeed, this popup dialog would be a great place for users to report clickjacks to the WOT community block list!)

That's not going to happen. Facebook wants Liking to be easy - really easy - as it helps to generate lots of traffic. A popup for every Like almost certainly wouldn't get past Facebook's business development managers. Not yet, at any rate. But if we all keep asking, perhaps they'll see the value?

* Self-XSS

This is a geeky way of saying "Pasting JavaScript into your own address bar."

We've already reported on the potential danger of doing this. When you put JavaScript in your address bar, you implicitly give it permission to run as if it were part of the page you just visited. That's always a risky proposition. Facebook is adding protection against this behaviour.

Facebook also says it's working with browser makers on this problem. That's good.

Perhaps all browsers should simply disallow Javascript in the address bar by default? It's a useful feature, but the sort of user who might need it would surely be technically savvy enough to turn it on when needed.

* Login approvals

Facebook's final announcement is what it describes as two factor authentication (2FA). Facebook will optionally send you an SMS every time someone logs in from "a new or unrecognised device". (Facebook doesn't say how it defines "new", or how it recognises devices.)

This is a useful step, and will make stolen Faceook passwords harder to abuse. In the past, you would only see Facebook's "login from new or unrecognised device" warning next time you used the site, by which time it might have been too late.

The new feature means that you'll get warnings about unauthorised access attempts pushed to you. Furthermore, the crooks won't be able to login because they won't have the magic code in the SMS which is needed to proceed.

It's a pity Facebook isn't offering an option to let you enable 2FA every time you login. It would be even nicer if they added a token-based option (and they'd be welcome to charge a reasonable amount for the token) for the more security-conscious user.

A token would also allow users to enjoy the benefits of 2FA without sharing their mobile phone number with Facebook - something they might be unwilling to do after Facebook's controversial flirtation, earlier this year, with letting app developers get at your address and phone number.

In summary

Where does this leave us?

Good work. I'm delighted that Facebook is getting more visibly involved in boosting the security of its users. But there's still a long way to go.

In particular, this latest announcement doesn't address any of the issues in Naked Security's recent Open Letter to Facebook. Those issues represent more general problems which still need attention: Privacy by default, Vetted app developers, and HTTPS for everything.

(If you use Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 80,000 people.)


Apple iOS update quashes location tracking “bug”

iPhoneApple has released an iOS update for the iPhone and iPad, addressing concerns that the devices were tracking users' locations.

As was widely reported last month, a bug in Apple's software meant that iPhones and iPads were collecting location-related data and were archiving it on users' computers.

It was found that location information stored on your computer could pinpoint your iPhone's whereabouts for up to a year afterwards - something which caused a storm of protest from those concerned about their privacy.

And you can see their point. After all, someone with access to your PC might find the backup file in your iTunes and determine places that you regularly visit. And you had no idea that that information was being stored.

iPhone tracking

At the time of the revelation I think my biggest concern was the sheer amount of data that was being backed up to PCs. I couldn't see a legitimate reason for up to a year's worth of location data to be held.

Apple responded to the media interest, and admitted that devices were collecting information about cell towers and WiFi hotspots around users' current location, even when users had specifically turned off Location Services.

Apple says that the newly-released iOS 4.3.3 update will no longer back up location data cached on iPhones and iPads to users' computers, and fixes the Location Services bug.

iOS 4.3.3 update

If you install the update, the location data stored on your iPhone or iPad will reportedly only stretch back seven days, and the cache will be deleted in its entirety if you disable Location Services.

It would still be nice, of course, if the cache of location data was also encrypted - to prevent snooping eyes. Apple says that they plan to encrypt the data in the next major iOS software release (iOS 5.0?).