iOS 6.1 hack lets users see your phone app, place calls

Some sleight of hand will allow iOS 6.1 hackers to access your phone application, listen to your voice mails, and place calls.

A YouTube video showing users how to “bypass iPhone 5 passcode” on Apple’s latest iOS releases, including iOS 6.1, has been published. The person who uploaded the video shows how anyone can access the phone application on a passcode-protected iPhone.

In order to achieve the hack, users must come close to turning off the iPhone, place an emergency call, and keep their finger on the power button. We were able to re-create the hack with ease, and the YouTube user who uploaded the video provided step-by-step directions.

“For prank[ing] your friends, for a magic show. Use it as you want, at your own risk, but…please…do not use this trick to do evil,” “videosdebarraquito” posted on the YouTube page.

Apple said it is at work on a fix to the issue, but that it will require a software update.


Remote Controlled: Mobile Backdoor Spotted

Reports of a smartphone botnet with over a million bots confirm how varied mobile threats have become. The fact that this malware can avoid detection and lead to further infections makes this discovery more troubling.

Access Through Fake Apps

Malware like ANDROIDOS_KSAPP.A came from a third-party app store and was repackaged as gaming apps. Once installed, these malicious apps download and analyze a script from remote sites. This script contains commands that a remote attacker can execute on the affected device. The malicious apps can also make devices vulnerable to further infection via notifications and pop-up windows that prompt you to install other possibly malicious files.

More Sophisticated Malware

What makes this particular malware notable is its ability to analyze a downloaded script and equip itself with new ones. It can update its script to avoid antimalware detection. This behavior makes it more complicated than the typical Android malware with backdoor capabilities.

These refined routines led to a mobile trend we saw last year. Using social engineering baits, cybercriminals have since included newer attack methods. The discovery of the reported malware indicates that cybercriminals are continuously creating more complex malware to prey on mobile users like you.

Protecting Your Devices

Protect your mobile devices by scrutinizing each app before you download and install it. Cybercriminals often spoof popular apps to trick you into downloading malware. Reading app descriptions and reviews can help you sift legitimate from suspicious apps.

Installing a security app, if available, adds another layer of protection to your mobile device. Android devices have a good selection of security apps. iDevices have fewer options due to Apple’s reluctance to allow third-party developers to offer solutions. We believe this will change this year. The threats are growing and manufacturers need partners to ensure security. As Windows phones gain market share, solutions will be available for them as well.

Bring Your Own Device (BYOD) – Rules for IT Management – Rule 1

We are starting a series on BYOD – allowing users to bring their own devices to the office and access office infrastructure and files. We have come up with topics to help organizations navigate the ever changing landscape. Here’s rule 1:

1. Create Your Policy Before Procuring Technology

Like any other IT project, policy must precede technology—yes, even in the cloud. To effectively leverage mobile device management (MDM) technology for employee owned devices, you still need to decide on policies. These policies affect more than just IT; they have implications for HR, legal, and security—any part of the business that uses mobile devices in the name of productivity.

Since all lines of business are affected by BYOD policy, it can’t be created in an IT vacuum. With the diverse needs of users, IT must ensure they are all part of policy creation.

There’s no one right BYOD policy, but here are some questions to consider:

  • Devices: What mobile devices will be supported? Only certain devices or whatever the employee wants?

According to Forrester, 70% of smartphones belong to users, 12% are chosen from an approved list, and 16% are corporate-issued. Some 65% of tablets belong to users, 15% are chosen from a list, and 16% are corporate issued. In other words, users in most cases bring their own devices.

  • Data Plans: Will the organization pay for the data plan at all? Will you issue a stipend, or will the employee submit expense reports? Who pays for these devices? For smartphones, 70% paid the full price, 12% got a discount, 3% paid a partial amount, and in 15% of cases, the company covered the full price. With tablets, 58% bought their own, 17% got a corporate discount, 7% shared the cost, and 18% were issued and paid for by their companies. (Source: Forrester, 2011)
  • Compliance: What regulations govern the data your organization needs to protect? For instance, the Health Insurance Portability and Accountability Act (HIPAA) requires native encryption on any device that holds data subject to the act.
  • Security: What security measures are needed (passcode protection, jailbroken/rooted devices, anti-malware apps, encryption, device restrictions, iCloud backup)?
  • Applications: What apps are forbidden? IP scanning, data sharing, Dropbox?
  • Agreements: Is there an Acceptable Usage Agreement (AUA) for employee devices with corporate data?
  • Services: What kinds of resources can employees access—email? Certain wireless networks or VPNs? CRM?
  • Privacy: What data is collected from employees’ devices? What personal data is never collected?

No questions are off limits when it comes to BYOD. There must be frank and honest dialog about how devices will be used and how IT can realistically meet those needs.

BlueToad Was Source of Leaked Apple Data, not FBI Laptop

The little-known app company that lost at least a million Apple Inc. iPhone and iPad identification numbers gathered the data from devices without protecting it and was still sending the data as of Monday.

The information was sent by the company, BlueToad Inc., in “cleartext”—without encryption to hide it—violating widely accepted computer-security practices. The identification numbers, device names and other information were then stored in a database that the company said was recently stolen by hackers.

The BlueToad breach is the latest in a series of events that have raised questions about the security and privacy of the fast-growing app economy. Many apps have been found taking data that users didn’t know about. In 2010, the Journal tested 100 iPhone and Android apps and found that more than half were transmitting identifying details without the user’s knowledge, and some were sending more personal information such as contact lists and location information. Since then, several other apps have been caught transmitting details about users without their knowledge.

The device ID number can allow a hacker to gain access to a user’s social networking accounts and other apps. As a result, Apple has long told developers that “for user security and privacy” they “must not publicly associate a device’s unique identifier with a user account.” And Apple last year began telling developers that it was going to phase out the use of UDIDs, in part because of these concerns.

FBI Agent’s Laptop ‘Hacked’ To Grab 12 Million Apple IDs

Three years ago special agent Christopher Stangl appeared in a video calling on people with computer science degrees to join the Federal Bureau of Investigation, saying they were needed “more than ever.” Last night, hackers with subversive online networks Anonymous and Antisec answered that call with nothing short of irreverence: they published what they claimed were more than 1 million unique device identifier (UDID) numbers for Apple devices, stolen from Stangl’s own laptop.

In total, the hackers say they were able to steal more than 12 million of these strings of numbers and letters, but, “we decided a million would be enough to release.” They announced the hack through the widely-watched Twitter feed, @AnonymousIRC last night.

The incident raises many questions, not only about the security of federal devices, but of why an agent might have (allegedly) been carrying a database of Apple UDIDs, which the hackers said also contained “user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.” of iPhone and iPad users.

Bandwidth-Burning Malware Among Biggest Consumer Threats

A new malware report indicates Android malware samples grew three-fold last quarter and that one in every 140 devices connected to mobile networks was infected at some point.

Closer to home, about 14 percent of household networks were hit by malware this spring, with a 50 percent increase in high-level bots, Trojans and backdoors.

Among the biggest threats to consumers was the ZeroAccess botnet, which grew to more than 1.2 million super nodes resulting in ad-click fraud that at one point burned through bandwidth equivalent to 45 monthly movie downloads per subscriber.

In recent months, the ZeroAccess botnet has updated its command and control protocol and grown to infect more computers while connecting to over one million computers globally. The concern with ZeroAccess is that it is using the subscriber’s bandwidth maliciously which will cost them money as they exceed bandwidth caps. And, once the computer is compromised, it can also spread additional malware or launch new attacks.

The ZeroAccess/Sirefef bot earlier this year modified its command-and-control protocol to evade detection and quietly distribute fraud-laced malware.

The bot tries to circumvent these by simulating normal human browsing behavior. This involves using a relatively low click rate and responding to redirects, cookies and scripting as would a regular browser. Despite this low profile, the bot operates 24 hours a day, seven days a week, so the bandwidth utilization for all that browsing adds up over time.
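The pattern described above (a low per-hour click rate sustained around the clock) can be picked out of per-subscriber traffic summaries. The following is an added example, not code from the report or from any vendor; the record layout, subscriber names, sample values and both thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

MIN_ACTIVE_HOURS = 22     # assumed threshold: active in nearly every hour of a day
MAX_CLICKS_PER_HOUR = 10  # assumed threshold for a "relatively low click rate"

def build_sample():
    """Constructed records: (subscriber, ISO timestamp, ad clicks, bytes)."""
    records = []
    # sub-A: few clicks per hour, but present in all 24 hours (bot-like)
    for hour in range(24):
        records.append(("sub-A", f"2012-07-01T{hour:02d}:10:00", 6, 1_500_000))
    # sub-B: bursty browsing in a handful of hours (human-like)
    for hour in (8, 12, 19, 20, 21):
        records.append(("sub-B", f"2012-07-01T{hour:02d}:30:00", 40, 9_000_000))
    return records

def profile(records):
    """Per subscriber: clicks per (day, hour) bucket and total bytes."""
    stats = defaultdict(lambda: {"hours": defaultdict(int), "bytes": 0})
    for sub, ts, clicks, nbytes in records:
        t = datetime.fromisoformat(ts)
        stats[sub]["hours"][(t.date(), t.hour)] += clicks
        stats[sub]["bytes"] += nbytes
    return stats

def flag_always_on(records):
    """Flag subscribers whose ad traffic never rests yet never spikes."""
    flagged = []
    for sub, s in profile(records).items():
        per_day = defaultdict(list)
        for (day, _hour), clicks in s["hours"].items():
            per_day[day].append(clicks)
        for day, hourly in per_day.items():
            # Rate alone looks harmless; coverage of the clock is the signal.
            if len(hourly) >= MIN_ACTIVE_HOURS and max(hourly) <= MAX_CLICKS_PER_HOUR:
                flagged.append((sub, str(day), len(hourly), s["bytes"]))
    return sorted(flagged)

if __name__ == "__main__":
    for sub, day, hours, total in flag_always_on(build_sample()):
        print(f"{sub} {day}: active {hours}/24 hours, {total} bytes in total")
```

A rate-only threshold would flag sub-B's bursts and miss sub-A, which is why the check combines hour coverage with a ceiling on the hourly rate.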

On the mobile front, most malware involved “trojanized” apps that steal information about the phone or send SMS messages. However, a banking Trojan that intercepts access tokens and two spyware applications also made the Top 20 list.

Researchers noted that Apple took a second hit to its security reputation with the “Find and Call” malware that targeted both iPhone and Android devices.

First Flashback infected the Mac and now it appears that an iPhone app called ‘Find and Call’ uploads the user’s contact list to a remote server. The server then sends e-mail and text-message spam to the victim’s contacts. The messages are in Russian and encourage the recipient to download the app.

The app has since been taken down from the Apple Store.

Flashback, the Trojan that exploited a Java vulnerability to infect thousands of Mac OS X systems worldwide last spring, infected 10 percent of homes that owned at least one Mac, during the month of April 2012.

DRM server to blame for corrupted iOS and Mac apps

Apple has fixed a glitch that caused some apps downloaded from the iOS App Store and Mac App Store to refuse to work.

Apple confirms that the problem was traced down to a fault with “a server that generated DRM code for some apps being downloaded”.

The DRM code normally prevents apps being run on unauthorized devices, but in this case it seems the glitch prevented the app from working on legitimate devices.

According to Apple, “The issue has been rectified and we don’t expect it to occur again.”

All affected apps will have to be deleted and re-downloaded from the appropriate App Store. This is an annoyance because it will mean losing all settings and data inputted into the app but it will fix the problem.