::Trend Micro Threat Resource Center::

10 November 2011

iOS flaw allows App Store apps to download malicious code

Since the App Store's inception, Apple has carefully examined applications submitted by third-party developers in order to assure its customers a malware-free experience. Approved apps are signed with Apple's cryptographic seal, and only then can they be downloaded and run by iPad and iPhone users.

But well-known Mac hacker and researcher Charlie Miller has discovered a flaw in the way iOS enforces its code-signing restrictions which would allow attackers to use applications sneaked into the App Store to download and run additional, unsigned code.

To prove his point, Miller created an app called InstaStock that ostensibly lists stock tickers and submitted it to the App Store. Apple approved the app and offered it to users, unaware that it also contained a hidden payload that takes advantage of the aforementioned flaw.

The app could then "phone home" to a server set up by Miller, from which new code - never reviewed by Apple - was downloaded and executed without a hitch. This gave him remote shell access to the device and let him do things like make it vibrate, play a video and, most frighteningly, copy any file present on it to his server.

Miller, who managed to get the InstaStock app into the App Store back in September, notified Apple of the flaw on October 14th.

But as news broke that he was planning to demonstrate the attack next week at the SyScan conference in Taiwan, Apple reacted immediately: not only was his app removed from the App Store, but he himself was expelled from the iOS Developer Program for violating the agreement under which developers must not “hide, misrepresent or obscure” any part of their submitted apps.

Miller is, understandably, annoyed by the move. “They went out of their way to let researchers in, and now they’re kicking me out for doing research,” he says. “I didn’t have to report this bug. Some bad guy could have found it instead and developed real malware.”

I guess that his upcoming demonstration can't be executed now - unless he has predicted Apple's reaction and uploaded (or asked someone to upload) a second booby-trapped app.

09 November 2011

Why do malicious Android apps come from China?

It seems like every time we hear about a malicious application aimed at Android users, it is always distributed by third-party Chinese app markets.

You might wonder why Chinese users seem to prefer these markets over the official Google Android Market, and the answer is simple: given the Chinese government's often shaky relationship with Google and its penchant for online censorship, access to the official market is often blocked for one reason or another.

"The inconvenience in accessing the Android Market, one not experienced by users from other countries, can be considered a big factor in the Chinese users’ preference in terms of where to download their Android applications," point out Trend Micro researchers.

These third-party stores popped up when access to the official market was impossible. They started as online forums where Android users gathered, shared their knowledge and discussed various topics, but in time some developers began offering their (often free) applications for download.

Some 20 or so third-party app stores currently operate in China, and popular as they are with the country's Android users (who represent 16 percent of Chinese smartphone users), most of them are quite small and the people who run them lack the funds to thoroughly test submitted applications.

It's no wonder, then, that cyber crooks prefer to use them to disseminate their malicious applications, alongside those distributing pirated and repackaged apps. And with the continuing growth in Android users, the target audience keeps getting bigger.

08 November 2011

Brazilian ISPs hit with massive DNS cache poisoning attacks

A massive DNS cache poisoning attack attempting to infect users trying to access popular websites is currently under way in Brazil, warns Kaspersky Lab expert Fabio Assolini.

"Brazil has some big ISPs. Official statistics suggest the country has 73 million computers connected to the Internet, and the major ISPs average 3 or 4 million customers each. If a cybercriminal can change the DNS cache in just one server, the number of potential victims is huge," he points out.

And that is exactly what has been happening over the last week. Users trying to reach Google, YouTube, Facebook and other popular global and local sites were shown pop-up windows telling them to install "Google Defence" or similarly themed software, or a Java applet, before they could access the site they wanted.

Unfortunately for those who fell for the trick, the offered software was a banking Trojan - for a long time now the preferred weapon of Brazilian cyber crooks. According to Kaspersky, the same IP address hosted a number of malicious files and several exploits, and the targeted users appear to be exclusively from Brazil.

Among the different ways in which a DNS cache poisoning attack can be executed, the simplest option for the attackers is to pay an employee who has access to the resolver's DNS records to modify them so that users are redirected to the malicious site. And, as it seems, that is exactly what they did. Strictly speaking, an insider editing a resolver's records is not cache poisoning in the protocol sense, where an outsider forges responses to a recursive resolver; but the effect on the ISP's customers is the same: every lookup for the targeted names returns the attacker's address until the entry is corrected.

Assolini notes that last week the Brazilian police arrested an employee of an ISP located in the south of the country; he stands accused of changing his employer's DNS cache and redirecting users to phishing websites - no doubt at the behest of the people running them. "We strongly suspect similar security breaches will be happening in other small and medium ISPs in the country," Assolini commented.

But random Internet users are not the only ones who have been targeted by this type of attack. Employees of various companies have also been seeing similar pop-up windows when they tried to access any website. Once again, what they were actually offered for download was a banking Trojan.

That attack was made possible by flaws in the networking equipment used by their companies: attackers accessed the routers and modems remotely and changed the devices' DNS configuration, so every lookup from behind them went to a resolver the attackers controlled.
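Both variants of the attack above leave the same fingerprints: the ISP's (or the router's) resolver answers differently from an independent resolver, several unrelated popular names collapse onto one address, and, in the router case, the configured resolver addresses are ones the organisation never chose. The script below, an added example that is not Kaspersky's or any ISP's code, runs those three checks over constructed sample answers and resolver addresses (all of them documentation-range IPs); in practice you would populate the two answer tables by resolving the names through each server, for instance with `dig @<server> <name>`.

```python
"""Added example: spot the DNS-hijack symptoms described in the article.

Not Kaspersky's or the ISP's code. The resolver answers, resolver
addresses and allowed networks below are constructed sample data.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: what the ISP's (tampered) resolver returned for each name.
LOCAL_ANSWERS = {
    "www.google.com":   "203.0.113.10",
    "www.youtube.com":  "203.0.113.10",
    "www.facebook.com": "203.0.113.10",
    "www.example.net":  "198.51.100.7",
}
# Constructed: the same names resolved through an independent resolver.
REFERENCE_ANSWERS = {
    "www.google.com":   "192.0.2.1",
    "www.youtube.com":  "192.0.2.2",
    "www.facebook.com": "192.0.2.3",
    "www.example.net":  "198.51.100.7",
}


def divergent_domains(local, reference):
    """Names whose local answer differs from the reference answer.

    CDNs legitimately hand out different addresses per region, so one
    divergence is a lead, not proof; many divergences that all point at
    one address (see sinkhole_candidates) are the real signal.
    """
    return sorted(name for name in local
                  if name in reference and local[name] != reference[name])


def sinkhole_candidates(answers, min_domains=3):
    """Addresses that several unrelated names collapse onto.

    The Brazilian campaign pointed Google, YouTube, Facebook and other
    sites at a single malware-hosting address; popular, unrelated
    domains sharing one IP is the hallmark.
    """
    by_ip = defaultdict(list)
    for name, ip in answers.items():
        by_ip[ip].append(name)
    return {ip: sorted(names) for ip, names in by_ip.items()
            if len(names) >= min_domains}


def rogue_resolvers(configured, allowed_networks):
    """Configured resolver addresses (e.g. read from a router's WAN or
    DHCP settings) that lie outside the networks you expect them in.
    The router/modem attack changed exactly this setting."""
    allowed = [ip_network(n) for n in allowed_networks]
    return [r for r in configured
            if not any(ip_address(r) in net for net in allowed)]


def report(local=LOCAL_ANSWERS, reference=REFERENCE_ANSWERS,
           resolvers=("192.0.2.53", "203.0.113.53"),   # constructed
           allowed=("192.0.2.0/24", "10.0.0.0/8")):     # constructed
    """Run all three checks and return the findings as one dict."""
    return {
        "divergent": divergent_domains(local, reference),
        "sinkholes": sinkhole_candidates(local),
        "rogue_resolvers": rogue_resolvers(resolvers, allowed),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run against the sample data, the report flags the three big sites as divergent, names 203.0.113.10 as the address they were all pointed at, and lists 203.0.113.53 as a resolver outside the expected ranges; an unchanged answer for www.example.net shows that a selective redirect of only the lucrative targets is not masked by the rest of the zone looking normal.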

05 November 2011

Siri - Can She Spill Your Secrets?

By Default, Yes.
As IT/infosec expert Ben Schorr points out in an article, the feature of the iPhone 4S that everyone is excited about is Siri, the voice-enabled personal assistant. Siri can do some cool things - she can direct you to the nearest gas station, read you your e-mails and help you remember the coffee shop you liked in Seattle the last time you visited - ah, the wonders of GPS.

Unfortunately, Siri has no loyalty - if someone else gets possession of your phone, Siri will obligingly read them your texts or e-mails - or send texts and e-mails that appear to come from you. This is true EVEN if you have your phone locked with a PIN.

This recently discovered security flaw can be corrected, but you must take the affirmative step of disabling Siri when the phone is locked (in iOS 5 the switch is under Settings > General > Passcode Lock, "Allow Access When Locked: Siri") - and how many users are going to do that? Unless you take that step, be wary of what you share with the faithless Siri!

04 November 2011

Has your account been pwned? New website will tell...

Security researchers have set up a website that allows punters to check whether or not their email addresses have appeared in data dumps slurped from compromised databases.

Hacking attacks on sites including Gawker and the network of Sony’s gaming division have led to the publication of hundreds of thousands of users’ credentials online, sometimes (but not always) by activists at Anonymous.

That’s bad enough in itself but is even worse for users who use the same login details for all their online activity – from email to online banking. Compromised firms normally make some effort to notify affected customers, but this does not always happen.

A new site – called Pwnedlist.com - aims to plug this information gap. Users enter a username or email address into the site’s search box to find out if their username has appeared in any recent public data dumps. Users are not prompted to enter their password itself.

You can also submit a SHA-512 hash of your email address or username instead of the plaintext. Just don't forget to lowercase all characters first, otherwise the digest will not match the one the site has indexed.
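The hashed lookup works only if both sides normalise the identifier identically, which is why the lowercasing matters. The snippet below is an added illustration, not Pwnedlist's own code: it builds the token, shows that differently cased spellings of one address produce the same digest, and matches it against a constructed dump that stores digests rather than addresses. It assumes the site compares the hex digest of the lowercased identifier exactly; stripping surrounding whitespace is an extra normalisation added here, not something the site is known to do.

```python
"""Added example: hashed lookup against a breached-credential list.
Illustrative code, not Pwnedlist's. Assumption: the site indexes the
SHA-512 hex digest of the lowercased identifier and compares exactly.
"""
import hashlib


def lookup_token(identifier: str) -> str:
    """SHA-512 hex digest of the normalised identifier.

    Sending the digest avoids handing the site your plaintext address,
    but the match is exact, so 'Alice@Example.com' and
    'alice@example.com' must yield the same token: hence lower().
    strip() is an added assumption (see the lead-in).
    """
    normalised = identifier.strip().lower()
    return hashlib.sha512(normalised.encode("utf-8")).hexdigest()


# Constructed: a public dump as such a site might index it, digests only.
HASHED_DUMP = {lookup_token(addr) for addr in
               ("alice@example.com", "bob@example.org")}


def is_pwned(identifier: str, dump=HASHED_DUMP) -> bool:
    """True if the identifier's token appears in the hashed dump."""
    return lookup_token(identifier) in dump


if __name__ == "__main__":
    for who in ("Alice@Example.com", " bob@example.org ", "carol@example.net"):
        print(f"{who!r}: pwned={is_pwned(who)} token={lookup_token(who)[:16]}...")
```

A token computed without lowercasing ("Alice@Example.com" hashed as typed) is a completely different 128-character string and would report the address as clean, which is the failure mode the advice above guards against.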

If a username or email address appears on the list, users are advised not to panic and simply to change their passwords. There’s also sensible advice on offer about password security even if credentials are not on the list.

03 November 2011

Zero-Day Exploit Used for DUQU

A report by a Hungary-based security laboratory indicates that a Microsoft Word document that triggers a zero-day kernel exploit was identified as the dropper for DUQU. Upon successful exploitation, the Word file drops the installer files that load the DUQU components first reported a couple of weeks back.

A visual summary of the infection chain accompanied the report (figure not reproduced here).

Details regarding the zero-day exploit used have not yet been disclosed. However, Microsoft is expected to release information on it soon.

More details on this exploit are discussed in an article from Trend Micro.