Apple fixes wireless-based remote code execution flaw in iOS

Credit to Author: Lucian Constantin| Date: Tue, 04 Apr 2017 12:03:00 -0700

Apple released an iOS update Monday to fix a serious vulnerability that could allow attackers to remotely execute malicious code on the Broadcom Wi-Fi chips used in iPhones, iPads and iPods.

The vulnerability is a stack buffer overflow in the feature that handles authentication responses for the fast BSS transition feature of the 802.11r protocol, also known as fast roaming. This feature allows devices to move easily and securely between different wireless base stations in the same domain.

Hackers can exploit the flaw to execute code in the context of the Wi-Fi chip’s firmware if they’re within the wireless range of the targeted devices.

The issue is one of several flaws found by Google Project Zero researcher Gal Beniamini in the firmware of Broadcom Wi-Fi chips. Some of these vulnerabilities also affect Android devices and have been patched as part of Android’s April security bulletin.


Scammers scare iPhone users into paying to unlock not-really-locked Safari

Credit to Author: Gregg Keizer| Date: Tue, 28 Mar 2017 13:28:00 -0700

Apple yesterday patched a bug in the iOS version of Safari that had been used by criminals to spook users into paying $125 or more because they assumed the browser was broken.

The flaw, fixed in Monday’s iOS 10.3 update, had been reported to Apple a month ago by researchers at San Francisco-based mobile security firm Lookout.

“One of our users alerted us to this campaign, and said he had lost control of Safari on his iPhone,” Andrew Blaich, a Lookout security researcher, said in a Tuesday interview. “He said, ‘I can’t use my browser anymore.'”

The criminal campaign, Blaich and two colleagues reported in a Monday post to Lookout’s blog, exploited a bug in how Safari displayed JavaScript pop-ups. When the browser reached a malicious site implanted with the attack code, the browser went into an endless loop of dialogs that refused to close no matter how many times “OK” was tapped. The result: Safari was unusable.


Apple: Macs and iPhones are safe from newly revealed CIA exploits

Credit to Author: Lucian Constantin| Date: Fri, 24 Mar 2017 12:11:00 -0700

The Mac and iPhone exploits described in new documents attributed to the CIA were patched years ago, according to Apple.

WikiLeaks released a new set of files Thursday that supposedly came from the CIA. They contain details about the agency’s alleged malware and attack capabilities against iPhones and Mac computers.

The documents, dated 2012 and earlier, describe several “implants” that the CIA can install in the low-level extensible firmware interface (EFI) of Mac laptop and desktop computers. These EFI rootkits allow the agency’s macOS spying malware to persist even after the OS is reinstalled.


Leaked iCloud credentials came from third parties, Apple says

Credit to Author: Lucian Constantin| Date: Thu, 23 Mar 2017 14:13:00 -0700

A group of hackers threatening to wipe data from Apple devices attached to millions of iCloud accounts didn’t obtain whatever log-in credentials they have through a breach of the company’s services, Apple said.

“There have not been any breaches in any of Apple’s systems including iCloud and Apple ID,” an Apple representative said in an emailed statement. “The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services.”

A group calling itself the Turkish Crime Family claims to have login credentials for more than 750 million icloud.com, me.com and mac.com email addresses, and the group says more than 250 million of those credentials provide access to iCloud accounts that don’t have two-factor authentication turned on.


iPhone, Mac owners: How to stymie hackers extorting Apple, threatening to wipe devices

Credit to Author: Gregg Keizer| Date: Wed, 22 Mar 2017 13:23:00 -0700

Hackers claiming to have hundreds of millions of iCloud credentials have threatened to wipe data from iPhones, iPads and Macs if Apple does not fork over $150,000 within two weeks.

“This group is known for getting accounts and credentials, they have gotten credentials in the past,” said Lamar Bailey, director of security research and development at Tripwire, of the purported hackers. “But whether they have that many … who knows?”

There’s another reason for not panicking, Bailey said: People can quickly make their accounts more secure, assuming the criminals have only collected, not actually compromised the iCloud accounts by changing millions of passwords.


Hackers demand $150K ransom, threaten to wipe millions of Apple devices

Credit to Author: Lucian Constantin| Date: Wed, 22 Mar 2017 09:43:00 -0700

A group of hackers is threatening to wipe data from millions of Apple devices in two weeks if the company doesn’t pay them US$150,000.

The group, which calls itself Turkish Crime Family, claims to have login credentials for more than 627 million icloud.com, me.com and mac.com email addresses. These are email domains that Apple has allowed for users creating iCloud accounts over the years.

Even though the Turkish Crime Family hasn’t been in the media spotlight before, its members claim that they’ve been involved in selling stolen online databases in private circles for the past few years.

The group said via email that it has had a database of about 519 million iCloud credentials for some time, but did not attempt to sell it until now. The interest for such accounts on the black market has been low due to security measures Apple has put in place in recent years, it said.


DOJ: No, we won't say how much the FBI paid to hack terrorist's iPhone

Credit to Author: Gregg Keizer| Date: Tue, 14 Mar 2017 11:31:00 -0700

The U.S. Department of Justice yesterday argued that it should not have to reveal the maker of a tool used last year to crack an alleged terrorist’s iPhone or disclose how much it paid for the hacking job, court documents showed.

That tool was used last year by the FBI to access a password-protected iPhone 5C previously owned by Syed Rizwan Farook, who along with his wife, Tashfeen Malik, killed 14 in San Bernardino, Calif., in December 2015. The two died in a shootout with police later that day. Authorities quickly labeled them terrorists.

In March 2016, after weeks of wrangling with Apple, which balked at a court order compelling it to assist the FBI in unlocking the iPhone, the agency announced it had found a way to access the device without Apple’s help. Although the FBI acknowledged it had paid an outside group to crack the iPhone, it refused to identify the firm or how much it paid.


CIA-made malware? Now antivirus vendors can find out

Credit to Author: Michael Kan| Date: Wed, 08 Mar 2017 04:29:00 -0800

Thanks to WikiLeaks, antivirus vendors will soon be able to figure out if you have been hacked by the CIA.

On Tuesday, WikiLeaks dumped a trove of 8,700 documents that allegedly detail the CIA’s secret hacking operations, including spying tools designed for mobile phones, PCs and smart TVs.

WikiLeaks has redacted the source code from the files to prevent the distribution of cyber weapons, it said. Nevertheless, the document dump — if real — still exposes some of the techniques that the CIA has allegedly been using.
