Archive for the ‘Apple’ Category

Study finds zero-day vulnerabilities abound in popular software

Friday, December 6th, 2013

Subscribers to organizations that sell exploits for vulnerabilities not yet known to software developers gain daily access to scores of flaws in the world’s most popular technology, a study shows.

NSS Labs, which is in the business of testing security products for corporate subscribers, found that over the last three years, subscribers of two major vulnerability programs had access on any given day to at least 58 exploitable flaws in Microsoft, Apple, Oracle or Adobe products.

In addition, NSS labs found that an average of 151 days passed from the time when the programs purchased a vulnerability from a researcher and the affected vendor released a patch.

The findings, released Thursday, were based on an analysis of 10 years of data from TippingPoint, a network security maker Hewlett-Packard acquired in 2010, and iDefense, a security intelligence service owned by VeriSign. Both organizations buy vulnerabilities, inform subscribers and work with vendors in producing patches.

Stefan Frei, NSS research director and author of the report, said the actual number of secret vulnerabilities available to cybercriminals, government agencies and corporations is much larger, because of the amount of money they are willing to pay.

Cybercriminals will buy so-called zero-day vulnerabilities in the black market, while government agencies and corporations purchase them from brokers and exploit clearinghouses, such as VUPEN Security, ReVuln, Endgame Systems, Exodus Intelligence and Netragard.

The six vendors collectively can provide at least 100 exploits per year to subscribers, Frei said. According to a February 2010 price list, Endgame sold 25 zero-day exploits a year for $2.5 million.

In July, Netragard founder Adriel Desautels told The New York Times that the average vulnerability sells from around $35,000 to $160,000.

Part of the reason vulnerabilities are always present is because of developer errors and also because software makers are in the business of selling product, experts say. The latter means meeting deadlines for shipping software often trumps spending additional time and money on security.

Because of the number of vulnerabilities bought and sold, companies that believe their intellectual property makes them prime targets for well-financed hackers should assume their computer systems have already been breached, Frei said.

“One hundred percent prevention is not possible,” he said.

Therefore, companies need to have the experts and security tools in place to detect compromises, Frei said. Once a breach is discovered, then there should be a well-defined plan in place for dealing with it.

That plan should include gathering forensic evidence to determine how the breach occurred. In addition, all software on the infected systems should be removed and reinstalled.

Steps taken following a breach should be reviewed regularly to make sure they are up to date.

Source:  csoonline.com

HP: 90 percent of Apple iOS mobile apps show security vulnerabilities

Tuesday, November 19th, 2013

HP today said security testing it conducted on more than 2,000 Apple iOS mobile apps developed for commercial use by some 600 large companies in 50 countries showed that nine out of 10 had serious vulnerabilities.

Mike Armistead, HP vice president and general manager, said testing was done on apps from 22 iTunes App Store categories that are used for business-to-consumer or business-to-business purposes, such as banking or retailing. HP said 97 percent of these apps inappropriately accessed private information sources within a device, and 86 percent proved to be vulnerable to attacks such as SQL injection.

The Apple guidelines for developing iOS apps help developers but this doesn’t go far enough in terms of security, says Armistead. Mobile apps are being used to extend the corporate website to mobile devices, but companies in the process “are opening up their attack surfaces,” he says.

In its summary of the testing, HP said 86 percent of the apps tested lacked the means to protect themselves from common exploits, such as misuse of encrypted data, cross-site scripting and insecure transmission of data.

The same number did not have optimized security built in the early part of the development process, according to HP. Three quarters “did not use proper encryption techniques when storing data on mobile devices, which leaves unencrypted data accessible to an attacker.” A large number of the apps didn’t implement SSL/HTTPS correctly. To discover weaknesses in apps, developers need to adopt practices such as security scanning of apps, penetration testing and a secure development life-cycle approach, HP advises.

The need to develop mobile apps quickly for business purposes is one of the main contributing factors leading to weaknesses in these apps made available for public download, according to HP. And the weakness on the mobile side is impacting the server side as well.

“It is our earnest belief that the pace and cost of development in the mobile space has hampered security efforts,” HP says in its report, adding that “mobile application security is still in its infancy.”

Source:  infoworld.com

New OS X Trojan found and blocked by Apple’s XProtect

Tuesday, September 24th, 2013

A new command-and-control Trojan for OS X appears to be associated with the Syrian Electronic Army.

Security company Intego recently found a new malware package for OS X, called OSX/Leverage.A, which appears to be yet another targeted command-and-control Trojan horse, this time with apparent associations with the Syrian Electronic Army; however, Apple has blocked its ability to run with an XProtect update only days after its discovery.

The Trojan horse is distributed as an application disguised as a picture of two people kissing, presumably a scene from the television show “Leverage,” hence the name of the Trojan.

When the Trojan’s installer is opened, it will open an embedded version of the image in Apple’s Preview program, in an attempt to maintain the idea that it is just a picture, while the program installs the true Trojan in the background. In addition, the Trojan is built with a couple of code modifications that prevent it from showing up as a running application in the user’s Dock or in the Command-Tab application switch list.

The Trojan itself will be a program called UserEvent.app and will be placed in the /Users/Shared/ directory. It will then install a launch agent called UserEvent.System.plist in the current user’s LaunchAgents directory, which is used to keep the program running whenever the user is logged in. These two locations do not require authentication for any user to access, so the Trojan can place these files without prompting for an admin username and password.

Once installed, the running Trojan will, among standard command-and-control activity like grabbing personal information, attempt to download an image associating the nefarious activity with the Syrian Electronic Army, a relatively new hacking group associated with the Assad regime in Syria. When contacted by Mashable, the group claimed that it is not associated with the Trojan.

While this new malware is out there and has affected a few people, it is not a major threat at this time, one reason being that the command and control servers it connects to appear to be offline. In addition, though for now the exact mode of distribution is unknown, if done through a Web browser or Apple’s Mail e-mail client, then Gatekeeper in OS X will issue a warning about the program not being a signed package. Additionally, Apple has recently updated its XProtect anti-malware scanner to specifically detect and quarantine this malware.

Beyond these security measures, you can take some additional steps to help secure your system from similar Trojans. Since most malware attempts in OS X have used various Launch Agent scripts to keep themselves running, you can use Apple’s Folder Actions feature to set up a launch agent monitor that will notify you any time such scripts are added to the system.
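A Folder Action only tells you that a file appeared in LaunchAgents; it does not say whether the file is worth worrying about. The script below is an added example (not from CNET, Intego or Apple) that applies the two tells the article gives for OSX/Leverage.A: the job runs a binary out of /Users/Shared/, a directory any local user can write to without an admin password, and it is configured to stay running. The sample plist is constructed from the article’s description; the real UserEvent.System.plist may use different keys, so its contents here are an assumption.

```python
import os
import plistlib
import tempfile
from typing import Dict, List, Optional

# Directories any local user can write to. The Trojan dropped its payload in
# /Users/Shared/ precisely because no admin password is needed to write there.
UNTRUSTED_DIRS = ("/Users/Shared/", "/tmp/", "/private/tmp/", "/var/tmp/")


def executable_of(job: dict) -> Optional[str]:
    """Return the program a launchd job runs: Program, else ProgramArguments[0]."""
    if "Program" in job:
        return str(job["Program"])
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    return None


def assess_agent(plist_bytes: bytes) -> List[str]:
    """Findings for one launch agent plist; an empty list means nothing notable."""
    try:
        job = plistlib.loads(plist_bytes)
    except Exception as exc:  # truncated or non-plist file: suspicious in itself
        return [f"unparseable plist: {exc}"]
    findings = []
    exe = executable_of(job)
    if exe is None:
        return ["no Program or ProgramArguments key"]
    if exe.startswith(UNTRUSTED_DIRS):
        findings.append(f"runs from a world-writable location: {exe}")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("starts at login and is restarted if killed (RunAtLoad + KeepAlive)")
    return findings


def scan_launch_agents(directory: str) -> Dict[str, List[str]]:
    """Assess every .plist in a LaunchAgents folder; returns only files with findings."""
    report = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            findings = assess_agent(fh.read())
        if findings:
            report[name] = findings
    return report


# Constructed sample modelled on the article's description of the Trojan's agent.
# The real file's exact keys are not known here; these four are assumed.
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "UserEvent.System",
    "ProgramArguments": ["/Users/Shared/UserEvent.app/Contents/MacOS/UserEvent"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

# Constructed benign agent for comparison: installed under /Applications, runs once.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
    "RunAtLoad": True,
})


def demo_scan() -> Dict[str, List[str]]:
    """Write both samples into a temporary LaunchAgents-style folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("UserEvent.System.plist", SUSPICIOUS_PLIST),
                           ("com.example.updater.plist", BENIGN_PLIST)):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return scan_launch_agents(tmp)


if __name__ == "__main__":
    agents = os.path.expanduser("~/Library/LaunchAgents")
    report = scan_launch_agents(agents) if os.path.isdir(agents) else demo_scan()
    for name, findings in report.items():
        print(name, "->", "; ".join(findings))
```

Run it against ~/Library/LaunchAgents on a Mac, or wire scan_launch_agents into the Folder Action so the notification carries the findings rather than just a file name. Note that a plist pointing into /Users/Shared is not proof of malware, and a plist that does not match these two tells is not proof of innocence; it is a triage filter, not a verdict.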

Source: CNET

iOS and Android weaknesses allow stealthy pilfering of website credentials

Thursday, August 29th, 2013

Computer scientists have uncovered architectural weaknesses in both the iOS and Android mobile operating systems that make it possible for hackers to steal sensitive user data and login credentials for popular e-mail and storage services.

Both OSes fail to ensure that browser cookies, document files, and other sensitive content from one Internet domain are off-limits to scripts controlled by a second address without explicit permission, according to a just-published academic paper from scientists at Microsoft Research and Indiana University. The so-called same-origin policy is a fundamental security mechanism enforced by desktop browsers, but the protection is woefully missing from many iOS and Android apps. To demonstrate the threat, the researchers devised several hacks that carry out so-called cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks to surreptitiously download user data from handsets.

The most serious of the attacks worked on both iOS and Android devices and required only that an end-user click on a booby-trapped link in the official Google Plus app. Behind the scenes, a script sent instructions that caused a text-editing app known as PlainText to send documents and text input to a Dropbox account controlled by the researchers. The attack worked against other apps, including TopNotes and Nocs.

“The problem here is that iOS and Android do not have this origin-based protection to regulate the interactions between those apps and between an app and another app’s Web content,” XiaoFeng Wang, a professor in Indiana University’s School of Informatics and Computing, told Ars. “As a result, we show that origins can be crossed and the same XSS and CSRF can happen.” The paper, titled Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation, was recently accepted by the 20th ACM Conference on Computer and Communications Security.

All your credentials belong to us

The PlainText app in this demonstration video was not configured to work with Dropbox. But even if the app had been set up to connect to the storage service, the attack could make it connect to the attacker’s account rather than the legitimate account belonging to the user, Wang said. All that was required was for the iPad user to click on the malicious link in the Google Plus app. In the researchers’ experiments, Android devices were susceptible to the same attack.

A separate series of attacks were able to retrieve the multi-character security tokens Android apps use to access private accounts on Facebook and Dropbox. Once the credentials are exposed, attackers could use them to download photos, documents, or other sensitive files stored in the online services. The attack, which relied on a malicious app already installed on the handset, exploited the lack of same-origin policy enforcement to bypass Android’s “sandbox” security protection. Google developers explicitly designed the mechanism to prevent one app from being able to access browser cookies, contacts, and other sensitive content created by another app unless a user overrides the restriction.

All attacks described in the 12-page paper have been confirmed by Dropbox, Facebook, and the other third-party websites whose apps were tested, Wang said. Most of the vulnerabilities have been fixed, but in many cases the patches were extremely hard to develop and took months to implement. The scientists went on to create a proof-of-concept app they called Morbs that provides OS-level protection across all apps on an Android device. It works by labeling each message with information about its origin and could make it easier for developers to specify and enforce security policies based on the sites where security tokens and other sensitive information originate.

As mentioned earlier, desktop browsers have long steadfastly enforced a same-origin policy that makes it impossible for JavaScript and other code from a domain like evilhacker.com to access cookies or other sensitive content from a site like trustedbank.com. In the world of mobile apps, the central role of the browser—and the gate-keeper service it provided—has largely come undone. It’s encouraging to know that the developers of the vulnerable apps took this research so seriously. Facebook awarded the researchers at least $7,000 in bounties (which the researchers donated to charity), and Dropbox offered valuable premium services in exchange for the private vulnerability report. But depending on a patchwork of fixes from each app maker is problematic given the difficulty and time involved in coming up with patches.

A better approach is for Apple and Google developers to implement something like Morbs that works across the board.
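The Morbs idea in the paragraphs above is simple to state but easy to misread, so here is an added toy model of it (my own illustration, not code from the paper, Microsoft, Apple or Google). A message crossing from one app to another carries a label saying where its content came from; the platform consults a per-app policy before delivering it, and a message with no label is refused rather than trusted. The app, the action name, the account values and the origins are all constructed for the example; the real PlainText app and the real Dropbox flow are not modelled.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Message:
    """A cross-app message as the platform sees it. `origin` is the label a
    Morbs-style OS attaches: the web origin or app identity that produced the
    content. None means the sender attached no label at all."""
    target_app: str
    action: str
    payload: Dict[str, str]
    origin: Optional[str] = None


class PlainTextApp:
    """Toy stand-in for a note-taking app that syncs to a cloud account."""

    def __init__(self) -> None:
        self.sync_account = "victim@example.com"   # constructed victim account
        self.handlers: Dict[str, Callable[[Dict[str, str]], None]] = {
            "set_sync_account": self._set_sync_account,
        }

    def _set_sync_account(self, payload: Dict[str, str]) -> None:
        self.sync_account = payload["account"]


class OriginPolicy:
    """Allowlist of (app, action) -> origins permitted to trigger that action."""

    def __init__(self) -> None:
        self.rules: Dict[Tuple[str, str], Set[str]] = {}

    def allow(self, app: str, action: str, origin: str) -> None:
        self.rules.setdefault((app, action), set()).add(origin)

    def permits(self, msg: Message) -> bool:
        # Fail closed: an unlabelled message is treated like a hostile one.
        if msg.origin is None:
            return False
        return msg.origin in self.rules.get((msg.target_app, msg.action), set())


def dispatch_unchecked(msg: Message, apps: Dict[str, PlainTextApp]) -> bool:
    """Today's behaviour as the article describes it: any sender drives any handler."""
    handler = apps[msg.target_app].handlers.get(msg.action)
    if handler is None:
        return False
    handler(msg.payload)
    return True


def dispatch_with_origin_check(msg: Message, policy: OriginPolicy,
                               apps: Dict[str, PlainTextApp]) -> bool:
    """Morbs-style: the platform checks the origin label before delivering."""
    if not policy.permits(msg):
        return False
    return dispatch_unchecked(msg, apps)


# Constructed attack: a link tapped in some other app carries an instruction
# aimed at PlainText. Its origin label is the attacker's site, not the provider.
ATTACK = Message(target_app="PlainText", action="set_sync_account",
                 payload={"account": "attacker@example.net"},
                 origin="https://attacker.example")

# Constructed legitimate message from the hypothetical storage provider's origin.
LEGIT = Message(target_app="PlainText", action="set_sync_account",
                payload={"account": "victim@example.com"},
                origin="https://storage.example")


def run_scenarios() -> Tuple[str, str, bool]:
    """(account after unchecked attack, account after checked attack,
    whether the legitimate message still got through)."""
    policy = OriginPolicy()
    policy.allow("PlainText", "set_sync_account", "https://storage.example")

    unchecked_app = PlainTextApp()
    dispatch_unchecked(ATTACK, {"PlainText": unchecked_app})

    checked_app = PlainTextApp()
    apps = {"PlainText": checked_app}
    dispatch_with_origin_check(ATTACK, policy, apps)
    legit_ok = dispatch_with_origin_check(LEGIT, policy, apps)
    return unchecked_app.sync_account, checked_app.sync_account, legit_ok


if __name__ == "__main__":
    print(run_scenarios())
```

The design point is where the check lives: the app never sees the attacker’s message, so it needs no per-app patch of the kind the article says took months. The price is that the label has to be attached by something the sender cannot forge, which is why the paper argues for OS support rather than leaving it to each app.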

“Our research shows that in the absence of such protection, the mobile channels can be easily abused to gain unauthorized access to a user’s sensitive resources,” the researchers—who besides Wang, included Rui Wang and Shuo Chen of Microsoft and Luyi Xing of Indiana University—wrote. “We found five cross-origin issues in popular [software development kits] and high-profile apps such as Facebook and Dropbox, which can be exploited to steal their users’ authentication credentials and other confidential information such as ‘text’ input. Moreover, without the OS support for origin-based protection, not only is app development shown to be prone to such cross-origin flaws, but the developer may also have trouble fixing the flaws even after they are discovered.”

Source:  arstechnica.com

“Jekyll” test attack sneaks through Apple App Store, wreaks havoc on iOS

Monday, August 19th, 2013

Like a Transformer robot, Apple iOS app re-assembles itself into attacker

Acting like a software version of a Transformer robot, a malware test app sneaked through Apple’s review process disguised as a harmless app, and then re-assembled itself into an aggressive attacker even while running inside the iOS “sandbox” designed to isolate apps and data from each other.

The app, dubbed Jekyll, was helped by Apple’s review process. The malware designers, a research team from Georgia Institute of Technology’s Information Security Center (GTISC), were able to monitor their app during the review: they discovered Apple ran the app for only a few seconds, before ultimately approving it. That wasn’t anywhere near long enough to discover Jekyll’s deceitful nature.

The name is a reference to the 1886 novella by Robert Louis Stevenson, called “The Strange Case of Dr Jekyll and Mr Hyde.” The story is about the two personalities within Dr. Henry Jekyll: one good, but the other, which manifests as Edward Hyde, deeply evil.

Jekyll’s design involves more than simply hiding the offending code under legitimate behaviors. Jekyll was designed to later re-arrange its components to create new functions that couldn’t have been detected by the app review. It also directed Apple’s default Safari browser to reach out for new malware from specific Websites created for that purpose.

“Our research shows that despite running inside the iOS sandbox, a Jekyll-based app can successfully perform many malicious tasks, such as posting tweets, taking photos, sending email and SMS, and even attacking other apps – all without the user’s knowledge,” says Tielei Wang, in a July 31 press release by Georgia Tech (http://www.gatech.edu/newsroom/release.html?nid=225501). Wang led the Jekyll development team at GTISC; also part of the team was Long Lu, a Stony Brook University security researcher.

Some blogs and technology sites picked up on the press release in early August. But wider awareness of Jekyll, and its implications, seems to have been sparked by an August 15 online story in the MIT Technology Review, by Dave Talbot, who interviewed Long Lu for a more detailed account.

Jekyll “even provided a way to magnify its effects, because it could direct Safari, Apple’s default browser, to a website with more malware,” Talbot wrote.

A form of Trojan Horse malware, the recreated Jekyll, once downloaded, reaches out to the attack designers for instructions. “The app did a phone-home when it was installed, asking for commands,” Lu explained. “This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed.”

Sandboxing is a fundamental tenet of secure operating systems, intended to insulate apps and their associated data from each other, and avoid the very attacks and activities that Jekyll was able to carry off. It’s also explicitly used as a technique for detecting malware by running code in a protected space where it can be automatically analyzed for traits indicative of a malicious activity. The problem is that attackers are well aware of sandboxing and are working to exploit existing blind spots. [See “Malware-detecting ‘sandboxing’ technology no silver bullet”]

“The Jekyll app was live for only a few minutes in March, and no innocent victims installed it, Lu says,” according to Talbot’s account. “During that brief time, the researchers installed it on their own Apple devices and attacked themselves, then withdrew the app before it could do real harm.”

“The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen,” Lu says.

The results of the new attack, in a paper titled “Jekyll on iOS: When Benign Apps Become Evil,” were scheduled to be presented in a talk last Friday at the 22nd Usenix Security Symposium, in Washington, D.C. The full paper is available online. In addition to Wang and Lu, the other co-authors are Kangjie Lu, Simon Chung, and Wenke Lee, all with Georgia Tech.

Apple spokesman Tom Neumayr said that Apple made “some changes to its iOS mobile operating system in response to issues identified in the paper,” according to Talbot. “Neumayr would not comment on the app-review process.”

Oddly the same July 31 Georgia Tech press release that revealed Jekyll also revealed a second attack vector against iOS devices, via a custom built hardware device masquerading as a USB charger. Malware in the charger was injected into an iOS device. This exploit, presented at the recent Black Hat Conference, was widely covered (including by Network World’s Layer8 blog) while Jekyll was largely overlooked.

Source:  networkworld.com

New attack cracks iPhone autogenerated hotspot passwords in seconds

Thursday, June 20th, 2013

Default password pool so small scientists need just 24 seconds to guess them all.

If you use your iPhone’s mobile hotspot feature on a current device, make sure you override the automatic password it offers to secure your connections. Otherwise, a team of researchers can crack it in less than half a minute by exploiting recently discovered weaknesses.

It turns out Apple’s iOS versions 6 and earlier pick from such a small pool of passwords by default that the researchers—who are from the computer science department of the Friedrich-Alexander University in Erlangen, Germany—need just 24 seconds to run through all the possible combinations. The time required assumes they’re using four AMD Radeon HD 7970 graphics cards to cycle through an optimized list of possible password candidates. It also doesn’t include the amount of time it takes to capture the four-way handshake that’s negotiated each time a wireless enabled device successfully connects to a WPA2, or Wi-Fi Protected Access 2, device. More often than not, though, the capture can be completed in under a minute. With possession of the underlying hash, an attacker is then free to perform an unlimited number of “offline” password guesses until the right one is tried.

The research has important security implications for anyone who uses their iPhone’s hotspot feature to share the device’s mobile Internet connectivity with other Wi-Fi-enabled gadgets. Adversaries who are within range of the network can exploit the weakness to quickly determine the default pre-shared key that’s supposed to prevent unauthorized people from joining. From there, attackers can leech off the connection, or worse, monitor or even spoof e-mail and other network data as it passes between connected devices and the iPhone acting as the access point.

“Taking our optimizations into consideration, we are now able to show that it is possible for an attacker to reveal a default password of an arbitrary iOS hotspot user within seconds,” the scientists wrote in a recently published research paper. “For that to happen, an attacker only needs to capture a WPA2 authentication handshake and to crack the pre-shared key using our optimized dictionary.”

By reverse engineering key parts of iOS powering iPhones, the researchers discovered that default hotspot passwords always contained a four- to six-letter word followed by a randomly generated four-digit number. All the words were contained in an open-source Scrabble word list available online. By using a single AMD Radeon HD 6990 GPU to append every possible four-digit number to each of the words, the researchers needed only 49 minutes to cycle through all possible combinations. Then they stumbled on a discovery that allowed them to drastically reduce the amount of time required.

The hotspot feature, they found, uses an observable series of programming calls to pick four- to six-letter words from an English-language dictionary included with iOS. By cataloging the default passwords issued after about 250,000 invocations, they determined that only 1,842 different words are selected. The discovery allowed them to drastically reduce the number of guesses needed to find the correct password. As a result, the required search space—that is, the total number of password candidates needed to guess a default password—is a little less than 18.5 million.

They were able to further reduce the time required after noticing that certain words on the reduced list are much more likely than others to be chosen. For instance, “suave,” “subbed,” “headed,” and seven other top-10 words were 10 times more likely to be selected as the base for a default password than others. The optimized list in the attack orders words by their relative frequency, so those most likely to be used are guessed first. Given that a four-GPU system is able to generate about 390,000 guesses each second, it takes about 24 seconds on average to arrive at the correct guess; exhausting the entire 18.4 million-candidate list would take roughly twice that.

Among the many security features included in the WPA standard is its use of the relatively slow PBKDF2 function to generate hashes. As a result, the number of guesses that the researchers’ four-GPU system is capable of generating each second is measured in the hundreds of thousands, rather than in the millions or billions. The paper—titled “Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots”—demonstrates that slow hashing alone isn’t enough to stave off effective password cracks.
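The arithmetic in the preceding paragraphs is worth carrying through, so here is an added example (my own code, not the Erlangen researchers’ tool) that computes the search space and timings from the article’s figures and then runs the actual WPA2 derivation the attack has to grind through: the pairwise master key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4,096 iterations, 256-bit output. The word list, SSID and target password are constructed for the demo; a real crack would check each derived key against the MIC in the captured handshake rather than comparing the key directly, and that step is left out. The split between “about 24 seconds” and an exhaustive run of roughly 47 seconds is my inference that the quoted figure is an average-case hit about halfway down the list.

```python
import hashlib
from typing import Iterable, Iterator, Optional, Tuple

# Figures quoted in the article.
WORDS_OBSERVED = 1842          # distinct base words seen across ~250,000 generated passwords
DIGIT_SUFFIXES = 10_000        # 0000..9999 appended to each word
GUESSES_PER_SECOND = 390_000   # the researchers' four-GPU PBKDF2 rate


def search_space(words: int = WORDS_OBSERVED, suffixes: int = DIGIT_SUFFIXES) -> int:
    """Number of candidate default passwords: 18,420,000, 'a little less than 18.5 million'."""
    return words * suffixes


def seconds_to_exhaust(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate at the quoted rate (about 47 s)."""
    return space / rate


def expected_seconds(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Average time if the right candidate sits halfway down the list (about 24 s).
    Frequency-ordering the words, as the researchers did, does better than this."""
    return seconds_to_exhaust(space, rate) / 2


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal pairwise master key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes).
    This is the deliberately slow step the article credits with holding the rate down."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def candidates(words_by_frequency: Iterable[str], suffixes: int = DIGIT_SUFFIXES) -> Iterator[str]:
    """Default-password shape: a word followed by four digits, most frequent words first."""
    for word in words_by_frequency:
        for n in range(suffixes):
            yield f"{word}{n:04d}"


def crack(target_pmk: bytes, ssid: str, words_by_frequency: Iterable[str],
          suffixes: int = DIGIT_SUFFIXES) -> Tuple[Optional[str], int]:
    """Return (password or None, number of guesses tried). Simplification: a real tool
    verifies each key against the handshake MIC; here the PMK itself is compared."""
    tried = 0
    for cand in candidates(words_by_frequency, suffixes):
        tried += 1
        if wpa2_pmk(cand, ssid) == target_pmk:
            return cand, tried
    return None, tried


# Constructed demo: the three most frequent words the article names, in that order,
# and a target whose default password happens to use the first one.
DEMO_WORDS = ["suave", "subbed", "headed"]
DEMO_SSID = "iPhone"            # hypothetical SSID; a real hotspot uses the device name
DEMO_PASSWORD = "suave0042"     # constructed, not any real device's password
DEMO_PMK = wpa2_pmk(DEMO_PASSWORD, DEMO_SSID)


if __name__ == "__main__":
    space = search_space()
    print(f"search space: {space:,} candidates")
    print(f"exhaustive: {seconds_to_exhaust(space):.1f} s, average: {expected_seconds(space):.1f} s")
    print("recovered:", crack(DEMO_PMK, DEMO_SSID, DEMO_WORDS))
```

Pure-Python PBKDF2 manages a few hundred guesses per second on one core, so the demo deliberately places the target 43 candidates in; with the target under the third word the same loop would take minutes, which is exactly the gap between this script and four Radeons. The useful comparison is the exponent: a random ten-character mixed-case password such as the article’s “MPuUjxRpz0” has a space of 62^10, about 8×10^17, and at 390,000 guesses per second that is on the order of 65,000 years rather than 47 seconds.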

Also crucial is a selection of passwords that will require attackers to devote large amounts of time or computing resources to exhaust the required search space. Had Apple engineers designed a system that picked long default passwords with upper- and lower-case letters, numbers, and special characters, it could take centuries for crackers to cycle through every possibility. Alas, passwords such as “3(M$j;]fL[ZU%<1T” aren’t easy for most people to use in practical settings. Still, a Wi-Fi password that’s randomly generated—say “MPuUjxRpz0” or even “arNEsISIon”—will require considerably more time and resources to crack than the default passwords currently offered by iOS.

Readers who use their iPhone’s hotspot feature should override the default password offering and replace it with something that’s harder to guess. They should also take advantage of the hotspot feature’s ability to monitor how many people are connected to the Wi-Fi network. Those who use hotspot features on other mobile platforms would also do well to carefully monitor the passwords protecting their connections. By default, passwords offered by Microsoft’s Windows Phone 8 consist of only an eight-digit number, according to the researchers, and depending on the carrier, some Android handsets may also generate default passwords that are easy to crack.

Source:  arstechnica.com

iPhones can auto-connect to rogue Wi-Fi networks, researchers warn

Friday, June 14th, 2013

Attackers can exploit behavior to collect passwords and other sensitive data.

Security researchers say they’ve uncovered a weakness in some iPhones that makes it easier to force nearby users to connect to Wi-Fi networks that steal passwords or perform other nefarious deeds.

The weakness is contained in configuration settings installed by AT&T, Vodafone, and more than a dozen other carriers that give the phones voice and Internet services, according to a blog post published Wednesday. Settings for AT&T iPhones, for instance, frequently instruct the devices to automatically connect to a Wi-Fi network called attwifi when the signal becomes available. Carriers make the Wi-Fi signals available in public places as a service to help subscribers get Internet connections that are fast and reliable. Attackers can take advantage of this behavior by setting up their own rogue Wi-Fi networks with the same names and then collecting sensitive data as it passes through their routers.

“The takeaway is clear,” the researchers from mobile phone security provider Skycure wrote. “Setting up such Wi-Fi networks would initiate an automatic attack on nearby customers of the carrier, even if they are using an out-of-the-box iOS device that never connected to any Wi-Fi network.”

The researchers said they tested their hypothesis by setting up several Wi-Fi networks in public areas that used the same SSIDs as official carrier networks. During a test at a restaurant in Tel Aviv, Israel on Tuesday, 60 people connected to an imposter network in the first minute, Adi Sharabani, Skycure’s CEO and cofounder, told Ars in an e-mail. During a presentation on Wednesday at the International Cyber Security Conference, the Skycure researchers set up a network that 448 people connected to during a two-and-a-half-hour period. The researchers didn’t expose people to any attacks during the experiments; they just showed how easy it was for them to connect to networks without knowing they had no affiliation to the carrier.

Sharabani said the settings that cause AT&T iPhones to automatically connect to certain networks can be found in the device’s profile.mobileconfig file. It’s not clear if phones from other carriers also store their configurations in the same location or somewhere else.

“Moreover, even if you take another iOS device and put an AT&T sim in it, the network will be automatically defined, and you’ll get the same behavior,” he said. He said smartphones running Google’s Android operating system don’t behave the same way.
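The carrier settings Sharabani describes are not something an end user edits, but the same Wi-Fi payload format appears in any .mobileconfig profile an administrator authors or exports, and that is where the behaviour can be audited and corrected. The script below is an added example (my own, not Skycure’s or Apple’s) that reads a profile, reports every Wi-Fi payload that will auto-join a network an attacker can impersonate with nothing more than the SSID, and rewrites open networks so they remain known but are never joined automatically. The payload keys (PayloadType com.apple.wifi.managed, SSID_STR, AutoJoin, EncryptionType, Password) are from Apple’s profile format; the sample profile and its identifiers are constructed, and AutoJoin defaulting to true when absent is assumed from Apple’s reference.

```python
import plistlib
from typing import List, Tuple

WIFI_PAYLOAD = "com.apple.wifi.managed"


def audit_wifi_payloads(profile_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (SSID, reason) for each Wi-Fi payload that auto-joins a spoofable network."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != WIFI_PAYLOAD:
            continue
        ssid = str(payload.get("SSID_STR", "<unknown>"))
        auto_join = bool(payload.get("AutoJoin", True))   # assumed default: true
        enc = payload.get("EncryptionType", "Any")
        if not auto_join:
            continue
        if enc == "None":
            findings.append((ssid, "auto-joins an open network: any AP broadcasting this SSID is accepted"))
        elif "Password" in payload and "EAPClientConfiguration" not in payload:
            # The PSK ships inside the profile, so it is effectively public knowledge.
            findings.append((ssid, "auto-joins a PSK network whose key is embedded in the profile"))
    return findings


def harden_profile(profile_bytes: bytes) -> bytes:
    """Rewrite the profile so open networks are still configured but never auto-joined."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == WIFI_PAYLOAD and payload.get("EncryptionType") == "None":
            payload["AutoJoin"] = False
    return plistlib.dumps(profile)


# Constructed profile: one open hotspot with AutoJoin left at its default, one PSK
# network explicitly set not to auto-join, and an unrelated APN payload.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.carrier",           # constructed identifier
    "PayloadVersion": 1,
    "PayloadContent": [
        {"PayloadType": WIFI_PAYLOAD, "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.carrier.wifi",
         "SSID_STR": "attwifi", "EncryptionType": "None"},
        {"PayloadType": WIFI_PAYLOAD, "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.corp.wifi",
         "SSID_STR": "corp-guest", "EncryptionType": "WPA",
         "Password": "s3cret-psk", "AutoJoin": False},
        {"PayloadType": "com.apple.apn.managed", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.carrier.apn"},
    ],
})


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    for ssid, reason in audit_wifi_payloads(data):
        print(f"{ssid}: {reason}")
    print("after hardening:", audit_wifi_payloads(harden_profile(data)))
```

Two caveats. A signed profile is a CMS blob rather than a bare plist and has to be unwrapped first (openssl smime -inform der -verify -noverify -in profile.mobileconfig will print the inner plist), and re-signing is needed before redeployment. And this only fixes profiles you control: it does nothing about settings the carrier bundle installs when a SIM is inserted, which is the case the article is about, so the advice to disable Wi-Fi when it is not needed still stands.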

Once attackers have forced a device to connect to a rogue network, they can run exploit software that bypasses the secure sockets layer Web encryption. From there, attackers can perform man-in-the-middle (MitM) attacks that allow them to observe passwords in transit and even forge links and other content on the websites users are visiting.

The most effective way to prevent iPhones from connecting to networks without the user’s knowledge is to turn off Wi-Fi whenever it’s not needed. Apps are also available that give users control over what SSIDs an iPhone will and won’t connect to. It’s unclear how iPhones running the upcoming iOS 7 will behave. As Ars reported Monday, Apple’s newest OS will support the Wi-Fi Alliance’s Hotspot 2.0 specification, which is designed to allow devices to hop from one Wi-Fi hotspot to another.

Given how easy it is for attackers to abuse Wi-Fi weaknesses, the Skycure research isn’t particularly shocking. Still, the ability of iPhones to connect to networks for the first time without requiring users to take explicit actions could be problematic, said Robert Graham, an independent security researcher who reviewed the Skycure blog post.

“A lot of apps still send stuff in the clear, and other apps don’t check the SSL certificate chain properly, meaning that Wi-Fi MitM is a huge problem,” said Graham, who is CEO of Errata Security. “That your phone comes pre-pwnable without your actions is a bad thing. Devices should come secure by default, not pwnable by default.”

Source:  arstechnica.com

Server hack prompts call for cPanel customers to take “immediate action”

Monday, February 25th, 2013

Change root and account passwords and rotate SSH keys, company advises.

The providers of the cPanel website management application are warning some users to immediately change their systems’ root or administrative passwords after discovering one of its servers has been hacked.

In an e-mail sent to customers who have filed a cPanel support request in the past six months, members of the company’s security team said they recently discovered the compromise of a server used to process support requests.

“While we do not know if your machine is affected, you should change your root level password if you are not already using SSH keys,” they wrote, according to a copy of the e-mail posted to a community forum. “If you are using an unprivileged account with ‘sudo’ or ‘su’ for root logins, we recommend you change the account password. Even if you are using SSH keys we still recommend rotating keys on a regular basis.”

The e-mail advised customers to take “immediate action on their own servers,” although team members still don’t know the exact nature of the compromise. Company representatives didn’t respond to an e-mail from Ars asking if they could rule out the possibility that customer names, e-mail addresses, or other personal data were exposed. It’s also unclear whether the company followed wide-standing recommendations to cryptographically protect passwords. So-called one-way hashes convert plain-text passwords into long unique strings that can only be reversed using time-consuming cracking techniques. This post will be updated if cPanel representatives respond later.

The cPanel compromise is the latest in a long string of high-profile hacks to be disclosed over the past few weeks. Other companies that have warned users they were hacked include The New York Times, The Wall Street Journal, security firm Bit9, Twitter, Facebook, Apple, and Microsoft. On Tuesday, a computer firm issued an unusually detailed report linking China’s military to hacks against US companies, although at least some of the most recent attacks are believed to have originated in Eastern Europe.

It’s unclear how many cPanel users are affected by the most recently disclosed compromise. The hack has the potential to be serious because the passwords at risk could give unfettered control to a large number of customers’ Unix-based computers.

Source:  arstechnica.com

Microsoft suggests fix for iOS 6.1/Exchange problem: Block iPhone users

Thursday, February 14th, 2013

iOS 6.1 hammering Exchange, dragging down server performance.

iOS 6.1 devices are hammering Exchange servers with excessive traffic, causing performance slowdowns that led Microsoft to suggest a drastic fix for the most severe cases: throttle traffic from iOS 6.1 users or block them completely.

“When a user syncs a mailbox by using an iOS 6.1-based device, Microsoft Exchange Server 2010 Client Access server (CAS) and Mailbox (MBX) server resources are consumed, log growth becomes excessive, memory and CPU use may increase significantly, and server performance is affected,” Microsoft wrote on Tuesday in a support document.

The problem also affects Exchange Online in Microsoft’s Office 365 cloud service. Office 365 customers may get an error message on iOS 6.1 devices stating “Cannot Get Mail: The connection to the server failed.” The Microsoft support article says both Apple and Microsoft are investigating the problem.

Microsoft suggests several fixes, starting out gently, then escalating to the complete blockage of iOS 6.1 devices. Based on the fixes suggested, the problems may be caused when iOS devices connect to Exchange calendars.

The first workaround is “do not process Calendar items such as meeting requests on iOS 6.1 devices. Also, immediately restart the iOS 6.1 device.”

If that doesn’t work, users are instructed to remove their Exchange accounts from their phones or tablets while the Exchange Server administrator runs a “remove device” command on the server side. After 30 minutes, users can add the Exchange accounts back onto their devices but should be advised “not to process Calendar items on the device.”

If that doesn’t work, the fixes get more serious. The next method is for the server administrator to create a custom throttling policy limiting the number of transactions iOS 6.1 users can make with the server. “The throttling policy will reduce the effect of the issue on server resources,” Microsoft notes. “However, users who receive the error should immediately restart their devices and stop additional processing of Calendar items.”

One Exchange administrator who created a throttling policy through PowerShell to solve the problem provides a guide here, but Microsoft also has a page providing instructions.

Finally, the last method Microsoft recommends is to block iOS 6.1 users. “You can block iOS 6.1 users by using the Exchange Server 2010 Allow/Block/Quarantine feature,” Microsoft notes. (See this post for more detailed instructions.)
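The three server-side workarounds above (throttling policy, then an Allow/Block/Quarantine rule) are described in the article only in prose. The following Exchange Management Shell script is an added example, not part of the article and not Microsoft’s own guide. It assumes Exchange 2010 SP1 or later and a session with the Organization Management role; the policy name, the numeric throttling values, and the assumption that devices report a DeviceOS string beginning “iOS 6.1” are illustrative choices, not values from the page or from Microsoft.

```powershell
# Added example (not from the article or Microsoft's support document).
# Assumes Exchange 2010 SP1+ and an Exchange Management Shell session with
# the Organization Management role. Policy name and thresholds are placeholders.

# Step 1: a dedicated throttling policy that caps ActiveSync (EAS) work per user.
# The EAS* parameters exist on New-ThrottlingPolicy in Exchange 2010 SP1; the
# values below are illustrative, not Microsoft's recommendation.
New-ThrottlingPolicy -Name "iOS61-EAS-Throttle" `
    -EASMaxConcurrency 2 `
    -EASPercentTimeInAD 20 `
    -EASPercentTimeInCAS 20 `
    -EASPercentTimeInMailboxRPC 20

# Step 2: apply the policy only to mailboxes that have an ActiveSync partnership
# with a device reporting an iOS 6.1 OS string, leaving everyone else on the default.
$affected = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.HasActiveSyncDevicePartnership } |
    Where-Object {
        Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity |
            Where-Object { $_.DeviceOS -like "iOS 6.1*" }
    }
foreach ($m in $affected) {
    Set-Mailbox -Identity $m.Identity -ThrottlingPolicy "iOS61-EAS-Throttle"
}

# Step 3 (last resort, as the article describes): block iOS 6.1 devices with the
# Allow/Block/Quarantine feature. Access rules match the DeviceOS string exactly,
# so collect every distinct iOS 6.1 string actually seen rather than guessing one.
$ios61 = Get-Mailbox -ResultSize Unlimited |
    Get-ActiveSyncDeviceStatistics -ErrorAction SilentlyContinue |
    Where-Object { $_.DeviceOS -like "iOS 6.1*" } |
    Select-Object -ExpandProperty DeviceOS -Unique
foreach ($os in $ios61) {
    New-ActiveSyncDeviceAccessRule -QueryString $os -Characteristic DeviceOS -AccessLevel Block
}

# Verify what is now in place.
Get-ActiveSyncDeviceAccessRule | Format-Table Name, QueryString, AccessLevel -AutoSize
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ThrottlingPolicy -eq "iOS61-EAS-Throttle" } |
    Select-Object Name, ThrottlingPolicy
```

Apply the steps in order and stop at the first one that holds log growth in check; the throttling policy limits the damage a looping device can do to the transaction log volume without cutting users off, whereas the access rule is the blunt instrument the article lists last.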

Businesses of all sizes limiting or blocking iOS devices

We don’t know exactly how widespread this problem is. It’s clearly not affecting everyone, but the impact seems to run the gamut from small businesses to large.

“We’re using Exchange 2010 in a small software firm with about a dozen iOS users (each with multiple iOS devices),” Shourya Ray, chief administrative officer of Spin Systems in Virginia, told Ars via e-mail. “Last week our Exchange server froze (internal mail was being routed, but external mail stopped flowing).”

It turned out that the 300GB VMware virtual machine hosting the Exchange server was full. “You can imagine our surprise when that VM filled up overnight,” Ray said. “If we were running Exchange in a typical hardware-based server with a 1TB drive, it would have taken us a week to realize the problem.”

How did it happen, and how did the company get things working “normally” again? “The transaction log had 200,000 records and was the indication of a problem,” Ray said. “Our temporary solution has been to ask iOS users to switch to manual pull rather than ActiveSync push. For heavy e-mail users, we are recommending an automatic pull every 30 minutes. So far, that seems to have kept Exchange happy with no other issues since last week. Let’s hope that Apple and Microsoft put their heads together and fix this soon.”

We heard from several other people on Twitter that they have been bitten by the iOS 6.1/Exchange problem. One said, “My 22,000+ employee enterprise has blocked iOS 6.1, execs all have iOS.”

A support thread on Microsoft’s Exchange Server site was opened January 31 to discuss the excessive logging caused by iOS 6.1. The server administrator who began the thread identified an iPad that “caused over 50GB worth of logs” on a single database.

The thread got more than a dozen replies. One Exchange administrator explained that “malformed meetings on a device cause the device to get into a sync loop which causes excessive transaction log growth on the Exchange mailbox servers.” This in turn “will cause Exchange performance issues and potentially transaction log drives to run out of disk space which would then bring down Exchange.”

To solve the problem, this admin simply “disabled all iOS 6.1 on our Exchange system.”

iOS 6.1 was released on January 28. iOS 6.1.1 came out a couple of days ago, but for now it can only be installed on the iPhone 4S and is designed to fix cellular performance and reliability. Apple didn’t mention anything about Exchange fixes when releasing this latest version. Last year, iOS 6.0.1 fixed an Exchange problem that could lead to entire meetings being canceled when even a single iOS user declined a meeting invitation.

The iOS 6.1 problem isn’t the first time iOS has caused Exchange servers to perform poorly. An Apple support article from 2010 describes sync problems in iOS 4 and says, “Exchange Server administrators may notice their servers running slowly.” At the time, Microsoft noted iOS 4 led to “Exchange administrators… seeing heavier than normal loads on their servers from users with iOS devices.” Microsoft got in touch with Apple to fix that problem.

We’ve asked both Apple and Microsoft how many users are impacted by the latest problem, and when a more permanent fix is coming. We also asked Apple if it agrees with the workarounds suggested by Microsoft. Microsoft told us it has nothing else to say, as the “support article contains the latest.” Apple has not responded to our request for comment as of yet.

UPDATE: Apple posted a support document of its own today, describing the problem thusly:

When you respond to an exception to a recurring calendar event with a Microsoft Exchange account on a device running iOS 6.1, the device may begin to generate excessive communication with Microsoft Exchange Server. You may notice increased network activity or reduced battery life on the iOS device. This extra network activity will be shown in the logs on Exchange Server and it may lead to the server blocking the iOS device. This can occur with iOS 6.1 and Microsoft Exchange 2010 SP1 or later, or Microsoft Exchange Online (Office365).

Apple’s suggested fix is to turn the Exchange calendar off and back on again within the iPhone’s settings. An operating system update to fix the problem is on the way. “Apple has identified a fix and will make it available in an upcoming software update,” Apple said.

Source:  arstechnica.com

Mobile’s dawning signal crisis

Wednesday, February 13th, 2013

Telecommunications tower (Copyright: SPL)

In April 1973, Marty Cooper made a phone call that put him straight into the history books. As he strolled down Lexington Avenue, New York, the Motorola executive whipped out an enormous prototype handset that he had built and placed the first public mobile phone call.

The brief chat – and the photograph that immortalised the moment – marks the start of the mobile phone era. But Cooper’s legacy extends far beyond just that first conversation.

Along with a host of inventions, the engineer also formulated – and lent his name to – a mathematical law that captures the inexorable progress of our communications. Cooper’s Law, as it is known, shows how our use of the ether has grown since Guglielmo Marconi first transmitted radio waves 2.4 kilometres across the streets of Bologna – eight decades ahead of Cooper’s own historic transmission.

It has been estimated that, with the technology available when Marconi made his first transatlantic transmission, radio techniques could support just 50 simultaneous conversations worldwide. Since then radio capacity has grown by a factor of a trillion – doubling every two-and-a-half years. That’s Cooper’s Law.

As well as describing progress, the law has also become the mobile industry’s ruthless master, providing an aggressive roadmap for the rise of mobile culture.

The industry met this challenge thanks to advances in technology.

But now the game has changed. Although few in the industry acknowledge it publicly, Cooper’s Law, which has stood for more than a century, is broken. And it is all down to the phone in your pocket.

Bin there, sent that

To understand the scale of the problem, you only need to look at the numbers.

For example, the mobile giant Ericsson has been tracking the growth in mobile traffic for years. But 2009 was a landmark year, according to the firm’s Patrik Cerwall: “That year saw more data traffic than voice traffic over the mobile networks”. And the data traffic has been doubling every year since – far outracing Cooper’s law.

The big accelerator was the smartphone, which suddenly made the data-carrying capacity of 3G networks attractive. “People didn’t really understand the benefit of 3G until the app concept changed everything,” Cerwall elaborates.

Data-hungry video is also driving demand. Networking firm Cisco has just reported video downloads last year crossed the 50% threshold, accounting for half of all data transferred over the mobile networks.

At the moment, there are around 1.1 billion smartphones across the world; by 2018 (the horizon for the Ericsson forecasts) that will treble to 3.3 billion. If you consider that in 2012 smartphones represented only 18% of total global handsets but 92% of total global traffic, you begin to see the problem.

And the growth will continue relentlessly, according to the Cisco analysis. In 2012, for example, global mobile data traffic grew 70% from 2011, to 885 petabytes per month – that is 885 million gigabytes of data. And in the next five years, it is expected to increase 13-fold, eventually reaching 11.2 exabytes (11,200 million gigabytes) per month by 2017, according to Cisco.

These dramatic hikes will in part be driven by more people switching to smartphones, particularly in emerging markets, as well as new features on phones and in apps.

The impact of simple changes in an app was dramatically demonstrated in November 2012 when Facebook released a new version of its mobile app for Android and Apple phones. Prior to the release, according to networking firm Alcatel, the social network already accounted for 10% of the signalling load and 15% of the airtime load on 2G/3G networks. But, as users around the world updated and started to use this new version, the firm noticed a dramatic increase of almost 60% in the signalling load and 25% in the airtime consumed by new features in the app.

However, data hikes will not just be driven by consumers. Firms also predict a rise in so-called machine-to-machine (M2M) communication that will connect the mobile networks to an array of inanimate objects – from bins that will signal when they are full to electricity meters that will constantly call in to the utility company.

By the end of this year, Cisco predicts that the number of mobile-connected devices will exceed the number of people on earth, and by 2017 there will be more than 10 billion.

No wonder the chairman of the US Federal Communications Commission recently declared: “The clock is ticking on our mobile future.”

Running out

The illusion is that the airwaves, like the atmosphere they pass through, are effectively limitless. We can’t see them, they can travel in any direction and link any two points – why should they be limited? Yet, in practice they are as hemmed in as a motorway through a city.

Radio spectrum is a limited resource, strictly farmed out by national and international regulation. At the moment it is all spoken for by the military, mariners, aviation, broadcasters and many more – all the way up to the very extreme of useful frequencies at 300 gigahertz.

No-one can get more bandwidth without someone else losing out. The 4G spectrum auction that recently began in the UK, for example, is the equivalent of adding a new six-lane motorway to the existing wireless infrastructure (itself already running at 10 lanes), built on virtual land vacated by old-fashioned TV broadcasts.

It helps, but will only keep the expansion going for a certain time. Which is why mobile operators, and their rivals, are gearing up for major spectrum negotiations at the International Telecommunication Union in 2015. The so-called WRC-2015 conference aims to carve up the available spectrum amongst different competing uses. But an overriding priority is identifying and allocating additional frequencies to mobile services.

Already, the stakeholders are preparing their positions. Ericsson’s Afif Osseiran, project coordinator for the European consortium Metis, says the ITU conference “will be a crucial moment for laying out the spectrum needs for the 2020s.”

But industry will not just rely on these delicate negotiations to secure its future. Much of the advance in the past 20 years has not been about how many of these wireless “lanes” we have, but how efficiently we use them.

Like a newly built motorway that’s used by just a few cars, the first generation of phones were incredibly wasteful of the spectrum they used. Capacity was wasted in the same way as the gaps between vehicles represented lost transport opportunities.

In going from 1G to 2G, there was a 1,000-fold increase in capacity, mostly not because of the new radio lanes added in, but because more traffic was squeezed onto those lanes.

And in going from 2G to 3G, capacity rose another factor of 1,000: digital techniques managed to squeeze out yet more of the empty space.

But with the latest generation of tricks being rolled out in 4G (actually described as 3G Long Term Evolution by developers), the industry is running out of ways to improve the efficiency further.

These limits that determine how much information can be transmitted were established in the 1940s by the American engineer Claude Shannon. Although his employers, the Bell Labs of AT&T telephone, were interested primarily in the limitations of telephone wires, Shannon’s equations apply equally to radio transmissions.

And mobile experts generally accept that the limits to data flow revealed by Shannon’s formulae are close to being reached.

Data crunch

So how will the mobile industry meet this challenge and keep satisfying our appetite for data?

The industry is clearly optimistic. It already confidently speaks of 5G – a further generation of technology that will roll out as current ideas have run their course. What exactly they mean by 5G is poorly defined, but a host of tricks are being discussed that it’s hoped will keep past trends going well into the next decade.

Which is just as well, as the lure of being immersed in a seamless flow of data will only become more compelling, says Rich Howard, formerly head of wireless research at Bell Labs and now with Winlab at Rutgers University.

“Mature technology is invisible – and that’s the direction we’re heading,” he says.

Howard looks forward to a day when phones begin to make intelligent decisions by themselves.

“What you want is a digital assistant that, while you’re having a call with somebody, will be busy looking at options for actions relevant to that call and have them available,” he says. So, if you are talking about a train journey, the phone could begin to check your calendar, ticket prices and connections. By the time you hang up, it would be able to present you with a list of available options. “Every time you start to say something, you turn around and it’s already done, the way you want it done.”

It is a vision that is a world away from Cooper’s first call forty years ago and one that is only going to add to the coming data crunch.

How the industry plans to keep up and deliver this future will be explored in the next article in this series.

Source:  BBC

DoS vulnerability affects older iPhones, Droids, even a Ford car

Friday, October 26th, 2012

Publicly available code allows hackers to disable Wi-Fi in a range of products.

The iPhone 4 and a slew of older devices from Apple, Samsung, HTC, and other manufacturers are vulnerable to attacks that can make it impossible to send or receive data over Wi-Fi networks, a security researcher said.

Proof-of-concept code published online makes it trivial for a moderately skilled hacker to disable older iPhones, HTC Droid Incredible 2s, Motorola Droid X2s, and at least two dozen other devices, including Edge model cars manufactured by Ford. The denial-of-service vulnerability stems from an input-validation error in the firmware of two wireless chips sold by Broadcom: the BCM4325 and the BCM4329. The US Computer Emergency Readiness Team has also issued an advisory warning of the vulnerability.

“The only requirement to exploit the vulnerability is to have a wireless card that supports [the] raw inject of 802.11 frames,” Andrés Blanco, one of the researchers from Core Security who discovered the vulnerability, told Ars. “The Backtrack Linux distribution has almost everything you need to execute the POC provided in the advisory.”

The Core Security advisory said that Broadcom has released a firmware update that patches the “out-of-bounds read error condition” in the chips’ firmware. Device manufacturers are making it available to end users on a case-by-case basis since many of the affected products are older and already out of service.

Blanco said the exploit makes it impossible for an affected device to send or receive data over Wi-Fi for as long as the DoS attack lasts. Once the malicious packets subside, the device will work normally. Other device functions are unaffected by the Wi-Fi service interruption. He said it’s possible the bug could be exploited to do more serious things.

“We are not sure that we could retrieve private user data but we are going to look into this,” he said.

Source:  arstechnica.com

Confirmed: Apple-owned fingerprint software exposes Windows passwords

Tuesday, October 9th, 2012

Security consultants have independently confirmed a serious security weakness that makes it trivial for hackers with physical control of many computers sold by Dell, Acer, and at least 14 other manufacturers to quickly recover Windows account passwords.

The vulnerability is contained in multiple versions of fingerprint-reading software known as UPEK Protector Suite. In July, Apple paid $356 million to buy Authentec, the Melbourne, Florida-based company that acquired the technology from privately held UPEK in 2010. The weakness came to light no later than September, but Apple has yet to acknowledge it or warn end users how to work around it. No one has accused Apple of being responsible for the underlying design of fingerprint-reading software.

The UPEK software has long been marketed as a secure means for logging into Windows computers using an owner’s unique fingerprint instead of a user-memorized password. Last month, Elcomsoft, a Russia-based developer of password-cracking software, warned that the software makes users less secure than they otherwise would be because it stores Windows account passwords in the registry and encrypts them with a key that is easy for hackers to retrieve. It takes only seconds for people with the key to extract a password, company officials said. They withheld technical details to prevent the vulnerability from being widely exploited.

Now, a pair of security consultants say they have independently verified the vulnerability and released open-source software that makes it easy to exploit it. Easily decrypted passwords are stored in one of several registry keys located in HKEY_LOCAL_MACHINE\Software\Virtual Token\Passport\, depending on the application version. The duo said they released the software and additional information so that penetration testers, who are paid to penetrate the defenses of their customers, can exploit the weakness.

“From a penetration testing perspective, local administrator access is required to obtain the necessary registry key’s value, so it only matters if you already have control of the PC,” Brandon Wilson, one of the security consultants, told Ars. “But since so many of these devices are used in corporate environments, it makes it easy to obtain domain credentials, and from there, easily expand an attack to other systems.”

When Protector Suite isn’t activated, Windows doesn’t store account passwords in the registry unless users have specifically configured an account to log in automatically. Security experts have long counseled people not to use automatic login. Disabling Windows login functionality from within Protector Suite will not remove the password from the registry key, the penetration testers confirmed. If the “passport” for that user is deleted from within the application, the password is also deleted. When uninstalling the application, an option is presented to the user to also delete the passport data. If left, the password remains, and if removed, the password is deleted, Wilson said.
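Because disabling fingerprint login does not clear the stored password, the practical question for an administrator is whether a given machine still holds passport data under the registry path the article names. The script below is an added example written for this page; it is not the consultants’ tool and does not read or decrypt any values. It only tests for the key named in the article, counts the subkeys beneath it, and checks the uninstall registry for the product names the article gives (“UPEK Protector Suite” and the Lenovo rebrand “ThinkVantage Fingerprint Software”). The function name and the exact subkey layout are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article or from the consultants' tool).
# Defender-side check: does this machine still hold UPEK Protector Suite
# "passport" data under the registry path named in the article? Reads key
# names only, never values. Requires an elevated shell.

function Test-UpekPassportResidue {
    param(
        # Path from the article; the subkey layout below it varies by version.
        [string]$PassportPath = 'HKLM:\SOFTWARE\Virtual Token\Passport'
    )
    $result = New-Object PSObject -Property @{
        ComputerName            = $env:COMPUTERNAME
        PassportKeyPresent      = (Test-Path -LiteralPath $PassportPath)
        SubKeyCount             = 0
        SubKeys                 = @()
        ProtectorSuiteInstalled = $false
    }

    if ($result.PassportKeyPresent) {
        $subKeys = Get-ChildItem -LiteralPath $PassportPath -Recurse -ErrorAction SilentlyContinue
        $result.SubKeyCount = @($subKeys).Count
        $result.SubKeys     = @($subKeys | ForEach-Object { $_.PSChildName })
    }

    # Installed-software check by display name (32- and 64-bit uninstall hives).
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    $matches = Get-ChildItem -Path $uninstallRoots -ErrorAction SilentlyContinue |
        Get-ItemProperty -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Protector Suite|ThinkVantage Fingerprint' }
    $result.ProtectorSuiteInstalled = [bool]$matches

    $result
}

$r = Test-UpekPassportResidue
$r | Format-List ComputerName, ProtectorSuiteInstalled, PassportKeyPresent, SubKeyCount, SubKeys

# A present key with subkeys means stored credentials may remain even if
# fingerprint login was merely disabled; the article says only deleting the
# passport, or uninstalling with "delete passport data" selected, removes them.
if ($r.PassportKeyPresent -and $r.SubKeyCount -gt 0) {
    Write-Warning 'Passport data present: delete the passport in Protector Suite or uninstall with passport data removal, then re-run this check.'
}
```

Run it across a fleet (for example via Invoke-Command) and remediate the machines that report a non-empty passport key; re-running it after the fix confirms the key is actually gone rather than just the fingerprint login being switched off.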

According to Wilson, every version of the software labeled “UPEK Protector Suite” that he and fellow penetration tester Adam Caudill have analyzed has tested positive for the vulnerability. In addition to Dell and Acer, other PC makers that preinstall the software include Amoi, Asus, Clevo, Compal, Gateway, IBM/Lenovo, Itronix, MPC, MSI, NEC, Sager, Samsung, Sony, and Toshiba. UPEK Protector Suite is also rebranded by Lenovo as ThinkVantage Fingerprint Software, Wilson said.

Given the claims made in the UPEK software that it’s a safe alternative to account logins, it’s surprising there has been no recall or an advisory warning of the vulnerability. Representatives from Apple and Authentec didn’t respond to an e-mail seeking comment for this brief.

Source:  arstechnica.com

Spoofing a Microsoft Exchange server: a new how-to

Friday, July 27th, 2012

The smartphone-based attack wreaks havoc on Android and iOS smartphones.

If you use an Android or iOS device to connect to a Microsoft Exchange server over WiFi, security researcher Peter Hannay may be able to compromise your account and wreak havoc on your handset.

At the Black Hat security conference in Las Vegas, the researcher at Edith Cowan University’s Security Research Institute in Australia described an attack he said works against many Exchange servers operated by smaller businesses. Android and iOS devices that connect to servers secured with a self-signed Secure Sockets Layer (SSL) certificate will connect to servers even when those certificates have been falsified.

“The primary weakness is in the way that the client devices handle encryption and do certificate handling, so it’s a weakness in SSL handling routines of the client devices,” Hannay told Ars ahead of his presentation on Thursday.  “These clients should be saying that the SSL certificate really doesn’t match, none of the details are correct.  I won’t connect to it.”

Hannay has developed an attack that uses a WiFi network to implement a rogue server with a self-signed certificate, rather than one issued by a trusted certificate authority. Vulnerable devices on the same network that try to connect to their regular Exchange server won’t reach that intended destination. Instead, they will initiate communications with Hannay’s imposter machine.

The use of an SSL certificate to protect an Exchange server is designed to preclude precisely this kind of man-in-the-middle attack. Devices are supposed to connect only if the certificate bears a valid cryptographic key certifying the service is valid. But that’s not what always happens, the researcher said.

Android devices that connect to an Exchange server with a self-signed certificate will connect to any server at its designated address, even when its SSL credential has been spoofed or contains invalid data. iOS devices fared only slightly better in Hannay’s tests: They issued a warning, but allowed users to connect anyway.  Microsoft Windows Phone handsets, by contrast, issued an error and refused to allow the end user to connect.

Once a phone connects to a rogue server used in Hannay’s experiments, a script he wrote issues a command to remotely wipe its contents and to restore all factory settings.  He said it’s also possible to retrieve the login credentials users need to sign in to their accounts. Hannay said a malicious hacker could then use that information to login to the legitimate account.

“It’s really simple and that’s what’s disturbing to me,” Hannay said. “The whole attack is just 40 lines of Python and most of that is just connection handling.”

As stated earlier, the attack works only against phones that have connected to an Exchange server secured by a self-signed SSL certificate.  Hannay said most organizations with fewer than 50 people use such credentials, rather than paying to have a certificate signed by a recognized certificate authority.
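Since the attack only works against deployments that have trained their clients to accept a self-signed certificate, the defender’s first step is to find out whether the Exchange Client Access server is serving ActiveSync and OWA with one. The script below is an added example for this page, not Hannay’s code and not from Microsoft; it assumes an Exchange 2010 Management Shell session on the Client Access server. It lists the certificates bound to IIS and flags those whose issuer is their own subject, which is what “self-signed” means; the function name is an assumption.

```powershell
# Added example (not from the article or from Hannay's research). Run in the
# Exchange Management Shell on an Exchange 2010 Client Access server. Lists the
# certificates bound to IIS (the ActiveSync/OWA endpoint) and flags self-signed
# ones: the condition the article says leaves Android and iOS clients unable to
# tell the real server from an imposter.

function Get-SelfSignedEasCertificate {
    Get-ExchangeCertificate |
        Where-Object { $_.Services -match 'IIS' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter
                # A certificate whose issuer is its own subject was not issued by a CA.
                SelfSigned = ($_.Issuer -eq $_.Subject)
            }
        }
}

$certs = Get-SelfSignedEasCertificate
$certs | Format-Table Thumbprint, Subject, SelfSigned, NotAfter -AutoSize

foreach ($c in ($certs | Where-Object { $_.SelfSigned })) {
    $msg = 'IIS is bound to a self-signed certificate ({0}). Mobile clients that accept it ' +
           'cannot distinguish it from a rogue server''s certificate; replace it with a ' +
           'CA-issued one and bind it with Enable-ExchangeCertificate -Services IIS.'
    Write-Warning ($msg -f $c.Thumbprint)
}
```

Once a CA-issued certificate is in place, the devices’ stored accounts should be re-created rather than left pointing at the old self-signed credential, so that the client is no longer willing to accept a certificate that no legitimate server presents.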

Google and Apple didn’t respond to an e-mail seeking comment for this article. A Microsoft representative said members of the company’s Exchange team are looking into the report.

Source:  arstechnica.com

Spam-happy iOS trojan slips into App Store, gets pulled in rapid fashion

Friday, July 6th, 2012

You could call it technological baptism of sorts… just not the kind Apple would want. A Russian scam app known as Find and Call managed to hit the App Store and create havoc for those who dared a download, making it the first non-experimental malware to hit iOS without first needing a jailbreak.

As Kaspersky found out, it wasn’t just scamware, but a trojan: the title would swipe the contacts after asking permission, send them to a remote server behind the scenes and text spam the daylights out of any phone number in that list.

Thankfully, Apple has already yanked the app quickly and explained to The Loop that the app was pulled for violating App Store policies.  We’d still like to know just why the app got there in the first place, but we’d also caution against delighting in any schadenfreude if you’re of the Android persuasion. The app snuck through to Google Play as well, and Kaspersky is keen to remind us that Android trojans are “nothing new;” the real solution to malware is to watch out for fishy-looking apps, no matter what platform you’re using.

Source:  engadget.com

U.N. could tax U.S.-based Web sites, leaked docs show

Friday, June 8th, 2012

Global Internet tax suggested by European network operators, who want Apple, Google, and other Web companies to pay to deliver content, is proposed for debate at a U.N. agency in December.


The United Nations is considering a new Internet tax targeting the largest Web content providers, including Google, Facebook, Apple, and Netflix, that could cripple their ability to reach users in developing nations.

The European proposal, offered for debate at a December meeting of a U.N. agency called the International Telecommunication Union, would amend an existing telecommunications treaty by imposing heavy costs on popular Web sites and their network providers for the privilege of serving non-U.S. users, according to newly leaked documents.

The documents (No. 1, No. 2) punctuate warnings that the Obama administration and Republican members of Congress raised last week about how secret negotiations at the ITU over an international communications treaty could result in a radical re-engineering of the Internet ecosystem and allow governments to monitor or restrict their citizens’ online activities.

“It’s extremely worrisome,” Sally Shipman Wentworth, senior manager for public policy at the Internet Society, says about the proposed Internet taxes. “It could create an enormous amount of legal uncertainty and commercial uncertainty.”

The leaked proposal was drafted by the European Telecommunications Network Operators Association, or ETNO, a Brussels-based lobby group representing companies in 35 nations that wants the ITU to mandate these fees.

While this is the first time this proposal has been advanced, European network providers and phone companies have been bitterly complaining about U.S. content-providing companies for some time. France Telecom, Telecom Italia, and Vodafone Group want to “require content providers like Apple and Google to pay fees linked to usage,” Bloomberg reported last December.

ETNO refers to it as the “principle of sending party network pays” — an idea borrowed from the system set up to handle payments for international phone calls, where the recipient’s network sets the per-minute price. If its proposal is adopted, it would spell an end to the Internet’s long-standing, successful design based on unmetered “peered” traffic, and effectively tax content providers to reach non-U.S. Internet users.

The sender-pays framework would likely prompt U.S.-based Internet services to reject connections from users in developing countries, who would become unaffordably expensive to communicate with, predicts Robert Pepper, Cisco’s vice president for global technology policy.

Developing countries “could effectively be cut off from the Internet,” says Pepper, a former policy chief at the U.S. Federal Communications Commission. The ETNO plan, he says, “could have a host of very negative unintended consequences.”

It’s not clear how much the taxes levied by the ETNO’s plan would total per year, but observers expect them to be in the billions of dollars. Government data show that in 1996, U.S. phone companies paid their overseas counterparts a total of $5.4 billion just for international long distance calls.

If the new taxes were levied, larger U.S. companies might be able to reduce the amount of money they pay by moving data closer to overseas customers, something that Netflix, for instance, already does through Akamai and other content delivery networks. But smaller U.S. companies unable to afford servers in other nations would still have to pay.

The leaked documents were posted by the Web site WCITLeaks, which was created by two policy analysts at the free-market Mercatus Center at George Mason University in Arlington, Va, who stress their Wikileaks-esque project is being done in their spare time. The name, WCITLeaks, is a reference to the ITU’s December summit in Dubai, the World Conference on International Telecommunications, or WCIT.

Eli Dourado, a research fellow who founded WCITLeaks along with Jerry Brito, told CNET this afternoon that the documents show that Internet taxes represent “an attractive revenue stream for many governments, but it probably is not in the interest of their people, since it would increase global isolation.”

Dourado hopes to continue posting internal ITU documents, and is asking for more submissions. “We hope that shedding some light on them will help people understand what’s at stake,” he says.

One vote per country

ETNO’s proposal arrives against the backdrop of negotiations now beginning in earnest to rewrite the International Telecommunications Regulations (PDF), a multilateral treaty that governs international communications traffic. The ITRs, which date back to the days of the telegraph, were last revised in 1988, long before the rise of the commercial Internet and the ongoing migration of voice, video and data traffic to the Internet’s packet-switched network.

The U.S. delegation to the Dubai summit, which will be headed by Terry Kramer, currently an entrepreneur-in-residence at the Harvard Business School, is certain to fight proposals for new Internet taxes and others that could curb free speech or privacy online.

But the ITU has 193 member countries, and all have one vote each.

If proposals harmful to global Internet users eventually appear in a revision to the ITRs, it’s possible that the U.S. would refuse to ratify the new treaty. But that would create additional problems: U.S. network operators and their customers would still be held to new rules when dealing with foreign partners and governments. The unintended result could be a Balkanization of the Internet.

In response to the recent criticism from Washington, ITU Secretary-General Hamadoun Toure convened a meeting yesterday with ITU staff to deny charges that the WCIT summit in Dubai “is all about ITU, or the United Nations, trying to take over the Internet.” (The ITU also has been criticized, as CNET recently reported, for using the appearance of the Flame malware to argue it should have more cybersecurity authority over the Internet.)

“The real issue on the table here is not at all about who ‘runs’ the Internet — and there are in fact no proposals on the table concerning this,” Toure said, according to a copy of his remarks posted by the ITU. “The issue instead is on how best to cooperate to ensure the free flow of information, the continued development of broadband, continued investment, and continuing innovation.”

Robert McDowell, a Republican member of the Federal Communications Commission who wrote an article (PDF) in the Wall Street Journal in February titled “The U.N. Threat to Internet Freedom,” appeared to reference the ETNO’s proposal for Internet taxes during last week’s congressional hearing.

Proposals that foreign governments have pitched to him personally would “use international mandates to charge certain Web destinations on a ‘per-click’ basis to fund the build-out of broadband infrastructure across the globe,” McDowell said. “Google, iTunes, Facebook, and Netflix are mentioned most often as prime sources of funding.”

They could also allow “governments to monitor and restrict content or impose economic costs upon international data flows,” added Ambassador Philip Verveer, a deputy assistant secretary of state.

ITU spokesman Paul Conneally told CNET this week that:

There are proposals that could change the charging system, but nothing about pay-per-click as such. There isn’t anything we can comment about this interpretation because, as stated before, member states are free to interpret proposals as they like, so if McDowell chooses to interpret as pay-per-click, that is his right and similarly it is he who should provide pointers for you.

From the beginning, the Internet’s architecture has been based on traffic exchange between backbone providers for mutual benefit, without metering and per-byte “settlement” charges for incoming and outgoing traffic. ETNO’s proposal would require network operators and others to instead negotiate agreements “where appropriate” aimed at achieving “a sustainable system of fair compensation for telecommunications services” based on “the principle of sending party network pays.”

“Not all those countries like open, transparent process”

This isn’t the first time that a U.N. agency will consider the idea of Internet taxes.

In 1999, a report from the United Nations Development Program proposed Internet e-mail taxes to help developing nations, suggesting that an appropriate amount would be the equivalent of one penny on every 100 e-mails that an individual might send. But the agency backed away from the idea a few days later.

And in 2010, the U.N.’s World Health Organization contemplated, but did not agree on, a “bit tax” on Internet traffic.

Under the ITU system for international long distance, government-owned telecommunications companies used to make billions from incoming calls, effectively taxing the citizens of countries that placed the calls. That meant that immigrants to developed nations paid princely sums to call their relatives back home, as high as $1 a minute.

But technological advances have eroded the ability of the receiving countries to collect the fees, and the historic shift to voice over Internet Protocol services such as Skype has all but erased the transfer payments. Some countries see the WCIT process as a long-shot opportunity to reclaim those riches.

The ITU’s process has been controversial because so much of it is conducted in secret. That’s drawn unflattering comparisons with the Anti-Counterfeiting Trade Agreement, or ACTA, an international intellectual property agreement that has generated protests from Internet users across the world. (The Obama administration approved ACTA in 2011, before anyone outside the negotiations had a chance to review it.)

By comparison, the Internet Society, with 55,000 members and 90 worldwide chapters, hosts the engineering task forces responsible for the development and enhancement of Internet protocols, which operate through virtual public meetings and mailing lists.

“Not all those countries like open, transparent process,” says Cisco’s Pepper, referring to the ITU’s participants. “This is a problem.”

Source:  CNET

U.N. takeover of the Internet must be stopped, U.S. warns

Friday, June 1st, 2012

A U.N. summit later this year in Dubai could lead to a new international regime of censorship, taxes, and surveillance, warn Democrats, Republicans, the Internet Society, and father of the Internet Vint Cerf.

Democratic and Republican government officials warned this morning that a United Nations summit in December will lead to a virtual takeover of the Internet if proposals from China, Russia, Iran, and Saudi Arabia are adopted.

It was a rare point of bipartisan agreement during an election year: a proposal that Russian Prime Minister Vladimir Putin described last year as handing the U.N. “international control of the Internet” must be stopped.

“These are terrible ideas,” Rep. Fred Upton, a Michigan Republican, said during a U.S. House of Representatives hearing. They could allow “governments to monitor and restrict content or impose economic costs upon international data flows,” added Ambassador Philip Verveer, a deputy assistant secretary of state.

Robert McDowell, a member of the Federal Communications Commission, elaborated by saying proposals foreign governments have pitched to him personally would “use international mandates to charge certain Web destinations on a ‘per-click’ basis to fund the build-out of broadband infrastructure across the globe.”

“Google, iTunes, Facebook, and Netflix are mentioned most often as prime sources of funding,” McDowell said. Added Rep. Anna Eshoo, a California Democrat whose district includes Facebook’s headquarters, many countries “don’t share our view of the Internet and how it operates.”

What prompted today’s hearing — and a related congressional resolution (PDF) supporting a free and open Internet — is a Dubai summit that will be convened by the 193 members of the U.N.’s International Telecommunications Union, which was chartered in 1865 to oversee international telegraph regulations.

Called the World Conference on International Telecommunications, or WCIT, the summit will review a set of telecommunications regulations established in 1988, when home computers used dial-up modems, the Internet was primarily a university network, and Facebook CEO Mark Zuckerberg was a mere 4 years old.

That review has created an opening for countries with a weak appreciation of free speech and civil liberties — with Russia and China in the lead — to propose the U.N. establish a new “information security” regime or create an alternative to ICANN, the nonprofit organization that has acted as the Internet’s de facto governance body since the late 1990s.

Unless the U.S. and its allies can block these proposals, they “just might break the Internet by subjecting it to an international regulatory regime designed for old-fashioned telephone service,” Rep. Greg Walden, an Oregon Republican said. (U.S. allies include Japan, Canada, Mexico, and many European countries.)

This is hardly the first time that the U.N. or its agencies wanted to expand their influence over the Internet. At a 2004 summit at the U.N.’s headquarters in New York, U.N. Secretary General Kofi Annan criticized the current system through which Internet standards are set and domain names are handled, and delegates from Cuba, Ghana, Bolivia and Venezuela objected to what they said was too much control of the process by the U.S. government and its allies.

Two years later, at another U.N. summit in Athens, ITU Secretary General Yoshio Utsumi criticized the current ICANN-dominated process, stressing that poorer nations are dissatisfied and are hoping to erode U.S. influence. “No matter what technical experts argue is the best system, no matter what self-serving justifications are made that this is the only possible way to do things, there are no systems or technologies that can eternally claim they are the best,” Utsumi said.

In 2008, CNET was the first to report that the ITU was quietly drafting technical standards, proposed by the Chinese government, to define methods of tracing the original source of Internet communications and potentially curbing the ability of users to remain anonymous. A leaked document showed the trace-back mechanism was designed to be used by a government that “tries to identify the source of the negative articles” published by an anonymous author.

December’s meeting has alarmed even the Internet’s technologists. The Internet Society, which is the umbrella organization for the Internet Engineering Task Force (IETF) and the Internet Architecture Board (IAB), sent a representative to today’s hearing.

ISOC’s Sally Wentworth, senior manager of public policy for the group, warned that the proposals to be considered are not “compatible” with the current open manner in which the Internet is managed.

Vint Cerf, Google’s chief Internet evangelist, co-creator of the TCP/IP protocol, and former chairman of ICANN, said the ITU meeting could lead to “top-down control dictated by governments” that could impact free expression, security, and other important issues.

“The open Internet has never been at a higher risk than it is now,” Cerf said.

Source:  CNET

Official version of Office for iPad, Android now rumored for November

Thursday, May 24th, 2012

The mobile version will reportedly look similar to a version leaked in February.

A new rumor suggests iPad and Android tablet users will be able to use a native, tablet-optimized version of Microsoft Office this fall. According to a source speaking to BGR, Microsoft will have a version of Office for both platforms ready in November.

A purported iPad version of Office was allegedly leaked in February, though Microsoft denied that what was published was “an actual Microsoft product.” Despite this, the company wouldn’t say whether it was in fact working on a version of Office for Apple’s popular tablet or not.

BGR’s source claimed to have seen Office running on an iPad, and confirmed that it looked “almost identical” to the previously leaked version. Additionally, Microsoft will reportedly release the software for Android-based tablets in the same November timeframe.

Microsoft would neither confirm nor deny the information in BGR’s report. “We have nothing to share at this time as we do not comment on rumors or speculation,” a Microsoft spokesperson told Ars.

With the increasing uptake of tablets at home, work, and school, there has been a growing demand to use Microsoft’s popular word processing, spreadsheet, and presentation applications on mobile devices. There are a number of apps that offer varying compatibility with existing Office documents, and a few solutions have popped up which allow running Office on virtualized Windows environments running on remote servers. Such solutions do work, but aren’t optimized for tablet interfaces.

Source:  arstechnica.com

Apple patches 36 bugs in OS X, fixes encryption password goof

Thursday, May 10th, 2012

Update includes fixes to FileVault in Lion and Snow Leopard, as well as QuickTime bugs

Apple yesterday patched 36 vulnerabilities in Mac OS X, most of them critical, plugging a hole that revealed passwords used to encrypt folders with an older version of FileVault.

Both Mac OS X 10.7, aka Lion, and 10.6, better known as Snow Leopard, were updated with fixes. The two operating systems were last updated in February.

High on the fix list was one specific to Lion that put FileVault passwords in plain text, where they could easily be read — and thus encrypted folders deciphered — if a Mac was stolen or lost. The software consultant who publicly reported the bug attributed it to a programming error on Apple’s part.

“The login process recorded sensitive information in the system log, where other users of the system could read it,” Apple’s advisory stated. Apple also acknowledged that the plain-text passwords may persist in the Mac’s logs after users update to 10.7.4 and urged them to review a support document that walked through steps to eradicate any that are remaining.

Among the other patches were four Snow Leopard-only fixes quashing bugs that could be exploited via malicious image files; another four in QuickTime, Apple’s media player and browser plug-in; and one in FileVault 2, the full-disk encryption technology used by Lion.

The FileVault 2 flaw caused some data to be left unencrypted when a Mac went into “sleep” mode.

Twenty-one of the 36 vulnerabilities were tagged with Apple’s phrase of “arbitrary code execution,” indicating they were critical flaws that, if exploited by attackers, could result in a Mac malware infection.

Eight of the bugs affected only Snow Leopard.

On Lion, Apple also included a number of nonsecurity fixes it categorized as stability and compatibility improvements. Many of them were related to connecting to network services, such as Microsoft’s Active Directory and that company’s Server Message Block (SMB) file-sharing protocol. Both are used by Macs in enterprises to access corporate resources held on servers running Windows.

Snow Leopard’s update, dubbed “Security Update 2012-002,” received no feature improvements.

Yesterday’s update may be the last for Snow Leopard, as Apple seems to be on the fast track for OS X 10.8, aka Mountain Lion, which may ship as soon as late June. Apple typically stops serving security updates to the oldest edition in its support rotation when it finalizes a major operating system upgrade.

Last year, OS X 10.5, or Leopard, received its final security update in late June, about a month before Apple launched Lion. Leopard’s versions of iTunes, QuickTime, and Java, however, were updated after June 2011.

As usual, some users reported problems with the update.

On the Lion support forum, complaints ranged from kernel errors and difficulty reaching a Wi-Fi network to numerous reports of bricked MacBook Pros.

No one problem was dominant in those reports, but the MacBook Pro-not-booting thread was heavily trafficked, with more than 1,500 views since its inception Wednesday afternoon.

Mac OS X 10.7.4 and the separate 2012-002 security update for Snow Leopard can be downloaded from Apple’s support site or installed using the operating system’s built-in update service.

Source:  infoworld.com

Half of all Macs will lack access to security updates by summer

Tuesday, May 8th, 2012

Unless Apple changes its security update practice, nearly half of all Mac users will be adrift without patches sometime this summer.

Apple will launch OS X 10.8, aka Mountain Lion, in the next few months, and then will — barring a change in a decade-old habit — stop serving patches to OS X 10.6, or Snow Leopard.

Although Apple has never spelled out its support policy for older operating systems, it has always dropped an edition around the time it has two newer versions in play. If the current OS X is dubbed “n,” then “n-2” support ends at the debut of “n.”

In other words, patches are provided only to the newest OS X and the one immediately preceding it.

The company has practiced this since OS X’s birth: The second iteration, 10.1 — dubbed Puma — received its final security update in January 2004, three months after the appearance of OS X 10.4, or Panther.

More recently, Apple snuffed out support for OS X 10.5, aka Leopard, when 10.7, or Lion, shipped. The former got its last security update in June 2011, a month before the latter was released.

If Apple continues this policy, Snow Leopard users will stop seeing patches about the time Mountain Lion ships. Apple has not set a hard date for OS X 10.8′s debut, although it has pegged “late summer.”

But Snow Leopard currently accounts for 41.5% of all versions of OS X, according to Web metrics company Net Applications’ latest statistics. Assuming Snow Leopard’s share continues to drop at the average pace of the last six months, it will still power 34.4% of all Macs in August or 32.6% in September.

With earlier editions included, that means 48.4% of all Macs will be without security updates if Apple stops serving Snow Leopard in August. If it continues patching until September, the number sans fixes drops to 45.9%.

Some security professionals see those numbers as too high, and Apple’s support lifespan too short.

“[OS X] 10.6 released in August 2009, which means that any Mac purchased prior to that date and not subsequently upgraded will be running a version which receives no security support [Emphasis in original],” Robin Stevens, part of the University of Oxford’s network security team, said in a blog post last month.

“[Apple has] been complacent in terms of their attitude to security and support, especially when compared to their chief competitor [Microsoft],” Stevens added. “By comparison, Apple appear to be making minimal effort, and are putting their customers at risk as a result.”

Stevens wanted Apple to commit to a support lifetime of at least five years.

Other experts don’t see Apple’s support practice as the biggest problem, but instead tagged the company’s notorious silence.

“The average seems to be about three years,” said Andrew Storms, director of security operations for nCircle Security, talking about the length of time Apple provides security updates for a given edition of OS X. “That’s not bad if you compare it to hardware amortization. But really, the bigger issue is that no one really knows. Apple doesn’t communicate how long it will support a version or a roadmap for future releases.”

John Pescatore, a Gartner analyst, agreed, citing Apple’s lack of a roadmap as the biggest sticking point for companies that increasingly must manage Macs alongside Windows PCs. “That’s not enterprise friendly,” he said.

Apple’s opacity stands in contrast to Microsoft, which has long clearly laid out its support lifecycle, and regularly reminds users when an edition of Windows or Office is nearing its end.

“When they decide to release a new OS X, if you’re behind two [versions], you’re DOA or SOL, take your pick,” said Storms. “But we never see those blogs from Apple that we do from Microsoft reminding that you need to upgrade [to keep receiving security updates].”

Pescatore didn’t have a problem with Apple’s support lifecycle, calling it “in the middle” between Microsoft’s 10-year policy for Windows and the constantly-updating cloud services like Google Apps or Microsoft’s Office 365.

More to the point, Apple’s shorter support stretch is how things are quickly leaning, said Pescatore, ticking off the typical two-year turnover of smartphones and businesses taking to the cloud because of continuous updates.

Customers, including IT managers, better get used to it.

“In the real world, IT is going to have less and less control over the OS,” said Pescatore. “IT really doesn’t want to operate that way — they’ll try to fight it — but they’re going to have to learn how. Fighting the trend is going to be impossible.”

Even though the recent Flashback malware campaign has demonstrated that unsupported Leopard Macs were infected at a rate almost double its market share, Pescatore said the move to shorter support lifespans will continue. And customers will adapt. If they can’t, the market will provide solutions — as it has before for Windows — to keep Macs safer.

And most users can upgrade when Apple releases a new operating system, Pescatore and Stevens noted.

While Apple has yet to define the migration path for Snow Leopard users, it has dropped hints that they may be able to upgrade to Mountain Lion: Snow Leopard machines can be boosted to Mountain Lion’s developer preview.

Source:  computerworld.com

Apple to release Flashback removal software, working to take down botnet

Wednesday, April 11th, 2012

Apple plans to release software that will detect and remove Flashback malware infections on the Mac, the company announced Tuesday. In a knowledge base link published late in the day, Apple explained that it’s aware of the infection—which takes advantage of a previously unpatched Java vulnerability—saying that the software was coming, but no specific release date was given.

In addition to the Flashback detection software, Apple said that it’s “working with ISPs worldwide” to disable the botnet’s command and control (C&C) servers. Kaspersky researcher Kurt Baumgartner told Forbes earlier on Tuesday that “Apple is taking appropriate action by working with the larger Internet security community to shut down the Flashfake [also known as Flashback] C2 domains,” and Apple’s latest efforts seem to coincide with Baumgartner’s statement.

“Apple is developing software that will detect and remove the Flashback malware,” Apple wrote. “In addition to the Java vulnerability, the Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions. Apple is working with ISPs worldwide to disable this command and control network.”

We have been covering the Mac Flashback trojan since 2011, but the malware recently picked up steam. Last week, Russian security firm Dr. Web reported that it had infected more than half a million Macs worldwide. (The aforelinked Forbes report claimed Apple tried to take down Dr. Web’s sinkhole server for Flashback, but it seems most likely that this was an accidental inclusion in Apple’s attempts to take down the botnet’s C&Cs.)

There are already a couple of ways to detect and remove a Flashback infection, but they involve some Terminal kung-fu that less experienced users might not feel comfortable with. Apple’s solution will undoubtedly target mainstream users who have heard about Flashback and want to ensure their Macs remain malware-free.

Source:  arstechnica.com