People don’t like it when apps surreptitiously steal personal information. Apparently Apple’s primary concern is the “surreptitious” part, though, rather than preventing personal data from being leaked or collected. New dialog boxes in iOS 6 may protect Apple, but will do little to help users safeguard their privacy.
Earlier this year the proverbial “stuff” hit the fan when it was discovered that Path--a popular social networking app--was stealing contact info from the address books of the iOS devices it was installed on. That incident was followed by other revelations of privacy infringement, and congressional inquiries demanding stricter protection for users.
Apple responded to Congress with a statement claiming that a future release of iOS would change the process so that any app wishing to access sensitive data like contact information will require explicit user approval. That “future release”, it seems, is iOS 6.
It's no secret that the Web is full of malicious content, but Google on Tuesday published some statistics that reveal just how breathtaking the scale of that danger really is.
In fact, Google uncovers some 9,500 new malicious websites every day through its Safe Browsing initiative, according to a blog post from Google Security Team blogger Niels Provos.
“These are either innocent websites that have been compromised by malware authors, or others that are built specifically for malware distribution or phishing,” Provos explained. “While we flag many sites daily, we strive for high quality and have had only a handful of false positives.”
Generally when Google shows up in the news regarding information being exposed on the Web it’s about privacy issues and concerns that too much data is being stored or distributed by the Internet giant. It’s also possible, though, that in some cases Google may not be displaying enough information.
About two years ago Google started posting data online in its Transparency Report. The data includes real-time traffic information, as well as requests from individuals, companies, or governments to surrender data, and requests to have sites or information removed from Google search or from YouTube.
Requests from users to remove sites are monitored in real time, but the data for government takedown requests is only updated every six months. While we might expect certain strict regimes like China or Thailand to police the Internet in this way, Google says it’s not necessarily the case.
Analysis of the massive ‘Flame’ cyber attack code has revealed that rogue Microsoft security certificates were used to make the malware appear as if it was officially signed by Microsoft. Microsoft has issued a security advisory, revoked trust in the rogue certificates, and provided steps to help IT admins and users prevent attacks that rely on the spoofed Microsoft certificates.
A post on the Microsoft Security Response Center blog states plainly, “We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft.”
Andrew Storms, director of security operations for nCircle, declares, “The discovery of a bug that’s been used to circumvent Microsoft’s secure code certificate hierarchy is a major breach of trust, and it’s a big deal for every Microsoft user. It also underscores the delicate and problematic nature of the trust models behind every Internet transaction.”
Malware researchers claim that the code behind “Flame” bears many resemblances to Stuxnet and Duqu. The sophistication of the attack and the techniques used within the threat are similar, and so is the primary target: Iran.
While no group or nation has yet taken responsibility officially for Stuxnet or Duqu, the complexity of the attacks combined with the focus on Iran has fueled speculation that the malware is possibly a state-sponsored attack engineered by the United States or Israel. A Symantec blog post suggests similar origins for ‘Flame’: “As with the previous two threats, this code was not likely to have been written by a single individual but by an organized, well-funded group of people working to a clear set of directives.”
A tireless collaborative effort by the iOS Jailbreak Dream Team (a group comprised of members from the Chronic-Dev Team and the iPhone Dev Team) has yielded Absinthe 2.0--a jailbreak utility for iOS 5.1.1. While some appreciate being able to break out of Apple’s “walled garden”, the fact that iOS devices can be rooted poses a significant security risk.
A press release for Absinthe 2.0 explains the concept of jailbreaking: “iOS jailbreaking, or simply jailbreaking, is the process of removing the limitations imposed by Apple on devices running the iOS operating system through use of custom security exploits. Jailbreaking allows users to gain elevated access to the operating system. Consequently it also allows users to download additional applications, extensions and themes that are unavailable through the official Apple App Store.”
Those who choose to jailbreak their own iOS devices to get around Apple restrictions or limitations do so with conscious intent and understand the risks involved. A jailbroken iOS device is also able to install apps from outside of the Apple App Store which have not been vetted by Apple and could contain malicious code. Apple will not support jailbroken devices, so you’re on your own.
Microsoft released a total of seven new security bulletins for May’s Patch Tuesday. Four are rated as Important, and the other three are Critical, but two in particular are getting the most attention: MS12-034 and MS12-029.
MS12-034 fixes 10 separate vulnerabilities spanning a range of Microsoft products including Windows, Office, .NET Framework, and Silverlight. It’s unusual for Microsoft to lump so many products together in a single security bulletin or patch.
Wolfgang Kandek, CTO of Qualys, provides some background to explain the unusual patch in a blog post. MS12-034 is the result of an effort by Microsoft to seek out other products using the same flawed code exploited by Duqu. This patch knocks out all of the other instances, and addresses a variety of other security issues in the affected products at the same time.