
Security Week 39: XcodeGhost, D-Link certificate leak, a million for an iOS 9 bug

A new episode of the series starts with news that is not, strictly speaking, about information security. Volkswagen diesel cars were found to show different emission readings while driving and during stationary testing. Until everything is completely clear in this story, I would rather stick to that cautious wording. The story shows how important software has become: it turned out that a small tweak in the program code can change a very important characteristic of the car, so much so that nobody notices.



Wired writes that hiding the increased emissions was easy. How is laboratory testing done? The car is put on rollers, the gas pedal is pressed, the wheels spin, the engine runs, the exhaust is analyzed. What is the only difference between this mode and ordinary driving on a highway? Right: the steering wheel does not move. So a single condition is enough: nobody is turning the steering wheel while the car is driving, therefore we are at the inspection station. Such a "hack" could only be discovered by chance, which is exactly what happened.



Again, until the story is told to the end, the difference in exhaust can be treated either as a deliberate act by the automaker (or rather by a narrow group of people responsible for the control code) or as a simple mistake. Could it have been a mistake? Quite possibly. This week's digest of the most important news from Threatpost.ru is about how mistakes happen, how they are exploited, and how money is made on them. All previous issues are here.



D-Link mistakenly published its own code-signing certificates.

News. A detailed investigation on the Dutch site Tweakers.net, with a thick layer of Google Translate.

Imagine that you are a manufacturer of all sorts of network gear, from routers to surveillance cameras. Attached to the hardware are firmware, drivers, software, software for updating firmware, software for updating drivers, drivers for updating software and firmware, and so on. All of it sits somewhere on a secret server in a folder called "Virtual Flow" and, on a pre-approved schedule, gets updated, sent out and placed on the update servers; boxes get ticked, users receive updates, everything is fine.



Naturally, an endless catalogue of hardware cannot be maintained by hand; scripts do this. Fresh code comes in, a batch file (shell script, Python, whatever) is launched, the fresh code is sorted into the right folders, everything is packed into an archive, and everyone is happy. But then an engineer, let's call him Jack, decides to radically improve the script, tests it on a couple of tasks and is completely satisfied with the result. And this is the bug that Jack built: in the one line of code responsible for selecting the files and folders for the update, a space is missing or an extra bracket is placed, and hello, something that should never have gone public under any circumstances starts being shipped to users.



This is, of course, my fantasy; maybe it did not happen that way. What actually turned out is this: a vigilant user who downloaded a firmware update for a D-Link webcam found in the archive the keys with which the vendor signs its software. There were several certificate keys; some had expired, but one only recently, on September 3.







And before that, for six months the key had been in the public domain, and it could have been used to sign any software, including malware. A clear mistake, embarrassing and dangerous. We live in an era when a string of 512 numbers can contain anything: the key to infecting millions of computers, hundreds of thousands of dollars in virtual currency, or access codes to top-secret information. Those same 512 bytes are a speck of dust on the surface of your computer's hard disk, which can just as easily be flung out into open space. One can only hope that nobody noticed, and most often that is what happens. But sometimes, alas, they do notice, although in the D-Link case specifically a simple search for malware signed with the lost key turned up nothing.
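The story above is exactly the kind of mistake a release script can catch before an archive reaches the update servers. The following is an added example, not D-Link's own tooling: it scans every member of a zip archive for PEM private-key blocks and PKCS#12 containers and returns what must not ship. The archive contents and file names are constructed for the demonstration.

```python
"""Pre-release scan of an update archive for private-key material.

Added example (not D-Link's tooling): the check a packaging script should
run before an archive is pushed to public update servers. Signing keys
must never ship to users, so any hit blocks the release.
"""
import io
import re
import zipfile

# PEM markers for the common private-key encodings (PKCS#1, PKCS#8, EC, OpenSSH).
PEM_KEY_RE = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)


def scan_member(name: str, data: bytes) -> list[str]:
    """Return the reasons an archive member looks like key material (empty = clean)."""
    reasons = []
    if PEM_KEY_RE.search(data):
        reasons.append("PEM private key block")
    # PKCS#12 bundles are DER-encoded and start with an ASN.1 SEQUENCE tag (0x30).
    if name.lower().endswith((".p12", ".pfx")) and data[:1] == b"\x30":
        reasons.append("PKCS#12 container")
    return reasons


def scan_archive(zip_bytes: bytes) -> dict[str, list[str]]:
    """Scan every file in a zip archive; map member name -> list of findings."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                reasons = scan_member(info.filename, fh.read())
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed archive: a firmware image plus two files that must not ship."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("firmware/camera.bin", b"\x7fELF" + b"\x00" * 64)
        zf.writestr("build/codesign/vendor.key",
                    b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n")
        zf.writestr("build/codesign/vendor.pfx", b"\x30\x82\x0a\x00" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_archive(build_sample_archive()).items():
        print(f"BLOCK RELEASE: {member}: {', '.join(why)}")
```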



XcodeGhost: a backdoor in Apple's IDE

News. Palo Alto study. List of infected applications. Official information from Apple, alas, in Chinese.



Imagine that you are a Chinese iPhone app developer. Actually, there is nothing to imagine here: the devices and the development tools are the same for developers from any country, except that you need to add a bit of local flavor. So for your next cool project you buy a new Mac, install the Xcode development environment on it and, accordingly, code. Everything is fine except for one thing: the free Xcode download from Apple's site is very slow, because it is hosted on the other side of the Great Firewall. It is easier to download it from a local site: much faster, and what's the difference, it is free either way.



Then suddenly a malicious insert is detected in the code of several applications, popular and not so popular, which at minimum sends encrypted information about the device to a C&C server. At maximum, it receives commands from the server, possibly allowing it to do something nasty to the device owner, and exploits vulnerabilities in iOS.





The backdoor code, from the Palo Alto study.



Next it turns out that the backdoor was in those very locally available builds of Xcode, and in several Xcode releases at once, that is, someone planted it quite deliberately. Worse still: the point is not even that two dozen fairly popular applications were affected (including the popular WeChat messenger and the local version of Angry Birds), but that the malicious code passed App Store moderation. Naturally, all the infected applications have now been removed, and once everyone knows about it, finding the backdoor is quite simple, at least by the domains of the command servers (which are also blocked). But without knowing about it, finding it was quite hard: it was hidden cleverly, inserted into the standard Apple libraries used in 99.9% of applications.



Here is another interesting point. The Intercept, which specializes (among other things) in publishing secret documents from Edward Snowden, reports that the way XcodeGhost-infected software got onto Apple devices matches the secret plans described in those very leaks. The journalists say they made that information public in March of this year. In other words, "See, we told you!". Well, we said it even earlier: in 2009, before Snowden and the others, we for example found malware that infected the Delphi IDE and inserted a backdoor into every compiled application. The idea lies on the surface. But knowing about such a problem, it is also easy to eliminate: it is enough to verify the integrity of the development tool against the reference copy. And, well, do not download software from dubious sources, although we are supposedly talking about experienced developers, right? Surely they cannot make such a banal mistake? It turns out that they can.



Exploit broker announces a million-dollar reward for an iOS 9 vulnerability

News



Wikipedia has a table on the history of jailbreaking Apple devices. Unlike Android and desktop operating systems, where full control over the system is, in general, standard and relatively easy to obtain, smartphones, tablets (and even watches and TV set-top boxes) from Apple were originally built so that user rights are quite seriously limited. And so, for seven years, the vendor has, on the one hand, been trying to protect its devices as much as possible, and on the other hand, ahem, the community of caring root enthusiasts has been hacking this protection. And almost always succeeds: a jailbreak for every device, with the exception of the third-generation Apple TV and (so far) the watch, has always appeared between one day and six months after the device went on sale.



So for the fresh iOS 9 a jailbreak seems to exist, and yet it seems not to: the system could not be broken all the way. Zerodium plans to "rectify" the situation by announcing a reward of up to a million dollars to anyone who shows how to hack iOS 9 with the following properties:



- The exploit must be launched remotely (for example, automatically when visiting a prepared page in the browser, or on opening or receiving an SMS or MMS)
- The exploit allows installing an arbitrary application on the device (for example, Cydia)
- The changes to the device must persist after a reboot
- The exploit must be "reliable, imperceptible, not requiring user intervention"







From this list it is already clear that the company is not going to throw three million dollars (the total prize fund) to the wind just to please the root enthusiasts. Zerodium's founder, Chaouki Bekrar, previously founded VUPEN. The latter specializes in supplying "government agencies" with tools for computer intrusion. It is a murky gray area in which, presumably, the good guys catch the bad guys with the bad guys' tools. And if VUPEN, at least officially, does not trade exploits, Zerodium was created precisely for that. This means that in the end someone may receive a lot of money, and someone else will hack devices using the purchased exploit without the details of the vulnerability being disclosed (otherwise, what is the point of paying?). What happens when exploit traders themselves get hacked we already know from the Hacking Team example: suddenly there were many zero-day vulnerabilities in public access, along with the company's shady business in the Middle East, and more.



So if someone really wants to break their own iPhone, that is by no means forbidden (or rather, it is forbidden, but with caveats). But hacking someone else's device without the user's knowledge is not nice, and if such a possibility is found, it is desirable that the vendor learn about it and close it. In the end, hacking for the noblest of goals is still hacking.



What else happened:

Adobe closed 23 vulnerabilities in Flash Player. In August another 30 were closed.



Data on millions of public-sector employees, including 5.6 million (!) fingerprints, was stolen from the US government. Couch analysts point out that a finger is not a password: you cannot change it, and the number of combinations is limited. So far nothing illegal can be done with these prints, but who knows where progress will lead.





Change fingerprints more often, use a fingerprint manager and never use the same fingerprint twice.



Antiquities:

"PrintScreen"



A very dangerous virus, 512 bytes long (1 sector). It infects the boot sector of floppy disks and the hard drive when they are read (int 13h). It stores the old boot sector on floppy disks at 1/0/3 (side/track/sector) and on the hard drive at 3/1/13. In doing so it can destroy one of the FAT sectors or data (depending on the disk size). When infecting a hard drive, it assumes that its boot sector is located at 0/1/1 (which indicates the low qualification of the virus author).



Hooks int 13h. Judging by the virus listing, on infecting a disk the virus should, with probability 1/256 (depending on the value of its internal counter), call int 5 (print screen), but an error is made, as a result of which the new counter value is not saved.



Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 102.



Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. Depends on luck.

Source: https://habr.com/ru/post/267683/
