Security Week 07: Apple vs. FBI, global glibc vulnerability, crypto-fiber and medicine

The week with extra work day turned out to be saturated and balanced. Events around the dispute between Apple and the US government agencies in the face of the FBI and the Ministry of Justice continue to evolve, but it is already clear that they will seriously affect the development of the security industry in terms of the protection of personal information. Unlike this purely political history, the critical vulnerability in the glibc library is an absolutely technical news, but directly or indirectly also affects everyone.

I would like to say that this week the debate over the possibility of influencing the development of technologies has intensified: between, so to speak, techies and humanities politicians. The first ones are guided by the opportunity to implement this or that functionality in software and hardware, the second - the need to negotiate with various stakeholders. In fact, they are not arguing about this. Technologies always evolve regardless of whether others are agreeable or not. By bringing its argument with the FBI into public space, Apple is struggling to stay at the forefront of this very technical development. In other words, if Apple loses, and the real (and even imaginary!) Security of the company's devices somehow suffer, it does not mean that the big brother will be sure to follow all of us. This means that a conditional pennant with the words “the safest smartphone” will be intercepted by some other company.

However, this is only a hypothesis. It is possible that while we are all vigorously discussing the breaking of encrypted data, someone somewhere is digging the next critical hole in the next glibc, and when it gets to the bottom, everything else on security will be irrelevant. Consider both cases in more detail. All editions of the digest are available by tag .

Apple vs FBI: Blocked iPhone Case, Terrorism, and the 1789 Law.
News
')
December 2, 2015 in San Bernardino, California, the attack occurred. An American citizen of Pakistani origin, along with an accomplice, shot his colleagues from the district health department. The attackers managed to escape, but they were blocked three kilometers from the crime scene. In the ensuing shootout, the criminals were shot. During the investigation, the criminal's phone was discovered: Apple iPhone 5c, a corporate smartphone officially owned by the employer. Presumably, Apple, at the request of government agencies, provided a backup of the data from the phone from a cloud service with iCloud. But there was an outdated copy of data in the cloud, dated October 19, after which, again, the owner of the phone was supposedly turned off the backup feature.

The intention of the FBI is to get absolutely all the data from the smartphone in the court order against Apple (the source filed the EFF), which quite clearly stated what the company should do to help the investigation. Namely: (1) disable the function that destroys the data on the phone after ten incorrect attempts to enter the passcode (2) to ensure the possibility of entering the passcode electronically (3) disable the delay between input attempts.



In other words, the FBI wants to select a passcode by brute force, and requires Apple to bypass all the built-in restrictions that make matching impossible. The material of The Intercept notes that the success of such a scenario depends on the length of the password: a four-digit pincode takes seconds, a seven-digit one — up to nine days, a ten-digit one — 25 years. But this is if Apple obeys, but so far the company does not want to do this. In an appeal to Apple CEO clients, Tim Cook said that the company had transferred all the data that it had to government agencies that could help the investigation. And the “brute force plan” rightly called the backdoor: “The US government asked us to give what we simply do not have and do what we consider too dangerous.”



The facts ended there, and a heated discussion began. But we are dealing with a political issue, which is very remotely related to technology, and the possible victory or loss of Apple will most likely be the result of negotiations, influenced by public opinion, arguments of lawyers in court, statements by interested parties in the media and so on. To bring together the main (today) results of such a “discussion” is easiest in the format of questions and answers.

What is the reason for the Apple requirement from the point of view of US law?
Very interesting question, thank you. The claim is based on the 1789 Act, known as the All Writs Act. He is part of the law, which actually created the entire US judicial system, after being signed by George Washington, the country's first president. In general, this happened back in the days when California, where Apple’s headquarters will be located two hundred years later and the terrorist act will take place, was a colony of Spain along with Mexico, and was not part of the United States. If to simplify everything to the utmost, the act left a loophole for the imperfect legislative system of the young American state: it gave the courts the freedom to make the necessary decisions without referring to the laws that had already been adopted.

In a detailed review of the legislative part of this story, Gizmodo cites judicial practice using this act. Now, when there are no problems with legislation, All Writs Act is not often used, but regularly. For example, in 1977, a telecommunications company was obliged to help track down negotiations of a criminal gang involved in racketeering. That is, it turns out that the ancient law applies because the rules for hacking smartphones are not written anywhere else. If the US Congress did not bother with putting this practice in order, then the court has to use these shortcuts. The Gizmodo material also contains a rare case when the judge refused to use this act, putting a fair question (though in another case and for another reason): is there no legislative basis, because Congress did not have time to create it, or because it did not want to?

Why does the FBI ask Apple to hack an iPhone and not do it on their own?
Obviously, because the feds cannot do this on their own. The whole situation suggests that the methods of information protection implemented by Apple work. There is another nuance that surfaced just yesterday. Apple organized a conference call with journalists, on some unprecedented conditions. Representatives of the company shared their vision of the problem, while journalists were not allowed to quote them verbatim! Moreover, even the names of company representatives were not disclosed. According to anonymous Apple employees, the FBI shot itself in the foot, accidentally dropping the password to the iCloud account to which the smartphone was attached. If this had not happened, the phone, being turned on, but still blocked, would have synchronized itself with iCloud, from where the data could supposedly be obtained with the help of the company. After the reset, such an opportunity was missed: the password on the phone is wrong, and what is correct , no one knows and cannot find out.

What are the positions of the parties?
Apple announced its position on February 16: the proposed solution is equivalent to creating a backdoor, this puts all our customers in danger, we don’t want to do this. Moreover, the statement was made in a public field. State representatives responded on February 19, and not publicly, but as a statement to the court in this case. According to representatives of the Department of Justice, Apple has the technical ability to implement a password search system, but does not want to obey, preferring not the Law, but “marketing strategy”. “Not willing to obey” in this case may have direct legal consequences in court, and sounds like a threat.



Can Apple even bypass the security system?
Unknown. Tim Cook’s statement does not contain a clear answer to this question: “this is dangerous,” “they are asking for what we don’t have,” and so on. It is clear that Apple, as a developer of software and hardware for iPhones, can do a lot. The main question is: will the company comply?

According to the opponents of Apple, there is no particular danger. The court statement expressly states that the company can tie this dirty hack to a single phone, moreover, it is not obliged to transfer the soft-made software for password retrieval to the state. On the other hand, even the knowledge that Apple was able to implement such a scenario could theoretically enable the state or attackers to create their own backdoor. Naturally, the perception of the security of Apple smartphones will suffer if the company complies. Everyone will know that, in which case, the state will get to your data.

So the story is really important. It takes place against the background of a general discussion about where the balance is between the protection of personal data and the interests of the state, including when investigating crimes, acts of terror and so on. Here is a representative news from December last year: the FBI (and not only) claims that backdoors to encryption systems are normal if only specially trained people have access to them by court decision. Naturally, data protection specialists disagree: anyone can use backdoors. The dispute between Apple and the FBI in this context becomes an illustrative case: its outcome can seriously affect the security of the devices that we all use. Stocking up on popcorn.

Loss of Apple will not mean that strong cryptography will be unavailable or banned. It will simply become less common, and in the further development of data protection technologies such companies as Apple, Google, Facebook, Twitter (the last three supported Apple in the dispute) will play a smaller role. And they, clearly, would like to avoid it.

Cherry on the cake: John McAfee volunteered to hack the iPhone for free, for three weeks, using "mostly social engineering methods." The Internet is wondering exactly how McAfee is going to apply social engineering techniques to the owner of the phone, who was shot three months ago.

Critical glibc vulnerability detected
News

A critical vulnerability has been discovered in the GNU C Library (glibc), affecting all versions starting from 2.9, which was released in 2008. Guilty was the getaddrinfo () function, which is responsible for querying the DNS server. The problem is that an arbitrary code can be added to the response from the server, and, causing a buffer overflow, to execute it on the victim's system. The vulnerability was discovered by researchers at Google, and accidentally - their attention was attracted by the constant falling of the SSH client from the segmentation fault when accessing a specific server. That is, in order to conduct an attack using this vulnerability, you need to configure the DNS server in a certain way and somehow force the victim to make a request. This is not so difficult, and can be implemented, for example, in the process of man-in-the-middle attack, when instead of a legitimate DNS server, the path of the request is fake.

Opinions differ on how easy it is to run arbitrary code. Protection technologies such as ASLR can prevent this, but it is not at all necessary that they work on all devices — for example, in routers with the traditionally minimalistic linux environment, all the necessary protections may not be present. The detailed description of the vulnerability made by Red Hat employees indicated that realistic scripts for launching arbitrary code exist.



The severity of the vulnerability lies in the fact that glibc is used everywhere. As an illustration, I can not cite this tweet :



The library of standard functions is an addiction for a huge number of programs and packages for Linux. Accordingly, it is difficult to properly assess which programs and how this vulnerability is affected. For example, Android (the system itself) is not affected, because instead of glibc, it uses the Bionic alternative developed by Google. This does not mean that all native Android applications are not affected. The previous serious vulnerability in glibc, known as GHOST , caused the same issues, although there were fewer opportunities for actual remote operation. Result: a lot of problems for developers and administrators of a huge amount of software and hardware. It is noteworthy that researchers at Google and Red Hat discovered a bug independently of each other. Moreover, it turned out that glibc mainteners learned about the problem in July 2015. It is not clear why the problem was not closed for so long, and how did it happen that vulnerability appeared. But unlike the history of Apple, there is nothing to discuss, first of all you need to roll patches. Many patches in the most unexpected places in the software and hardware.

Hollywood hospital paid a ransom after a crypto-fiber attack
News

Well, for a snack, the story of the world of ordinary malware. The encryption industry Trojans, alas, are making millions in losses, but ordinary users are a typical victim of such cyber-divorce. Everything is much more complicated when companies are attacked. In this case, the victim was a hospital in Hollywood (the same). Judging by everything, the attackers were able to encrypt all or almost all of the data, after which they demanded a record ransom from the hospital management - three million dollars (more precisely, 3.4 million or 9,000 bitcoins). Or they didn’t demand - messages from the places are contradictory, and the official statement of the organization refutes the fact of requesting such a huge amount.



Nevertheless, the fraudsters received the ransom, although the smallest - 17 thousand dollars. The hospital stated that it was the only way to quickly restore the operability of the hospital's IT systems. It is sad, but it is clear that, first of all, the attack of the coders should be prevented. And if it happens, the damage will be limited to data on one system (and not on all network folders at once). The news attracted a lot of attention because of the specifics of the organization that came under attack - no one wants to leak the most sensitive data about their health. Hospital computer networks, meanwhile, remain vulnerable not only and not so much to ordinary Trojans. At the Security Analyst Summit conference, our expert Sergey Lozhkin talked about this: with quite simple tools, he was able to find vulnerable specialized software available from the Internet, such as software for MRI.

Antiquities:
"Typo-Boot"

A dangerous virus, using the “Brain” method, infects the boot sector of a hard drive and floppy disks when reading from them. On the disc is a standard way. It works only on IBM PC / XT computers, as it contains the command 'MOV CS, AX' (inter-segment JMP), which is executed only by the 8086 processor. It hooks int 13h, 17h. Replaces characters that are printed to the printer.

Quote from the book "Computer viruses in MS-DOS" Eugene Kaspersky. 1992 Page 103.

Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. Then how lucky.