Security Week 10: extortionist for OS X, iPhone passcode bypass, Facebook vulnerability and bug bounty benefits

In the next release of our series:

- Sly extortionist KeRanger for Mac OS X struck everyone not so much with its malicious properties as with a clear organization of the attack and an unusual method of distribution. But everything ended well - not so many victims as it could be.

- While Apple and US government agencies continue to argue about the right to hack the protection of iPhone, it turned out that you can bypass the passcode and more trivial methods. Not the first time, however.

- A serious vulnerability in Facebook explains well the complexity of the infrastructure of a modern company - a trivial and extremely dangerous method of breaking into any social network account was impossible on the main site, but it was available on a third-party project.



Previous series can be viewed by tag .



KeRanger - the first notable extortioner Trojan for Mac OS X

News Palo Alto study .



The discovery of KeRanger attracted the attention of many media outlets, and in publications this Trojan was often called the “first”, then the “first really dangerous” malicious ransomware product for Mac OS X. , found in the summer of 2014), and you cannot call it particularly advanced - Apple fans did not hesitate to tell. Say, yes, it encrypts data, yes, on MacBooks, but look at Windows - this is where everything is really very bad.

')

And the fans are generally right, but that's not the point. After installation, KeRanger waits for three days, after which it partially encrypts files on the infected system and requires a ransom in the amount of 1 Bitcoin (about $ 400). This is extremely unpleasant if you are a victim of such an extortioner, but in general the Trojan cannot boast of anything remarkable. An interesting distribution system. First, the trojan is signed by a legitimate (before detection, of course) developer certificate, so GateKeeper built into Mac OS X would not be able to block it. Secondly, the Trojan was introduced into the Transmission torrent client installer and was distributed for a short time from the official site of the project.







And this slightly changes the perception of history: the assertion that Mac OS X is more protected from malicious software than Windows loses relevance. And it's not the number of bugs. The point is the interest of cybercriminal. Before KeRanger, it was clear that a simple malware avoids Mac OS, but if it is necessary to hack a macbook as part of a targeted attack, it will be hacked. And after it became clear that the usual "user" Trojans can quite successfully infect unprotected Apple computers. Using vulnerabilities not in the system, but in the ecosystem - software developers and certificates Apple cannot control as strictly as it does on the iPhone.



An interesting point: according to the researchers of Palo Alto, a three-day delay between downloading the Trojan and data encryption was introduced in order to spread the infected version of Transmission as widely as possible - have not yet been noticed. But they noticed all the same earlier, therefore there are relatively few victims. The joint work of researchers, a software developer, and an OS developer has helped reduce the damage.



A serious Facebook bug allowed access to any account.

News Post a blog explorer.



Researcher Anand Prakash recently received $ 15,000 from Facebook as part of the Bug Bounty program - and by the standards of the money for vulnerability program, the social network is a lot. The vulnerability was indeed serious, in the most crucial place in terms of security - in the password reset system. When you try to reset your Facebook password, you can approve this action on a device that is already logged in - from your phone or tablet. The phone displays a six-digit code that you need to enter on the site. The six-digit code is easy enough to pick up if the system allows it, that is, it does not block brute force attempts.



All security systems, except the most leaky, such attempts are blocked, and Facebook is no exception. But only the main site. Anand discovered that alternative versions of FB - beta.facebook.com and msbasic.facebook.com (the latter is for older devices) do not contain a brute-force check. Normal Facebook blocks brute force after about a tenth attempt. On these versions of FB, which are likely to be developed separately from the main branch, there was no verification, but access to the user base was - that is, anyone could be hacked. The attack scheme is shown on the proof of concept:







To bypass the password in iOS 9.1 and later, you can use Siri

News Research



Judging by the amount of news from the trial between Apple and US government agencies, the main function of the company's phones is password protection. Of course, this is not entirely true, but the password (and most often the four-digit code) is the only thing that prevents your data from falling into the hands of intruders, jealous relatives, investigators, or scouts. It is not the first time that it turns out that to bypass a password it is not always necessary to force Apple itself to write a backdoor to the operating system. It is enough to use one of the problems of “docking” of various functions among themselves. The main problem of Apple is that without a password, the phone does not turn into a brick at all: some functions are available on it and so.



This is what they use. Researchers at Vulnerability Lab claim that you can bypass the password using Siri, and the problem is present in all devices with iOS 9.1 or higher, and has not yet been resolved. Researchers describe several ways to bypass the pin. The easiest: ask Siri to open an application that is not yet installed on the phone. After that, Siri will open the application store, and from there you can switch to the home screen without entering a password for access. The remaining methods are similar, although they are implemented somewhat more complicated.



Vulnerability was discovered in January of this year, another three months it took to communicate with Apple, but it is a little strange that the information was disclosed before the patch. The Vulnerability Lab claimed that Apple had informed them that the information had been taken into account, after which it had stopped contacting. Proof of concept:







What else happened:

Many patches. Very serious vulnerabilities in Adobe Flash. No less serious holes in Google Chrome. And very serious vulnerabilities in Microsoft IE and Edge.



Everything is very serious.



Antiquities:

"Ping-pong"



Not dangerous, has a byte containing the version number of the virus. If it detects a disk infected with its previous version, it “updates” it. Changes the int 8 and int 13h vectors. Causes a bouncing ball video effect (the 7h ASCII character) that moves across the screen, reflecting from the signs and edges of the screen.



Quote from the book "Computer viruses in MS-DOS" Eugene Kaspersky. 1992 Page 96.



Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. Then how lucky.