
Before turning to the news, let's talk about physicists and lyricists, or rather about the marketing of vulnerabilities. This relatively new term was born a couple of years ago with the advent of Heartbleed, the first vulnerability to get its own name, logo and commercial. Not everyone welcomed this innovation: the companies or experts who discover a hole, the argument goes, use the language of advertising instead of dry technical language, and so profit from other people's trouble. I cannot agree with that. Although there is an element of advertising here (and where is there not?), attempts to explain in simple words (or even pictures) complex technical things that non-specialists also need to know should only be welcomed.
The topic took a new turn this week with the appearance of, no, not information about a vulnerability, but the announcement of a vulnerability. Specialists from SerNet, whose team includes developers of the SMB protocol (more precisely, of Samba, its free implementation), have announced a serious vulnerability. Both the Linux implementation of the protocol and Windows itself are affected. But they did not disclose the details: the information will be published only on April 12. Why do it this way? The authors of the study believe that this gives potential victims of the attack an opportunity to prepare. A rather controversial statement: critics of the idea argue that the researchers could be giving an attacker a head start if the latter figures out the nature of the vulnerability, if only from the name of the minisite (Badlock). Whether it was worth doing so, we will find out in two weeks, on every file share on the Internet.
And now to the news. Previous issues of the digest are here.
The FBI asked to postpone its court hearing with Apple and try to hack the iPhone without the manufacturer's help
On Monday, Apple introduced new devices, and at the very beginning of the event the head of the company, Tim Cook, spoke about the FBI's demand that Apple help break into an iPhone 5c that had belonged to a terrorist (a summary of previous episodes is in this digest). Ahead of the court hearing scheduled for the day after the presentation, Cook made it clear that the company was not going to retreat or surrender. And it did not have to. The FBI asked to postpone the hearing because it had found a possible way to solve the problem (that is, to unlock the iPhone or otherwise obtain information from it) without the manufacturer's help.
In general, the view is quite popular among specialists that the FBI could have obtained the data from the phone on its own, and that the demands on Apple are an attempt to weaken the cryptographic protection of phones in general. Be that as it may, no news from the front line of Apple's fight with the FBI is expected until April 5: by that date investigators must determine whether the "alternative" method works. What is the method? Unclear. There is a conspiracy theory that the National Security Agency decided to help the FBI and handed over some exploit from its stockpile for a vulnerability in the phone. Two days ago, citing unnamed sources as usual, Reuters wrote that the Israeli company Cellebrite would be doing the break-in. The rather old iPhone 5c is on the list of devices "supported" by this company. The newer iPhone 6s, by the way, is not. And this is a nice side effect of the whole story: among other things, it provides a lot of information on choosing and configuring a phone for those who are seriously concerned about protecting their data. Let us list the main and obvious points: only the most recent iPhone (this is not an advertisement), a long PIN code and an alphanumeric password for unlocking, and preferably no iCloud.
iOS 9.3 closes a serious cryptographic hole in iMessage
The new version of Apple's operating system for mobile devices, introduced on Monday, adds a special "night" mode to help you fall asleep faster, but that is not the most important update. The most important one is the patch for a vulnerability in iMessage, the messaging system that for many iDevice users has replaced traditional SMS. Data transmitted through the system is encrypted, but, as researchers at Johns Hopkins University found, the protection is not good enough. As a result, if a number of conditions are met, an attacker can obtain the victim's correspondence history.
The mechanism of message encryption in iMessage. The study became possible, among other things, because Apple speaks publicly about its encryption methods, which allows independent researchers to analyze their reliability.
The conditions are quite strict: you need either to set up a (complex) variant of a man-in-the-middle attack or to get direct access to Apple's servers, for example (hello to the news item above) by court order. One of the methods uses the mechanism for sending file attachments through iMessage: they are stored in encrypted form on an Apple server, and a special URL is sent to the recipient. Using this feature, an attacker can try to reconstruct the key by sequentially sending slightly modified attachment-download URLs to the victim's device.
This has to be done about 130 thousand times, but since the victim's device does not respond to such requests in any way the owner would notice, the attack is theoretically possible. As usual, the study involves very sophisticated math, and the attack methods include registering domains similar to icloud.com (and not one, but many), exploiting file compression features and much more. The main thing is that the attacker will not be able to access the data on the smartphone, but will be able to see the message history, which is stored on the server for up to 30 days. Or will not, depending on whether you have updated the device to the latest version of iOS.
Another American hospital fell victim to an encrypting ransomware Trojan
Most recently, we wrote about how a ransomware Trojan attacked a Hollywood hospital. In that case, faced with the threat of losing important data, the organization paid a sizable ransom of 17 thousand dollars. This week a similar problem arose at a hospital in Kentucky. As reported in the analysis by security expert Brian Krebs, the attack method was not particularly original. A hospital employee received spam with an infected attachment. The infection spread from one computer across the network, apparently through shared folders. As a result, a message appeared on the hospital's website about an "emergency situation due to a computer virus infection".
The virus, or rather the Trojan, is called Locky, and it uses the long-forgotten method of infecting a computer through malicious macros in office documents. Unlike in the previous hospital attack, the staff of the Kentucky hospital did not pay the ransom, although the amount requested was smaller: 4 bitcoins, or $1,600. The details of the infection also point to where defenses should go. And this is not only about proactively blocking the malicious program with a security solution. It would be good if a) the employee did not open spam with a suspicious attachment and b) even after an infection, the Trojan could not spread rapidly across the network without meeting any resistance. The first is achieved through security training, the second through properly configured access to shared documents.
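The macro-based delivery described above can be checked for at the mail gateway. The following is an added example, not part of the original column: a Python check that flags Office attachments carrying macros, including one renamed to hide the fact. The function names and the sample files are assumptions constructed for illustration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls compound file


def macro_indicators(filename: str, data: bytes) -> list[str]:
    """Return reasons an e-mail attachment should be held for review."""
    reasons = []
    if data.startswith(OLE_MAGIC):
        reasons.append("legacy OLE container (may embed macros)")
        return reasons
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return reasons  # not an Office container at all
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # OOXML stores VBA code in a part named vbaProject.bin
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            reasons.append("VBA project present")
        if "[Content_Types].xml" in names:
            types = z.read("[Content_Types].xml").decode("utf-8", "replace")
            if "macroEnabled" in types:
                reasons.append("macro-enabled content type")
    # A macro document renamed to .docx/.xlsx is an extra warning sign
    if reasons and not filename.lower().endswith((".docm", ".xlsm", ".pptm")):
        reasons.append("extension hides macro content")
    return reasons


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-like zip, not a real document."""
    kind = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
            else "application/vnd.openxmlformats-officedocument"
                 ".wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" '
                   f'ContentType="{kind}"/></Types>')
        z.writestr("word/document.xml", "<document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docx", build_sample(True)),
                       ("report.docx", build_sample(False)),
                       ("old.doc", OLE_MAGIC + b"\0" * 16)]:
        print(name, macro_indicators(name, blob))
```

The check looks only at the container structure, so it says that macros are present, not that they are malicious; holding such attachments for review is the policy decision.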
What else happened:
An interesting piece of news from outside the world of security. Two days ago Microsoft Research launched a chat bot called Tay. Using some kind of artificial intelligence system, Tay could communicate with users on Twitter (publicly or through direct messages), gradually learning in the course of such communication. Two days later the robot had to be turned off, because (who would have thought!) netizens taught the robot bad things. Microsoft made an official statement in which it referred to a kind of "coordinated attempt to misuse Tay's ability to comment on messages." Translated into normal language, it sounds like this: "This is the Internet, baby, and you were not ready for it." Commentators on the story vied with each other in lamenting that the Internet is full of hatred, believing that the robot is not at fault here.
I do not agree. Microsoft researchers really did give the robot the ability to take in an unstructured flow of information and respond to it intelligently. That is really cool. But for such failures not to occur, artificial intelligence must be able to tell good from bad. And that is a very relative thing; in fact, we are talking about endowing the robot with its own position on a wide range of issues. In general, returning to the topic of security, do not believe anyone who sells you miracle protection consisting only of "intelligent algorithms". It will not work for the same reason: in security you need not only to understand what is happening, but also to be able to evaluate events correctly.
Antiquities: the Taiwan family
A family of very dangerous non-resident viruses. They traverse subdirectories and write themselves to the beginning of .COM files. When infecting files, they block the keyboard (apparently, this is directed against resident antivirus monitors). If no .COM file is found, the Taiwan viruses can erase part of the sectors of the current disk and then report: "Greetings from National Central University. Is today sunny?".
In addition to this, they contain the string "* .com".
Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 47.
Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not. It's a matter of luck.