Category: software security

Hacking and software security matters

Apple App Store – Walled garden, or pit of snakes; the security flaws


Some might be familiar with the name Charlie Miller. He is a well-known software security expert, best known of late for his work with Apple products. His previous accomplishments include the hack of the Intel MacBook line smart batteries, which were all protected by the same two passwords and could be accessed by software (Good one Apple – create a situation where some internet script kid could disable my battery remotely…). This time around, he turned his eye to Apple’s prized feature – the App Store.

Whatever you think of the walled garden approach they adopt, there is no doubt that the App Store is a commercial success (for Apple – unfortunately for the devs, it’s mostly a gambling exercise where a few make millions, the rest lose their shirt). It works well for the consumer, as Apple personally go through each submitted app, making sure it meets the standard they expect. Apparently, that inspection is supposed to cover security. However, Charlie Miller has put a chink in that assertion, by releasing an app which is capable of receiving remote commands and putting those commands into effect on your device. What’s more important, is that this app, called InstaStock and designed as a simple stock ticker, got right through the fabled verification process without a hitch.

The roots of the flaw lie in how Apple enforce code-signing, combined with Apple’s desire to speed up the phone browser in competition with other devices. Code-signing is a technique used in all sorts of software and security; in basic terms, Apple wraps each piece of software with a cryptographic signature, and the phone refuses to run any software that does not carry one. That is also why you can’t just download some app straight onto your iPhone – it isn’t signed, and therefore the phone won’t run it without a jailbreak. However, Apple added a special exception so that the browser could run unsigned (just-in-time compiled) code in one area of memory, and by manipulating the access given to JavaScript in the browser, that exception can be turned into a hole. Apple had protected the exception with other checks, blocking untrusted websites from using it, but Miller found a way around them:

“Apple runs all these checks to make sure only the browser can use the exception,” he says. “But in this one weird little corner case, it’s possible. And then you don’t have to worry about code-signing any more at all.”

Miller has promised that he won’t reveal more detail about the bug until his talk at the SysCan conference in Taiwan next week, in order to give Apple more time to fix the flaw.
Using the flaw, he got the aforementioned app placed into the store, and demonstrated that it could connect to a remote machine to download instructions and execute them at will. Functions such as photos, contacts, sound, vibration and other iOS functions are accessible, according to Forbes.

“Now you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check,” says Miller. “With this bug, you can’t be assured of anything you download from the App Store behaving nicely.”

Whilst many will point out that Android already has this kind of malicious application, Google do not purport to guarantee the safety of their Market – they encourage you to be vigilant, and use a permissions-check system to tell you exactly what services and functions a program requires. Apple, on the other hand, present a model where worries over safety can be ignored as they have checked everything and it all just works.

”Android has been like the Wild West,” says Miller. “And this bug basically reduces the security of iOS to that of Android.”

Worse, when the deception was pointed out to Apple, instead of a response of “whoa, dude, thanks. We’ll get this patched right up. Cheers for the heads-up”, the app was pulled (no big deal obviously) and then Miller was struck from the developer programme. Miller announced the news on Twitter this afternoon, saying “OMG, Apple just kicked me out of the iOS Developer program. That’s so rude!” But as Apple notes in its letter to Miller (posted below), he violated sections 3.2 and 6.1 of Apple’s iOS Developer Program License Agreement (a separate agreement), which respectively cover interfering with Apple’s software and services, and hiding features from the company when submitting them.

“I don’t think they’ve ever done this to another researcher. Then again, no researcher has ever looked into the security of their App Store. And after this, I imagine no other ones ever will,” Miller said in an e-mail to CNET. “That is the really bad news from their decision.”

The real shame from all this is that Apple and their walled garden give users a totally false sense of security. Whilst, for both the App Store and Android Market (and any other app stores), 99% of apps will be genuine and safe, you can never be 100% sure. Users should be taking their own precautions, and should not be lulled into complacency. Apple’s insistence on an ‘it just works’ method results in expectation – the expectation that when Apple assert an app is safe (by publishing it on their store), it must be.
In computer terms, you’d call the Apple model gateway security – you secure the entrance, and therefore anything that gets inside must be safe. Unfortunately, that leaves one big, central point of failure: the gateway. And any knowledgeable computer user knows it isn’t enough just to use the firewall on your router – you need antivirus and firewall protection on the PCs too.

And the final observation – if some nice, white-hat hacker finds a flaw and tells you about it for free, ‘thanks’ will do much better than a swift kicking. I know you have an image to maintain, Apple, and you can’t allow people to lose confidence in your garden, but at least give him some credit.

Sony – Suing GeoHot won’t put Pandora back in the box


So the jig is up, and thanks to fail0verflow and GeoHot, the PS3 is well and truly hacked. It seems likely that more than one person has been fired from Sony; their security model is so comprehensively broken in its design that there is very likely no comeback without changing the hardware, and even that will not do anything now that the private keys have been released.

In cryptography, there is a class of schemes built on a pair of keys. Put simply, signing and encryption involve two keys. These keys are twinned; what one half produces, only the other half can check or undo. Yet the keys are distinct – someone can know one of the keys and still be helpless without the other.
In PGP signing, and in console cryptography, one key is the public key and the other is a private key. The public key is built into the console, and the private key is in a safe at Sony. Sony sign every executable with their private key, and the PS3 verifies that the signature is valid using the public key, which as the name suggests, is often widely known.
Mathematically, if this is properly implemented, it is almost unbreakable. Unfortunately, Sony messed up. See, the scheme would easily be broken if many files were signed identically, as the differences could be eliminated and the key calculated. So, the signing equation includes a random number, and that number must be changed for each executable signed. This simple step is one of the basic and most important parts of the security. Fail. Sony’s idea of a random number?

4. Four. Quatre. 5-1. Whatever number. FOR EVERY EXECUTABLE.

So, with only two signed files, the random variable in the equation can be eliminated and the private key calculated.

Since this was done on one part of the Sony OS, it’s expanded to all of the parts; the master keys are all over the Internet! And this key means that anyone can sign their PS3 programs, and the PS3 will just think it’s from Sony! The person doesn’t even have to have ‘jailbroken’ their PS3!
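To make the two ideas on this page concrete – the sign-then-verify model that code-signing (the App Store post above) and console signing both rely on, and why a reused “random” number gives the private key away – here is an added example, not code from the blog or from fail0verflow. It is a minimal ECDSA over the secp256k1 curve in pure Python. That the PS3 scheme was ECDSA is a fact not stated on the page; the private key, the two “executables” and the fixed nonce 4 are constructed for the demo. The defender’s check is `find_nonce_reuse`, which flags any batch of signatures that share an `r` value; `recover_private_key` then shows what a repeated `r` costs.

```python
# Added example (not the blog's or fail0verflow's code): minimal ECDSA over
# secp256k1 showing sign/verify, an audit for repeated nonces, and why a
# repeated nonce leaks the private key. Assumption: the PS3 used ECDSA (not
# stated on the page). Keys, messages and the nonce 4 are constructed.
import hashlib
from collections import defaultdict

# secp256k1 domain parameters (public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(priv, msg, k):
    """ECDSA signature (r, s). k MUST be fresh and secret for every signature."""
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (hash_to_int(msg) + r * priv) % N
    return (r, s)


def verify(pub, msg, sig):
    """What the console does with its built-in public key."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    h = hash_to_int(msg)
    pt = ec_add(ec_mul(h * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def find_nonce_reuse(signed):
    """Audit check over (msg, (r, s)) pairs: a repeated r means the signer
    reused k. Returns {r: [(msg, s), ...]} for every repeated r."""
    by_r = defaultdict(list)
    for msg, (r, s) in signed:
        by_r[r].append((msg, s))
    return {r: items for r, items in by_r.items() if len(items) > 1}


def recover_private_key(msg1, sig1, msg2, sig2):
    """Why the audit matters: two signatures with the same r (same k) on two
    different messages give k = (h1 - h2)/(s1 - s2), then d = (s1*k - h1)/r."""
    (r, s1), (r2, s2) = sig1, sig2
    if r != r2:
        raise ValueError("signatures do not share r; nonces differ")
    h1, h2 = hash_to_int(msg1), hash_to_int(msg2)
    if (s1 - s2) % N == 0:
        raise ValueError("identical signatures; need two distinct messages")
    k = (h1 - h2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - h1) * pow(r, -1, N) % N


def demo():
    """Sign two constructed 'executables' with the same k, as the post describes."""
    priv = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
    pub = ec_mul(priv, G)
    fixed_k = 4  # the post's illustrative 'random' number, reused for both
    msgs = [b"constructed executable #1", b"constructed executable #2"]
    signed = [(m, sign(priv, m, fixed_k)) for m in msgs]
    all_valid = all(verify(pub, m, s) for m, s in signed)
    recovered = recover_private_key(msgs[0], signed[0][1], msgs[1], signed[1][1])
    return {"all_valid": all_valid,
            "reuse_detected": bool(find_nonce_reuse(signed)),
            "key_recovered": recovered == priv}


if __name__ == "__main__":
    print(demo())
```

Both signatures verify, which is exactly the point: the console has no way to tell a signature made with a reused nonce from a good one. Only an audit across many signatures (the `find_nonce_reuse` grouping by `r`) catches it, and a signer that draws `k` from a proper random source never produces a repeated `r` in the first place.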

Sony’s response is to sue fail0verflow and GeoHot – yet the key is everywhere. This key has signed every PSN software so far. So Sony can’t even revoke the key in an update without breaking all the legitimate software so far. Worse still, the total breaking of the security means that with digging, people have discovered Blu-Ray and PSP master keys too!

Too late to sue, Sony. The secret is out. The number 4.

Peace, out!


(Note – Apparently the number itself wasn’t 4; this was an example given by the fail0verflow team, hence quoting it here originally. The point illustrated is the same – they used the same ‘random’ number in multiple places, a grave mistake.)

The War for the Internet


You must be living under a rock if you haven’t heard about ‘Cablegate’ – the continuing saga of USA, WikiLeaks, Julian Assange, Anonymous, TheJester, the list goes on. A quick summary of the situation follows, and some analysis and knock-on effects as I see them.

WikiLeaks is an anonymous whistle-blower organisation – ‘wiki’ meaning that anyone can contribute, similarly to Wikipedia. WikiLeaks stopped this ‘free edit’ policy a while back as it was too hard to manage, but set up a system for people to anonymously submit secrets. Now, we aren’t talking about how you’re the one who stole your neighbour’s gnome here; we’re talking big things – governments, corporations, groups etc.
A while back, WikiLeaks released a multitude of material on the Iraq war, including video of US chopper pilots and soldiers shooting at a bunch of civilians, journalists and children. Ever since, the US has been on a slow burn – make no mistake, they hate WikiLeaks in the US Government. It’s very clear.
Cablegate has pushed the US to breaking point – it is the simultaneous release of hundreds of ‘cables’, i.e. little notes or snippets from US ambassadors, representatives and more. They are retained by the government and access is restricted, but the cables are NOT classified. The contents range from little observations on foreign politicians, to records of orders from Hillary Clinton to collect intelligence, DNA, biometrics and more on foreign UN ambassadors. It also sheds light on the relationships between nations.

The US Government knew about the planned release and had worked hard to mitigate the damage but there will obviously be fallout, and perhaps a loss of trust between nations, spies, ambassadors and so on. And that’s when things get silly…
The Americans are taking things out firmly on Julian Assange and WikiLeaks. I have a number of problems with that. Firstly, they are spouting a line of “This will cost lives” yet have admitted that the information has, thus far, neither been damaging nor placed anyone at risk. They have also called for WikiLeaks to be named a ‘terrorist organisation’.

WHAT? WikiLeaks a terrorist organisation? Or take Sarah Palin, who called for Assange to be designated a terrorist and for US Special Forces to move in and assassinate him? What is WRONG with the USA???

I know that every government, to a greater or lesser degree, involves themselves in this kind of stuff. But what they all have to realise is that information flow is greater now than it ever has been. When something occurs, everybody knows in seconds. And I’m sorry, but governments need to rethink themselves – this stuff WILL out, and in this age everybody WILL hear about it. So it’s time to STOP. If you don’t want to be damaged by a leak, stop doing crazy, morally ambiguous, evil, terrorising stuff.
“Oh, but the UK does it too, they all do” – Yeah, I bet. And it’s in YOUR name. Is ignorance bliss? You don’t care as long as nobody finds out? Bullshit. I don’t want this stuff done in my name.

Moving on to Assange. I don’t know the ins and outs of his accused crime, but all the coverage I’ve seen suggests that the allegations have some serious flaws, mostly in the two particular girls. They seem to have decided it was non-consensual AFTER they found out he was two-timing them. So, he’s a dick, but hardly rape. However, Sweden has odd sex laws such as “I was drunk therefore it was rape” kinds of allegations. I personally think these are damaging on the whole to the victims of rape.
I hope that the US did not put pressure on Sweden to continue to pursue allegations that had TWICE been rejected at appellate courts, but I’m willing to bet they did. At the same time, PayPal, Visa, MasterCard, SwissBank, Amazon, EveryDNS… they have all cut their ties with WikiLeaks for various reasons. This has severely hurt the funds of WikiLeaks. The only one to actively admit that it was pressed by the US was PayPal, who said that the “State dept. informed us that they were involved in illegal activities”.

So yeah, forget courts, burden of proof, justice. PayPal doesn’t care. I’m willing to bet the story is similar to the rest. What exactly has America got to hide?

Enter TheJester and Anonymous. TheJester is some absolute juvenile cunt who, prior to this, was presumably in the US army serving in the Middle East. He calls himself a “hacktivist fighting for good” when really he is a patriot. And you know, I use that word now without even thinking of the presumed “I love my country” bullshit. When I hear patriot I think of a stupid, blind, puppet of an American. The ones that blindly follow the whim of the government or their leaders for some delusion of national pride. TheJester also seems to be some sort of programmer, though I suspect his programming experience is average. He seems to have ‘adapted’ (plagiarised) a program called SlowLORIS to make XerXes, a DDOS (Distributed Denial Of Service) program that routes using Tor, the onion network, for anonymity. He has used his software in the past in order to DDOS ‘jihadist’ websites. A noble cause maybe.
Now he has turned on WikiLeaks. Yet, his failings became evident very quickly; mere hours after egotistically declaring “TANGO DOWN” on his twitter the WikiLeaks site was back. And this guy has himself an enemy.

Anonymous have waded in, in the name of Internet openness and freedom. And they have launched Operation:Payback, and it has been working fantastically! They have their target list of all those who betrayed WikiLeaks, and have been attacking as a group; today, MasterCard has been down.
Anonymous are a force and one you do not want against you – they have no head, only teeth. They are generally morally guided to causes, and while sometimes dicky, I think they are an important bunch. Those who do not care that their methods are illegal are vigilantes and rioters. But sometimes you need such people to effect great change.

So, in what could be the first Internet War, who are the players?
WikiLeaks and their ally Anonymous fight for a free internet and world.
USA government (and others), their foot-soldiers (TheJester) and their subservient corporations fight for their own ends.

This won’t be a war where you know when it ends. But it could fundamentally change the internet, and in some ways it already has shown me one thing. Companies control too much of the Internet for my liking. Amazon, Ebay, Google, Microsoft, Facebook, PayPal… the list goes on. And as long as these entities have no moral centre of their own and will do whatever the US tell them to, the Internet is at risk. They want WikiLeaks shut down because it’s not under their control, and that scares them. Bastards, that’s all I can say. USA always has the approach of policing the world, and always to its own ends. The line stops here; the Internet is NOT yours to police and there are those who will fight to keep it from you.

In summary; go WikiLeaks, go Anonymous, go fuck yourself USA. Hypocritical, paranoid monsters with some severe entitlement issues.

I know which side I’m on, have you chosen yours yet? The time may soon come where your voice needs to be heard, not just in disapproving comments in the pub, at work or online, but instead on the streets – it is the only thing they will listen to.
It is time that governments started doing what their masters tell them; that’s you and me.

UPDATE: Anonymous has now taken down Visa

Vapourware – Like a Needle in a Haystack


Vapourware describes a product, usually software, that has been announced by a developer during or before its development, when there is significant doubt whether the product will actually be released. It is software which at best is still in development, and at worst is no more than an interesting concept in the mind of someone at the organisation. Vapourware is sometimes announced with great fanfare as a spoiling tactic to hurt sales of a competitor’s already launched product.

Maybe you don’t know, but in many parts of the world the internet is not free. It is not open. Many countries have, or are considering, filtering the internet. The reason for this is always cited as “protecting the public” or even just “child porn” (the ‘Think of the Children!’ defence). Make no mistake; filtering the internet is a bad thing, and it is coming to a country near you – the USA, Australia and the UK are all considering ‘net neutrality’ bills, and the continued tightening of digital rights (think the Digital Economy Act) pushes us one step closer to a constrained internet, an internet which is no longer the last true bastion of free speech.

…but this article isn’t about that. This article is a warning. Vapourware. The definition is above. So, Matt, why did you launch into a tirade against internet law? Well, because the people of the world have been had; specifically the people of Iran. I’m talking about ‘Haystack’.

Haystack was a fantastic story. The myth – a young, bright, entrepreneurial and morally-guided man, Austin Heap, heard the suffering of the people of Iran, and developed an encrypted proxy network, one which would bypass the filtering imposed upon the innocent Iranian people.
The fact – no software officially released to date; the beta has leaked to many Iranians but is full of basic security holes. Despite much money donated to the project, it has failed, and in fact risks the security of millions of Iranians, both online and from the state police.

Austin Heap, the creator, was being lauded in the press, with absolutely no software credentials to back this up. He conjured false hope about a solution better than any currently available. He even claims that Haystack is better for privacy than the Tor onion network. He refused outside, open-source development, under the guise of preventing the Iranian authorities from breaking his system. However, when the executable finally found its way into the hands of some reputable software programmers, it was clear that the product was just not what it should have been (link is to Danny O’Brien’s twitter feed. He also wrote an article about Haystack here). Even their main developer resigned.

Austin Heap was quoted as saying:

“I hope we are ready to take on the next country. We will systematically take on each repressive country that censors its people. We have a list. Don’t piss off hackers who will have their way with you. A mischievous kid will show you how the Internet works.”

I think he fell victim to his own hype, and his own motto.

A lesson indeed in the dangers of getting wrapped up in an idea. I doubt that the Dragons from Dragon’s Den would have invested in his idea. An idea is NOT a product, not a result. Ideas are easy; the idea of creating a proxy system for repressed regimes is an easy idea. The reality is all the steps in between, the lives you are risking along the way, the code and its robustness. One error can spell doom, and it seems for Haystack, this might have happened.

So… Diaspora anyone? Yeah, this is still vapourware. Diaspora purports to be a better Facebook – fixing the much-maligned privacy concerns in Facebook, removing the trash, making it clean. You can host your own Diaspora network, with its own look and feel, but all the Diaspora networks can interact and share information in a controlled way. And, yet again, it was hyped to an insane degree, raising hundreds of thousands of dollars in funding, for a mere idea.

Even at the time of announcing I was dubious. Now Facebook is everywhere, it is tightly integrated into so much of the web at the minute. Diaspora might now be a step backwards. Heck, Facebook might even be getting into the phone OS game now. But Diaspora has now released the first elements of its source code. It at least has one advantage over Haystack – it is open-source. Bugs and problems can be fixed by the internet swarm. But, so far, it has more problems than fixes.

Diaspora may still come out clean in the wash. Haystack, doubtful. The point is, don’t pay people for an idea. Or at least, if you are going to pay someone for an idea that won’t happen, pay me. But don’t get your hopes up on software that might never materialise. And, Austin Heap, don’t get up the hopes of an entire country, and don’t release to them insecure software that might end up getting them in severe trouble for using it.

Peace, out!


Virus Alert – PDF Exploit


Just a heads up that there is currently a nasty exploit on PDF files doing the rounds. It’s based on a vulnerability in Adobe PDF Reader / Acrobat 9.2 and lower, and can act through browser plugins.

The best protection is to avoid any untrusted PDF files. Most antivirus software does not detect affected PDFs as of yet. Failing that, DEP affords some protection – if it’s available to you, it’s likely already turned on. Outlook users should make sure that Outlook isn’t set to automatically preview PDF files, as previewing might trigger the exploit.

Peace out!