Tag Archives: video

Apple in Denial

Note: Many of the security articles I have written about Apple on this blog are negative and the reader could think I do not like Apple. This is actually very far from the truth, I am a big Apple fan; but I am also a security professional and I do not agree with their overall security strategy.

The title of this post is inspired directly from an Article I read on ZDnet, discussing the latest security threat that infected an estimated half a million Mac with malware: “BackDoor.Flashback.39″.

Mac Trojans are evolving and becoming more frequent, last August a Mac Trojan (Bash/Qhost.WB) was found in a fake Flash updater that once installed would redirect google search results to “bad sites”, then in September another Mac Trojan (OSX/Flashback.A) was found by Intego using a similar exploit mechanism  but with a different payload, this time it was more complex and disabling some security settings on the infected systems as well as attempting to inject some code in running processes to ultimately leak personal information.

Both Trojans had a relatively low success rate, as it relied either on the user to download a file and run it, or… for an attacker to adapt some kind of “EvilGrade” attacks where DNS MIT attacks could be leveraged to intercept legitimate software update requests and replace the update status answers with the need to upload the Mac Trojans.

However, a few days ago another variant surfaced. As mentioned by Intego, this latest threat to Mac Users is more of a “drive-by-download” threat than a “Trojan”. What it means is that malware can be pushed onto a Mac computer just by visiting a compromised site, it does not require for the user to take any actions such as entering their passwords or confirming for a new software to be installed. The compromise happens silently!

As a result, the infection rate is much stronger: More than half a million Mac users! and the impact is much worse: it will leave the victim’s computer vulnerable to be remotely commanded as part of a Botnet.

To check if your mac has been infected you can follow those STEPS.

It could be considered as the first major security crisis to affect the Mac OSX, one that will have the first major exposure in the media (BBC, CNN,  FORBES, etc) and one, I hope, that will pave the way for Apple to rethink their security strategy (although I have very little hope!). The fact this Java vulnerability was known a couple of months ago and that Oracle had provided a patch since the 14th of February does not play in Apple’s favor. By wanting to control everything (including Java updates) Apple is playing with fire when it comes to IT Security. This is hardly surprising, although I am very tempted to say “I told you so, HERE and HERE“, I will just echo the ZDnet article I mentioned at the beginning, this security mess is the result of Apple being in denial with the IT security landscape and the threats that every computer and user faces regardless of the Operating System they are on.

This state of denial is also exploited by the “Trojan” itself as it will apparently not install if it finds some software that could be used to analyse it and therefore not target a computer belonging a user that may be aware that there is more to security than a slogan “I am a Mac, I am secure”


YouTube Direkt

 

Attack on Quantum Cryptography

There is a recent BBC article on a new attack against a key component of Quantum Cryptography: Key Transportation.

There are 3 main components to a cryptographic system:
– The strength of the algorithms used (close/open, random generator, collision, etc)
– The integrity of the system (implementation, key storage, devices security, etc)
– The transportation of keys (no full or partial interception of the keys, etc)

Quantum Cryptography has for some been seen as the future for ensuring the integrity and detection of any interception attempts during key transportation.

I am not a Quantum Physic expert, but what I understand is that key transportation is done through light, where photons of light are sent to the receiver who will inspect the states of those photons to reconstruct the key. It is similar of sending a stream of bits which make the key, apart from the fact that in Quantum Physics a photon has not just a binary state (0/1 or -/+) but multiple values at the same time.
One of the key Quantum property useful for cryptography is that once a stream of photons is inspected, it is “destroyed” or changed. Therefore if someone was trying to evesdrop the receiver would know.

As a side comment, there are a few things that still puzzle me how this can only be a good thing. What about repeaters? you would need those to exchange keys to very far distances? So even if you can guarantee the key hasn’t been intercepted you cannot apply the same “quantum” guarantees to the repeaters (ref Integrity of the System). Furthermore, this could lead to a Denial of Service attack, I don’t see how Quantum Physic Key Exchange infrastructure could be as resilient as today’s internet. You would need specific “light tunnels”, if it gets damaged or if someone tries to intercept the key exchange even in the sole goal of disrupting the exchange process, then keys cannot be exchanged and the communication cannot take place…

Anyway, I would hope they must have thought about all this and have an answer. But what a team of scientists has just done, is to prove they could intercept the key and “blind” both ends into believing the exchange had been successful.

However some scientists have replied it was just a “configuration” problem with the system implementation and that it was possible to detect that attack after all.

Nonetheless, this adds weight to those who believe Quantum Cryptography is not the Saint Graal some claim it is, and that similar implementation issues there are today in “standard” cryptography also exist in “Quantum” Cryptography.

The BBC Article (Summary)
The Norwegian University Article where the paper came from (Original Article)
The Quantum Hacking Group responsible for the discovery (More info)

Below is a great video from the Quantum Hacking Group Website explaining the attack:


YouTube Direkt

Time Square Video Screen Hack – A Nice hoax

The video below would be a really great hack, but it seems to only be a hoax for a couple of reasons:

– It is unlikely such hacker would be showing his face so willingly.
– Apparently to hack those wireless billboard you would attack first the central “billboard broadcasting computer”.

Now… if the wireless communications to those billboard was unsecured, then it could be a different story :)


YouTube Direkt