Rich Mogull for TidBITS:
Reports emerged yesterday that a security exploit broker paid $1,000,000 for a browser-based iOS 9 attack, setting a record for buying and selling a computer exploit, at least in public.
[a] reliable iOS exploit can run into the low-six figures on exploit markets. Government agencies use these for surveillance and law enforcement, and iOS is consistently a tough nut to crack. (…) The agencies that do purchase it will most likely use it judiciously in order to lengthen the lifespan of the attack and minimize the chances it will end up in Apple’s hands.
I recommend reading the whole article. It paints a very frightening picture. I mean, it’s logical and certainly true, but I wasn’t aware how this business worked. Even if you have the latest OS installed, you must know that if you’re targeted, the US government has access to your phone. (What they can get out of it is a different question.) This 1 mil gig was good for show, but the real deals are not announced anywhere in any form.
Dale Myers is concerned:
For those of you who don’t know, 1PasswordAnywhere is a feature of 1Password which allows you to access your data without needing their client software. (…) The file that had issues was 1Password.agilekeychain/data/default/contents.js. Being a curious kind of guy I opened the file to see what was in there. The answer is the name and address of every item that I have in 1Password. Every single one. In plain text.
Back in 2008, we introduced the AgileKeychain as a way to help our users better synchronize data across platforms and devices. At this time, 1Password had significantly less processing power to draw from for tasks like decryption, and doing something as simple as a login search would cause massive performance issues and battery drain for our users. Given the constraints that we faced at the time, we decided not to encrypt item URLs and Titles (which resembled the same sorts of information that could be found in browser bookmarks).
I looked at the file in question and indeed, just as Dale pointed out, everything is there. I’m also concerned by AgileBits’ justification; they certainly don’t seem to care deeply about this. Mind you, both parties acknowledge that a new storage format called OPVault, which is supposed to resolve this, will be enabled by default. The reason they haven’t done so yet is backwards compatibility (srsly?).
On the Mac you can terminal-magic yourself into the future, but be sure to back up your data first. Dale’s post will definitely push AgileBits to do this more quickly, so I’ll wait until the official migration is out.
The whole thing made me realize that 1Password is a black box at this point. Should the migration fail with my database, I won’t really be able to get my data out of their encrypted files; my only option seems to be reverting to an earlier backup and hoping they’ll be able to read that. Now I need to figure out how to back up my data so that I can read it at my own leisure.
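To see for yourself what Dale describes, here is an added audit script (it is not from Dale’s post, nor AgileBits’ code). It assumes the Agile Keychain layout of `data/default/contents.js` as a JSON array of rows `[uuid, type, title, location, updatedAt, folderUuid, strength, trashed]`; the sample content is constructed, and the row layout is an assumption you should confirm against your own file before relying on the counts.

```python
import json
import os
import sys

# Constructed sample of data/default/contents.js (not a real keychain).
# Assumed row layout: [uuid, typeName, title, location, updatedAt,
#                      folderUuid, passwordStrength, trashed]
SAMPLE_CONTENTS_JS = json.dumps([
    ["A1B2", "webforms.WebForm", "Example Bank",
     "https://bank.example.com/login", 1380000000, "", 80, "N"],
    ["C3D4", "wallet.financial.CreditCard", "Visa card",
     "", 1380000001, "", 0, "N"],
    ["E5F6", "webforms.WebForm", "Old forum",
     "http://forum.example.org", 1380000002, "", 40, "Y"],
])


def contents_path(keychain_dir):
    """Location of the index file inside a .agilekeychain bundle."""
    return os.path.join(keychain_dir, "data", "default", "contents.js")


def parse_contents(text):
    """Return (uuid, type, title, location, trashed) for every row.

    Raises ValueError on rows that do not match the assumed layout, so a
    different format (e.g. OPVault) is reported instead of silently passing.
    """
    rows = json.loads(text)
    parsed = []
    for row in rows:
        if not isinstance(row, list) or len(row) < 4:
            raise ValueError("unexpected contents.js row: %r" % (row,))
        uuid, type_name, title, location = row[:4]
        trashed = row[7] if len(row) > 7 else "N"
        parsed.append((uuid, type_name, title, location, trashed))
    return parsed


def cleartext_exposure(text):
    """List every item whose title or URL is readable without the master password."""
    exposed = []
    for uuid, type_name, title, location, trashed in parse_contents(text):
        fields = []
        if title:
            fields.append("title")
        if location:
            fields.append("url")
        if fields:
            exposed.append({
                "uuid": uuid,
                "type": type_name,
                "fields": fields,
                "title": title,
                "url": location,
                "trashed": trashed == "Y",
            })
    return exposed


def summarize(text):
    """Counts that show how much metadata the index leaks in total."""
    exposed = cleartext_exposure(text)
    return {
        "items": len(parse_contents(text)),
        "with_cleartext_title": sum(1 for e in exposed if "title" in e["fields"]),
        "with_cleartext_url": sum(1 for e in exposed if "url" in e["fields"]),
    }


if __name__ == "__main__":
    # Usage: python audit_agilekeychain.py /path/to/1Password.agilekeychain
    if len(sys.argv) > 1:
        with open(contents_path(sys.argv[1])) as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONTENTS_JS
    for entry in cleartext_exposure(text):
        print("%s  %-28s  %s  %s" % (entry["uuid"], entry["type"],
                                      entry["title"], entry["url"]))
    print(summarize(text))
```

Run it against the real bundle path and every line printed is something a person with read access to the sync folder (Dropbox, a backup, a stolen laptop) learns without ever touching your master password. Items in the trash are still listed, which is why the script keeps the `trashed` flag instead of filtering it.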
Bluebox Security, two days ago:
Bluebox Labs recently discovered a vulnerability in Android’s security model that allows a hacker to modify APK code without breaking an application’s cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user. This vulnerability, around at least since the release of Android 1.6 (codename: “Donut”), could affect any Android phone released in the last 4 years – or nearly 900 million devices.
The numbers are put in a sensationalist way, since only those are at risk who install a program that exploits this hole on a phone that has not yet been patched. Regardless, it is a serious problem if phones going back four years are left open.
Now that Apple, Facebook and Google have all nearly been broken into through the Java security hole, and Apple has also just released a Java security update, it is time to turn the thing off in our browser.
In Safari, uncheck “Preferences – Security – Enable Java”:
In Chrome, type chrome://plugins/, press Enter, then disable it at the bottom of the page:
If we bought a new Mac or upgraded to Mountain Lion, we don’t need to worry, because there is neither a browser plugin nor command-line Java any more, unless we installed it ourselves from Oracle’s site. Still, as a responsible Plastik reader, let’s check anyway. (Minecraft unfortunately needs Java, but the biggest problem is the browser plugins; turn those off.)