Free Republic
News/Activism

Apple is having its Microsoft moment... Apple products suffering glitches
WCVB ^ | 5 Jun 2015 | Jose Pagliery

Posted on 06/05/2015 6:05:07 PM PDT by for-q-clinton

NEW YORK (CNNMoney) — So much for the argument "Apple computers are safer and bug-free."

It's not true. We're accustomed to annoying glitches in PCs. But the past few years have shown that Macs, iPads and iPhones have them too.

So far in 2015, five major flaws have affected Apple products.

Just this week, we encountered a nasty bug that lets hackers bury computer viruses so deep inside Macs, you'll never find it. A week earlier, a flaw appeared that lets a text message crash an iPhone.

These are significant issues, and neither has been fixed yet.

Faulty code is found in every operating system, app and software program. But Apple has an outdated strategy for fixing them.

Remember when Apple would advertise it was safer than Windows? No more. Apple is now where Microsoft was a decade ago.

The problem

Computer engineers, hackers and people familiar with the company's practices explained that Apple is doing five things wrong in its approach to security.

1) Apple's security updates are irregular and infrequent. Last year, it took Apple 100 days to fix a problem that some folks at Google found. (And when Apple finally did patch the hole, its supposed fix was weak and easily bypassed by hackers.)

In 2012, Oracle quickly moved to patch its Java program that was susceptible to a terrible, information-stealing malware called Flashback. But Apple waited two whole months to issue a fix -- even though an estimated 650,000 Macs were infected.

"They don't appear to have a regular patch schedule like Microsoft, nor do they appear to patch continuously like Google does with Chrome," said Tod Beardsley, a research manager at cybersecurity firm Rapid7. "Sometimes, patches are slow to arrive, but then again, sometimes patches are difficult to develop."

Sure, issuing quick fixes sometimes backfires. In this sense, Apple treats bugs like it does products. It's usually a little late to the game, but it plans to do the job right.

But waiting too long can have devastating effects, leaving Apple customers vulnerable to hacks and theft of personal information.

2) Secrecy. Apple keeps quiet about its security holes.

For example, Apple didn't admit the latest Mac bug is even real (because that would entice hackers to exploit it). And while it acknowledges the text message flaw and offers advice for how to fix it, Apple hasn't explained the bug's root cause.

"Apple works in mysterious ways. It has a reputation for being tight-lipped when it comes to confirming the existence of security issues," Beardsley said.

Transparency would keep customers alert and help the large community of Apple developers suggest fixes. In this sense, secrecy is harmful.

3) Updates are only for the latest software. If you're still using old versions of the Mac operating system, Apple has forsaken you.

For example, Apple patched a serious vulnerability in April -- but only for its latest version, Yosemite. That means it left behind 47% of its users, those who use the operating systems Mavericks, Mountain Lion, Lion, and Snow Leopard, according to industry figures gathered by Net Market Share.

Apple's defense? Customers can upgrade to the latest version for free. That's true, but not entirely fair. Some older laptops can't handle the latest software.

4) Unwillingness to pay. Apple is one of the only major tech companies that doesn't reward researchers -- with money -- for finding potentially disastrous computer bugs.

Although criminals and spies are willing to pay $150,000 for an iPhone bug that hasn't been made public, Apple pays nothing. Zip. Zilch.

5) No admission of guilt. This is what frustrates security folks the most. Apple doesn't tend to acknowledge when it's wrong. When hackers broke into celebrity iCloud accounts and exposed nude photos last year, Apple CEO Tim Cook said the company would beef up security measures. But he blamed users, saying the problem was "not really an engineering thing."

But security features that would have prevented the celebrity iCloud episode -- like requiring a text message as a second passcode -- are precisely an engineering problem. To Apple's credit, it eventually added that crucial feature to iCloud.

Dealing with Apple isn't easy. Security researcher Xeno Kovah said that even in the most serious cases, when he had to report a critical software flaw to the Carnegie Mellon's Computer Emergency Readiness Team, Apple was still not as "responsive or accurate" as other companies.

"Apple has a bug fixing problem," he said.

It's so bad that 684 independent Apple developers launched a formal campaign in 2012 and wrote a letter begging Apple to improve its bug-reporting system. They say little has changed.

Apple declined to comment for this story.

How Microsoft did it

Some of the best Apple hackers tell CNNMoney that Apple's bug-reporting system needs an overhaul, similar to the one Microsoft went through years ago.

Microsoft had to go through a long and painful awakening. Think back 15 years ago, when Windows products were the most used -- and hated. They were notoriously buggy. But then came a corporate turnaround.

In 2003, Microsoft introduced Patch Tuesday. Once a month, users would get a flood of updates to keep them safe. In 2005, Microsoft started hosting Blue Hat, an invitation-only security conference to meet face-to-face with curious (and often aggressive) researchers. Apple doesn't host a forum like that.

One of Microsoft's most successful strategies in improving security has been its "bug bounty" program, which was implemented in 2013. Microsoft stopped fighting the legion of hackers -- and turned them into a ragtag army of Microsoft guardians.

"Microsoft had worm after worm before meaningful security changes were made," said Katie Moussouris, Microsoft's former chief security strategist who implemented the bug bounty program. "Hopefully, Apple will adapt quickly."

Why the added pressure on Apple all of a sudden? The company is "a victim of its own success," Moussouris explained. Apple products are more popular than ever. More fingers on keyboards means more code is being explored. Inevitably, bugs will be found.

The good news: Apple is listening. And changes are coming.

Apple is aware of these issues, and the company is trying to improve how it communicates with researchers, according to a person familiar with the company's plans. Its main challenge now is dealing with its rapid growth. Apple gets inundated with reports about possible flaws, and its security team wants to do a better job of paying closer attention to the big security issues, separating the real bugs from the fake ones.


TOPICS: Crime/Corruption; News/Current Events; Technical
KEYWORDS: apple; bug; ios; microsoft
Navigation: use the links below to view more comments.
first previous 1-20 21-40 41-52 last
To: for-q-clinton

Dang auto correct!!!

Worth and with are mixed up and should be met not merry and unmatched should be unpatched.


41 posted on 06/06/2015 4:00:47 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 38 | View Replies]

To: for-q-clinton; Swordmaker
Well, I gotta run off to dinner. Say, how 'bout you guys get this all settled up while I'm gone, will ya? You've got a day or so, as I'm not gonna be back online until late tomorrow.

It's D-Day -- don't forget to take a few minutes off and remember the guys that gave their lives so that we could have these stupid arguments.

42 posted on 06/06/2015 4:06:15 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is...sounding pretty good about now.)
[ Post Reply | Private Reply | To 38 | View Replies]

To: for-q-clinton; dayglored
In fact I remember the excuses for malware not counting on Macs was that it only works on unpatched systems, user was required to click on link, and/or machine had to be on the internet. So with those excuses out there I’d say Windows had been pretty solid for the last 10 years.

Even if you count the Trojans, for-q, the total number of Trojans that have affected OS X Macs is fifty-seven, including variations in eight families. The number of infections of the worst of them (not counting the so-called reports of the amazing disappearing Macbots claimed by Dr. Web, which turned out to be hoaxes to sell their products since not a single infected Mac was ever found in the wild), for each of these Trojans, in each instance, was from zero to under 100 Macs, and often was listed as zero to under 50. See what the numbers were for your vaunted Windows?

43 posted on 06/06/2015 4:14:02 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 38 | View Replies]

To: for-q-clinton; dayglored
Actually Patch Tuesday is going away as Windows becomes a service and they don’t want to wait to release patches as 0-day exploits are more common. They are getting faster and more efficient. Exactly the opposite of Apple.

You don't know what you are talking about. Apple pushes updates for portions of OS X as they are available; they don't wait for any schedule or for a major update, and they are installed silently in the background for the majority of users. Security updates are mostly handled this way. A user can opt to give permission for every update, but most don't. It is only when there is a major point upgrade that Apple requires permission.

44 posted on 06/06/2015 4:21:20 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 39 | View Replies]

To: dayglored

Naw, I’m on vacation for my 66th birthday today. . . Going to the Reagan Library tomorrow at 2PM. I knew Reagan personally but this will be my first visit to the Library. My girlfriend arranged this trip as my present.

I always find it easy to remember D-Day..

I’m laying back in our luxury hotel suite before dressing for my birthday dinner. . . Later.


45 posted on 06/06/2015 4:25:22 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 42 | View Replies]

To: dayglored

LOL
Sometimes I read to learn something I need to know. I am happy with Windows. My daughter has a Mac and an iPhone.


46 posted on 06/06/2015 4:26:24 PM PDT by MEG33 (God Bless America And Our Troops)
[ Post Reply | Private Reply | To 40 | View Replies]

To: Swordmaker

iBrute was simply a proof of concept - that didn’t mean other implementations didn’t exist secretly for months prior to the leaking. There have been no independent investigation results released dealing with the hacking that I can find. Only vague assumptions about how it could have been done - even from Apple. That Apple’s own internal investigation says “it wasn’t our fault!” means nothing, unless you also believe the current presidential administration when they say the same thing.

In fact, leaks show that Apple knew about the exploit 6 months prior to the release of photos, and did nothing about it:

http://www.dailydot.com/technology/apple-icloud-brute-force-attack-march/

“Analysis of the photos showed that many, in fact most, of the celebrity pictures were never on iCloud and had metadata that showed they came from Windows computers, Android phones, regular digital cameras (and some even digitized from film cameras images), movie clips, and other sources, which would not have been uploaded to iCloud from an Apple device.”

Link to this analysis? I’ve been unable to find anything of the sort.

I can’t tell if you’re unwilling to admit Apple was at fault, or simply unable. You have literally no evidence for any of your assertions, only your faith.

“iBrute would not have worked on iCloud except on those two words.”

Again, iBrute was a proof of concept. If a system allows you to guess passwords infinitely (as Apple’s system apparently did, through FindMyiPhone), a brute force method will always, eventually, work. Every CISSP knows this.


47 posted on 06/07/2015 5:25:05 AM PDT by Echo4C (We have it in our power to begin the world over again. --Thomas Paine)
[ Post Reply | Private Reply | To 26 | View Replies]

To: for-q-clinton

48 posted on 06/07/2015 11:39:51 AM PDT by 2ndDivisionVet (You can help: https://donate.tedcruz.org/c/FBTX0095/)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Echo4C; for-q-clinton; Star Traveler; dayglored; Loud Mime; itsahoot; amigatec; PA Engineer; ...
iBrute was simply a proof of concept - that didn’t mean other implementations didn’t exist secretly for months prior to the leaking. There have been no independent investigation results released dealing with the hacking that I can find. Only vague assumptions about how it could have been done - even from Apple. That Apple’s own internal investigation says “it wasn’t our fault!” means nothing, unless you also believe the current presidential administration when they say the same thing.

No, you are arguing with "facts" not at all in evidence and if such an exploit was in the wild it would be known. It simply was not. iBrute was the only one for this vulnerability and iBrute used the 500 most common passwords which was coded into it to link to it. In fact the testers had to add their passwords into that dictionary for it to be able break into their own accounts.

There have been independent investigations released and I am not going to repeat what was released again here to satisfy you. . . and they were not "vague assumptions" but factual conclusions.

I posted that article you linked to in March of 2014, which was not related at that time to "FindMyiPhone" but to merely logging on to Apple accounts. In fact, Apple DID fix that vulnerability that Ibrahim Balic wrote to them about shortly after being notified, and Apple gave him credit for finding it. Just because an email that The Daily Dot acquired mentions something similar does not mean it is the same vulnerability. Apple closed all of those vulnerabilities quickly after that, but missed the fact that FindMyiPhone somehow was not included in the fix. That was Apple's bad.

However, Echo4C, the FindMyiPhone vulnerability was NOT the source of the celebrity photos.

The facts are that the FindMyiPhone flaw was discovered only two days before the release of iBrute (which is a very simple script exploit) and, as I mentioned, the "Fappening" offer of the celebrity nudes was already being offered for sale on 4Chan.com and Reddit.com for three to four weeks BEFORE the discovery of the flaw in FindMyiPhone and the release of iBrute. That is a fact. Now add that the investigations, discoveries, revelations, and complaints from the people who HAD purchased the photos revealed on 4chan and reddit afterwards about the photos' real sources, gained from examining the photos' metadata, make it plain the majority did not come from Apple's iCloud. The seller also finally admitted he had not really "hacked" iCloud. . . but was merely selling his collection of several years, from which he had been buying and trading with other members of a clandestine group of similar sellers and traders in a private newsgroup.

The FindMyiPhone vulnerability did exist and was revealed publicly on a Friday morning, but closed quickly by Apple by Tuesday. iBrute was released on Saturday evening to early Sunday morning, depending on where in the US you live. The "Fappening" hit the news on Monday after the seller announced he'd "hacked" Apple's "un-hackable" iCloud to steal the photos. It is a truism that if you add Apple to any headline, you will gain attention. He did.

I pointed out in my coverage that while the vulnerability existed, the time frames didn't work for the theft of the celebrity photos to be true. The download times did not jibe with the discovery times and the announcements. It just did not make sense. The seller would have to have a lot more resources at his beck and call than would be normally available to even start attempting it for what he seemed to be.

I explained that while the ability to try passwords did not cut out after five attempts as it did on all other log-in attempts on other Apple account log-ins, each attempt required a new log into the entire process and you have to know the user's Apple ID to even begin. Each time to even start, that ID has to be re-entered in a browser, and then a new passcode has to be attempted. . . and then you are taken back to square one if it fails to start over. It is not a quick process. Automating it cannot speed up the process by much because of the speed of the internet is the limiting factor. Apple also included an increasing time delay between each attempt. Therefore a high velocity brute force system cannot try multiple passwords as rapidly and takes much longer than you might think.

There are 223 characters accessible from the Apple keyboard and all of them are permitted in a password. An AppleID password can be 8 to as long as 256 characters. . . but let's just limit it to 8 characters. It must include at least one upper and one lower case letter, one number, and one keyboard accessible symbol, and it cannot have more than three consecutive identical characters. The potential number of passcodes is 8^223 = 2.44944165532867 x 10^201 possible passcodes. That number is astronomical. If we were to just limit it to upper and lower case letters and numbers, the number is 9.80797146154169 x 10^55, but that is not Apple's requirement. No brute force method can possibly break into a passcode with that many possibilities using a dictionary means. . . they'd have to be extremely lucky to even get ONE in a weekend, much less hundreds of random celebrities, AND download thousands of nude photos.

I provided links at that time and I am not interested in searching all that out again.

The FindMyiPhone vulnerability was not a device-level vulnerability or problem. It was a problem at the server level and involved only changing the code at the server to include the same code already being used for log-in for all other account access to iCloud. Problem solved.

iBrute was not a "proof of concept" but was actually released into the wild. Proof of concept exploits are sent to computer security companies or shown at white hat conferences. This was not. . . it was immediately made available for anyone to use. Sorry. You are just wrong on this.

As part of that coverage, I did the analysis of the passcodes in the dictionary that iBrute linked to and posted the results on Freerepublic. Twenty-two of the 500 most commonly used passwords were long enough and included numbers and only two of those included numbers and a symbol. That was all that met Apple's requirements to be accepted as a legitimate iCloud passcode. However, in the linked dictionary were two passcodes completely unlike all the rest of the passcodes in the dictionary (I cited both in my coverage). . . those that were the passwords apparently owned and tested by the author and his tester that they obviously added so that iBrute would work on their iCloud accounts.

The fact is that some of the celebrities' photos did indeed come from iCloud. . . but every one of them had their iCloud passwords changed so that a hacker could get access. The hacker did NOT get access through a brute force trial-and-error attempt. Instead they broke in by answering the celebrities' too-easy-to-answer self-selected security questions. Questions such as "What was the name of the elementary school you attended in third grade?" are facts that are almost impossible to determine for John and Jane Doe nobodies, but for a celebrity, that data is easily learned from the biographies generally published in fanzines. The same for such questions as "What was the name of your first pet?" That's covered in the bio, too. The group that steals these photos stated they use this technique to get into celebrity accounts all the time. . . and that they also befriend the celebrities to gain the knowledge to do it. This was all uncovered in the investigation.

The records at Apple showed that the compromised celebrity accounts ALL had their passwords CHANGED by use of "I forgot my password" and the use of the "security question" means of password changing. The celebrity had to change them back, and frequently had to have help to do that because the hacker changed their security questions as well as the password!

49 posted on 06/07/2015 1:11:05 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 47 | View Replies]
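The exchange between Echo4C (#47) and Swordmaker (#49) turns on two separable questions: what an endpoint without a failed-attempt limit gives an attacker that a locked-down endpoint does not, and how much a password policy shrinks a common-password list before a single guess is sent. The simulation below is an added example and is not code from the article, from iBrute or from Apple. The login endpoint, the five-failure lockout, the password policy and the word list are all constructed assumptions; the keyspace helper raises the alphabet size to the password length, which is the order of base and exponent that matters when sizing an exhaustive search.

```python
# Added example for this thread, not code from the article, iBrute or Apple.
# The endpoint, lockout threshold, password policy and word list are all
# constructed assumptions for illustration.
import re
from dataclasses import dataclass

# Constructed stand-in for a "most common passwords" list (not a real top-500).
COMMON_PASSWORDS = [
    "123456", "password", "Password1", "qwerty", "Welcome1", "letmein",
    "Baseball1", "Summer2014", "P@ssw0rd", "iloveyou", "Princess1",
    "Monkey123", "Trustno1", "football",
]


def meets_policy(pw, min_len=8, need_symbol=False):
    """Assumed policy: min length, one upper, one lower, one digit, optionally
    one symbol, and no more than three identical characters in a row."""
    if len(pw) < min_len:
        return False
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]"] + ([r"[^A-Za-z0-9]"] if need_symbol else [])
    if not all(re.search(c, pw) for c in classes):
        return False
    return re.search(r"(.)\1{3}", pw) is None


def policy_filter(words, **policy):
    """Drop guesses the server would reject as an invalid password anyway."""
    return [w for w in words if meets_policy(w, **policy)]


@dataclass
class Account:
    password: str
    failures: int = 0
    locked: bool = False


class LoginEndpoint:
    """Simulated server-side login. lockout=True models a five-strikes rule
    applied to most logins; lockout=False models an endpoint that omits it."""

    def __init__(self, accounts, lockout=True, max_failures=5):
        self.accounts, self.lockout, self.max_failures = accounts, lockout, max_failures
        self.attempts = 0  # every request the server saw, successful or not

    def login(self, user, guess):
        self.attempts += 1
        acct = self.accounts[user]
        if self.lockout and acct.locked:
            return "locked"
        if guess == acct.password:
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.lockout and acct.failures >= self.max_failures:
            acct.locked = True
        return "fail"


def dictionary_attack(endpoint, user, wordlist):
    """Try each word once; stop on success or lockout.
    Returns (recovered_password_or_None, attempts_used)."""
    for guess in wordlist:
        result = endpoint.login(user, guess)
        if result == "ok":
            return guess, endpoint.attempts
        if result == "locked":
            return None, endpoint.attempts
    return None, endpoint.attempts


def compare_endpoints(target="Monkey123"):
    """Same victim, same policy-filtered word list, with and without lockout."""
    wordlist = policy_filter(COMMON_PASSWORDS)
    results = {}
    for mode in ("lockout", "no_lockout"):
        ep = LoginEndpoint({"victim@example.com": Account(target)},
                           lockout=(mode == "lockout"))
        results[mode] = dictionary_attack(ep, "victim@example.com", wordlist)
    return results


def keyspace(alphabet_size, length):
    """Passwords of exactly `length` over `alphabet_size` symbols: the alphabet
    size is the base and the length is the exponent."""
    return alphabet_size ** length


def years_to_exhaust(space, guesses_per_second):
    """Wall-clock years to try every password at a fixed online guess rate."""
    return space / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("policy-compliant guesses:", policy_filter(COMMON_PASSWORDS))
    print(compare_endpoints())
    print("years to exhaust 62^8 at 10 guesses/s:",
          round(years_to_exhaust(keyspace(62, 8), 10)))
```

Run stand-alone, the no-lockout endpoint yields the password on the seventh request while the lockout endpoint answers "locked" on the sixth; that one missing check is the entire difference between the two servers, and it is a server-side fix, as #49 says. The keyspace figure shows the other half of the argument: exhausting 62^8 at a few guesses per second takes hundreds of thousands of years, so an online attacker does not enumerate the keyspace, they send the short policy-filtered list of passwords people actually choose, and only a per-account limit (or a second factor) stops that.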

To: Swordmaker

Wow someone struck a nerve to get that much damage control from you!

So to net this out, Apple has an issue where it may or may not have been exploited. And if exploited by big govt hackers we probably will never know.


50 posted on 06/07/2015 2:08:39 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 49 | View Replies]

To: for-q-clinton; Echo4C; Star Traveler; dayglored; Loud Mime; itsahoot; amigatec; PA Engineer; ...
Wow someone struck a nerve to get that much damage control from you!

Oh BS, for-q-clinton! I just don't like FUD, which is what all of these articles leading up to the WWDC are. I just provided the proof as I usually do.

51 posted on 06/07/2015 9:59:13 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 50 | View Replies]

To: Swordmaker

Lol. Like I said. Spin please.


52 posted on 06/08/2015 5:36:55 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 51 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson