Friday, December 31, 2010

Android Trojan - Geinimi Raising the Bar...

A new Android Trojan has been found in the wild, and it has botnet-like capabilities.
Named Geinimi, it is the most sophisticated Android malware to date. Its impact is apparently limited, as the infected apps are available only on Chinese Android app markets. That's not to say it couldn't be packaged for other geographic regions, only that it hasn't been done as of yet.
 
The list of compromised applications includes Monkey Jump 2, President vs. Aliens, City Defense and Baseball Superstars 2010. The original versions in the official Android Market are not affected. Geinimi spreads by being grafted onto repackaged versions of legitimate applications, which are then distributed in Chinese Android application markets. The compromised applications request extensive permissions, and once installed on an Android phone, Geinimi can send personal data off the phone and accept commands from the remote control server.

When the application is launched, the Trojan lurks in the background collecting user information: location coordinates and the phone's unique IMEI and SIM identifiers. At 5-minute intervals, Geinimi attempts to connect to a remote server and transmit the collected data. Geinimi currently communicates with 10 domain names, including widifu.com, udaore.com, frijd.com, islpast.com and piajesj.com.
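The 5-minute check-in described above is the kind of pattern a network defender can hunt for in proxy or DNS logs. The Python script below is an added example, not code from the original post or from any Geinimi analysis: it groups requests by client and destination, measures the spacing between them, and flags pairs whose gaps are nearly constant. The log format (epoch time, client IP, domain) and the sample lines are constructed for the demo; the only name taken from the post is the widifu.com domain.

```python
"""
Added example (not from the original post): flag hosts that contact a domain at
near-fixed intervals, the check-in pattern the post describes for Geinimi.
Input lines are "<epoch> <client_ip> <domain>"; that format is an assumption.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: 10.0.0.5 checks in to widifu.com roughly every 300 s
# (a few seconds of jitter); 10.0.0.7 browses irregularly.
SAMPLE_LOG = """\
1293753600 10.0.0.5 widifu.com
1293753601 10.0.0.7 example.org
1293753902 10.0.0.5 widifu.com
1293753950 10.0.0.7 example.org
1293754199 10.0.0.5 widifu.com
1293754498 10.0.0.5 widifu.com
1293754510 10.0.0.7 news.example.net
1293754803 10.0.0.5 widifu.com
1293755100 10.0.0.5 widifu.com
1293755700 10.0.0.7 example.org
"""


def parse_log(text):
    """Yield (timestamp, client, domain) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2]
        except ValueError:
            continue


def find_beacons(text, min_hits=4, max_rel_jitter=0.05):
    """
    Return {(client, domain): mean_gap_seconds} for pairs whose request
    spacing is regular: at least min_hits requests, and the standard
    deviation of the gaps no more than max_rel_jitter times the mean gap.
    """
    times = defaultdict(list)
    for ts, client, domain in parse_log(text):
        times[(client, domain)].append(ts)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_rel_jitter * avg:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (client, domain), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: regular check-in every ~{gap:.0f}s")
```

Adapt parse_log to your own proxy or resolver log format. Legitimate pollers (update checkers, mail clients) also show regular spacing, so treat a hit as a lead to confirm against the destination rather than a verdict.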


Based on analysis of the malware code, the Trojan can also download an app and prompt the user to install it, prompt the user to uninstall an app, and send a list of installed apps to the server.
Since Geinimi still requires the user to confirm adding or removing an app, users should be vigilant about every install and uninstall. Users should also download applications only from reputable app markets, and check what permissions an app requests to ensure they match the app's features.

The malware authors have definitely "raised the bar": Geinimi obfuscates its activities using an off-the-shelf bytecode obfuscator, which makes the code hard to decompile, and encrypts significant chunks of its command-and-control data, substantially increasing the effort required to analyze it.


Wednesday, December 29, 2010

Stuxnet Trojan Wreaking Havoc in 2011?

The Stuxnet Trojan may have knocked out as many as 1,000 centrifuges at Iran's nuclear facility earlier this year. According to a Dec. 24 article in the Jerusalem Post, Stuxnet may have hit as many as 1,000 of the approximately 10,000 IR-1 centrifuges at Iran's Natanz uranium enrichment facility. This is based on a paper from the Washington-based Institute for Science and International Security, which analyzed the malware's code. The virus caused the engines in Iran's IR-1 centrifuges, which normally run at 1,007 cycles per second, to speed up to as fast as 1,064 cycles per second, and the resulting vibrations broke the motors. Stuxnet was meant to be subtle and work slowly, causing "small amounts of damage" that would not make the system operators suspect malware.

If you recall, Stuxnet infected machines via USB thumb drives, exploiting an AutoRun bug in the Windows operating system. Once on a machine, the malware checked for software that runs Supervisory Control and Data Acquisition (SCADA) systems, often used to monitor automated industrial processes. If the infected machine happened to have logic controllers from Siemens, Stuxnet logged in using the software's default password, which is the same for all Siemens controllers.

Future Stuxnet variants may be able to attack critical physical infrastructure such as power grid controls or electronic voting systems. Enterprises have a number of systems and software that still have factory default passwords, or passwords so deeply embedded that they can't be changed by the customer. Such was the case with Cisco's Unified Video Conferencing 5100 series products, which had a hardcoded password for several accounts that couldn't be changed or deleted. Cisco announced a free software upgrade to close the vulnerability in November, and also suggested a workaround in which access to the Cisco UVC Web server was limited to trusted hosts via access control lists on the network's routers and switches.

Security analysts have speculated that Stuxnet used thumb drives to spread because many SCADA systems are not connected to the Internet but do have a USB port. Once on a device, it can replicate over the local network. The point of entry can be something as innocuous as a programmable, network-ready coffee maker, many of which come with USB ports. While Stuxnet has hit computers in various countries, including the United States, Indonesia, Malaysia, the United Kingdom and Australia, Iran was perhaps the hardest hit, with over 62,000 infected machines.

Thursday, December 23, 2010

Merry Christmas - Another IE 0 Day

I'm guessing Santa got his lumps of coal mixed up with a bag of exploits. This exploit has been discussed over the last day or so on Full Disclosure and a number of other sites. Metasploit already has a module available for it (just search for CSS & IE). Microsoft has put out advisory 2488013 regarding the issue (http://www.microsoft.com/technet/security/advisory/2488013.mspx). The issue is triggered when a specially crafted web page is viewed and could result in remote code execution on the client.

Microsoft suggests using the Enhanced Mitigation Experience Toolkit (EMET) to help address the issue. Details on that, and a little more on the exploit, can be found here: http://blogs.technet.com/b/srd/archive/2010/12/22/new-internet-explorer-vulnerability-affecting-all-versions-of-ie.aspx

Thursday, December 2, 2010

Cyber-espionage At the Crossroads


Aurora and Stuxnet - here to stay
It has been a milestone week in cyber-espionage developments. It sounds like something out of a spy movie: a confession, a killing, and a leaked intelligence cable. Iranian President Mahmoud Ahmadinejad issued a statement that "enemies" of Iran had successfully used software to disrupt centrifuges in Iran's nuclear facility, Iran's top nuclear scientist was assassinated, and a U.S. State Department cable obtained by WikiLeaks suggested the Chinese government had ordered the Aurora attack against Google.

While the attacks on Google, Adobe, Intel, and other U.S. companies earlier this year served as a big wake-up call to Corporate America, the Stuxnet worm shook the SCADA and critical infrastructure industry with a reality check that even physical equipment without Internet access isn't immune to attack. 

Speculation that the Chinese government was somehow behind the Aurora attacks has been rampant since Google in January first revealed it had been hacked. And while Stuxnet was aimed specifically at Siemens' SIMATIC WinCC and PCS 7 systems and appeared to be focused on Iran's nuclear facility, there had been no solid indication whether Stuxnet had successfully executed its mission.
But both cases hit the headlines again this week in a big way: Ahmadinejad acknowledged publicly that "enemy" code disrupted a "limited" number of Iran's centrifuges. He didn't reference Stuxnet by name, but security experts believe he was referring to the now-infamous worm: "They succeeded in creating problems for a limited number of our centrifuges with the software they had installed in electronic parts," he said in a press briefing. "They did a bad thing. Fortunately our experts discovered that and today they are not able [to do that] anymore." 

Operation Aurora also re-emerged in the news, with reports that among the State Department cables leaked by WikiLeaks was one that implicates the Chinese government in the attacks on Google. According to a report in The New York Times, "China's Politburo directed the intrusion into Google's computer systems in that country, a Chinese contact told the American Embassy in Beijing in January, one cable reported. The Google hacking was part of a coordinated campaign of computer sabotage carried out by government operatives, private security experts and Internet outlaws recruited by the Chinese government. They have broken into American government computers and those of Western allies, the Dalai Lama and American businesses since 2002, cables said." 

Adding to the intrigue of the possible Iranian nuclear plant incident, a scientist described as Iran's top Stuxnet expert was killed this week either by a targeted bombing attack or a shooting ambush, according to news reports. Of course, plenty of unanswered questions still remain, and experts say these developments could ultimately be dead ends that can't easily be confirmed. Either way, the Aurora and Stuxnet attacks are classic espionage with a twist. 

Wednesday, December 1, 2010

Qakbot Trojan - Fast-spreading attack against U.S. financial institutions

This sort of thing isn't particularly new, but the Qakbot Trojan has recently been causing plenty of ripples in the security pond. Qakbot is different in that it almost exclusively targets U.S. financial institutions. It is also the first Trojan to exclusively target business and corporate accounts at these institutions. The goal is to siphon out larger sums of money, much more than would generally be available in private online accounts. While Qakbot is not the first or only Trojan to target such accounts, it is the only one that shows this type of strict 'preference' by design, with no exceptions. How does Qakbot infect its prey? It doesn't appear to use the HTML or JavaScript code injections or man-in-the-browser attacks that are typically used to circumvent two-factor authentication mechanisms.

Qakbot is designed to spread like a worm -- infecting multiple machines at a time -- while also stealing data like an ordinary bank Trojan. Qakbot targets shared networks, copying its executable file into shared directories, a technique that enables it to propagate on corporate networks. In addition, Qakbot is the first Trojan to separate targeted credentials from other stolen information. The targeted credentials are sent to Qakbot's drop server, while credentials stolen from entities that are not specifically targeted by Qakbot are uploaded to hijacked FTP accounts on legitimate FTP servers.

The sheer volume and detail of information stolen by Qakbot is astounding. Every time an infected user accesses an entity’s website, the Trojan organizes data transmitted from the victim’s machine into three separate files ... These files are organized per user and are complete with comprehensive system and user-account information. All this information is likely aggregated by Qakbot's authors to research future possible exploits.


Qakbot's most famous victim to date is the National Health Service (NHS), the U.K.'s publicly funded healthcare system. Qakbot infected more than 1,100 computers at the NHS, and while there was no evidence that patient data was compromised, 4 GB of credentials from Facebook, Twitter, Hotmail, Gmail and Yahoo were seen being funneled through NHS-monitored servers. Qakbot also features a unique, self-developed compression format for the credentials it steals -- the first such programming feat of its kind. The Qakbot authors' proprietary archive format forces security researchers to dedicate a considerable amount of time and effort to writing an appropriate decompressor.

Unlike some other Trojans, Qakbot's distribution is "quite limited, so it is likely privately owned and operated by a single cybercriminal or gang, as opposed to being commercially available in the underground."

Tuesday, November 30, 2010

WikiLeaks Denial of Service (DoS) Attacks...

WikiLeaks was hit by another denial-of-service attack today. Though the attack initially focused on cablegate.wikileaks.org, the site WikiLeaks is using to host its cache of diplomatic cables, the attackers eventually moved on to wikileaks.org. Earlier today, WikiLeaks posted on its Twitter feed that the attack had exceeded 10 gigabits per second.

A similar situation arose Nov. 28, just hours before WikiLeaks began posting more than 250,000 U.S. embassy diplomatic cables online. In that case, a Twitter user going by the name th3j35t3r (“Jester”) claimed responsibility for the attack in a tweet, and listed a number of other sites along with the message “TANGO DOWN” to indicate they had been taken down as well. As of publishing, both the wikileaks.org and cablegate.wikileaks.org sites were back online.

Among the cables is a document accusing the Chinese government of directing the Aurora attack that impacted Google, Adobe Systems, Juniper Networks and numerous other companies. China has denied any involvement in the attack in the past, and has reportedly blocked access to the WikiLeaks site from China since Monday. Another cable discussed the possible implications of a future collapse of North Korea. Hong Lei, a spokesman for China's Foreign Ministry, was quoted as saying at a Beijing news conference on Tuesday: "We hope the U.S. side will handle the relevant issues. As for the content of the documents, we will not comment on that."

Monday, November 22, 2010

Hackers Targeting Black Friday, Cyber Monday.......

Attackers have set their sights on holiday shoppers searching for leaked Black Friday ads, creating malicious sites that appear on search engine result pages, according to a Nov. 18 alert by SonicWall. The warning comes as shoppers prepare for the 2010 holiday shopping season. Security experts discovered "polluted" results appearing in search engine results for holiday shopping-related terms in advance of Black Friday sales next week. These links take users to a malicious site that tricks them into downloading malware. The terms include "Walmart Black Friday Sales 2010," "Black Friday" and "Cyber Monday". Cyber-criminals view popular search terms as a lucrative target because the terms reflect what people are interested in. With the holiday shopping season approaching, consumers are searching online for the best deals and discounts, so it goes without saying that hackers are "going to try" to take advantage of the holiday traffic.

Criminals create pages that are heavily search-engine optimized, with keywords reflecting currently popular search terms. They also seed keywords and links in comments to boost the malicious pages' search engine rankings. Even if a page ranks for only an hour or two, it drives traffic to the malicious pages for that time.

In what is called SEO poisoning, hackers create these pages, which Google and other search engines pick up thinking they are legitimate and return when users type in the search terms. Clicking on one of the malicious links redirects the user to another page with embedded JavaScript code that checks the user's Web browser. The next step varies by browser. Users with Internet Explorer are redirected to a fake antivirus landing page claiming the computer is infected by several Trojans. Firefox users are redirected to a fake update page suggesting the user's Flash player is out of date: "Firefox is outdated, also your current version of Flash Player can cause security and stability issues. Please install the free update as soon as possible."
The fake Flash update file downloads the fake antivirus onto the computer and modifies the registry so that the Trojan runs at system start-up. It also posts confidential data back to remote servers and redirects the browser to open more pop-up windows.

The infected machines send encrypted data back to a specific site in a pattern that "looks similar" to InfoStealer Trojan activity. Mac OS X users running Firefox or Internet Explorer will encounter the same malware, and it can be downloaded onto the Mac if they click on those links; however, it is not likely to execute on the Mac.

Varying the malware based on the user's browser is a common tactic: the attacker is "maximizing the number of potential victims" by "customizing" the behavior to browser-specific vulnerabilities.
The returned search results have titles like "Walmart Black Friday 2010" and the same phrase embedded in the URL. Since many of the sites are already known to be malicious, Firefox and Google are able to flag the links accordingly. Hackers are also using Best Buy-related search terms, such as "Best Buy Black Friday 2010 deals," to push fake antivirus software called "Internet Security Suite."

As Black Friday draws closer, we will certainly see an increase in activity involving these tactics. Spammers and hackers often take advantage of current events, popular trends and holidays such as Halloween to target users. Before shopping online, make sure that your operating system, browser and security software are up to date, and enable secure browsing in your Web browser before going to unknown sites.

Friday, November 5, 2010

Defeating Drive-by Downloads in Windows



The Problem

Drive-by downloads have been a problem for a number of years now. This avenue of attack has become more popular as attackers have developed more techniques to direct visitors to their exploit websites. The three most common scenarios are search engine poisoning, malicious forum posts, and malicious Flash ads. These are complex, multi-step attacks that build upon each other to eventually install some sort of malware on the victim's machine. I call this series of steps the "Chain of Compromise" (I've also heard it described as the kill chain). It's our job as the defense to break that chain as early as possible. If we allow it to complete, then we have a real incident on our hands.

Countermeasures

There are a number of system countermeasures that you could use to defeat drive-by attacks. I've got an incomplete list below comparing their average cost to install, both monetarily and by a rough measure of the technical effort required (the "tinker-factor").

Countermeasure | Cost | Tinker-Factor
Anti-Virus | Free to $80 USD | Low
Web-filter | Free to Thousands | Medium to High
Alternative Browser | Free | Low to Medium
No-script | Free | Medium
Adblocker | Free | Low
Flashblock | Free | Low
OpenDNS | Free | Medium
Alternative Document Viewer | Free | Low to Medium
Executable Whitelist | Free to Hundreds | High
Full-proxied Environment | Hundreds to Thousands | Medium to High
IPS | Free to Thousands | Medium to High
Disable Administrator rights | Free | Low to Medium
Masquerade User-Agent | Free | Low
DEP/ASLR | Free | Low to Medium

  • Anti-Virus: not much to say about this; everyone has it now, and it's the countermeasure that gets the most attention from attackers. It's easily evaded with minimal effort.
  • Web-filter: this could be on the system itself, or injected through a web proxy. Free options include K9.
  • Alternative Browser: something other than IE or Firefox. By moving to a less-popular browser you step out of the line of fire in most cases. At the least, it reduces your attack surface to your office/document viewers (e.g. Flash, Acrobat, etc.).
  • No-script: allows you to block execution of JavaScript on new/unknown sites.
  • Adblocker: typically used to avoid annoying advertisements; a bit controversial since websites are supported by their ad revenue, but increasingly a necessity due to poor quality control and security measures at ad servers.
  • Flashblock: like No-script, but for Flash. Allows you to run Flash when you need it, and block it from unknown/unexpected sources.
  • OpenDNS: if you use OpenDNS for your domain name resolution, it can block requests to suspicious/malicious destinations.
  • Alternative Document Viewer: use an alternative PDF viewer to avoid a number of Adobe Acrobat vulnerabilities and avoid executing unnecessary code. You'll likely lose the ability to use interactive PDF forms, but you could always keep a copy of Acrobat Reader handy for the few times you need it.
  • Executable Whitelist: this is the ideal defense against unknown code executing on your system. It's also extremely difficult to maintain over time.
  • Full-proxied Environment: don't let your systems have direct access to the Internet; proxy all outbound requests. This is extremely effective against most backdoors and infected systems that reach out to command and control servers via something other than HTTP/HTTPS (malware that does use HTTP/HTTPS often hijacks the browser for this purpose and thus inherits the proxy settings).
  • IPS: either a host-based or network-based IPS capable of blocking known exploits.
  • Disable Administrator Rights: if the victim account is not running as administrator, some of the follow-on damage from a compromise can be limited. However, this does not prevent the compromise in most cases.
  • Masquerade User-Agent: some browsers and some add-ins allow you to alter the user-agent and other identifying information to thwart targeted attacks.
  • DEP/ASLR: Data Execution Prevention and Address Space Layout Randomization help protect Internet Explorer from certain classes of exploits at the cost of some functionality.

Now we'll see how these countermeasures stack up against the attackers in a few scenarios.

Scenario 1: Search Engine Poisoning

In our first scenario, the attackers have set up a network of compromised websites that redirect the visitor to one of their exploit servers. The exploit server hosts JavaScript that effectively scans the potential victim for the versions of the browser, Java, Flash and PDF client. Based on the results of the scan and the geo-location of the victim's IP address, the exploit server launches a targeted attack against any vulnerable browser, Java, Flash or PDF client on the system. If the attack is successful, the victim's machine downloads a payload from the attackers' payload server. This is exploit-as-a-service: this criminal group offers to deliver another criminal group's payload to a certain number of IP addresses in a certain geographical region. This is how they make their money: they build and maintain the infrastructure of redirect servers, exploit servers and download servers, and this infrastructure is then rented out to other groups. In addition to building the infrastructure, they also spend a lot of time promoting their redirect sites in common search engines.

So, in our scenario, our victim goes to their favorite search engine looking for "holiday cookie recipes", and among the search results are a number of links that lead to one of our attacker's redirect sites. Let's say the victim queues up a number of these in their browser tabs.
  1. The browser opens a connection to one of the redirect sites, which uses a meta-refresh, an iframe, or a 302 response to direct the user to the exploit site.
  2. The exploit site delivers a set of JavaScript routines to the browser.
  3. These routines identify version information for the browser, Java, Flash and the PDF reader.
  4. The exploit server returns the exploit that is most likely to succeed.
  5. The victim's application is exploited and commanded to pull down and execute the downloader code (either from the exploit site itself or from the downloader site).
  6. The downloader code executes on the system; it downloads the additional payload and executes it on the victim's system.
  7. The victim's system now needs to be re-imaged.
Use the table below to map out which countermeasures are effective at which stage of the attack. Keep in mind that the earlier you break the chain, the better it is for your environment. Compare this to the costs above and see if you can identify the best defense strategy for this scenario.
Key: "-" denotes no impact; Potential (the tables also write this as Possible) means that under the best conditions the countermeasure is effective; Likely means it's effective more often; and Complete means it is near-certain to work.

Countermeasure | Redirect Site | Exploit Site | Java-script Recon | Browser Exploit | Flash Exploit | PDF Exploit | Download Site | Downloader code | Secondary Payload | Command and Control Established
Anti-Virus | - | - | - | - | - | - | - | Potential | Potential | -
Web-filter | Potential | Potential | - | - | - | - | Potential | - | - | Potential
Alternative Browser | - | - | - | Likely | - | - | - | - | - | -
No-script | - | - | Complete | - | - | - | - | - | - | -
Adblocker | - | - | - | - | - | - | - | - | - | -
Flashblock | - | - | - | - | Complete | - | - | - | - | -
OpenDNS | Potential | Potential | - | - | - | - | Potential | - | - | Potential
Alternative Document Viewer | - | - | - | - | - | Potential | - | - | - | -
Executable Whitelist | - | - | - | - | - | - | - | Complete | Complete | -
Full-proxied Environment | - | - | - | - | - | - | - | - | - | Likely
IPS | - | - | Possible | Likely | Possible | Possible | - | Possible | Possible | Possible
Disable Administrator rights | - | - | - | - | - | - | - | - | - | -
Masquerade User-Agent | - | - | - | Possible | - | - | - | - | - | -
DEP/ASLR | - | - | - | Possible | - | - | - | - | - | -

Scenario 2: Malicious Forum Post

In our second scenario, our same attacker group is hosting an exploit infrastructure and getting paid to install malicious payloads. Instead of using search engine poisoning and redirect sites, they are exploiting vulnerabilities in common forum software to inject iframes into forum posts. Here our victim is reading up on solutions to a pesky automobile problem and is searching Internet forums for advice. They happen upon a thread in which one of the attackers has placed a malicious comment. This kicks off a series of events very similar to Scenario 1.


Countermeasure | Forum iframe | Exploit Site | Java-script Recon | Browser Exploit | Flash Exploit | PDF Exploit | Download Site | Downloader code | Secondary Payload | Command and Control Established
Anti-Virus | - | - | - | - | - | - | - | Potential | Potential | -
Web-filter | - | Potential | - | - | - | - | Potential | - | - | Potential
Alternative Browser | - | - | - | Likely | - | - | - | - | - | -
No-script | - | - | Complete | - | - | - | - | - | - | -
Adblocker | - | - | - | - | - | - | - | - | - | -
Flashblock | - | - | - | - | Complete | - | - | - | - | -
OpenDNS | - | Potential | - | - | - | - | Potential | - | - | Potential
Alternative Document Viewer | - | - | - | - | - | Potential | - | - | - | -
Executable Whitelist | - | - | - | - | - | - | - | Complete | Complete | -
Full-proxied Environment | - | - | - | - | - | - | - | - | - | Likely
IPS | - | - | Possible | Likely | Possible | Possible | - | Possible | Possible | Possible
Disable Administrator rights | - | - | - | - | - | - | - | - | - | -
Masquerade User-Agent | - | - | - | Possible | - | - | - | - | - | -
DEP/ASLR | - | - | - | Possible | - | - | - | - | - | -

There's really not much different in this table, so an effective strategy against malicious search engine results is similarly effective against malicious forum posts.

Scenario 3: Malicious Flash Ad

Much like the above two scenarios, but this one differs in how the victim reaches the exploit. In this case, during their lunch hour they browse over to their favorite news website. It's in your company's web-proxy whitelist because it's a "trusted site." Unfortunately, that website's advertisement broker didn't detect the redirect code hidden in the flash ad, so now your victim, who didn't click on the advertisement, is silently redirected to the exploit site.


Countermeasure | Visit Exploited News Site | View Malicious Ad | Exploit Site | Java-script Recon | Browser Exploit | Flash Exploit | PDF Exploit | Download Site | Downloader code | Secondary Payload | Command and Control Established
Anti-Virus | - | - | - | - | - | - | - | - | Potential | Potential | -
Web-filter | - | Potential | Potential | - | - | - | - | Potential | - | - | Potential
Alternative Browser | - | - | - | - | Likely | - | - | - | - | - | -
No-script | - | - | - | Complete | - | - | - | - | - | - | -
Adblocker | - | Likely | - | - | - | - | - | - | - | - | -
Flashblock | - | Complete | - | - | - | Complete | - | - | - | - | -
OpenDNS | - | Potential | Potential | - | - | - | - | Potential | - | - | Potential
Alternative Document Viewer | - | - | - | - | - | - | Potential | - | - | - | -
Executable Whitelist | - | - | - | - | - | - | - | - | Complete | Complete | -
Full-proxied Environment | - | - | - | - | - | - | - | - | - | - | Likely
IPS | - | - | - | Possible | Likely | Possible | Possible | - | Possible | Possible | Possible
Disable Administrator rights | - | - | - | - | - | - | - | - | - | - | -
Masquerade User-Agent | - | - | - | - | Possible | - | - | - | - | - | -
DEP/ASLR | - | - | - | - | Possible | - | - | - | - | - | -

Example Strategies

My home computer was compromised about a week ago by a FakeAV program. I was running an up-to-date, patched version of Windows 7 with Internet Explorer and anti-virus. So, basically, I really didn't stand a chance. The default strategy of "move to Firefox, install No-script, etc." wasn't a viable option at the time. My option was to focus more on OpenDNS and K9 to help keep me from getting redirected to known malicious websites to begin with. Yes, that machine is likely to get popped again, but it's a bit less likely.

If you look at the tables above, you'll note that the average user running Internet Explorer, Shockwave and Acrobat Reader and relying only on anti-virus doesn't stand much of a chance. On the other end of the spectrum, an environment that relies only upon an executable whitelist will certainly break the compromise chain, but very late in the event and at a likely large cost of effort. When giving advice on which browser to use, I often recommend Firefox, since it supports add-ons like Adblock, Flashblock and No-script. When we make such recommendations it never fails that someone will complain that their environment and circumstances are different. This is the primary motivator behind the capabilities-matrix approach: you can evaluate which countermeasures are appropriate, affordable and possible in your situation, and perhaps determine whether the payoff of a countermeasure is worth the investment.
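The capabilities-matrix approach lends itself to a small script. The Python below is an added example, not tooling from the original post: it encodes the Scenario 1 table and the tinker-factor column of the cost table as data, then reports the earliest stage at which a chosen set of countermeasures is rated at a given confidence, and how much tinkering that set costs. The numeric scale for ratings and tinker-factors, the reading of "Possible" as the table's spelling of "Potential", and the choice to count a range like "Low to Medium" at its upper bound are assumptions made here, not something the post specifies.

```python
"""
Added example (not from the original post): evaluate countermeasure sets against
the Scenario 1 chain of compromise using the post's own matrix as data.
"""

# Stages of the Scenario 1 chain, in the order the post lists them.
STAGES = [
    "Redirect Site", "Exploit Site", "Java-script Recon", "Browser Exploit",
    "Flash Exploit", "PDF Exploit", "Download Site", "Downloader code",
    "Secondary Payload", "Command and Control Established",
]

# Each entry: (tinker-factor from the cost table, Scenario 1 ratings in stage order).
MATRIX = {
    "Anti-Virus":                   ("Low",            "- - - - - - - Potential Potential -"),
    "Web-filter":                   ("Medium to High", "Potential Potential - - - - Potential - - Potential"),
    "Alternative Browser":          ("Low to Medium",  "- - - Likely - - - - - -"),
    "No-script":                    ("Medium",         "- - Complete - - - - - - -"),
    "Adblocker":                    ("Low",            "- - - - - - - - - -"),
    "Flashblock":                   ("Low",            "- - - - Complete - - - - -"),
    "OpenDNS":                      ("Medium",         "Potential Potential - - - - Potential - - Potential"),
    "Alternative Document Viewer":  ("Low to Medium",  "- - - - - Potential - - - -"),
    "Executable Whitelist":         ("High",           "- - - - - - - Complete Complete -"),
    "Full-proxied Environment":     ("Medium to High", "- - - - - - - - - Likely"),
    "IPS":                          ("Medium to High", "- - Possible Likely Possible Possible - Possible Possible Possible"),
    "Disable Administrator rights": ("Low to Medium",  "- - - - - - - - - -"),
    "Masquerade User-Agent":        ("Low",            "- - - Possible - - - - - -"),
    "DEP/ASLR":                     ("Low to Medium",  "- - - Possible - - - - - -"),
}

# Assumed ordinal scales; "Possible" is read as the table's spelling of "Potential".
RANK = {"-": 0, "Potential": 1, "Possible": 1, "Likely": 2, "Complete": 3}
TINKER = {"Low": 1, "Medium": 2, "High": 3}


def ratings(name):
    """Return one integer rating per stage for a countermeasure, checking row width."""
    row = MATRIX[name][1].split()
    if len(row) != len(STAGES):
        raise ValueError(f"{name}: {len(row)} ratings for {len(STAGES)} stages")
    return [RANK[r] for r in row]


def earliest_break(chosen, min_rating="Likely"):
    """
    Return (index, stage) for the first stage at which any chosen countermeasure
    is rated at least min_rating, or None if the chain is never broken that well.
    Earlier is better: the post's rule is to break the chain as early as possible.
    """
    need = RANK[min_rating]
    rows = [ratings(c) for c in chosen]
    for i, stage in enumerate(STAGES):
        if any(row[i] >= need for row in rows):
            return i, stage
    return None


def effort(chosen):
    """Sum of tinker-factors; a range such as "Low to Medium" counts at its upper bound (assumption)."""
    return sum(TINKER[MATRIX[c][0].split(" to ")[-1]] for c in chosen)


def compare(strategies, min_rating="Likely"):
    """Summarize each named strategy as (name, earliest break or None, total effort)."""
    return [(name, earliest_break(chosen, min_rating), effort(chosen))
            for name, chosen in strategies.items()]


if __name__ == "__main__":
    # Strategies discussed in the post, expressed as countermeasure sets.
    strategies = {
        "AV only (average user)": ["Anti-Virus"],
        "Executable whitelist only": ["Executable Whitelist"],
        "Firefox + add-ons": ["Alternative Browser", "Adblocker", "Flashblock", "No-script"],
        "OpenDNS + K9 (home fix)": ["OpenDNS", "Web-filter"],
    }
    for name, brk, cost in compare(strategies):
        where = f"stage {brk[0] + 1} ({brk[1]})" if brk else "never at Likely or better"
        print(f"{name:28} breaks chain at {where}; tinker effort {cost}")
```

Lowering min_rating to "Potential" shows where a cheap strategy such as OpenDNS plus a web filter can stop the chain at the very first stage on a good day, while the Likely threshold makes clear that only the browser add-ons and the whitelist break it dependably, and at which stage. Swap in the Scenario 2 or 3 rows to re-run the same comparison for forum posts or Flash ads.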


Tuesday, August 17, 2010

Android Game Doubles as Spy Application...

The application, known as Tap Snake, is a version of the 1970s video game 'Snake.' What you probably didn't know is that Tap Snake is also a client for a commercial spying application known as GPS Spy. Tap Snake looks like an average game, but it has two hidden features. First, the game won't exit: once installed, it runs in the background forever and restarts automatically when you boot the phone. Second, every 15 minutes the game secretly reports the GPS location of the phone to a server.

Once the game is installed, an attacker with physical access to the Android device can program the game to report the device's location to another system running GPS Spy. While the game is free, GPS Spy costs $4.99; the buyer installs the Tap Snake game on whatever device they want to spy on. GPS Spy downloads the data from the device running Tap Snake and displays it as location points in Google Maps. For it to work, an email address and "key" must be typed into the phone running AndroidOS.Tapsnake, and the same registration information must later be typed into the phone running GPS Spy.

Like all Android applications, Tap Snake requires users to grant it permission to do what it does so well.

Monday, August 16, 2010

iPhone Jailbreak Exploit Code Goes Public


The mind behind a new jailbreak for the iPhone has released the source code for his tool, which leverages two vulnerabilities in Apple's iOS mobile operating system that can be used to take over iPhone, iPad and iPod touch devices; in other words, he posted source code attackers could use to compromise devices. "Comex" posted the code for JailbreakMe 2.0 on the Web on Aug. 11, after Apple released a pair of fixes for the iOS bugs the jailbreak leverages. The first issue exploited is a FreeType CFF (Compact Font Format) handling issue, exploitable via Mobile Safari to gain access to affected devices. The second is an IOSurface framework issue that allows administrative privileges to be obtained. If the bugs are exploited successfully, they could allow an attacker to remotely compromise a device and take full control.

According to an advisory from Apple, the patches, which came roughly a week after JailbreakMe 2.0 hit the street, are available for iOS 2.0 through 4.0.1 on the iPhone 3G and later, iOS 2.1 through 4.0 on the iPod touch (second generation) and later, and iOS 3.2 and 3.2.1 for the iPad. See my earlier post on the iPhone jailbreak (http://darkcell9.blogspot.com/2010/07/jailbreaking-apple-iphone-gets.html).

Monday, August 9, 2010

The Hacker Manifesto

Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...

Damn kids. They're all alike.

But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?
I am a hacker, enter my world...

Mine is a world that begins with school... I'm smarter than most of the other kids, this crap they teach us bores me.. . Damn underachiever. They're all alike.

I'm in junior high or high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head..."  Damn kid. Probably copied it. They're all alike. I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me... Or feels threatened by me.. Or thinks I'm a smart ass.. Or doesn't like teaching and shouldn't be here...

Damn kid. All he does is play games. They're all alike.

And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. "This is it... this is where I belong..." I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all...

Damn kid. Tying up the phone line again. They're all alike...

You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.

This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals. Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike.