The Security Pub

Random Thoughts About Security

Apple Lied: Filed Patent for Mobile Device Tracking

Apple’s claims about the geolocation tracking of its customers via a stealth file maintained on devices running the iOS operating system are, well, “patently” false.

The stealth iOS file records geolocation information derived from triangulating the location of a device using the signals from the closest cell phone transmission towers and Wi-Fi access points. The data is continuously collected and recorded regardless of whether the user has chosen to disable location services features on their mobile device.

Apple released a statement earlier this week claiming that the data collection is caused by a software bug that will be remediated in a soon-to-be-issued update to iOS. Apple admitted that the information was being sent to the company, but maintains that it is unable to trace the data to a particular phone or user.

Apple CEO Steve Jobs even stated directly that “We don’t track anyone. The info circulating around is false.”

Reports have now surfaced that demonstrate these assurances are false.

Apple filed for a patent in September of 2009 titled “Location Histories for Location Aware Devices” with the intent to develop services based around the company’s ability to locate and track mobile devices running the iOS operating system.


Check out the full article here at InfoSec Island

Location Tracking on Mobile Devices Introduce More Privacy Concerns

Last week it was brought to everyone’s attention that a hidden Apple iOS version 4 feature is secretly tracking and saving geolocation data on iPhones and iPads. This data is also stored on any computer you use to sync the device(s) via iTunes.

A video of Warden and Allan discussing their discovery is below, courtesy of O’Reilly and Where 2.0. The two have also published a FAQ that provides more details on the discovery and its implications.

Later that week there was talk of the same type of information being collected and stored on Android mobile devices. According to new research by security analyst Samy Kamkar, an HTC Android phone collected its location every few seconds and transmitted the data to Google at least several times an hour. It also transmitted the name, location and signal strength of any nearby Wi-Fi networks, as well as a unique phone identifier.

According to research firm Gartner, Google and Apple are gathering location information as part of their race to build massive databases capable of pinpointing people’s locations via their cellphones. These databases could help them tap the market for location-based services.

And now today it has been reported that the Windows phone is also collecting and sending location data to Microsoft. Microsoft has said that when location services for Windows phones are switched on, the devices transmit a unique ID along with nearby wireless networks, their signal strength, and GPS-extracted location to the company’s servers. They are also claiming that Windows phones don’t store any of the locations on the device itself.


Sony Admits PlayStation Network Compromised


Sony has confirmed that a data breach was the cause of the PSN outage. In a vague letter to customers, the gaming giant warned that 70 million users’ personal information was compromised. In addition, it fears credit card details were also included in the loss.

On April 17, an unknown number of PSN and Qriocity accounts were compromised. As a result, Sony shut things down in an attempt to mitigate the situation, allowing it time to correct underlying issues and launch a full investigation. Initially, the service outage was blamed on Anonymous, considering the group’s past actions against the Japanese electronics giant.

“Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained,” Sony’s letter explained [click here for the full letter].


Government To Issue Terror Alerts On Facebook

The U.S. Department of Homeland Security will begin issuing terror alerts via Facebook and Twitter starting the end of this month.
Color-coded alerts will be a thing of the past, and instead of five different warning levels, only two will remain — elevated and imminent — and the public will only hear about them some of the time.

These changes would all go into effect by April 27, according to the Associated Press.

To read more about this click here.

Microsoft Security Patches for April

Patch Tuesday brought a staggering 17 security bulletins (nine of which have been given Microsoft’s highest severity rating of “critical”), addressing 64 security vulnerabilities. The software affected by the bugs said to be fixed by the patches includes Microsoft Windows, Microsoft Office, Internet Explorer, Visual Studio and the .NET Framework.

One of the vulnerabilities reportedly fixed is the MHTML rendering flaw that was discovered earlier this year. Internet Explorer was one of the products found to be at risk from the zero-day vulnerability, which could allow maliciously crafted webpages to execute code in any “zone” regardless of which zone is specified.

Bulletin Summary

| Bulletin ID | Maximum Severity Rating | Vulnerability Impact | Restart Requirement | Affected Software* |
| --- | --- | --- | --- | --- |
| Bulletin 1 | Critical | Remote Code Execution | Requires restart | Internet Explorer on Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. |
| Bulletin 2 | Critical | Remote Code Execution | Requires restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. |
| Bulletin 3 | Critical | Remote Code Execution | Requires restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. |
| Bulletin 4 | Critical | Remote Code Execution | May require restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. |
| Bulletin 5 | Critical | Remote Code Execution | May require restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. |
| Bulletin 6 | Critical | Remote Code Execution | May require restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Office XP. |
| Bulletin 7 | Critical | Remote Code Execution | Requires restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. |
| Bulletin 8 | Critical | Remote Code Execution | May require restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. |
| Bulletin 9 | Critical | Remote Code Execution | Requires restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. |
| Bulletin 10 | Important | Remote Code Execution | May require restart | Microsoft Excel 2002, Excel 2003, Excel 2007, Excel 2010, Office 2004 for Mac, Office 2008 for Mac, Office for Mac 2011, Open XML File Format Converter for Mac, Excel Viewer, and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats. |
| Bulletin 11 | Important | Remote Code Execution | May require restart | Microsoft PowerPoint 2002, PowerPoint 2003, PowerPoint 2007, PowerPoint 2010, Office 2004 for Mac, Office 2008 for Mac, Office for Mac 2011, Open XML File Format Converter for Mac, PowerPoint Viewer, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, and PowerPoint Web App. |
| Bulletin 12 | Important | Remote Code Execution | May require restart | Microsoft Office XP, Office 2003, Office 2007, Office 2004 for Mac, Office 2008 for Mac, and Open XML File Format Converter for Mac. |
| Bulletin 13 | Important | Remote Code Execution | May require restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. |
| Bulletin 14 | Important | Remote Code Execution | May require restart | Microsoft Visual Studio .NET 2003, Visual Studio 2005, Visual Studio 2008, Visual Studio 2010, Visual C++ 2005 SP1 Redistributable Package, Visual C++ 2008 SP1 Redistributable Package, and Visual C++ 2010 Redistributable Package. |
| Bulletin 15 | Important | Information Disclosure | Requires restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. |
| Bulletin 16 | Important | Remote Code Execution | May require restart | Microsoft Windows XP and Windows Server 2003. |
| Bulletin 17 | Important | Elevation of Privilege | Requires restart | Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. |

* The list of affected software in the summary table is an abstract. To see the full list of affected components, please click on the “Advance Notification Webpage” link below and review the “Affected Software” section.

Further information on the patches can be found in the advance notice that Microsoft has published on its website.

Facebook Scam – Facebook is Closing All Accounts Today

There is yet another viral scam being spread across Facebook by a rogue application, tricking users into believing that Facebook is closing all accounts today.

Many Facebook users have found that their profiles have been updated with a message which reads:


Facebook is closing all accounts today. They can’t handle so many accounts. Most of the old accounts are not active, so they are deleting everything. If you want your account alive please confirm your activity. This is the final notice! [LINK]

They may also see a message reading:

Final Notice – Confirm your activity today!
In order to keep your account alive you must verify your activity!
Your account will be permanently disabled if you don’t take this step.

The sad thing is that there are many Facebook users who can be fooled by a cunning piece of social engineering like this, as their addiction to the world’s most popular social network outweighs their skepticism about Facebook killing off accounts.

If you think you may have clicked on a link for a rogue application, check out my post on securing your Facebook profile.

Fake Facebook Application that Steals Login Information

Yet another fake application that is stealing Facebook users’ login credentials has recently been discovered by Symantec researchers.

This application lures in users with videos titled “Tornado Randomly Appears During Soccer Game” or “Video: This is the best April Fools’ prank ever!”. When the user clicks on the message, a script is automatically downloaded that logs the user out of Facebook and then displays an error message inviting them to log in again in order to continue.

For more information regarding this “Fake” Facebook application click here.