iTunes Flaw Allowed Spying On Dissidents
Hugh Pickens writes "Democracy and free speech activists worldwide have something new to worry about — cyberwarfare via iTunes. The Telegraph reports that Gamma International sells computer hacking services to governments, offering 'zero day' security flaws that allow access to target computers 'with the ability to take control of the target systems functions to the point of capturing encrypted data and communications.' FinFisher spyware, known to be used by British agencies and offered to Egypt's feared secret police, takes advantage of an unencrypted HTTP request that is filed by iTunes when Apple Software Updater is inactive. It redirects users' web browsers to a customized web page that pretends Flash is not installed on the user's computer, then installs a sophisticated piece of spyware that sends info on a user's activities directly to foreign intelligence services. The latest iTunes software update, 10.5.1, released on November 14, appears to have fixed the exploit FinFisher used. A prominent security researcher warned Apple about this dangerous vulnerability in mid-2008, yet Apple 'waited more than 1,200 days to fix the flaw,' writes security researcher Brian Krebs."
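The pattern in the summary, an update check sent over plain HTTP whose reply redirects the client to a fake installer, is something a defender can look for in proxy logs. The following is an added example, not code from the thread or from any of the products named in it; the host names, update paths and log lines are constructed for illustration.

```python
# Added example (not from the thread): scan constructed proxy-log lines for the
# update-hijacking pattern described in the summary: a software-update check sent
# over plain HTTP whose reply redirects the client to another host that serves an
# installer. Hosts, paths and log lines below are made up for illustration.
from urllib.parse import urlparse

UPDATE_PATHS = ("/update", "/swcatalog")           # assumed update-check paths
INSTALLER_EXT = (".exe", ".msi", ".dmg", ".pkg")   # payload file types to flag
REDIRECTS = {301, 302, 303, 307, 308}

def parse_line(line):
    """Constructed log format: '<ts> <client> <method> <url> <status> [<location>]'."""
    parts = line.split(None, 5)
    ts, client, method, url, status = parts[:5]
    location = parts[5].strip() if len(parts) > 5 else None
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "location": location}

def classify(ev):
    """Return a finding string for a risky update check, or None if benign."""
    src = urlparse(ev["url"])
    if not any(src.path.lower().startswith(p) for p in UPDATE_PATHS):
        return None                       # not an update check at all
    if src.scheme == "https":
        return None                       # encrypted check: not hijackable this way
    if ev["status"] in REDIRECTS and ev["location"]:
        dst = urlparse(ev["location"])
        if dst.hostname != src.hostname and dst.path.lower().endswith(INSTALLER_EXT):
            return "CRITICAL: plaintext update check redirected off-host to an installer"
    return "WARN: update check sent over plaintext HTTP"

def scan(lines):
    """Classify every log line; return (client, url, finding) for flagged events."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        verdict = classify(ev)
        if verdict:
            findings.append((ev["client"], ev["url"], verdict))
    return findings

# Constructed sample log: one hijacked check, one HTTPS check, one plain check
# that was not redirected, and one unrelated redirect.
SAMPLE_LOG = """\
2011-11-15T10:00:01 10.0.0.5 GET http://updates.example-vendor.test/swcatalog 302 http://cdn-mirror.example.test/FlashPlayerSetup.exe
2011-11-15T10:00:02 10.0.0.7 GET https://updates.example-vendor.test/swcatalog 200
2011-11-15T10:00:03 10.0.0.9 GET http://updates.example-vendor.test/swcatalog 200
2011-11-15T10:00:04 10.0.0.9 GET http://www.example.test/index.html 302 http://www.example.test/home.html
"""
```

Running `scan(SAMPLE_LOG.splitlines())` flags the first line as critical and the third as a warning; the HTTPS check and the unrelated redirect are ignored.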
An amazing way to exploit software that is ubiquitous on many computers. Let's start the conspiracy now that Apple are told by governments not to fix a bug until they find a better 0Day to exploit.
Why didn't he warn the rest of the world as well?
A company closing a hole that is used by governments may be a thing that governments do not like.
You should always put all your music onto a £10 mp3 player and only listen to it on there!
I thought iTunes itself was the spyware?
There's really only one solution: hold software makers liable for security vulnerabilities. Until every exploit hits the vendor in the pocketbook, we'll never see real management attention paid to information security.
"He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1
Wasn't Steve Jobs such a visionary?
Yet another proof that Flash is dangerous! /duck
The real answer is that dissidents need to start being more paranoid and more technically literate. A system that is used for personal entertainment should be kept physically separated from a system that is used to communicate with fellow dissidents.
Face it - against a determined powerful watcher even that is not enough:
Agent X: Drat, our target "Dissident-Man" is using a "throw-away" cell phone - we don't know who they are - and they never use it for personal things, so even if we continue to track it, it won't do any good!
Agent Y: Hey, did you notice in our records that it is almost always used by the same cell tower as the phone of "Pat Civilian"? Often just before or just after? Maybe we should have a "talk" with this "Pat"?
cue scary music:
dun-dun-dunnnnnnnnn
Nice, I'm so glad I use Rhythmbox :-)
iTunes is not available on my platform.
Apple software that redirects you to a webpage where it requests to install Flash Player?
That's like Toyota's website sending you to a page about the Honda Civic.
The flaw may be with iTunes but the spying is done by trojan spyware that passes itself as Flash player. The title of this thing is obviously anti-Apple bashing at its finest.
And they haven't done anything about it for years, either.
http://blogs.oracle.com/malte/entry/evilgrade_and_openoffice_org
Apple 'waited more than 1,200 days to fix the flaw
It's even worse than that
They waited more than a HUNDRED MILLION seconds.
I guess "more than three years" does not cut it anymore.
OS X, Linux & *BSD are not affected.
Whoever uses Windows of their own free will is asking for it.
Gamma International sells computer hacking services to governments, offering 'zero day' security flaws
These are the real blackhats - most 'hackers' don't sell their services to get people killed. Legalized blackhats, perhaps, but blackhats nonetheless.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
--never provide personal information that is not otherwise readily available
--never speak of anything illegal that you may have ever done
--never speak of anything illegal that others you know may have done
--do not get into speculative gossip e.g. about who does drugs or not
--do not leave personal papers lying around or unattended in public
--do not have strangers as overnight guests. They are poised to search your files
--do not write an email or a letter that you wouldn't publish in the New York Times
--do not discuss sensitive matters over the phone
--when speaking to someone you trust make sure you know who else is nearby
--break off any conversation in which a person is asking inappropriate questions
--do not fill out surveys re: anything but your political beliefs. They are not anonymous
--do not take strangers at face value. Do not be rude, of course, but take things slowly
--be transparent about your beliefs and your activities within the movement
--be suspicious of those too candid about their own illegal or financial dealings
--be suspicious of those who push to do questionable acts.
"installs a sophisticated piece of spyware that sends info on a user's activities directly to foreign intelligence services"
Nothing "foreign" about it!
I killed da wabbit -Elmer Fudd
Why the fuck was Pope modded troll? It's a totally valid comment in this case.
TO: All ....intelligent people couldn't figure that out for themselves.
RE: As If....
Over the years, I've noticed unusual behavior on my Mac computers. I'd call Apple about it and they told me it wasn't anything to be concerned about. Things like 43 users logged onto my limited access network...when there are only six machines with that sort of authority.
[NOTE: I ran that White Pages Computer Lab—cranking out all the white and government pages for the western third of the US, less California and Nevada—for USWest/Qwest for a number of years. 12 Macs running 24/7/365 and a tether at my hip to alert me when things didn't work right. And, with a 27 year background of experience in military intel, I learned how to recognize when things went 'interesting'.]
Apple IS 'Big Brother'. Or at least a 'player' in the field. I suspect Microsoft is even more so.
You want 'secure' communication? Use SNAIL MAIL. And don't trust the USPS either.
Regards,
Chuck(le)
[If you're not paranoid, you're not paying attention.]
Seriously, if I'm a software company, how do I tell the difference between
1) a prominent security researcher
2) a garden-variety hacker
Consider that the incoming notification will probably go to one of several public addresses, but probably to support, feedback, publicity or bugs. Now, do each of those people need to be trained to recognize certain names (which leads us back to original question). Or do they need to be trained to recognize a crank letter from a real letter (no objective means of doing so). Or possibly distinguish technical facts from technical blathering (not at all realistic)?
It's just not realistic that a software company can be on top of every possible vulnerability at all times, and yet this is what it seems all of you expect. There are just too many clever people with time on their hands and a single-focus mentality to be able to combat all of things they might come up with.
"My God...it's full of trolls!"