Tag Archives: iPod Touch

iPhones, Facebook, and malware friendliness

Being the conscientious security professional, I do my best to keep all my computing devices current on OS and application patches. This goes for every server in the lab to the iPod Touch and everything in-between. Last night while checking iStore for App updates, I was advised that Facebook released a new version of their app.

As a force of habit, I looked at what the update addressed. Rather interestingly, it made the application more “user friendly”. The first item on the list was to be able to synchronize my friends with my contacts. This allows me to import things such as contact information, and profile photos from Facebook to my “Contacts” or address book. Not too bad as such, although some of my “friends” like to use their dog, or a comic character as their photo. Neat feature, now should David Phillips ever leave OU, well, when he updates his phone number and email, I won’t need to worry, my iPod will update automajically. However, I don’t get to pick and choose which photos to sync, so when an old high school chum updates their photo from a nice head-shot, to something less than professional, well, I’ll have no choice there.

Now that is rather nice and user friendly, but at the same time, suddenly, Facebook is also pushing messages, wall posts, friend requests, friend confirmation, photo tags, events and comments. In fairness, I did have to approve Facebook access, and authorization.

So here’s the rub, as a normal user, I would say yea sure, that’s what I want, I want to know when David Harley posts the next AVIEN Blog to Facebook. But suddenly, Facebook has access to my address book, (Contacts to be precise) AND is able to push to my always on device (iPhone and iPod Touch use same app). This disturbs me greatly, as now my email addresses are harvestable (and who’s to know), as well as potentially malicious information being pushed to my phone. Am I paranoid? I’m envisioning a compromise at FB, which is now using iPods and iPhones to send spam, emails and SMS messages.

As we often said in the past, a more user friendly environment directly translates to a more malware friendly environment. I only hope more mobile device users take the steps I did and NOT allow pushes, and the like.

Ken Bechtel

Jailbreaking: not just an AppleJackHack

John Leyden has reported that the Motorola Droid has been rooted, so that users of the hack can install applications not offered by operators, in a manner not dissimilar to jailbreaking the iPhone and iPod Touch.

Here’s the link, but watch that Shell rollover ad: it really gets in the way if you’re switching tabs!

http://www.theregister.co.uk/2009/12/11/hackers_jailbreak_droid/

See also the article by Stefanie Hoffman at CRN:

http://preview.tinyurl.com/ydm4fxb

No-one is saying that this issue is 100% analogous to the iPhone issue, in that there is (as far as I know) no readymade vulnerability lying in wait for Droid users (unless you count the vulnerability in wetware that makes social engineering such an effective attack). However, it does point to the weakness of the whitelisting and restricted privilege models as a sole defence. If an end user is willing to forgo the legitimacy of a vanilla smartphone by “rooting” it, in order to get a wider choice of apps, there are people out there willing to share techniques for doing so. And plenty more ready to take advantage of the resulting exposure to risk, if they can.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/

iBotnet updates

Some updated information posted at http://www.eset.com/threat-center/blog/2009/11/22/ibot-mark-2-go-straight-to-jail-do-not-pass-go and http://www.eset.com/threat-center/blog/2009/11/23/ibot-revisited-briefly.

Thanks to Mikko, Graham, Duck, and Henk for keeping the information flow going.

Is there still anyone out there with an iPhone or iPod Touch who hasn’t taken remedial action? I suppose so…

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET
