Threat Level Thursday: iOS Security, Tor Anonymity, HHS, the Navy, and Exploiting an Exploit
In this week's Threat Level Thursday we have iOS, Tor, and the U.S. Department of Health and Human Services all susceptible to ailments of some kind, while a former Navy official recommends leniency in cybersecurity's infancy, and of course, something just plain ol' mean.
iOS and the NSA in Bed Together?
Last week brought some scary revelations to the table when forensics expert Jonathan Zdziarski spoke at the Hope X hacker conference in New York. The iPhone, he says, contains background services that, while not that easy for hackers to tap into, are easy for Apple to access and share with such well-known eavesdroppers as the NSA.
"The documents state that it is possible for the NSA to tap most sensitive data held on these smartphones, including contact lists, SMS traffic, notes and location information about where a user has been," Zdziarski wrote in a presentation. "In the internal documents, experts boast about successful access to iPhone data in instances where the NSA is able to infiltrate the computer a person uses to sync their iPhone. Mini-programs, so-called 'scripts,' then enable additional access to at least 38 iPhone features."
Don't worry, though: many security experts are calling the claim overblown, and say things are not as insidious as Zdziarski suggests.
"Apple's position is that this functionality was intended for developers and requires explicit interactive permission of the user before being able to be maliciously exploited," Mark Curphey, founder and CEO of SourceClear, a security firm, told Computerworld.
"The functionality highlighted here appears to be only ever accessible after you have connected your device physically and hit trust or you have jailbroken your device (in which case all bets are off anyways)."
Tor No Longer a Safe Mask?
Tor, free software that anonymizes users on the Web (and allows access to things like the Dark Web) against surveillance of any kind, was found to contain a serious flaw: it turns out you can be tracked while using it. The bug has many users worried, since not being seen is the whole point of using Tor. There's no fix yet, but one is on the way.
"Based on our current plans, we'll be putting out a fix that relays can apply that should close the particular bug they found," Tor ringleader Roger Dingledine said in an e-mail to Tor users. "The bug is a nice bug, but it isn't the end of the world. And of course these things are never as simple as 'close that one bug and you're 100% safe.'"
Health Services Not Up to Par
It's already come out that many health services in the United States severely lack proper cybersecurity measures, but having to be reminded of it again and again is surely a bad sign. In a report aptly titled "Security Controls Over The Implementation Of Personal Identity Verification Cards At The Department of Health And Human Services Were Inadequate Due To Lack Of Some Essential Information Security Requirements" (whew), Assistant Inspector General for Audit Services Thomas M. Salmon points out that there are still kinks to be worked out, including in the firewalls.
Let's Not Hog-Tie Ourselves Too Soon
As the debate over how to handle the influx of cybersecurity issues rages, former Clinton-era Secretary of the Navy Richard J. Danzig recently came out saying that we need not overburden ourselves with legislation immediately. Instead, he argues, such an important issue should be approached without impulsive governance.
"A more stringent standard may later be in order, but this standard can now secure a consensus, illuminate the minimum that the United States needs to do and therefore provide an anvil against which the nation can hammer out programs and priorities," Danzig wrote in a report.
Exploiting an Exploit
And for our last bit, here's a bit of greedy digital mongering. Looks like some researchers over at VUPEN, a "defensive and offensive" security firm, held their tongues about a critical Internet Explorer exploit for three years, until Pwn2Own. What finally got the story out to the affected browser? A nice cash sum of $300,000. Let's hope everybody is that cheap.