‘Dangerous’ iPhone exploit code goes public – Computerworld

August 13, 2010

‘Dangerous’ iPhone exploit code goes public – Computerworld.

This was actually predictable.

A proof of concept demonstrated the ability to “jailbreak” iPhones over the web, with no computer involved at all: the user simply browses to a website directly on the iPhone. Reports are that the exploit works through a vulnerability in Adobe PDF handling on iOS (the operating system that iPhones, iPads, etc. run).

The originator of the exploit, a software hacker named “Comex”, did not initially release the code.

Throngs of people proceeded to jailbreak their iPhones this way. Those of us in the security and forensics world knew that an exploit would not be far behind.

On Wednesday Apple released a patch that fixes the issue enabling this. Minutes later Comex released his code to the Internet at large.

What does this all mean?

I know a large number of attorneys who use iPhones; I do too. I also know a large number of attorneys who use PDF documents (most, if not all, of them).

Given the complexity of the code, I would give this about two, maybe three, more days before there are active attempts to inject malicious code into iPhones. This could hit attorneys who haven’t patched especially hard because of the PDF angle.

The answer is simple: patch your iPhone, iPad, etc. The patch works. I have only done limited testing, but even Comex notes that the patch stops the exploit. Comex sent a tweet yesterday, after Apple released the patch, that says it all:

“That was fun while it lasted. Hope you saved your SHSH. Remember that 4.1 rhymes with fun.”

(4.1 is the vulnerable version of iOS; 4.2 is the patched version)


A Simple Plan to Ruin Your Boss: Plant Child Porn On His PC

August 10, 2010

A simple plan to ruin your boss: plant child porn on his PC.

This occurred in the UK in 2006 (the case is only now working its way through the courts), and it seems extreme. The reality is that planted evidence can take many forms: planted documents, images, and even emails.

While the deception in the UK case was exposed through cell-phone activity (the perpetrator made an “anonymous” phone call and had been overheard bragging about his exploits at a BBQ), a good forensic examiner goes beyond simple modified, accessed and created times and reviews other system information that corroborates how the material arrived on the system itself:

  • The insertion of USB devices: USB devices can leave quite a trail on a system, including the device manufacturer, type, and sometimes even serial numbers. Further activity supporting the insertion of the device can sometimes be correlated by comparing file history analysis with searches for activity surrounding the specific device ID.
  • Metadata contained within the purported documents: Images, videos, audio files, PDF documents and other file types often carry information about the date of creation (not necessarily the date of introduction to the system), authorship, serial or license numbers of the product used, and sometimes even information about the system that created them.
  • System files: Sometimes the introduction or generation of a file triggers other supporting files on the system. Examination of these files can tell an investigator whether the file information matches what the system knows about the file.
  • Surrounding activity: Other usage-related activity on the system can be an indicator as well. For example, if a file was supposedly downloaded from the Internet, one would expect to see certain other activity surrounding the download if the user really generated it.
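As an added illustration of cross-checking these sources (example code written for this page, not from any forensic tool or from the case discussed), the script below compares each file's filesystem creation time against constructed USB device sessions, browser download records and the file's own embedded creation date, and reports which arrival indicators support or contradict the file's claimed history.

```python
from datetime import datetime, timedelta

def ts(s):
    """Parse the ISO-8601 timestamps used in the constructed artifacts."""
    return datetime.fromisoformat(s)

# Constructed sample artifacts (not from any real case). These stand in for
# what a filesystem, a USB setup log and a browser history would carry.
FILES = [
    {"path": "Documents/contract.pdf", "created": "2006-05-12T09:14:00",
     "embedded_created": "2006-05-12T09:10:00"},
    {"path": "Pictures/img0001.jpg", "created": "2006-05-12T23:41:00",
     "embedded_created": "2004-02-03T15:22:00"},
    {"path": "Documents/memo.doc", "created": "2006-03-01T10:00:00",
     "embedded_created": "2006-05-12T23:45:00"},
]
USB_SESSIONS = [  # device id as recorded by the OS, with first/last-seen times
    {"device": "Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02",
     "first": "2006-05-12T23:30:00", "last": "2006-05-12T23:55:00"},
]
DOWNLOADS = [  # browser download records: target path and completion time
    {"path": "Documents/contract.pdf", "time": "2006-05-12T09:14:00"},
]

def usb_session_for(file, sessions, slack=timedelta(minutes=2)):
    """Return the device whose session window covers the file's creation time."""
    created = ts(file["created"])
    for s in sessions:
        if ts(s["first"]) - slack <= created <= ts(s["last"]) + slack:
            return s["device"]
    return None

def download_record_for(file, downloads, slack=timedelta(minutes=5)):
    """True if a browser download record matches the file's path and time."""
    created = ts(file["created"])
    return any(d["path"] == file["path"] and abs(ts(d["time"]) - created) <= slack
               for d in downloads)

def provenance(file, sessions, downloads):
    """Combine the arrival indicators into a list of findings for one file."""
    findings = []
    dev = usb_session_for(file, sessions)
    if dev:
        findings.append(f"created during USB session of {dev}")
    if download_record_for(file, downloads):
        findings.append("matching browser download record")
    # An embedded creation date later than the on-disk creation time cannot
    # happen naturally and points to a backdated filesystem timestamp.
    if ts(file["embedded_created"]) > ts(file["created"]):
        findings.append("embedded creation date is later than filesystem creation")
    return findings or ["no arrival artifact found"]
```

The memo in the sample data has an internal creation date two months after its on-disk creation time, the kind of contradiction that a timestamp-only review would miss.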

Many of these same techniques can be used to attack or defend other claims under the so-called “trojan defense” (aka “a virus must have done it”).

Researching deliberate obfuscation CAN be a challenge, but in situations similar to the UK case a client is not at all dead in the water if the information forensics analyst is competent and able to look at the “Evidence Beyond the Hard Drive”™.