It's time for Apple to allow users to install 3rd party browsers that run as regular sandboxed apps, so that browsing the web doesn't end up installing a rootkit.
Update your iPhones, iPads right now – govt spy tools exploit vulns
Apple has pushed out an emergency security update for iPhones, iPads and iPods after super sophisticated spyware was found exploiting three iOS vulnerabilities. The iOS 9.3.5 upgrade plugs three holes that, according to researchers, are being used right now by the Pegasus surveillance kit – a powerful commercial malware …
COMMENTS
-
Friday 26th August 2016 00:04 GMT Jordan Davenport
Re: 3rd party browsers
"iCab, Opera, Firefox, Chrome immediately spring to mind (plus a few obscure ones)."
Of those, only Opera can kinda sorta claim to be a different browser since it does most of its rendering on remote servers. All the rest you just named are just re-skins of Safari with different features and lacking the faster of the JavaScript engines.
-
Friday 26th August 2016 09:16 GMT Planty
Re: 3rd party browsers
I think you have been fooled by Apple's pathetic spin. All those browsers you mention are forced to use Apple's webkit (and slow JS engine), so you are still using Safari, but with a Chrome skin.
Essentially this is the downfall, the sample exploit will work on ANY iOS browser, as you aren't actually using any other browser...
-
Thursday 25th August 2016 20:19 GMT Anonymous Coward
We'll never be "safe, safe", so let's keep our freedoms instead.
People need to wake up and realise that no security in the world will make things "safe" from someone determined to cause physical harm (you need to look (and be interested) in the causes why these people want to cause you physical harm in the first place).
But it definitely will instead, eventually, control you and your life, to a point you're locked down in a dead end job, paying most of your disposable income away in (statistically head clipping) fines for parking/speeding etc because CCTV/ANPR Cameras supposedly in place to make you 'safe', are actually turned against you, to control you and more importantly, control the people/activists that speak against the grain, against such technology.
Technology supposedly used for "security" is today, eroding democracy, locking down people in the UK, rather than acting as an enabler for people to reach their true potential. It's been used for profiling, stereotyping and keeping people in their place.
We've passed the tipping point, it's about time the UK population started being far more sceptical of Theresa May's motives regarding all this extra "security to keep you safe" mantra. You'll wake up in virtual chains, and wonder why you didn't speak up earlier.
-
Thursday 25th August 2016 22:08 GMT if(i == alive) { live_free = true; government = NULL; }
Re: We'll never be "safe, safe", so let's keep our freedoms instead.
Absolutely spot on, although you can anonymise yourself to some degree by not registering your car, having a trader's policy and not putting it on the MID etc. Living in that grey area at the edge of the law really winds them up and is the best that people can do as individuals. Hopefully one day there will be enough individuals to form a big enough group and to fight back for our freedoms and our democracy (there are signs of fledgling ones now, but nothing near big enough).
I always said that leaving the EU is just the beginning and the walk to freedom is a very long one, but at least we now appear to be on the right path and every day will take us a step closer (whether we use peaceful or violent methods to get there will entirely depend on whether the politicians listen; so we will just have to wait and see).
If the worst comes to the worst then on the plus side we know that the government has a propensity to rely on youth as their cannon fodder, so we can be thankful that the vast majority are snowflakes.
-
Thursday 25th August 2016 23:31 GMT ZSn
Re: We'll never be "safe, safe", so let's keep our freedoms instead.
Leaving the EU is just the beginning? So instead you want Theresa May unencumbered by anything like social justice? I must point out that in Germany and Austria they even fine you if you take pictures of people from the dashboard of your car.
-
Friday 26th August 2016 12:36 GMT tiggity
Re: We'll never be "safe, safe", so let's keep our freedoms instead.
Leaving the EU likely a road to *less* freedom, previously there was a chance of EU acting as some form of brake on the worst UK excesses of invading its citizens' privacy.
Now May et al will not have to pay lip service to any pro privacy strictures (ditto workers' rights, environment, anything resembling sensible long term strategy etc.).
I'm no fan of the EU (just like I'm no fan of the house of lords) but they at least meant some dubious govt legislation did not sail through quite as easily / had to be amended.
Disclosure: voted remain solely in hope of retaining a bit of sanity control on UK gov!
-
Thursday 25th August 2016 20:57 GMT Jerry G.
Phone Security
If you want to have privacy and security with a phone, Blackberry is the way to go. With Blackberry we don't hear about these problems like we are hearing about with the others. This is why governments, the medical field where privacy is a concern, leaders of countries, and high position people in corporations only use Blackberry.
I myself and my family have been using Blackberry. I have no issues with this phone, and I feel very secure with it.
-
Thursday 25th August 2016 21:42 GMT Nick Collingridge
Re: Phone Security
Probably because no-one else buys Blackberrys, so no-one bothers to try and develop malware for it and no-one is looking for vulnerabilities. It is highly unlikely that Blackberry have some sort of secret technique that enables them to develop totally clean and attack-vector free code. You are probably safe, but not because of the technology - more safety through the fact no-one is interested.
Regarding this iOS security update - there will not be a vast rush of malware targeting it because not only have Apple quickly released an update to fix the vulns, but also because as is usual a very high percentage of iOS devices will quickly be updated. So no vast number of vulnerable devices out there for malware developers to target.
If this were Android, however, that would not be true, and it won't be until Google re-architect enough to be able to roll out generic updates to fix vulnerabilities. As a result the malware developers can jump on new zero day vulnerabilities in the knowledge that there will be a vast number of devices to attack.
-
Thursday 25th August 2016 22:14 GMT if(i == alive) { live_free = true; government = NULL; }
Re: Phone Security
I have a feeling that is the reason why Blackberry have pretended to abandon BB10. I think that BB10 will become a proprietary OS sold only to high security organisations. I know that the UK police are looking for a replacement for BT Airwave (tetra) radios and have been considering 4G options. A hardened version of BB10 with BES would fit the criteria. Chen isn't as stupid as he sounds.
-
Friday 26th August 2016 11:31 GMT JetSetJim
Re: Phone Security
Blackberry has always allowed Legal Intercept into its consumer service - they weren't allowed to sell in India until they caved to the govmt
-
Friday 26th August 2016 09:53 GMT TheVogon
Re: Phone Security
" you want to have privacy and security with a phone Blackberry is the way to go. "
It really isn't. There have been well over 80 known security vulnerabilities so far in Blackberry OS 10 - versus ~ zero in Windows Phone 10. For instance the US government apparently had no issues in spying on the Germans when they were using Blackberry...
And now Blackberry are moving to a "secure" version of Android - that's going to be like trying to keep water in a colander with a sieve....
-
Friday 26th August 2016 10:04 GMT Anonymous Coward
Re: Phone Security
Um, there'll be no publicly known vulnerabilities in M$A's moribund WinPho platform, if that's actually the case, simply because no one has bothered to analyse one.
Why would anyone waste their time? Are you seriously suggesting the obvious fact that nobody's bothered to look for them is somehow proof that it isn't crammed full of exploitable errors and NSA backdoors RICHTO? How wonderfully quaint. Hope you get a big bonus this week.
"Security by obscurity" is no security at all.
-
Friday 26th August 2016 10:28 GMT Anonymous Coward
Re: Phone Security
>> simply because no one has one to analyse one.
Lots of companies are using them so they would interest hackers. For instance the FTSE 100 I currently work for recently replaced over 5000 BlackBerrys with Windows Phone (640)
If you search it, there has been some public analysis by recognised hackers / security experts that has concluded that WinPho is one of the most secure mobile platform options...
-
Friday 26th August 2016 11:57 GMT TheVogon
Re: Phone Security
"Um, there'll be no publicly known vulnerabilities in M$A's moribund WinPho platform, if that's actually the case, simply because no one has bothered to analyse one."
They have sold over 100 million of them I seem to recall. If they were trivial to exploit we would likely have seen evidence by now.
"somehow proof that it isn't crammed full of exploitable errors and NSA backdoors "
Nope, but less of a worry than other mobile platforms that WE KNOW have lots of security issues!
-
Friday 26th August 2016 12:55 GMT Anonymous Coward
Re: Phone Security
100000000/2000000000 = 5%
All time total winpho "sales" = ~5% of current smartphone ownership!??!?!!!
Hahahahahahaha ahhha hah aahah ah ah hahha ah aha ah a aahhhhhh ---->
I bet that "sales" figure of yours includes all the ones M$ wrote-off and dumped into landfill themselves too ("sales" to self) hahahahaha ahhha hah aahah ah ah hahha ah aha ahhhhahahahaha ahhha hah aahah ah ah hahha ah aha ah a aahhhhhhhahahahaha ahhha hah aahah ah ah hahha ah aha ah hahahahaha ahhha hah aahah ah ah hahha ah aha ah hhhahahahaha ahhha hah aahah ah ah hahha ah ahahaha ahhha hah aahah ah ah hahha ah aha ah a aahhhhhh
-
Sunday 28th August 2016 23:23 GMT JCitizen
Re: Phone Security
That's funny? Then why did Obama have to fight his staff, and government security enforcers, tooth and nail to keep his Blackberry? I would have thought it would be the other way around? I don't know what brand they were pushing, but I suppose they wanted conformity to help in security SOP. The other side of the coin would be kind of like having a Hillary private server in the office?
-
Friday 26th August 2016 03:35 GMT asdf
time to eat crow or shit I guess
Just going on the record non anon after flinging so much poop about Stagefright to say this is almost as bad. Still requires visiting a booby trapped web site as opposed to just receiving an unsolicited text and granted the vast majority of iThings will be patched much quicker (hell probably half of Android devices in wild still vulnerable to Stagefright) but it is still far from acceptable. Guess security by obscurity and lack of apps (best way to prevent malware is have a garbage app store nobody visits) is the way to go via WP or BB 10 if want high security.
-
Friday 26th August 2016 07:35 GMT David 132
The REAL story...
...is that apparently, countries including "United Arab Emirates... Saudi Arabia, Qatar, Turkey... and Bahrain" are buying software from an Israeli company.
Guess the need to spy on one's own citizens trumps their very public hatred of Israel, huh?
Now gentlemen, let's all link arms and sing "Kumbayah"....? No?
-
Friday 26th August 2016 08:00 GMT jzl
Zero Day
All these people saying "BlackBerry / Android / whatever is more secure" are missing the point.
A commenter above said that he was safe because he had a Google Nexus which was up to date with its patches.
This was a zero-day vulnerability. There was no patch for it until just now.
They are all but inevitable in all operating systems - it's the nature of software development that such vulnerabilities exist. These vulnerabilities won't be the only ones, and similar ones will exist in Android, Windows Phone, BB10 and BB Classic. That's the nature of the beast.
The reason to patch now isn't to stop governments spying. They will be keeping a load more vulnerabilities up their sleeves, so if they want you they can already own you. The reason for patching is that once the vulnerability has been published, the great horde of ordinary criminals will pounce on it.
-
Friday 26th August 2016 08:10 GMT Lord Elpuss
Re: Zero Day
I don't think the poster was saying he was safe per se because he had a Nexus, he was making the point that because it's a Nexus (and therefore running vanilla, Google-deployed Android) it's patched just as quickly as iPhones. Other Androids are dependent on the manufacturer to release patches; which they do either (a) slowly, (b) very slowly, or (c) not at all.
-
Friday 26th August 2016 08:48 GMT Planty
riddle me this
stagefright
quadroot
Pegasus
two of these get all the press coverage and have never been actively exploited in the wild, the other is without a doubt the most severe vulnerability ever to have hit mobiles, and whilst now patched on some devices, the amount of data gathered by it is unknown.
Seems to me like when it's Apple, problems are downplayed (22 comments), when it's Android, even if it's only a theoretical exploit, it's headline news for weeks.
The press need to start responsible reporting. BBC are the worst, they are in damage limitation mode on this, but the last few Android theoretical exploits have been major smug-fud mode.
-
Friday 26th August 2016 10:25 GMT Anonymous Coward
Re: riddle me this
What would you expect from an arts grad collective? This year's BBC AGM
-
Friday 26th August 2016 10:33 GMT TheVogon
Re: riddle me this
"the other is without a doubt the most severe vulnerability ever to have hit mobiles, and whilst now patched on some devices, the amount of data gathered by it is unknown."
Yep, you could drive a bus through the quadrooter holes. And Android patching is abysmal from most manufacturers....
We do have some idea though as there have been hundreds of thousands of known Android malware deployments.
-
Friday 26th August 2016 11:00 GMT Anonymous Coward
Re: riddle me this
> ...major smug-fud mode.
You just had to say it, didn't you? Looks like you gone and invoked the RICHTO Vogon you tit. :(
> We do have some idea though as there have been hundreds of thousands of known Android malware deployments.
Do we RICHTO? How many times greater is that than known WinPhone deployments?
"Security" by obscurity again?! Haven't you got another pitch?
-
Friday 26th August 2016 11:57 GMT TheVogon
Re: riddle me this
"Do we RICHTO?"
We do:
http://www.forbes.com/sites/gordonkelly/2014/03/24/report-97-of-mobile-malware-is-on-android-this-is-the-easy-way-you-stay-safe/
"How many times greater is that than known WinPhone deployments?"
Windows Phone total retail sales are something over 100 million. I will let you do the maths...
-
Friday 26th August 2016 12:39 GMT Anonymous Coward
Re: riddle me this
> Windows Phone total retail sales are something over 100 million. I will let you do the maths...
No need!.. someone's already done it for us.
Gosh! Nearly 0.7% market share!... Who'd have known?! What is that... about a quarter of Linux's share of the imploding desktop sector?
Well keep plugging away RICHTO... maybe you'll get next year to be the year of M$ Windows on the phone. --->
-
Friday 26th August 2016 09:18 GMT Anonymous Coward
"The agreements signed with [NSO's] customers require that the company's products only be used in a lawful manner," said NSO spokesman Zamir Dahbash. "Specifically, the products may only be used for the prevention and investigation of crimes."
Ah yes, the eternal excuse. It's not our fault they don't read the contract and use it for unlawful purposes. TL;DR and all that.
Here's a simple question: how can you tell if it's NOT used lawfully?
Bonus question: if you discover that, are you really going to sue your customer?
No, I didn't think so either, so stop the excuses. You know damn well what is going to happen.
-
Friday 26th August 2016 11:27 GMT Emperor Zarg
Re: Freedom.
I've said this before, but I think it's worth repeating...
The motivation of a commercial enterprise is patently obvious. They want your money and want information about you in order to exploit you as a resource. I make judgements about which commercial enterprises I choose to engage with.
The motivation of state actors is considerably less transparent and offers no choice.
-
Friday 26th August 2016 17:16 GMT Anonymous Coward
Re: Freedom.
We seem to be talking about different freedoms:
If you are an anti-state actor (doughty freedom-fighter or terrorist subversive - only those who write the history will be able to report the difference) then yes, you need to worry about your state interfering with your computers (pocket or any other sort). You also need to worry about many other things.
Most of us are not anti-state actors. But it seems many have given what appears to be un-informed consent to the trans-nationals to control what's on their computers.
More people in the UK access Facebook every month than voted in the 2015 general election.
Yes, worry about freedom. Worry about the influence of the trans-nationals.
-
Friday 26th August 2016 10:51 GMT Bob Gateaux
This will be the problem when you have the iOs based on Linux. We can always see this problem kind when the open source is in use because of the easy way of seeing the codes and working them out. This is why we always never use the free Linux at our professional software company. We all have the Windows phones for best safety.
-
Friday 26th August 2016 12:01 GMT TheVogon
"the open source is in use because of the easy way of seeing the codes and working them out"
You know you can look at the Windows source code too via Microsoft? Publicly available code might be of marginal assistance to a hacker, but they are able to quite happily find holes in closed source code too. I would also note that available source code doesn't seem to make software more secure as is often claimed - see the recent many years old holes on OpenSSL, BASH, etc.
"We all have the Windows phones for best safety."
Don't disagree there, but it's got little to do with availability of the source code imo...
-
Friday 26th August 2016 14:13 GMT Aodhhan
The SKY IS FALLING
Don't you just love those who overdo worrying in an above and beyond means to display drama?
Let's say the NSA is using this, do you really think they are looking at YOU? Or... perhaps using it against terrorists and not so friendly nation states?
Let's face it, you're not really THAT important.