AMP Reviews

Apple and Security

krideynyc

Registered Member
Messages: 3,231
Reviews: 9
Joined
#21
Ask Jeff Bezos about that. Taken out by a chicken shit rudimentary attack.
Depends on how you define "rudimentary". So far the only thing made public is that the email contained "code". We don't know how those codes were installed, or if he had anything to do with the code being installed. Either way, it would need to be a bit sophisticated if it tricked someone as tech conscious as Bezos.
 

Srhsrh

Registered Member
Messages: 1,200
Reviews: 3
Joined
#22
Depends on how you define "rudimentary". So far the only thing made public is that the email contained "code". We don't know how those codes were installed, or if he had anything to do with the code being installed. Either way, it would need to be a bit sophisticated if it tricked someone as tech conscious as Bezos.
No, it wasn’t email. He got a WeChat link to a 4 meg video file, with embedded malware. Easy stuff to detect on an Android, not impossible on an iPhone. But still he should have recognized he’d done something stupid and had his phone checked out.
https://www.nytimes.com/2020/01/22/technology/jeff-bezos-hack-iphone.html
 

krideynyc

Registered Member
Messages: 3,231
Reviews: 9
Joined
#23
No, it wasn’t email. He got a WeChat link to a 4 meg video file, with embedded malware. Easy stuff to detect on an Android, not impossible on an iPhone. But still he should have recognized he’d done something stupid and had his phone checked out.
https://www.nytimes.com/2020/01/22/technology/jeff-bezos-hack-iphone.html
Again, and for the last time; you can't auto-install code on an iPhone. That embedded code needs admin authorization to install. The iOS worked as designed. Bezos realized he may have actively installed the malware. He was effectively tricked.
 

Srhsrh

Registered Member
Messages: 1,200
Reviews: 3
Joined
#25
Again, and for the last time; you can't auto-install code on an iPhone. That embedded code needs admin authorization to install. The iOS worked as designed. Bezos realized he may have actively installed the malware. He was effectively tricked.
Yes, I know. What I'm saying is that as security people on an Android it's easier to stop people from doing stupid things. It's fine with me if you feel safer on an iPhone. I sure would never trust one.

This kind of attack is interesting, but not too relevant yet to people like us. But eventually someone will come along and scoop up everything on your phone and send it to this guy in China...

I don't know FTI. I'm assuming though Bezos hired someone who knows what they are doing, and that they just haven't told everyone what they know yet. Certainly the first thing I would do would be to decrypt the file and see what it does, and then to sandbox it on a virtual phone. I'm guessing they did that, and the device is talking to a very very bad place, and it's been turned over to the government.
 

krideynyc

Registered Member
Messages: 3,231
Reviews: 9
Joined
#26
Yes, I know. What I'm saying is that as security people on an Android it's easier to stop people from doing stupid things. It's fine with me if you feel safer on an iPhone. I sure would never trust one.
That's very different than saying the iPhone was defeated by a rudimentary attack. If anything, everything points to this being a very sophisticated targeted attack. And yes, Android is able to be managed at the Enterprise level, with more customized security. But I won't fault the platform for something the user did. I consider that as part and parcel of IT security for Apple users.

I don't know FTI. I'm assuming though Bezos hired someone who knows what they are doing, and that they just haven't told everyone what they know yet. Certainly the first thing I would do would be to decrypt the file and see what it does, and then to sandbox it on a virtual phone. I'm guessing they did that, and the device is talking to a very very bad place, and it's been turned over to the government.
That's part of the problem. They could be withholding details that are considered vital to National Security. Which they could have easily said, and that would have been that. The lack of confirmation is what caused many Apple Security experts to question the validity of the report.
 

Srhsrh

Registered Member
Messages: 1,200
Reviews: 3
Joined
#28
That's very different than saying the iPhone was defeated by a rudimentary attack. If anything, everything points to this being a very sophisticated targeted attack. And yes, Android is able to be managed at the Enterprise level, with more customized security. But I won't fault the platform for something the user did. I consider that as part and parcel of IT security for Apple users.

That's part of the problem. They could be withholding details that are considered vital to National Security. Which they could have easily said, and that would have been that. The lack of confirmation is what caused many Apple Security experts to question the validity of the report.
It is pretty rudimentary to me. How many of those little New Year's greetings did you get this week from your honeys? Any one of them could have had a bomb in it. It's just that your data would be in China instead of Saudi Arabia. Yes, Bezos was foolish. But you just made my point. If you're a smart person, you use an Android and layer on a crap ton of security on your phone these days. Or you use a burner, and only talk to these girls.

I'll wait on the Apple security guys for the whole story. It's not like they don't have some turf to protect.
 

krideynyc

Registered Member
Messages: 3,231
Reviews: 9
Joined
#29
It is pretty rudimentary to me. How many of those little New Year's greetings did you get this week from your honeys? Any one of them could have had a bomb in it. It's just that your data would be in China instead of Saudi Arabia. Yes, Bezos was foolish. But you just made my point. If you're a smart person, you use an Android and layer on a crap ton of security on your phone these days. Or you use a burner, and only talk to these girls.

I'll wait on the Apple security guys for the whole story. It's not like they don't have some turf to protect.
Well, I know the difference in the install procedure, so if any bombs were in there, they won't get installed. I disagree with the rudimentary part in that this was using a specific sender that Bezos would have dropped his guard for. That part takes some level of planning. Doesn't matter if it's China or Saudi Arabia, it's a targeted spoof, not a wide dispersible malware bomb.

FTI isn't an Apple specific firm. Of course the Apple guys, both Apple and security companies, are on edge. Because it means it's either a vulnerability that's not known. Or it could just be user error as everyone suspects. If it's a vulnerability, it should be shared, and not kept secret.
 

Bit

Bit
Messages: 1,361
Reviews: 51
Joined
#31
If anything it sounds like iPhone itself is still very secure. It’s the iCloud backups that are unsecure.
You need to think about Apple's ecosystem as an extension of the phone. The backup is a broad attack surface that Apple chose not to secure that contains phone data.

If you can't secure the end to end connection (data in motion) and the storage (data at rest), then there is an exploit to be had.
 

Srhsrh

Registered Member
Messages: 1,200
Reviews: 3
Joined
#32
Well, I know the difference in the install procedure, so if any bombs were in there, they won't get installed. I disagree with the rudimentary part in that this was using a specific sender that Bezos would have dropped his guard for. That part takes some level of planning. Doesn't matter if it's China or Saudi Arabia, it's a targeted spoof, not a wide dispersible malware bomb.

FTI isn't an Apple specific firm. Of course the Apple guys, both Apple and security companies, are on edge. Because it means it's either a vulnerability that's not known. Or it could just be user error as everyone suspects. If it's a vulnerability, it should be shared, and not kept secret.
Well if it’s like ones I’ve worked on, they’ll never solve it this way. But I assume they know that, and they’re just pandering to the crowd. Everybody normally overwrites their loaders as first step once they are up and running. What I get from this is that Bezos or his people were really stupid. They had plenty of signs things had gone wonky.
 

krideynyc

Registered Member
Messages: 3,231
Reviews: 9
Joined
#33
Well if it’s like ones I’ve worked on, they’ll never solve it this way. But I assume they know that, and they’re just pandering to the crowd. Everybody normally overwrites their loaders as first step once they are up and running. What I get from this is that Bezos or his people were really stupid. They had plenty of signs things had gone wonky.
What worries me is what's inside that encrypted downloader. It had to have code to mimic admin authorization, which then was smart enough to link back to a server with small dumps of the phone's data. That's Gov't/military level hacking software.
 

Bit

Bit
Messages: 1,361
Reviews: 51
Joined
#34
it's either a vulnerability that's not known. Or it could just be user error as everyone suspects. If it's a vulnerability, it should be shared, and not kept secret.
If it was a government sponsored exploit, it was likely kept out of the wild until they could find a worthy target. In this case, Bezos.

After it hits the wild, the DoD coordinates with the software company that has the flaw and DoD approved security researchers and companies to find and distribute a tested fix among themselves. The public is not notified until after the fix to avoid others figuring out how to use the exploit.

This clearly was not a broad attack, but one used to gather specific intelligence.
 

krideynyc

Registered Member
Messages: 3,231
Reviews: 9
Joined
#35
This clearly was not a broad attack, but one used to gather specific intelligence.
This was the conclusion I came to after reading the report, and why I disagreed with Srhsrh's assertion that it was a "rudimentary" attack. And is a very bad example to use to try and demonstrate iOS security weaknesses.
 

Srhsrh

Registered Member
Messages: 1,200
Reviews: 3
Joined
#36
This was the conclusion I came to after reading the report, and why I disagreed with Srhsrh's assertion that it was a "rudimentary" attack. And is a very bad example to use to try and demonstrate iOS security weaknesses.
It’s rudimentary to me, because it apparently did everything just by clicking on the video. Time will tell, but I don’t agree on how difficult it will be for someone to modify this to drop it on anyone. It kinda depends on who has the source code. I’m not saying iOS is inherently weaker than Android anyway. I’m saying you can layer on more security on an Android easily.
 

krideynyc

Registered Member
Messages: 3,231
Reviews: 9
Joined
#37
It’s rudimentary to me, because it apparently did everything just by clicking on the video. Time will tell, but I don’t agree on how difficult it will be for someone to modify this to drop it on anyone. It kinda depends on who has the source code. I’m not saying iOS is inherently weaker than Android anyway. I’m saying you can layer on more security on an Android easily.
The execution may seem rudimentary, but that seriously discounts the amount of sophistication it took on the back end. Especially if all it took was for Bezos to play the video. Which also makes the platform irrelevant as they would have succeeded in gen if he was on an Android.
 

Bricktop

Review Contributor
Messages: 1,393
Reviews: 8
Joined
#39

Srhsrh

Registered Member
Messages: 1,200
Reviews: 3
Joined
#40
Correction: they would have gotten in even if he was using an Android phone.
Gotten in, executed, detected, shut down, cleaned, with readily available tools. Been there, done that.
What puzzles me is how it pushed out that much data, but nothing got alerted. He must have not considered himself a target and had nobody or nothing watching. It’s odd given his financial status, visibility, and the ownership of a far left newspaper. Phones are where it’s at these days for stealing info. People stick everything on them, and pay little attention to locking them down because it's so inconvenient.
 