[HN Gopher] iOS zero-day let SolarWinds hackers compromise fully...
___________________________________________________________________
iOS zero-day let SolarWinds hackers compromise fully updated
iPhones
Author : wil421
Score : 109 points
Date : 2021-07-14 20:22 UTC (2 hours ago)
(HTM) web link (arstechnica.com)
(TXT) w3m dump (arstechnica.com)
| lancemurdock wrote:
| I am both terrified and in awe at the technical prowess it takes
| to discover these vulnerabilities, let alone exploit them.
| Meanwhile I sit here fumbling with writing custom hooks
| booi wrote:
| If I can write 4 lines of code without an error it's a good
| day.
| stevewodil wrote:
| Thank you for making me feel okay with myself
| andrew_ wrote:
| I'm a 10x engineer.
|
| Guaranteed to be 10x bugs to lines written.
| BitwiseFool wrote:
| Heck, if I can get existing code to build properly on my
| local machine before I even modify it, it's a good day.
| LouisSayers wrote:
| This made me laugh - I'm setting up some projects on a new
| machine and going through this process atm. Tried to get
one going on Windows Subsystem for Linux and had some issues
| so putting it on my old Mac just to get it to run. I will
| be happy when it does!
| arthurcolle wrote:
| There are so many layers of abstractions that interoperate to
| some degree that these vulnerabilities will only continue to be
| found/exploited, forever, in the end of time.
| ukeepbelieving wrote:
| Status Quo: yes
|
| Nonexistent ideal: No way, Jose. Your infotech is owned
| because it is fundamentally unsound.
|
| There's a huge gap between cutting edge security research at
| the hardware level and the implementation of consumer
| hardware/os's
|
| Fuchsia is a good start.
| ukeepbelieving wrote:
| Lots of interesting stuff going on here:
|
| https://spectrum.ieee.org/tech-talk/computing/embedded-
| syste...
|
| Microsoft IoT for Azure has some interesting hardware
| developments pertinent to separation of public facing
| hardware and out of band control mesh
| TechBro8615 wrote:
| It's a dichotomy - they rely on people like us to create the
| bugs they can exploit :)
| er4hn wrote:
| The big takeaway I have here is that security is a balance
| between usability and safety. In this case by having malicious
| links that were obfuscated (behind HTML?) to appear as legitimate
| LinkedIn links, the target clicking them was compromised.
|
| If mail clients were to open a modal for each link and say "Are
| you sure you want to go to https://LinkMeIn.com/totally-
| legit?email=victim123@gmail.com" would this cut down on these
| attacks?
|
| Taking the idea too far: A system like this would probably link
| to some sort of cloud database eventually to catch "emerging
| threats" (novel URLs that look malicious) but then would that in
| turn threaten end-to-end encryption of email by sending links in
| emails to a cloud tracker?
| millerm wrote:
| I just wish all email clients would stop allowing HTML to hide
| an actual link. It needs to stop. Anchor tags and any type of
| onClick/onTouch event in an email should not do anything. Just
| stop letting them obfuscate the freaking address, it's that
| simple. Tell the marketing people to go to hell, and no they
| cannot have their silly nicely printed link. :-)
| Goety wrote:
| That would be nice :)
| tshaddox wrote:
| Why do you want this specifically for HTML emails and not on
| actual web sites? Surely it's just as much of a threat in
| either place.
| syrrim wrote:
| Email is push, websites are pull. If you never choose to
| visit a website, then you'll never see a link on it. Most
| of the websites you do visit already prevent obfuscating
| links. Emails just show up in your inbox when an attacker
| wants them to. We could of course change that, and have
| people only see emails from known contacts or that they
| have requested. However, this destroys a major value
| proposition of email. Instead, it makes sense to limit the
| ability for senders to obfuscate the contents of email.
| tshaddox wrote:
| An attacker could email you an unobfuscated link to a
| website which contains obfuscated links and the threat
| model is exactly the same. Both require only that the
| victim 1) trust an email enough to click a link and then
| 2) trust the destination of that link enough to do the
| unsafe thing. Unless your computer propagates the
| "untrustworthiness" of the link from the email client to
| the browser and continues to prevent unobfuscated links,
| it seems like you've gained very little.
| tinus_hn wrote:
| You can't run Javascript in an email.
| NikolaNovak wrote:
| This. On phones especially it's getting increasingly hard, as
| a nerd desiring to do so, to figure out what the sender's
| email address and link's HTML target are :<
| _trampeltier wrote:
Have you seen a link in Outlook? This safelink feature? You
have almost no idea where you will go.
| nijave wrote:
| You shouldn't get compromised just clicking a link. There's
| generally multiple levels of isolation to allow running
| untrusted code (websites) on your machine/device and being able
| to break through this is a serious failing
| Veserv wrote:
| Security is largely not a balance between usability and safety
| at the levels most companies operate at. Both usability and
| safety could have been achieved in this case by just not being
| vulnerable to the attack as was the case for many other
| browsers. Then you could click the link and still be safe
| without any usability tradeoff in this specific case.
|
| Obviously, there are ways to sacrifice usability to gain
| security, but it is by no means required or sufficient to do
| so. There are plenty of ways to completely demolish usability
| without gaining any safety. And even in cases where it is
| necessary to tradeoff, most problems are so far from the actual
| edge of what is possible that you only need to sacrifice a
| negligible amount of usability to gain order of magnitude
| improvements in safety if you are working with someone who
| knows what they are doing.
| dboreham wrote:
| For regular users, the answer to any question "Are you sure..."
| is always yes.
| ASalazarMX wrote:
| Sigh. We had to disable Windows Scripting Engine company-wide
| because someone complained that his invoice won't download no
| matter how many times he tried. His invoice in this case was
| a ransomware payload that the browser was fortunately
| stopping. Some people care, some care some of the time, and
| some just don't care.
| wruza wrote:
A few years ago I almost self-signed the Transmission-bt app
| bundle via Xcode CLI tools because OSX falsely detected
| some KeRanger malware in it and tried to remove the app.
| And I was committed to run it by any means, cause I was
| tired of uTorrent.
|
| Turned out it wasn't a false positive, their dist site got
| pwned. Other than that, I'm very careful with pc security.
| tester756 wrote:
| so, why was it disabled then?
| ASalazarMX wrote:
| Chrome identified the ZIP download as malicious. It was
| sheer luck, otherwise the user would have opened the ZIP
| and executed the obfuscated VBS inside.
| ineedasername wrote:
| Everyone is always sure. If they aren't the first few times
| then they quickly get in the habit of just clicking "okay".
| eli wrote:
| This would generate a ton of "false positives" (go look at a
| link in a random email newsletter and see what the actual URL
| is). People who do a lot of email stuff on their phone would be
| trained to click Yes a hundred times a day.
|
| Meanwhile it seems very unlikely to stop such a determined
| attacker. They just need to compromise a site that you might
| plausibly want to visit, or create a convincing enough
| lookalike. The URL need not look suspicious.
|
| IMHO expecting users to be able to discern "safe" from "unsafe"
| links by just looking at them represents a failure of our
| infosec systems.
| milkytron wrote:
| Could this be used as an argument for allowing iOS to support
| other browser engines?
| jmull wrote:
| Not a lot. It's almost a wash. Let's say another engine takes
half the market. Now you've got twice the attack surface, but
the vulnerable population is half as large for each.
|
| But some attacks are only worth it if the pool of vulnerable
devices is large enough. So the fragmentation helps, but
mostly for lower stakes attacks.
| 1e-9 wrote:
| The Project Zero stats imply three times the rate of detected
| zero-days versus last year. Apparently, this is largely due to
| the increasing output of private companies finding and selling
| exploits. Three of the four exploits discussed in this article
| were developed by the same private company and sold to two
| different government-backed actors.
| TechBro8615 wrote:
| The current title might be slightly misleading - the SolarWinds
| hack did not include an iOS compromise, as I initially thought
| when reading the headline. To quote the article:
|
| > These are two different campaigns, but based on our visibility,
| we consider the actors behind the WebKit 0-day and the USAID
| campaign to be the same group of actors
|
| Same group, but different campaign.
| [deleted]
| miles wrote:
| Use plaintext email
|
| https://useplaintext.email
|
| https://news.ycombinator.com/item?id=20513987
| sbuk wrote:
| Doesn't help if the mail client detects URLs and presents them
| as links, like a majority of mail apps do. Seeing the link
| won't stop end users from clicking it if it's blue and
| underlined, and the slightly cleverer copy and paste.
|
The best bet is to rewrite links and pass them through a proxy
that scans them on click. It's a shame free mail services don't
| do this. The only one I think offers this is Outlook.
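The three ideas floated above (er4hn's "show the real URL before following it", millerm's "don't let HTML hide the target or attach click handlers", and sbuk's "rewrite links through a click-time scanning proxy") can all be done in one pass over the mail body. The following is an added example written for this page, not code from the article, from Outlook, or from any mail client mentioned in the thread. It uses only the Python standard library; the proxy endpoint, the shared HMAC key, and the sample message are placeholders constructed for the example.

```python
import hmac
import hashlib
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlencode, parse_qs

# Assumptions for the example: placeholder proxy endpoint and signing key.
PROXY_ENDPOINT = "https://safelinks.example.invalid/click"
PROXY_KEY = b"example-only-shared-secret"

SAFE_SCHEMES = {"http", "https", "mailto"}


def sign_target(url: str, key: bytes = PROXY_KEY) -> str:
    """HMAC over the original target so the proxy can reject forged rewrite URLs."""
    return hmac.new(key, url.encode("utf-8"), hashlib.sha256).hexdigest()


def rewrite_to_proxy(url: str) -> str:
    """Turn a direct link into a proxy URL that is scanned when clicked."""
    return PROXY_ENDPOINT + "?" + urlencode({"url": url, "sig": sign_target(url)})


def resolve_proxy_url(proxy_url: str, key: bytes = PROXY_KEY):
    """Proxy side: recover the real target, or None if the signature is wrong."""
    params = parse_qs(urlsplit(proxy_url).query)
    url = params.get("url", [None])[0]
    sig = params.get("sig", [None])[0]
    if url is None or sig is None:
        return None
    if not hmac.compare_digest(sign_target(url, key), sig):
        return None
    return url


class LinkSanitizer(HTMLParser):
    """Rewrites an HTML mail body so every anchor reveals where it really goes."""

    def __init__(self, use_proxy: bool = False):
        super().__init__(convert_charrefs=True)
        self.use_proxy = use_proxy
        self.out = []
        self.findings = []   # (visible text, real target) for every kept anchor
        self._href = None    # real target of the <a> currently open, if any
        self._text = []      # visible text collected inside that <a>

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if name.startswith("on"):
                continue                      # onclick, ontouchstart, ...
            if tag == "a" and name == "href":
                scheme = urlsplit((value or "").strip()).scheme.lower()
                if scheme not in SAFE_SCHEMES:
                    continue                  # javascript:, data:, vbscript:
                self._href = value.strip()
                self._text = []
                if self.use_proxy and scheme in ("http", "https"):
                    value = rewrite_to_proxy(self._href)
            kept.append((name, value))
        attr_text = "".join(
            f' {n}="{escape(v, quote=True)}"' if v is not None else f" {n}"
            for n, v in kept
        )
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
        if tag == "a" and self._href is not None:
            shown = "".join(self._text).strip()
            self.findings.append((shown, self._href))
            if shown != self._href:
                # The sender's text stays, but the real destination is shown beside it.
                self.out.append(f" ({escape(self._href)})")
            self._href = None

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
        self.out.append(escape(data))

    def result(self) -> str:
        return "".join(self.out)


def sanitize_html_mail(body: str, use_proxy: bool = False):
    """Return (sanitized HTML, list of (visible text, real target)) for a mail body."""
    parser = LinkSanitizer(use_proxy=use_proxy)
    parser.feed(body)
    parser.close()
    return parser.result(), parser.findings


# Constructed sample: a link whose visible text imitates LinkedIn, with a click
# handler, plus a javascript: link. Hostnames are placeholders.
SAMPLE_MAIL = (
    "<p>Hi, please review your profile:</p>"
    '<a href="https://linkmein.example/totally-legit?email=victim@example.com" '
    'onclick="track()">https://www.linkedin.com/in/victim</a>'
    '<br><a href="javascript:alert(1)">Unsubscribe</a>'
)

if __name__ == "__main__":
    cleaned, found = sanitize_html_mail(SAMPLE_MAIL, use_proxy=True)
    print(cleaned)
    for shown, target in found:
        print(f"visible: {shown!r} -> real target: {target!r}")
```

The visible anchor text is left alone; the real target is printed next to it and recorded in `findings`, which is the data a client would need to drive er4hn's "are you sure" prompt. With `use_proxy=True` the `href` is replaced by a signed proxy URL, so the scan happens at click time and a tampered `url` parameter fails `resolve_proxy_url`. As eli and dboreham note, none of this helps when the real target is a compromised but legitimate site or the user reflexively clicks through, so treat it as a transparency measure, not a substitute for a browser that survives clicking the link.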
| eli wrote:
| Would that have helped here? Wasn't the problem in clicking the
| link?
| miles wrote:
| Assuming the messages were delivered via email, plain text
| offers the distinct advantage of non-obfuscated links.
|
| More on the same theme:
|
| The only safe email is text-only email
|
| https://theconversation.com/the-only-safe-email-is-text-
| only...
|
| https://news.ycombinator.com/item?id=15224199
| hsbauauvhabzb wrote:
What if the link contains a spelling mistake your brain is
trained to overlook naturally?
| eli wrote:
| Or it's a legitimate link apparently from someone you
| trust to a site you haven't visited before? Or to a site
| you trust but was compromised? These were very
| sophisticated attackers.
___________________________________________________________________
(page generated 2021-07-14 23:00 UTC)