RSA Says SecurID Hack Based On Phishing With Flash 0-Day 153
Trailrunner7 writes "RSA confirmed on Friday that the attack that compromised the company's high-value SecurID product was essentially a small, targeted phishing campaign that included a payload of a malicious Flash object embedded in an Excel file."
And ActiveX (Score:5, Insightful)
Or OCX (OLE, etc) lets another wolf into the flock. Embed by default is broken, and well terrifying.
Re:And ActiveX (Score:4, Informative)
Ok, this gets on my nerves. ActiveX is a plugin framework. It is *exactly* the same as Mozilla's XPCOM. Both XPCOM and ActiveX carry the exact same set of vulnerabilities. There are only two differences between ActiveX controls and NPAPI plugins:
1) NPAPI plugins are typically only hosted on mozilla.com. ActiveX controls can be hosted on any site.
2) ActiveX controls are required to be digitally signed. NPAPI plugins aren't.
The Wikipedia page on NPAPI [wikipedia.org] does a good job of describing the similarities.
So don't blame ActiveX - blame the plugins. This attack could have been mounted against Firefox (after all it used a *flash* vulnerability and last I heard, flash was available for firefox).
Re: (Score:2)
I wasn't trashing ActiveX per se; but rather the idea the label represents, binary embedding in (an expected) document; or binary embedding period. I hope most people read that I dislike the idea, not the brand name.
Re: (Score:2)
That's fair 'nuf and makes a lot of sense.
Actually *any* architecture that runs plugins with full trust is fundimentally broken. This means ActiveX, NPAPI/XPCOM, Mozilla's XUL extensions (JS running with full trust that can interact with the DOM == scary). At least IE runs plugins in its sandbox (as does Chrome for some plugins like Flash).
Re: (Score:2)
Not exactly the same. The differences are the key. Look at Security [wikipedia.org].
Another difference for the NPAPI is that implementations (prior to Mozilla Firefox, see below) did not automatically download or install missing plugins. A missing plugin caused the browser to display a jigsaw piece representing the plugin. If the user clicked on that they were directed to Netscape's plugin finder service where they could manually download and install the plugin for themselves. While this is inconvenient to the user, it is also an important security measure since it prevented the content using the browser as a vector for malware.
and
Mozilla Firefox attempts to present a middle ground. If a plugin is missing, it will notify the user that the plugin is missing and initiate a secure connection to a plugin finder service hosted on mozilla.org. The user can permit Firefox to download and install the plugin. This model prevents content specifying where a plugin should be downloaded from – the plugin finder service does. This enables Firefox to present a fairly seamless installation mechanism but limit the service to trusted and compatible plugins from reliable sources. This model implicitly trusts the plugin finder service to return "good" plugins, increasing the security required on the host site.
The devil is in the details as usual.
That's all moot here since it was a flash object embedded into an Excel spreadsheet sent as an email attachment that did the damage.
Re: (Score:2)
I 100% agree with the analysis in the Security section (that's actually why I included the wikipedia link).
However the core threats between NPAPI/XPCOM and ActiveX are identical. The two mechanism have different mitigation schemes (FF redirects the user to a secure download location that presumably holds up-to-date versions of the plugins, IE requires that all plugins be digitally signed, checks a CRL and has a blacklist of known bad plugins (and a phoenix list to redirect to a known good plugin)).
Given th
Re: (Score:2)
Funny - most of the sites I visit require an NPAPI plugin to work.
That's because most of the sites I use require flash. And guess what: Flash is an NPAPI plugin.
Re: (Score:2)
You're fixing the thing at the wrong level. Try the element sitting behind the keyboard.
(Hint: No matter how hardened your OS/browser is, there will always be unpatched security issues in them, and therefore 0-day exploits -- and yes, even in bare sans-Flash Linux or Firefox. The common element, the thing that always works for the attacker, is social-engineering, like in this case.)
Thanks again ADOBE (Score:3, Insightful)
.. for the all-present loophole known as FLUSH (and as Flash in your HQ) and also to MicroSoft for their mega-secure OLE, etc, etc
Sad part is trying to live without Flush and MS, is darned near impossible. The other massive and all-present loophole, also (hmm, note this) from ADOBE if PDF..... they should stick to writing PhotoShop and can all the other stuff they have tried and messed up.
Re:Thanks again ADOBE (Score:4, Insightful)
Sad part is trying to live without Flush [sic] and MS, is darned near impossible.
100 million iPhone users and 20 million iPad users disagree.
Re: (Score:2)
Sad part is trying to live without Flush [sic] and MS, is darned near impossible.
100 million iPhone users and 20 million iPad users disagree.
** Lightbulb Illuminates ***
Great Scott! They're all zombies! It's a giant army of undead customers animated with Steve Jobs' unholy juju! Aaargh!
Re: (Score:2)
You mean the 80 million iPhone and 16 million iPad users that also have a Windows PC, laptop, and/or netbook?
Re:Thanks again ADOBE (Score:5, Insightful)
.. for the all-present loophole known as FLUSH (and as Flash in your HQ) and also to MicroSoft for their mega-secure OLE, etc, etc
Sad part is trying to live without Flush and MS, is darned near impossible. The other massive and all-present loophole, also (hmm, note this) from ADOBE if PDF..... they should stick to writing PhotoShop and can all the other stuff they have tried and messed up.
You're kidding right? The attack did not succeed because of Flash or Microsoft. It succeeded because social engineering (phishing being the kind thereof) simply works. And it will work even if the employee is running Linux without Flash. Why? Because (wait for the suprrise here) -- drumrolls -- Linux has 0-day exploits too.
THIS one barely counts as social engineering (Score:5, Insightful)
The social engineering actually happened years before the "attack." Someone has been going around to businesses and telling them that it's ok for non-experts (i.e. people who don't know that loading a "document" into MS Word or MS excel is equivalent to "chmod u+x document; ./document") to run MS Office on computers that have email or other internet access.
RSA's blog about this is sickening. They act like this is a new type of attack, comparing to having your radar-defended country attacked by stealth bombers. Yet in real life, everybody has known about this risk and been talking about it for 15-20 years. Yes, even the fact that the attacker should send the "document" to the right person (if for no other reason, to get that person's permissions, rather than to exploit anything special about their behavior, other than their willingness to execute untrusted "documents"). The only thing new about this, is that this is the first time it ever happened to RSA themselves (that they know of).
Re: (Score:2)
The social engineering actually happened years before the "attack." Someone has been going around to businesses and telling them that it's ok for non-experts (i.e. people who don't know that loading a "document" into MS Word or MS excel is equivalent to "chmod u+x document; ./document") to run MS Office on computers that have email or other internet access.
You might as well argue that folks need to go back to the days of paper filing and abandon computers because viruses exist. How do you suppose an office will collaborate if none of the computers with network access can open network hosted documents? How are the computers with the word processor supposed to access those documents? How are they supposed to mail out the finished proposal?
Just because there are attacks that can be mounted, doesnt mean there arent countermeasures. GPOs that disable embedding
Re:Thanks again ADOBE (Score:5, Insightful)
Combined with the fact that they still don't have a stable 64-bit release of Flash for any OS makes me feel like they are a bunch of no-talent ass clowns without a sound development process in place.
Oh, and in the Linux world, we use tools like SELinux or Apparmor so a hijacked spreadsheet can't go accessing parts of the system where it doesn't belong.
Re: (Score:2)
>Or don't, but provide a citation for this obvious nonsense.
Where's yours? Show your list of Linux zero day exploits. Just declaring they're out there doesn't conjure them. And make sure that they're automated with super user privileges.
Re: (Score:2)
*you're
Doh!
Re: (Score:2)
This is all Microsoft. It never would have worked, if Excel spreadsheets were actually "documents" (as we think of that word) rather than executable programs. It is fucking insane that people email that kind of thing around. If someone emails you an Excel spreadsheet, you should consider that equivalent to someone emailing you a program with the subject line, "Here, run this. I want your computer."
Note to self: (Score:2)
Wait wait hold up (Score:5, Interesting)
Re:Wait wait hold up (Score:5, Funny)
You don't put background music in the spreadsheets you email to people? Weird. Numbers are so boring without some Slipknot playing.
Re: (Score:1)
to give people infections?
Re: (Score:1)
2. Some manager probably got a bonus for innovation for implementing the feature.
3. You should use Microsoft products as much as possible. Not being able to embed flash into an Excel file might, someday, make someone not use Excel. This would be bad.
4. Because it's technically possible. Why do web browsers store a list of every website you ever visited? Same reason, it's technically possible an
Re: (Score:2)
Excel Embeds: Turning Excel files into MySpace pages one sheet at a time.
Re: (Score:2)
The real question is "why would you open an Excel file from an unknown sender?"
Re: (Score:2)
I think the real question is "why do you have to be afraid to open a spreadsheet?".
I know FLASH is just the easiest way to get in - but does excel really need a way to run arbitrary code?
Re: (Score:2)
... after retrieving it from the spam folder, no less.
"Goddammit, there's gotta be pics of Anna Kournikova one of these times..."
Re: (Score:3)
Re: (Score:2)
Simple question: securid seeds? (Score:5, Interesting)
has the securid seeds database been compromised?
anything else you announce is fluff.
Re:Simple question: securid seeds? (Score:5, Informative)
Dear RSA; speaking as a customer; we need a simple answer to the question [zdnet.com.au]:
has the securid seeds database been compromised?
anything else you announce is fluff.
We use a LOT of SecurID tokens at our university, and the group that manages them has been way too quiet since this happened. But today they sent an email out - no mention of the RSA breach, just that they have decided to "retire the SecurID tokens early to save money" and are replacing them with a different product.
So I'm guessing they think the seeds database has been compromised.
Re: (Score:3)
Ditto (Score:4, Interesting)
At my work we used to use the RSA token and a 4 number PIN that never changed to log into the network (as well as the regular username and password). Five failures to log in would get your account locked out.
Now we have to use our RSA token and an 8 letter/number PIN that changes every 30 days(!) to log into the network (as well as the regular username and password), and the system locks out accounts after only 3 failed log-ins.
They are obviously relying _much_ more heavily on the user selected PIN than before, almost to the point that the token output is irrelevant.
Re:Simple question: securid seeds? (Score:5, Interesting)
And just to amplify this with a bit of Wikipedia manipulation; have a look at this edit [wikipedia.org] which comes from 128-221-197-57.emc.com, Where EMC is RSA's parent company, which I found from this article [wordpress.com] which also includes an RSA letter which they are supposedly sending out to customers.
Full disclosure to all affected users; it shouldn't be a matter of dispute. It should be the law.
Re: (Score:3)
The first of the removed paragraphs could be considered "original research" (banned on Wikipedia). I'm of the opinion that linear deductions are not research, but automatically follow. However, I've had a few entries edited out as "original research" myself and know that Wikipedia takes the rule extremely seriously even if it is to the point of absurdity.
The rest of the paragraphs are more inflamatory/op-ed and don't belong in an encyclopedia setting. They may be technically correct (only RSA knows) but the
Re: (Score:2)
The edit was incorrect in any case. There are pretty clear Wikipedia policies limiting editing of your right to edit articles about yourself. The edit didn't clearly state who it was from. The editor should have copied the text to the talk page for discussion. There were facts which have been referred to elsewhere on news sites (e.g. the existence of an RSA letter to customers) which were simply deleted. Most importantly, all of the speculation referred to in the edit does exist in widely known sourc
Re: (Score:2)
Those in-the-known, i.e. government agencies, have or are adding 3-factor authentication. That is.. In addition to the RSA token and a passcode, they are adding a second passcode, most often the user's intranet password (Windows Domain).
So until they tell me the truth, I will draw my own conclusions from what I know.
Re: (Score:3)
I think real question is why doesn't the customer initialize the token. There are lots of interface options to initialize a small token: I2C, USB, even IR.
Re:Simple question: securid seeds? (Score:4, Insightful)
Y'know, one of the first things experts tell you when you're trying to educate yourself about crypto is not to rely too much on secrets that are baked into a product or system. This situation is a vindication of that principle. The whole house of cards has fallen down in an irreparable way because of a single security breach.
This is going to cost RSA a lot more than sales of its SecureID product. People buy this product, not because they have analyzed the system and decided it is architecturally secure; they bought it because they trusted RSA. RSA was founded by the most illustrious minds in the field. I was looking at some RSA job postings recently, and they don't appear to hire anybody who doesn't have a PhD. RSA is supposed to be the company that knows how to do things right. That means they knowingly produced a system that violated stuff you learn in Chapter 1 of a basic crypto text, and then induced customers to rely on that system for security.
RSA reputation, meet porcelain bowl.
I want to be clear I'm not criticizing RSA for the security breach. I'm criticizing them for inducing customers to rely on a system that becomes irreparably untrustworthy after a single event that was bound to happen sooner or later.
Re: (Score:2)
Y'know, one of the first things experts tell you when you're trying to educate yourself about crypto is not to rely too much on secrets that are baked into a product or system. This situation is a vindication of that principle. The whole house of cards has fallen down in an irreparable way because of a single security breach.
The token system isn't anything like DRM in Sony playstations. Each token is unique, and the only way to break the system was the access RSA's database. The system still works though, because RSA doesn't keep a database of which "something you have" goes with which "something you know". It can be narrowed down per company, but there's still a lot of guesswork and lockouts involved.
Re: (Score:2)
Never said it was like DRM. The point is: they lost the secret, and the *system* is irretrievably compromised. It doesn't matter where the secret was stored, it was still baked in.
Re: (Score:2)
The underlying problem, though, is that you can never know if something is secret, you can only know if something is not secret. Thus, you have a paradox - the only way to know if something was secret is to share it and see if anyone else already knew.
As such, any system based on secrets of any kind whatsoever is inherently flawed because it is dependent on an assumption that is provably unprovable.
This is why you will see the phrase "security through obscurity is no security at all".
The catch is that publi
Re: (Score:2)
If I was writing a trojan to hack RSA I wouldn't send the CEO an email saying exactly what was compromised.
In fact I'd try to leave as few traces and as many doubts as possible.
Comment removed (Score:4, Funny)
Re: (Score:2)
Good Lord, do you mean she is pregnant !? You should buy better condoms, so the Trojan doesn't break.
btw. she is ;)
Re: (Score:1)
Re: (Score:2)
And I think to myself... (Score:2)
... would I have fallen for such a phishing attack? And the answer is - yes, quite probably
and I wonder, how would I protect against it? And I come up with very few practical ideas.
Anyone?
Re:And I think to myself... (Score:5, Insightful)
Re: (Score:2)
Usually as employee you cannot decide that.
Re:And I think to myself... (Score:4, Funny)
Not running the most insecure OS on the planet would help too.
Where in the article they say that OSX is being used?
Re: (Score:2)
Um, not opening Excel or Flash files on computers that access the database
What if the "database" is an Excel file?
Re: (Score:2)
What if the "database" is an Excel file?
Then RSA needs to be nuked from orbit, as it's the only way to be sure....
Re: (Score:2)
I do agree with sandboxing: many companies still take a "walled garden" approach
Re: (Score:2, Interesting)
They haven't stated how the hackers progressed from the low value employee workstations to higher value systems...
Although this is just a guess, based on my experience of other organisations they typically use active directory to manage everything from low level employee workstations, to high value servers... Elevating yourself from a low value workstation to domain admin using tools such as incognito, lsadump or hash passing is relatively easy and from there you have a very good chance of getting access to
Re:And I think to myself... (Score:4, Insightful)
Corporate IT security is like a slot machine that costs 25 cents to play, with a payout schedule that pays $1 on average, but one out of every 1M pulls you lose $10M.
The IT manager who ultra-secures their systems gets tons of complaints, and the company becomes less nimble than their competition who don't bother to secure (there is a real cost when you make it harder for your employees to communicate and work together).
So, if you're an IT manager who promotes strong security you quickly lose your job to somebody who doesn't.
Then every once in a while one of these insecure managers pulls the lever and loses the company a lot of money. The manager is blamed for lax security and fired. The replacement will start out being more secure, and once the spotlight is off they'll go back to doing exactly what their predecessor did, and they'll get bonuses because there isn't a repeat of the huge loss and things are just as efficient as before. That must mean he is doing his job right, right?
I've been finding that successful executives these days really are just lucky. They enact risky policies that have short term gains, pocket bonuses from these gains, and try to move on before it comes back to hurt them. Many get terminated, but those who don't shoot way up the ladder. What passes for due diligence at the CxO level isn't about preventing problems, but instead punishing whoever was left standing without a chair when the music stopped.
Re: (Score:2)
How about opening an Excel file on a computer that can access a computer that can access a computer that can access the database?
Re: (Score:2)
Friends don't ask Friends to "open" programs that pretend to be documents, that are run by interpreters that pretend to be office productivity applications, that have full access with administrative privileges, let alone on machines that have any data that anybody actually cares about...
Microsoft... Where do you think your data _didn't_ go _today_?
Re: (Score:2)
Microsoft... Where do you think your data _didn't_ go _today_?
You are really dating yourself there.
Dammit, I just dated myself by getting the reference.
Re: (Score:2)
Well... no one else will date me...
8-)
Re: (Score:2)
And I'm sure the people at RSA are doing the same thing that every other large institution/business is doing: Cutting costs. Those imaginary people at RSA you speak of cost money to train and retain. This was bound to happen, as soon as the primary focus switched from providing secure products to maximizing profits. I'm imagining a scenario like this:
Executive 1: Q2 close is coming up. Are we going to make our numbers?
Accountant 1: No sir, it doesn't look like it
Executive 1: Let's cut costs. Lay off some fo
Re: (Score:1)
Well, if it ends up in your junk folder, you simply should ask yourself why it went there. And take a closer look at the email before opening any attachments. I'm pretty sure that a quick look at the headers would have revealed that the originator isn't part of the company.
Of course if they have a collaborator inside the company network (or maybe can send the mail from another compromised company computer) that precaution measure probably won't help.
Re: (Score:2)
take a closer look at the email before opening any attachments. I'm pretty sure that a quick look at the headers would have revealed that the originator isn't part of the company.
I noticed a couple of things about windows: users inside the company compulsively send attachments to the point where people open them without thinking. Outlook adds external users to its address book, then hides domain name information when it displays that user. It can be hard to tell what is internal mail and what is not.
Re: (Score:2)
Avoid Excel?
Re: (Score:2)
Don't use Excel as your first option when reading e-mail attachments?
Run off of a read-only file system?
Convert every excel file to CSV before opening?
View using Google Docs or one of its clones? (Not that I advocate using Google's tools in general...)
Open nonessentials on a different computer with restrictive security settings? Don't use Windows?
The possibilities are endless.
Realistically, it's not possible to stop an attacke
Re: (Score:1)
Yeah, your employer will love it if you open internal company documents (and the document posed as internal company document) through a server of another company ...
</sarcasm>
Re: (Score:1)
Again, I'm not a fan of using Google Docs, but I'd much rather let their servers clobber a zero-day than let it in through t
Re: (Score:2)
I am reminded of a line from the comedy series "Twenty Twelve". "Is it just me, or is the common thread running though these possibilities that they aren't actually possibilities?"
"Sorry boss, can you pop that spreadsheet onto a floppy for me, so that I can open it on a quarantine machine".
Re: (Score:1)
Re: (Score:2)
You would think that Microsoft could stop this (Score:1)
If they were to add a .nexls (non executables or something similar) file type that companies needing a bit of security could use that only had stuff a normal spread sheet has values, borders, charts, formulas ... (and something similar for word).
Of course it would be hard to add new features to these versions and therefore sell updates and completing products would be able implement the standard pretty quickly.
The epitome of a good attack (Score:2)
Microsoft, Adobe, e-mail and stupid people. Seriously, the internal security is just as important as external - too bad almost no large organization heeds these warnings and continues to trust all their users and their computers as being safe and secure. My organization thinks because you're on the internal network, you don't need encryption necessarily for passwords and the like, they actually call it the Secure Network whereas the unencrypted wireless and the network that links up to external providers ar
RSA "information" policy reminds me of TEPCO. (Score:2)
And this "event" does too.
In a week or so they will admit that "some seeds" were stolen, a week or two later, it will be a "significant number of seeds" and some more weeks later it will be "all seeds".
The real question is however this: Why the hell were the seeds accessible over the network? Are these people totally and utterly incompetent? Even the mere possibility of a seed database compromise over the net (and they have indirectly, but conclusively confirmed this, as it is the only part of the system th
and the solution is .. (Score:2)
> RSA confirmed on Friday that the attack that compromised the company's high-value SecurID product was essentially a small, targeted phishing campaign that included a payload of a malicious Flash object embedded in an Excel file." ..
Don't open email attachments on a Windows computer that is used to control your SecurID product ...
Re: (Score:2)
RSA is using WIndows for the Desktop??!!! (Score:2)
I mean, it's not like there are no known Linux exploits, but -- when you've got average users using windows for day-to-day work, it's just a matter of time....
Security by obscurity, but -- among other things -- the attacker would, have to figure out that you're not using Windows.
Re: (Score:2, Insightful)
Why jobs doesn't want that POS on Iphones or Ipads!
Easily turned around. Considering it was phishing based attack, you could quite as easily say its no wonder that Jobs doesn't want people actually using iPhones or iPads as anything other than toys.
Re:And then people wonder (Score:4, Insightful)
Why jobs doesn't want that POS on Iphones or Ipads!
Easily turned around. Considering it was phishing based attack, you could quite as easily say its no wonder that Jobs doesn't want people actually using iPhones or iPads as anything other than toys.
How does that even make any sense? iOS is quite secure, including not being vulnerable to Flash exploits, and if Steve Jobs only wants people to use iOS as "toys", why does Apple sell five creative and business apps for it?
The only thing you got correct in your post is that this was a phishing attack.
Re: (Score:3)
Not being able to run something is a curious criterion for invulnerability.
If we were to think like this, why not migrate to Multics. It's "not vulnerable" to almost anything under the sky.
Re: (Score:1)
Including not being vulnerable to Flash exploits?
Not being able to run something is a curious criterion for invulnerability.
No, it's actually quite logically sound. You can't be infected by something you can't run.
If we were to think like this, why not migrate to Multics. It's "not vulnerable" to almost anything under the sky.
No need to go to extremes. Simply avoiding significant security risks, like Flash and ActiveX, is a good start.
Re: (Score:2)
Re: (Score:1)
Well, I suppose that's one way to recover from saying something that doesn't make any sense...
Care to clarify the actual purpose of your original reply?
Re: (Score:2)
But don't take that as something personal. Of course the real thing to do is to avoid significant security risks. (Such as, just to try and stay on topic, fishing a message out of junk and open whatever attachment it comes with.)
Re: (Score:2)
Just for the hell of it: if You can't be infected by something you can't run, the logical consequence would be to never run anything.
That's not the logical consequence. That's an absurd consequence. There's nothing inherent in my statement that suggests taking absurd measures. Security isn't binary. You cull the severe risks, and manage the lesser ones.
I did misinterpret your original reply, though. When you said you weren't being serious, I thought you were referring to your argument as a whole (which I got quite clearly, you were trying to dismiss my claim that iOS is more secure for not running Flash by pretending it must be taken to
Re: (Score:2)
ITT: node 3 getting trolled hard.
Re: (Score:2)
Sar-chasm: n: The gulf between a speaker of a sarcastic comment, and those who don't get it...
Re: (Score:1)
How does that even make any sense? iOS is quite secure, including not being vulnerable to Flash exploits, and if Steve Jobs only wants people to use iOS as "toys", why does Apple sell five creative and business apps for it?
Just because iPhone is a cool phone doesn't make it the best at everything.
You can hack an iPhone by visiting a webpage [everythingicafe.com], it also got hacked the 2nd day of pwn2own. iPhone is a lot like Windows when it comes to people trying to PWN it, so I would say it is probably one of the riskiest phones you can use.
Re: (Score:2, Troll)
How does that even make any sense? iOS is quite secure, including not being vulnerable to Flash exploits, and if Steve Jobs only wants people to use iOS as "toys", why does Apple sell five creative and business apps for it?
Just because iPhone is a cool phone doesn't make it the best at everything.
I wonder where you got the idea that anyone is claiming that it is.
You can hack an iPhone by visiting a webpage [everythingicafe.com],
Not anymore.
it also got hacked the 2nd day of pwn2own.
Everything gets hacked at pwn2own.
iPhone is a lot like Windows when it comes to people trying to PWN it, so I would say it is probably one of the riskiest phones you can use.
You would say that, but that doesn't make it true. Risk requires actual malicious code. Android is many orders of magnitude more risky than iOS, due to the simple fact that there has been plenty of malware for Android (some of which distributed on the Android Market). The only iOS malware that has ever existed has been for jailbroken devices--which is to say, for devices which the user has delib
Re: (Score:2)
You can hack an iPhone by visiting a webpage [everythingicafe.com],
Not anymore.
Same is true of the Flash vuln -- it was patched by Adobe on March 21.
Re: (Score:2)
iOS is quite secure,
Which explains why the iOS is never jailbroken ever.
What system is invulnerable to the user itself? Once an iOS device is jailbroken, it's essentially a standard UNIX system. The security system that can be jailbroken is a significant security enhancement beyond any other consumer OS.
Re: (Score:1)
iOS is quite secure,
Which explains why the iOS is never jailbroken ever.
What system is invulnerable to the user itself?
Node, you just answered your original question and now should understand the satirical post about using Apple products.
Re: (Score:2)
You're not being very clear. What OS, including iOS, is invulnerable to users deliberately hacking their own device?
Re: (Score:2)
No, you can't.
Re: (Score:2)
Re: (Score:2)
What OS has never had remote exploits? iOS has had exactly one. And it was never turned into a malicious exploit. And it has long been patched. What other OS would you possibly label as being notably insecure for having had one remote exploit in five years, which has long since been patched? I assume this sort of scrutiny and aversion applies only to OS's from fruit-themed companies, since that's the only thing consistent on this topic around here.
After all, there have been multiple remote exploits for Andr
Re: (Score:2)
This isn't a remote exploit. It's a Flash file that was embedded in an Excel file that was emailed and opened on a local system.
Re: (Score:2)
Err... how did parent get modded "offtopic"? It's precisely ON topic in terms of a reply; a vulnerability that allows a jailbreak is no less a vulnerability that allows an exploit. They're both an "own the system" gambit.
Re: (Score:2)
Yes.
It's called sneakernet.
The "x" comes from computer "B", which is shown on a display. A human operator types "x" into server "A", which has no network connection at all. Server "A" then displays f(x), which the human operator types into a different keyboard connected to computer "B".
In order for this to work truly securely, though, several things have to be true:
- The operator has to have no chance to enter incorrect information by accident, or enter the information in the wrong place. That means this
Re: (Score:2)
Wouldn't work. If the hacker can gain control of B, the hacker has the ability to generate enough points of data for x and f(x) to figure out what the function is.
The way RSA does it is better. B doesn't send X, it sends a User ID, which is static. A then looks up in a secure hash what salt User ID corresponds to, and uses that along with system time to figure out what X is, so that it can return f(x) to B. (in other words, to figure out what your secure token is displaying) It's a much more secure way of d