HACK APPLE 10/11

Brief
By Schuyler Dorsey, eLearnSecurity i ID Theft Protect
As usual specialists from companies eLearn Security and ID Theft protect will share with us latest news from IT security world. Read it to up-date yourself.

Hacking Tools on iOS
By Alexandre Lacan
One day I was asked if the iPhone is a good phone. I said, it’s not a phone, but a real computer with a telephony function. Its portability and discretion make a very good tool pentest in certain situations where discretion is important (…) When Defcon17, in 2009, Thomas Wilhelm proposed to transform an iPod Touch into a pentest tool. Even if some tools are not available in iOS, many utilities can play with an iPhone or iPad. In this article you will learn how to install the most useful tools for hacker.

Apple Memory Tricks
By Israel Torres
As a researcher it is always fun to run into things while playing with unexpected behavior. Recently while implementing a crypto challenge in C on my Mac running Lion I noticed that some of the resultant output was not matching the expected test input. Figuring it was a fluke I didn’t think about it too much more until curiosity got the best of me a few days later… In this article our regular contributor will describe his experience with using C to passively play with live Apple Memory in Terminal Shell. He will show you how using osxmem you can safely experiment on your system to see what is floating around outside of the expected boundaries. Get some practical knowledge during the reading.

As Apple Devices Gain Popularity Do They Become More Vulnerable to Exploitation?
By Gary S. Milefsky
The answer is yes. A few years back before the iPod, iPad and iTouch, there were very few CVEs listed in the National Vulnerability Database at https://nvd.nist.gov but today you can find over 2,700. Most recently, if you search for CVEs discovered in Apple hardware and software over the last three months alone, you’ll find at least 80 CVEs (holes) of which most are of a serious, easily exploitable nature. Read this article to discover the Apple holes and find out how to tunning up your Apple Software.Thanks to MITRE’s CVE program, the NVD at NIST.gov, Apple.com, Google, and Wikipedia for some of the information and content used in my research for this article.

Import Hooks For Encrypted Python Modules
By Jesus Rivero
Every now and again, somebody comes up and ask this question: How can I hide/encrypt/obfuscate my Python code? And the answers may be different, ranging from things like: Python is not the Tool; rewrite it in Perl; distribute only your .pyc or .pyo files; and other creative solutions. Well, the answer is Yes! There are ways, and one such way is through the use of Import Hooks. This text will will give you some good piece of knowledge on Python’s import mechanism and hooks. You will also find out how to import encrypted Python modules. So, if you have some gaps here, you should definitly read it to get rid of them once for all. Inside you can expect a lot of code lines…

Apple OS X and iOS Hacking News
By Julian Evans
This month’s article focuses on Apple technology hacking that has been identified thus far in 2011. Here you will find a compilation of some high profile media reports and research from the Web on the hacking of Apple technology. There are two sections – Mac OS X and iOS (iPad; iPod & iPhone). There are many contributors, so we’d like to thank all of them for the use of their research material in this article. From this text you will learn what is the current state of apple security. The information comes as well from apple oficiall releases as from hacker communities. In the end, you will also get some iOS security hints and tips.

Interception with Paros Proxy
By Bharath Siva Kumar
When we talk about Man-in-the-Middle attacks, we come across two modes in it; one is passive and the other is active. Passive is the one in which the attacker regularly monitors the conversation between two persons without modifying the data or contents affecting confidentiality. Whereas the active is more dangerous compared to passive in which the attacker modifies the whole data between the two parties affecting integrity of data. Now we will look after a powerful tool known as Paros which acts a proxy between client and server intercepting the data between them (…) Paros is a freeware and easy to use tool, there are so many other HTTP proxies available which you can use with the knowledge possessed by using Paros. Besides HTTP proxy, Paros can also be used as spider and scanner. You can also edit cookies which are sent to the browser. By examining the browser requests for GET and POST methods, we can obtain sensitive information like passwords and usernames in the URL. Also it can trap HTTPS requests send from your browser. This article is for learning and should not be used for any non-ethical purposes.

Prey: From Praying to Preying
By Mervyn Heng
Since the issue 7/2010 article Prey: A New Hope, there have been developments in the device tracking tool. It has been enhanced to now be able to monitor lost Android smartphones and tablets when activated. There was a reported case in May 2011 where a Californian harnessed evidence collected from a similar tool, Hidden, to recover his stolen Macbook. The trend in mobile computing is the increasing popularity and adoption of smartphones as well as tablets which are compact compared to laptops and netbooks. This is an ideal segment for Prey to aid whilst permitting you to have peace of mind in tracking your laptops (Windows, Ubuntu, Mac OS, Linux) too. (…) Prey is not yet available on iPhones or iPads but could be added to the stable in the near future. There has been criticism and scepticism with regards to this service but they can be easily be overcome by opting for the commercial license. Install Prey on your portable devices now to have peace of mind and hope in recovering them.

Facebook and the Fuzz
By Drake
Mobile telecoms is a very, very hot topic in Britain this year. Much of the year saw the investigation playing out around mobile phone “hacking” by journalist – this apparently touched everyone from the Queen to various minor celebrities. In reality, the hacking in question was nothing more than some journalist being aware of how to access voicemail for which default PIN codes were in use. Nonetheless, the scandal involved politicians on all sides, and led to calls for the resignation of the Prime Minister. Perhaps, more important, however, is the role of the Blackberry in the wave of riots and looting that burned across the UK in August. Read the essay column in which the author deals with different current legislation issues and curiosities.

Interview with David Harley
David Harley BA CITP FBCS CISSP is an IT security researcher, author and consultant to the security industry living in the United Kingdom, known for his books on and research into malware, Mac security, anti-malware product testing, and management of email abuse. He is a director of the Anti-Malware Testing Standards Organization, a Fellow of the BCS Institute, and runs the Mac Virus website. Lately he agreed to answer some questions prapared by Hakin9 Team specially for this issue. Get know the great and experenced specialist and find out something more about the issues he is dealing with in his professional life.