  1. tipplex's Avatar
    This backdoor existed 3 years

    Posted via CB10
    08-27-16 02:56 AM
  2. muindor's Avatar
    Apple released an OS update yesterday that addresses this bug. ~10 days from the bug being discovered to world-wide release of an OS update.

    Meanwhile BB10.3.3 (which is supposed to contain 'security fixes') is almost 5 months overdue from its original 'scheduled' date.
    In BlackBerry's face!

    08-27-16 03:16 AM
  3. anon(9742832)'s Avatar
    Which OS is most at risk? Windows, Android or iOS?

    All have benefits and drawbacks. Currently Windows Phone seems to be the hardest nut to crack. BlackBerry has a long history of being very security-focused. If I have physical access to the device, I find Androids usually the easiest target. Then comes iPhone, then older versions of BlackBerry. If it's over a network or I have to attack via email or message, Android's usually the softest target.

    Source: Under Attack: An interview with a hacker - What Mobile

    Posted via CB10
    Please no logic here, hysteria is much more fun....Wooof!
    08-27-16 07:02 AM
  4. kvndoom's Avatar
    But 10.3.x doesn't contain a big leak like this iOS leak, so it's apples to oranges.

    Posted via CB10 using my amazing BlackBerry Passport (OG Red) <3
    How do you know, though? Just because there hasn't been an exploit doesn't mean that a vulnerability doesn't exist.

    Hackers, like app developers, must have something to gain to make it worth their while (financially, politically, etc)


    Blackberry Poptart SE - Cricket Wireless
    08-27-16 07:07 AM
  5. morlock_man's Avatar
    How do you know, though? Just because there hasn't been an exploit doesn't mean that a vulnerability doesn't exist.

    Hackers, like app developers, must have something to gain to make it worth their while (financially, politically, etc)
    The microkernel design makes it more of a science. To seize control of the system, there would have to be a very glaring flaw in the architecture of a very small and streamlined piece of code that would allow someone to assume control. These methods exist all over the place in monolithic kernel systems and hybrid systems because of the shared memory pool. The microkernel design demands robust and trusted security simply by the way it operates.
    Vistaus likes this.
    08-27-16 07:53 AM
  6. Richard Buckley's Avatar
    How do you know, though? Just because there hasn't been an exploit doesn't mean that a vulnerability doesn't exist.

    Hackers, like app developers, must have something to gain to make it worth their while (financially, politically, etc)


    Blackberry Poptart SE - Cricket Wireless
    I keep hearing this argument, but it doesn't make any more sense now than it did the first time I heard it.

    First it assumes that vulnerabilities being found and patched close the majority (some people talk like it closes all) vulnerabilities. But if you are going to argue that the lack of vulnerabilities found in BlackBerry doesn't mean that there are none, you have to also accept that when vulnerabilities are found only a small percentage of the existing vulnerabilities have been found.

    There are many groups looking for bugs that make vulnerabilities, but they can be divided into two main ones: those who will disclose, responsibly or not; and those who won't disclose. We can't know what the ratio of one to the other is but given the amount of money being offered by companies like Apple we can assume that there are more who will not disclose if there is more money to be made.

    The only reliable metric we have is the number and severity of vulnerabilities disclosed. The number for BlackBerry is not zero, so people are looking at the OS, but the numbers are smaller and the severity, when mitigation is considered, is less for BlackBerry than for others. Except perhaps for the BlackBerry powered by Android. I haven't seen any hard data on the efficacy of their hardening yet.

    But in the end trying to make a distinction based on random news reporting doesn't get anyone anywhere. If you want something to ponder look at the patch lists for Android month by month. Examine how many consecutive months there have been severe or critical vulnerabilities in code libraries 10 years old or older. Use that to extrapolate how many undisclosed vulnerabilities may be known and in use. Then do the same thing for iOS, Windows Phone and BB10. Then consider all the other libraries.

    LeapSTR100-2/10.3.2.2876
    La Emperor likes this.
    08-27-16 10:34 AM
  7. canuckvoip's Avatar
    Apple released an OS update yesterday that addresses this bug. ~10 days from the bug being discovered to world-wide release of an OS update.

    Meanwhile BB10.3.3 (which is supposed to contain 'security fixes') is almost 5 months overdue from its original 'scheduled' date.
    Secondly, calling that gaping hole in Apple's iOS a "bug" is hilarious! That nightmare of a vulnerability has been there since iPhone 5 and iOS 7. The governments and companies using the tools that easily exploit that vulnerability have been using it for YEARS.
    If you think that Apple never knew about it until 2 weeks ago I have a bridge in Vancouver to sell you. Lots of choices here.
    The only reason they put a Band-Aid on the gaping vulnerability is because it was exposed, not because they actually care.
    Vistaus and PatrickMJS like this.
    08-27-16 01:48 PM
  8. LazyEvul's Avatar
    If you're foolish enough to believe that BlackBerry has a magic formula to writing vulnerability-free code that no one else has figured out, then it looks like BlackBerry's marketing department has been doing a much better job than we all thought.

    The goal of security has never been to eliminate all vulnerabilities - this is an accepted impossibility when the code is as complex as an operating system. The goal is to make exploits difficult and expensive to deploy, and easy to quickly patch. We know that:

    A) This exploit required 3 separate vulnerabilities to work, signaling that mitigations are in place and doing their job.
    B) A similar iOS exploit sold for $1 million earlier this year, which is about as expensive as they come.
    C) It took 10 days for Apple to go from vulnerability report to a patch that rolled out to devices as old as the iPhone 4s.

    Given those factors, it's clear that Apple is doing their job just fine.
    Uzi likes this.
    08-27-16 02:06 PM
  9. Joao Oliveira's Avatar
    Apple released an OS update yesterday that addresses this bug. ~10 days from the bug being discovered to world-wide release of an OS update.

    Meanwhile BB10.3.3 (which is supposed to contain 'security fixes') is almost 5 months overdue from its original 'scheduled' date.
    So it's WebOS... because it's dead like BB10
    08-27-16 02:57 PM
  10. bobshine's Avatar
    It's a given that there are vulnerabilities in any OS. The issue is how many of them are uncovered and exploited... and that part there's no real way to know. Who knows? There might be a vulnerability in BB10 that is exploited right now... but no one has uncovered it yet.

    But the real question for everyone here is: is the phone secure enough for you??? Unless you're a head of state or director of the CIA, I am pretty sure the answer is yes
    melander likes this.
    08-27-16 02:58 PM
  11. canuckvoip's Avatar
    Listing of vulnerabilities:
    Apple 924
    Apple Iphone Os : CVE security vulnerabilities, versions and detailed reports

    Android 514
    Google Android : CVE security vulnerabilities, versions and detailed reports

    BlackBerry 21
    https://www.cvedetails.com/vendor/8356/Blackberry.html

    If you are foolish enough to believe that vulnerabilities don't matter to security overall...
    I agree that you're pretty much only as safe as what you do with your own device (for the most part), but I'm not going to start out with the Swiss cheese of security and vulnerabilities that is Apple. They are the worst by a long shot.
    But... it's your life, so whatever helps you sleep at night.
    08-27-16 03:19 PM
  12. LazyEvul's Avatar
    Listing of vulnerabilities:
    Apple 924
    Apple Iphone Os : CVE security vulnerabilities, versions and detailed reports

    Android 514
    Google Android : CVE security vulnerabilities, versions and detailed reports

    BlackBerry 21
    https://www.cvedetails.com/vendor/8356/Blackberry.html

    If you are foolish enough to believe that vulnerabilities don't matter to security overall...
    The count of publicly-known vulnerabilities is an utterly useless security metric. It fails to account for differences in system popularity, research incentives like bug bounties, incentives from the grey market to keep vulnerabilities secret, and the mixture of manpower, luck, skill and experience that is necessary to successfully recognize a vulnerability.
    Vistaus and Jerry A like this.
    08-27-16 03:33 PM
  13. canuckvoip's Avatar
    The count of publicly-known vulnerabilities is an utterly useless security metric. It fails to account for differences in system popularity, research incentives like bug bounties, incentives from the grey market to keep vulnerabilities secret, and the mixture of luck, skill and experience that is sometimes necessary to successfully recognize a vulnerability.
    Utterly useless? Why is Android half the number of Apple vulnerabilities if you take system popularity into account? Android has 83% or so of the market.
    Apple has not put bounties out until this month, yet their count is double.
    08-27-16 03:44 PM
  14. LazyEvul's Avatar
    Utterly useless? Why is Android half the number of Apple vulnerabilities if you take system popularity into account? Android has 83% or so of the market.
    Apple has not put bounties out until this month, yet their count is double.
    You're missing the point. You've accounted for just two of the factors I've listed. Can you account for the rest? Or the ones that I haven't even mentioned yet?

    Take a look at the random spike of iOS vulnerabilities in 2015, for instance. Or the spike for Android in 2016. There's no explanation for either of those - it's not like Android Marshmallow or iOS 8 took some kind of sudden security risks that prior versions hadn't. They both improved upon prior versions, in fact.

    And then look at Android in 2014 - 13 vulnerabilities? Really? If that's everything that was patched that year, that's not because Android was secure - it's because Google was doing an awful job. There's no statistical reliability with these listings whatsoever.
    Jerry A likes this.
    08-27-16 04:04 PM
  15. canuckvoip's Avatar
    I'm not missing your point, I just fundamentally disagree with you, but neither of us is going to change the mind of the other so let's forget it.
    But Apple still sucks. Bwahahahaha!!!

    :>)
    Vistaus likes this.
    08-27-16 04:29 PM
  16. tipplex's Avatar
    In the hacked docs of the Hacking Team you can read internal communication quoted:

    "that only the smart ppl are using a BlackBerry and that they should have an exploit for it"


    Hahhaha that part is very good pr stuff for BlackBerry.

    Posted via CB10
    canuckvoip and Vistaus like this.
    08-27-16 07:19 PM
  17. Richard Buckley's Avatar
    If you're foolish enough to believe that BlackBerry has a magic formula to writing vulnerability-free code that no one else has figured out, then it looks like BlackBerry's marketing department has been doing a much better job than we all thought.

    The goal of security has never been to eliminate all vulnerabilities - this is an accepted impossibility when the code is as complex as an operating system. The goal is to make exploits difficult and expensive to deploy, and easy to quickly patch. We know that:

    A) This exploit required 3 separate vulnerabilities to work, signaling that mitigations are in place and doing their job.
    B) A similar iOS exploit sold for $1 million earlier this year, which is about as expensive as they come.
    C) It took 10 days for Apple to go from vulnerability report to a patch that rolled out to devices as old as the iPhone 4s.

    Given those factors, it's clear that Apple is doing their job just fine.
    There are many programming disciplines which require error-free code. Each vulnerability usually starts with a crash. So, think about complex software systems that you don't want to crash: airplane flight management systems, nuclear power stations, rocket control software, car braking or steering control systems. Do you want to be flying on an airline which has software with as many bugs as smartphones? Vulnerability-free software can be written, but not if you want changes every few months because you are getting bored with the current UI.

    LeapSTR100-2/10.3.2.2876
    canuckvoip, Vistaus and byex like this.
    08-27-16 08:01 PM
  18. LazyEvul's Avatar
    There are many programming disciplines which require error-free code. Each vulnerability usually starts with a crash. So, think about complex software systems that you don't want to crash: airplane flight management systems, nuclear power stations, rocket control software, car braking or steering control systems. Do you want to be flying on an airline which has software with as many bugs as smartphones? Vulnerability-free software can be written, but not if you want changes every few months because you are getting bored with the current UI.

    LeapSTR100-2/10.3.2.2876
    Out of the examples you've just cited, only rocket control software hasn't been publicly known to have bugs - but that's also the piece of software that's least likely to be discussed publicly.

    Airplanes have had bugs: https://www.theguardian.com/business...oss-of-control

    Nuclear power plants have been hacked - fortunately, air gapping prevented any harm from being done: German nuclear plant suffers cyber attack designed to give hackers remote access

    And cars have most certainly been hacked: https://www.wired.com/2015/07/hacker...-jeep-highway/

    Even software written for the space shuttle, with some of the most careful and meticulous processes in the world, had bugs. Now mind you, they had a phenomenally low error rate, but it wasn't 0. https://www.fastcompany.com/28121/th...te-right-stuff

    And all of this software is still likely made up of less code than a typical smartphone OS.

    If you operate in an environment that can't survive a software vulnerability, you have to build in additional protections, like physical overrides or air gapping. You most definitely do not rely on the code to be error free, because even in the most meticulous of environments, you ultimately have imperfect beings writing & reviewing the code.

    And yes, the pressures of the smartphone industry make it harder to write secure software, no doubt. But that's the reality of it, and anyone working security has to adapt accordingly. Aiming for zero-vulnerability code is a futile goal pretty much anywhere that isn't the shuttle program. You have to work with it and find smarter ways to manage security, rather than chasing the impossible.
    Last edited by LazyEvul; 08-27-16 at 11:19 PM.
    Uzi and JeepBB like this.
    08-27-16 09:44 PM
  19. guygardner73's Avatar
    Apple's patch is only to prevent phones being infected. Those with Pegasus already installed, however, are immune to the benefits of the security patch. It doesn't remove Pegasus. There is also no way for the user to determine if their phone has been infected.

    PassportSQW100-1/10.3.2.2876
    securityboy and Vistaus like this.
    08-28-16 05:21 AM
  20. kvndoom's Avatar
    Utterly useless? Why is Android half the number of Apple vulnerabilities if you take system popularity into account? Android has 83% or so of the market.
    Apple has not put bounties out until this month, yet their count is double.
    For one thing, Apple customers skew much more affluent than Android buyers. There are no 75 dollar iPhones. If your motivation is financial, you will target wealthier customers.

    Android has 83% mainly because of the pricing disparity caused by OS fragmentation. I can still go into a local store and buy a brand new phone for less than $50 running Jelly Bean. The cheapest iPhone is 400.

    I'm just saying... if I were the Russian or Chinese government, or a criminal organization... I know who I'd be targeting to get the most bang for my buck.

    Blackberry Poptart SE - Cricket Wireless
    LazyEvul likes this.
    08-28-16 06:10 AM
  21. Akure4Life's Avatar
    http://www.wsj.com/articles/mobile-b...19200?mod=mktw

    Posted via CB10 from Z30 OS 10.3.2.2836
    08-28-16 06:49 AM
  22. securityboy's Avatar
    BlackBerry 10.3.3 is just not a priority for Chen right now.

    Posted via CB10
    08-28-16 07:38 AM
  23. Elephant_Canyon's Avatar
    The full article is hidden behind a paywall, and the headline is typical alarmist clickbait. I'm guessing the whole story boils down to not very much at all, and not even particularly specific to iOS.
    08-28-16 09:28 AM
  24. Richard Buckley's Avatar
    Out of the examples you've just cited, only rocket control software hasn't been publicly known to have bugs - but that's also the piece of software that's least likely to be discussed publicly.

    Airplanes have had bugs: https://www.theguardian.com/business...oss-of-control

    Nuclear power plants have been hacked - fortunately, air gapping prevented any harm from being done: German nuclear plant suffers cyber attack designed to give hackers remote access

    And cars have most certainly been hacked: https://www.wired.com/2015/07/hacker...-jeep-highway/

    Even software written for the space shuttle, with some of the most careful and meticulous processes in the world, had bugs. Now mind you, they had a phenomenally low error rate, but it wasn't 0. https://www.fastcompany.com/28121/th...te-right-stuff

    And all of this software is still likely made up of less code than a typical smartphone OS.

    If you operate in an environment that can't survive a software vulnerability, you have to build in additional protections, like physical overrides or air gapping. You most definitely do not rely on the code to be error free, because even in the most meticulous of environments, you ultimately have imperfect beings writing & reviewing the code.

    And yes, the pressures of the smartphone industry make it harder to write secure software, no doubt. But that's the reality of it, and anyone working security has to adapt accordingly. Aiming for zero-vulnerability code is a futile goal pretty much anywhere that isn't the shuttle program. You have to work with it and find smarter ways to manage security, rather than chasing the impossible.
    Using press articles, written by people who aren't necessarily subject matter experts and are writing to sell newspapers or attract clicks, is not the best way to assess security.

    For example, even a cursory glance at the nuclear power plant article is enough to realise that the malware was on ancillary Windows machines. Not a good thing to have happen, but Windows is an example of software not written to be bug free.

    The FAA is correct that having all four generators turn off at the same time is not a good thing to have happen. On the other hand, leaving the control systems running for 248 days may not be a good thing either. To determine if this is a bug or an incorrect design decision one would have to look at the documentation for the system. Unfortunately, to the press, any time software is involved in what turns out to be the wrong thing to do it must be a bug. However, if the design called for the software to do that then it is not a software bug in the classic sense, but a system design flaw.

    Along these same lines, the infamous kill-the-Jeep-on-the-highway is an example of mixing high reliability code with low, just like your nuclear reactor example. The Jeep wasn't killed by hacking into the engine control software. It was killed by hacking into a poorly written layered product that had access to the command and control channels, so the hackers were able to send instructions to the vehicle control systems. This is just evidence that if you build a secure, bug-free system, but give control to software not written to the same standards, the security of the whole system is compromised.

    Just because you find examples of software that has flaws doesn't mean that all software must have flaws any more than finding a bridge that was badly designed means that all bridges must have design flaws.

    Not all airplane flight management systems are written by the same organisations, not all the software running at a nuclear power plant will be written by the same people, and not all smartphone software is written by the same companies or to the same standards. The sheer number of vulnerabilities to remote exploitation in smartphones versus a few operational issues really says it all. I've been working in high reliability software development for 30 years and my team has systems that have been running in high threat environments for decades without the need for patching due to bugs. But smartphone software doesn't have to be bug free, although that would be nice. Many of the worst vulnerabilities have been found by simple review of the source code, which means that even that simple best practice was never done. So many people claim open source software is better because anyone can look at the code, but it often turns out no one has, for decades. I have never worked for an organisation writing proprietary closed source where that would be acceptable.

    LeapSTR100-2/10.3.2.2876
    Vistaus likes this.
    08-28-16 12:01 PM
  25. Vistaus's Avatar
    For one thing, Apple customers skew much more affluent than Android buyers. There are no 75 dollar iPhones. If your motivation is financial, you will target wealthier customers.

    Android has 83% mainly because of the pricing disparity caused by OS fragmentation. I can still go into a local store and buy a brand new phone for less than $50 running Jelly Bean. The cheapest iPhone is 400.

    I'm just saying... if I were the Russian or Chinese government, or a criminal organization... I know who I'd be targeting to get the most bang for my buck.

    Blackberry Poptart SE - Cricket Wireless
    Price is not a factor at all. If it was, then Windows Phone would have way more market share by now with Microsoft's 49 phones (not to mention the familiarity given its desktop market share). But it hasn't, which proves that price isn't the only factor in play.

    Btw, more and more government officials and celebrities are walking around with iPhones now so there's a big catch if said hackers succeed.

    Posted via CB10 using my amazing BlackBerry Passport (OG Red)
    08-28-16 12:45 PM