IBM has claimed that sophisticated criminals are responsible for 80 percent of cyber attacks, and that there are probably a lot of kids and amateurs accounting for the remaining 20 percent.
The IBM X-Force Threat Intelligence Quarterly 4Q 2015 (PDF) described this 20 percent as “script kiddies”, claiming that the attacks reveal their amateurishness. However, when people are not messing about they are able to carry out some catastrophic and expensive hacktrocities.
“The script kiddies scour the internet for ‘low hanging fruit’, the servers that can be compromised quickly and easily, and they use them for a limited time to send spam and scan other servers on the internet,” said the report.
“Or they deface the website and move on to other targets once they are discovered. These script kiddies give little thought to covering their tracks.
“In contrast, stealthy attackers might gain access to a system by exploiting the same vulnerability as the script kiddies, but they use a far more sophisticated combination of commercial tools, malware/rootkits and backdoors to increase their access level on the client’s network and compromise additional systems over several weeks of expansion.”
There is plenty to worry about, naturally, and IBM has plenty of things to spook us with. The report starts with saying that 2015 has been the year of ransomware. The FBI has already reported that such exploits have bagged attackers $18m over the period, and that it expects the problem to extend into 2016.
Take a look around your office before you read alert number two. This is the insider danger. The report said that this trend has played out since 2014, and that 55 percent of all attacks in 2015 were down to insiders, or at least people with inside information.
Perhaps as a result of this – we are not data analysts – IBM has also seen an increase in boardroom involvement and spending. Some 88 percent of respondents to a survey said that their relevant budgets had increased over the period.
Swiss bank Swedbank has had its website taken offline by hackers after suffering a distributed denial of service (DDoS) attack on Friday.
Details remain thin on the ground, but the attack means that customers are unable to carry out online transactions or contact the bank through its website.
The site is still down, and the bank admitted to CBR that, while it probably knows who is behind the attack, “our method to cope with it hasn’t really succeeded yet”.
There’s no word as to when the website will be back up and running, but the bank has confirmed that its mobile applications are still working.
This isn’t the first time that Swedbank has fallen victim to hackers. The company admitted in a statement given to Reuters that this was the second attack in as many months, and – clearly not very confident in its own security – that it will probably happen again.
“The website was also hit by a hacker attack in October. It is not the first time and it will probably not be the last,” a spokesperson said.
News of the attack on Swedbank, which also operates in Estonia, Latvia and Lithuania, comes just hours after encrypted email company ProtonMail admitted that it had also been struck by a major DDoS attack.
ProtonMail said that, in a bid to get back to business, the company “grudgingly agreed” to pay 15 bitcoins, or $6,000, to the hackers in a bid to get them to stop the attack.
However, after handing over the cash, ProtonMail said that the DDoS attack, which was “unprecedented in size and scope”, continued, although it appears to have now stopped.
ProtonMail warned that the costs involved in avoiding another such attack are crippling and could put the firm out of business.
The attackers had potentially gained access to the victims’ bank sort codes and the last four numbers of their bank accounts, along with their names and mobile telephone numbers, a Vodafone spokesman said.
“This incident was driven by criminals using email addresses and passwords acquired from an unknown source external to Vodafone,” he added in a statement.
Only a handful of those affected in the Thursday morning attack had seen any attempts to use their data for fraudulent activity on their Vodafone accounts.
“No credit or debit card numbers or details were obtained. However, this information does leave these 1,827 customers open to fraud and might also leave them open to phishing attempts,” the spokesman said.
The company was contacting all those involved, and other customers need not be concerned, he said.
Last week broadband, TV, mobile and fixed-line service provider TalkTalk said it had been hacked, potentially putting the private details of its 4 million customers into the hands of criminals.
Less than 21,000 unique bank account numbers and sort codes had been accessed. Two teenagers have been arrested in connection with that attack.
A spate of hacking attacks on U.S. companies over the past two years has caused insurers to massively increase cyber premiums for some companies, leaving firms that are perceived to be a high risk scrambling for cover.
On top of rate hikes, insurers are raising deductibles and in some cases limiting the amount of coverage to $100 million, leaving many potentially exposed to big losses from hacks that can cost more than twice that.
“Some companies are struggling to find the money to buy the coverage they want,” said Tom Reagan, a cyber insurance executive with Marsh & McLennan Co’s Marsh broker unit.
The price of cyber coverage – which helps cover costs like forensic investigations, credit monitoring, legal fees and settlements – varies widely, depending on the strength of a company’s security. But the overall trend is sharply up.
Retailers and health insurers have been especially hard hit by the squeeze after high-profile breaches at Home Depot Inc, Target Corp, Anthem Inc and Premera Blue Cross.
Health insurers who suffered hacks are facing the most extreme increases, with some premiums tripling at renewal time, said Bob Wice, a leader of Beazley Plc’s cyber insurance practice.
Average rates for retailers surged 32 percent in the first half of this year, after staying flat in 2014, according to previously unreported figures from Marsh.
Higher deductibles are also now common for retailers and health insurers. And even the biggest insurers will not write policies for more than $100 million for risky customers. That leaves companies like Target, which says its big 2013 data breach has cost $264 million, paying out of pocket.
No. 2 U.S. health insurer Anthem ran into difficulties renewing its coverage after an attack early this year that compromised some 79 million customer records, according to testimony from Anthem General Counsel Thomas Zielinski at an August hearing of the National Association of Insurance Commissioners.
Renewal rates were “prohibitively expensive,” according to minutes of that session seen by Reuters. The company managed to get $100 million in coverage, Zielinski said, but only after agreeing to pay the first $25 million in costs for any future attacks. The company would not say what that figure was before, but it was likely much smaller.
Eight months after admitting a major data breach, ride service Uber is focusing its legal efforts on obtaining more information about an internet address that it has persuaded a court could lead to identifying the hacker. That address, two sources familiar with the matter say, can be traced to the chief of technology at its main U.S. rival, Lyft.
In February, Uber revealed that as many as 50,000 of its drivers’ names and license numbers had been improperly downloaded, and the company filed a lawsuit in San Francisco federal court in an attempt to unmask the perpetrator.
Uber’s court papers claim that an unidentified person using a Comcast IP address had access to a security key used in the breach. The two sources said the address was assigned to Lyft’s technology chief, Chris Lambert.
The court papers draw no direct connection between the Comcast IP address and the hacker. In fact, the IP address was not the one from which the data breach was launched.
However, U.S. Magistrate Judge Laurel Beeler ruled that the information sought by Uber in a subpoena of Comcast records was “reasonably likely” to help reveal the “bad actor” responsible for the hack.
On Monday, Lyft spokesman Brandon McCormick said the company had investigated the matter “long ago” and concluded “there is no evidence that any Lyft employee, including Chris, downloaded the Uber driver information or database, or had anything to do with Uber’s May 2014 data breach.”
McCormick declined to comment on whether the Comcast IP address belongs to Lambert. He also declined to describe the scope of Lyft’s internal investigation or say who directed it.
Lambert declined to comment in person or over email.
Data hacked from Experian is already on sale on the dark web and is available for grabbing by bad actors, phishers, malware writers and ID thieves.
Security firm Trustev is credited with the dark web discovery, although it is very possible that the underworld got to it first. Trustev and the internet are calling the dump a fullz, which means that it contains a lot of personal information.
T-Mobile customers make up a chunk of the potentially affected 15 million victims. The firm’s CEO, John Legere, went ballistic about what happened.
“We have been notified by Experian, a vendor that processes our credit applications, that they have experienced a data breach,” he said in a statement.
“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected. I take our customer and prospective customer privacy very seriously.”
Experian has also gone public on this with a statement on its website, and has, perhaps ironically, offered to help victims sort their credit lives out.
“Experian North America today announced that one of its business units, notably not its consumer credit bureau, experienced an unauthorised acquisition of information from a server that contained data on behalf of one of its clients, T-Mobile USA,” the statement said.
“The data included some personally identifiable information for approximately 15 million consumers in the US, including those who applied for T-Mobile USA postpaid services or device financing from 1 September 2013 through 16 September 2015, based on Experian’s investigation to date. This incident did not impact Experian’s consumer credit database.”
The agency said that it acted quickly to fix the problem once it was discovered, and immediately told the authorities and began an investigation into the hows and the whys.
It is the crown jewels of data that has been lost. Experian fessed to a breach of “names, dates of birth, addresses and Social Security numbers and/or an alternative form of ID like a driver’s licence number, as well as additional information used in T-Mobile’s own credit assessment”.
Experian added that no payment card or banking information was lost to the hackers.
Affected punters are being contacted and will be offered credit services, including two years of credit monitoring (although this may have lost some of its shine), and some identity protection services through its own ProtectMyID service.
Experian recommended that these services are embraced. “Although there is no evidence to-date that the data has been used inappropriately, Experian strongly encourages affected consumers to enroll in the complimentary identity resolution services,” the firm said.
Craig Boundy, CEO of Experian North America, took the opportunity to apologise and remind people that the company takes privacy very seriously.
The Hilton organization is reportedly trying to work out whether it has been hacked and, if so, what it should do about it.
We say reportedly as we have not been able to contact Hilton ourselves and can rely only on reports. They are pretty solid reports, however, and they concern a problem at the company that happened between 21 April and 27 July.
Brian Krebs, of KrebsOnSecurity, started this off with a report about a payment card breach. Krebs said that he had heard about the breach from various sources, and that Visa – the card provider – has mailed potentially affected parties with a warning, and the news that it is the fault of a bricks and mortar company.
Visa did not name the company, but affected parties, or banks to be more precise, have uttered it to Krebs. Its name is Hilton.
“Sources at five different banks say they have now determined that the common point-of-purchase for cards included in that alert had only one commonality: they were all used at Hilton properties, including the company’s flagship Hilton locations as well as Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts,” he wrote.
“It remains unclear how many Hilton properties may be affected by this apparent breach. Several sources in the financial industry told KrebsOnSecurity that the incident may date back to November 2014, and may still be ongoing.”
Krebs has a statement from the Hilton organisation in which the firm defended its security practices, and revealed that it is aware of the potential problem and is looking into it. This is a common theme among the breached, and should soon become part of mission statements.
“Hilton Worldwide is strongly committed to protecting our customers’ credit card information,” said the company in the statement to Krebs.
“We have many systems in place and work with some of the top experts in the field to address data security. Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace. We take any potential issue very seriously, and we are looking into this matter.”
We have asked Visa and Hilton for their comments.
Sucuri has warned the world about a problem in WordPress that is two weeks into the threat charts already and is rising rapidly.
The malware is called VisitorTracker, and its aim should be self-explanatory. Sucuri said that incidents of infection have had a sharp uptick in recent days, and the firm – which reported on it just two weeks ago – hopes that its reprise and update of the information will inform WordPress and encourage it to take action to mitigate the problem.
“We initially shared our thoughts on it via our SucuriLabs Notes, but as the campaign has evolved we have been able to decipher more information as we investigate the effects on more compromised sites,” explained Sucuri CTO Daniel Cid in a blog post.
“This post should serve as a resource to help WordPress administrators (i.e. webmasters) in the WordPress community.”
It may well do. The information suggests an evolving and interesting malware system that Cid said could be used to trick web users into trusting the most devious of webpages.
“This malware campaign is interesting. Its final goal is to use as many compromised websites as possible to redirect all their visitors to a Nuclear Exploit Kit landing page. These landing pages will try a wide variety of available browser exploits to infect the computers of unsuspecting visitors,” he said.
“If you think about it, the compromised websites are just a means for the criminals to get access to as many endpoint desktops as they can. What’s the easiest way to reach out to endpoints? Websites, of course.”
Sucuri added that it is trying to trace down an access point, but that it might be one of any of the many plugins that are released for the platform.
“We detected thousands of sites compromised with this malware just today and 95 percent of them are using WordPress. We do not have a specific entry point determined yet, but it seems to be a campaign targeting the latest vulnerabilities in plugins,” the firm said.
“Out of all the sites we detected to be compromised, 17 percent of them already got blacklisted by Google and other popular blacklists.”
Hackers have penetrated the IT systems of U.S. health insurer Excellus BlueCross BlueShield and gained access to personal, financial and medical information of more than 10 million people, the company has disclosed.
The initial attack occurred in December 2013, but the company did not learn about it until Aug. 5. Since then it has been working with the FBI and cybersecurity firm Mandiant to investigate the breach.
The hackers may have had access to customer records which include names, addresses, telephone numbers, dates of birth, Social Security numbers, member identification numbers, financial accounts and medical claims information.
Records may contain all or just some of that information, depending on the customer’s relationship with the company. The breach doesn’t affect just Excellus members, but also members of other Blue Cross Blue Shield plans who sought medical treatment in the upstate New York area serviced by the company.
The information was encrypted, but the attackers gained administrative privileges to the IT systems, allowing them to potentially access it, the company said on a website that was set up to provide information about the incident.
No evidence has been found yet that the data was copied or misused by the attackers.
Excellus will send breach notification letters via mail to all affected persons throughout the month and is offering free credit monitoring and identity protection services for two years through a partner.
The company will not contact affected individuals via email or telephone, so any emails or phone calls claiming to be from the company in regard to this attack should be ignored as they are probably scams.
The incident comes after three other Blue Cross Blue Shield health insurers — Anthem, Premera and CareFirst — announced large data breaches this year as a result of cyberattacks.
Excellus said that it doesn’t have sufficient information about the Anthem, Premera and CareFirst investigations in order to comment about possible connections between those attacks and the one against its own systems.
IBM security research has found that people are using the so-called dark net to launch cyber attacks, force ransomware demands on punters and make distributed denial-of-service (DoS) attacks.
The dark net, accessed via Tor, is often tagged as a threat. The IBM X-Force Threat Intelligence Quarterly 3Q 2015 report identifies a spike in bad traffic and leads with a warning.
The report introduces Tor as the network that takes people to the dark net. We might start calling it the ferryman and the passage across the river Styx, but things are complicated enough.
IBM said that Tor is used by “non-malicious government officials, journalists, law enforcement officials” and bad people alike. It is the latter that should concern us.
“This latest report reveals that more than 150,000 malicious events have originated from Tor in the US alone thus far in 2015,” the report said.
“Tor has also played a role in the growing ransomware attack trend. Attackers have evolved the use of encryption to hold data hostage and demand payment/ransom for the decryption code.”
We have been here before, and ransomware has been a feature of many a security alert this year already. We heard, courtesy of Bitdefender, that ransomware charges start at £320, and are a real pain to deal with. We also heard that it is Android mobile users in the UK who get the worst of the hackers’ grabbing-for-money treatment.
Back at the IBM report, and we find IBM X-Force on the issue. X-Force, which is nothing like X-Men, said that hackers push internet users who are easily fooled by flashy online advertisements into installing the new cyber nightmare. Ransomware, it warns, will separate you from your cash.
“A surprising number of users are fooled by fake/rogue antivirus [AV] messages that are nothing more than animated web ads that look like actual products. The fake AV scam tricks users into installing or updating an AV product they may never have had,” it explains, adding that in some cases people pay the money without thinking.
“Afterward, the fake AV keeps popping up fake malware detection notices until the user pays some amount of money, typically something in the range of what an AV product would cost.”
This establishes the subject as a mark, and the hackers will exploit the opportunity. “Do not assume that if you are infected with encryption-based ransomware you can simply pay the ransom and reliably get your data back,” said IBM.
“The best way to avoid loss is to back up your data. Regardless of whether your backup is local or cloud-based, you must ensure that you have at least one copy that is not directly mapped visibly as a drive on your computer.”
Tor nodes in the US spewed out the most bad traffic in the first half of this year, according to the report, adding up to about 180,000 attacks. The Netherlands is second with around 150,000, and Romania is third with about 80,000.
The bulk of this negative attention lands at technology and communications companies. You might have assumed the financial markets, but you were wrong. IBM said that ICT gets over 300,000 Tor thwacks every six months, manufacturing gets about 245,000, and finance gets about 170,000.
IBM said that the old enemy, SQL injection attacks, is the most common Tor-led threat to come at its customers. Vulnerability scanning attacks are also a problem, and IBM said that the use of the network as a means for distributed DoS attacks should “come as no surprise”. It doesn’t.
“These attacks combine Tor-commanded botnets with a sheaf of Tor exit nodes. In particular, some of the US-based exit nodes provide huge bandwidth,” explained the report.
“Employing a handful of the exit nodes in a distributed DoS orchestrated by the botnet controller and originating at dozens or hundreds of bot hosts can impose a large burden on the targeted system with a small outlay of attacker resources, and generally effective anonymity.”
There is a lot more. The bottom line is that bad things happen on the dark net and that they come to people and businesses through Tor. IBM said that concerned outfits should just block it and move on, which is along the lines of something that Akamai said recently.
“Corporate networks really have little choice but to block communications to these stealthy networks. The networks contain significant amounts of illegal and malicious activity,” said Akamai.
“Allowing access between corporate networks and stealth networks can open the corporation to the risk of theft or compromise, and to legal liability in some cases and jurisdictions.”
That sounds fine to us, but won’t someone give a thought to those non-malicious government officials out there?
A U.S. appeals court has ruled that the Federal Trade Commission has authority to regulate corporate cyber security, and may pursue a lawsuit accusing hotel operator Wyndham Worldwide Corp of failing to properly safeguard consumers’ information.
The 3-0 decision by the 3rd U.S. Circuit Court of Appeals in Philadelphia on Monday upheld an April 2014 lower court ruling allowing the case to go forward.
The FTC wants to hold Wyndham accountable for three breaches in 2008 and 2009 in which hackers broke into its computer system and stole credit card and other details from more than 619,000 consumers, leading to over $10.6 million in fraudulent charges.
Noting the FTC’s broad authority under a 1914 law to protect consumers from unfair and deceptive trade practices, Circuit Judge Thomas Ambro said Wyndham failed to show that its alleged conduct “falls outside the plain meaning of ‘unfair.’”
Wyndham brands include Days Inn, Howard Johnson, Ramada, Super 8 and Travelodge.
A company spokesman, Michael Valentino, said “safeguarding personal information remains a top priority” for the Parsippany, New Jersey-based company. “We believe the facts will show the FTC’s allegations are unfounded,” he added.
FTC Chairwoman Edith Ramirez welcomed the decision.
“It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information,” she said.
Congress has not adopted wide-ranging legislation governing data security, a growing concern after high-profile breaches such as at retailer Target Corp, infidelity website Ashley Madison, and even U.S. government databases.
In a test of its power to fill the void, the FTC sued Wyndham in June 2012, claiming its computers “unreasonably and unnecessarily” exposed consumer data to the risk of theft.
Wyndham accused the FTC of overreaching, but U.S. District Judge Esther Salas in Newark, New Jersey, let the case proceed.
Affirming that ruling, Ambro rejected Wyndham’s argument that it lacked “fair notice” about what the FTC could require.
He also rejected what he called Wyndham’s “alarmist” argument that letting the FTC regulate its conduct could give the agency effective authority to regulate hotel room door locks, or sue supermarkets that fail to sweep up banana peels.
Volkswagen (VW) has watched as a security vulnerability in a key system on a range of vehicles has been released from the garage and put on the news road.
VW was first notified about the problem two years ago, but has worked to keep it under the bonnet. Well, not all of it, just a single line – not a yellow line – has been contentious. The line is still controversial, and has been redacted from the full, now released, report.
VW secured an injunction in the UK high court two years ago. The firm argued at the time that the information would make it easy to steal vehicles that come from its factories and forecourts. That might be true, but that is often the case with vulnerabilities.
The news that VW has suppressed the report for this amount of time is interesting, but it does remind us that not everyone in the industry appreciates third-party information about weaknesses.
VW has a lot of cars under its hood and, according to the report, a lot of different vehicles are affected. These run from Alfa Romeo through to Volvo, and take in midlife crisis mobility vehicles like the Maserati and Porsche.
The report is entitled Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer (PDF), and is authored by Roel Verdult from Radboud University in the Netherlands and Flavio Garcia from the University of Birmingham in the UK.
Megamos Crypto sounds like a sci-fi bad guy, maybe a rogue Transformer, but it is actually designed to be a good thing. The security paper said that it is a widely deployed “electronic vehicle immobiliser” that prevents a car starting without the close association of its key and included RFID tag.
The researchers described how they were able to reverse engineer the system and carry out three attacks on systems wirelessly. They mention several weaknesses in the design of the cipher and in the key-update mechanisms. Attacks, they said, can take as little as 30 minutes to carry out, and recovering a 96-bit encryption key is a relatively simple process.
This could be considered bad news if you are a car driver. It may even be worse news for pedestrians. Concerned car owners should find their keys (try down the back of the sofa cushion) and assess whether they have keyless ignition. The researchers said that they told VW about the findings in 2012, and that they understand that measures have been taken to prevent attacks.
We have asked VW for an official statement on the news, but so far it isn’t coughing. Ready to talk, though, is the security industry, and it is giving the revelation the sort of disapproving look that people give cats when they forget what that sand tray is for.
Nicko Van Someren, CTO at Good Technology, suggested that this is another example of what happens when you go from first gear to fourth while going up a hill (this is our analogy). He described it in terms of the Internet of Things (IoT), and in respect of extending systems before they are ready to be extended.
“This is a great example of what happens when you take an interface that was designed for local access and connect it to the wider internet,” he said.
“Increasingly, in the rush to connect ‘things’ for the IoT, we find devices that were designed with the expectation of physical access control being connected to the internet, the cloud and beyond. If the security of that connection fails, the knock-on effects can be dire and potentially even fatal.”
Cyber thieves are using Yahoo’s advertising network to make money in a bad way. Today’s tinned food and bottled water warning is that the Yahoo system that we have come to love and let inform our purchasing decisions has a sickness, and that sickness is ruddy people and their tinkering with security.
People, specifically hackers, are exploiting the Yahoo advertising system with a poison, a poison known as malvertizing, according to a blog post by security firm Malwarebytes.
Malvertizing, a portmanteau of malware and advertising, is what you would expect.
Jérôme Segura, a senior security researcher at Malwarebytes, said that it is a rather significant threat, and a rather recent one.
“June and July have set new records for malvertizing attacks. We have just uncovered a large-scale attack abusing Yahoo’s own ad network,” he said.
“As soon as we detected the malicious activity, we notified Yahoo and we are pleased to report that they took immediate action to stop the issue. The campaign is no longer active at this time.”
Segura said that the Yahoo network has a lot of traffic (he quoted 6.9 billion visits a month) and that the threat presented to users is a sneaky and silent one.
“Malvertizing is a silent killer because malicious ads do not require any type of user interaction in order to execute their payload. The mere fact of browsing to a website that has adverts (and most sites, if not all, do) is enough to start the infection chain,” he added.
“The complexity of the online advertising economy makes it easy for malicious actors to abuse the system and get away with it. It is one of the reasons why we need to work very closely with different industry partners to detect suspicious patterns and react very quickly to halt rogue campaigns.”
Segura explained that the firm had worked closely with Yahoo on nixing the problem and Yahoo confirmed this in a statement.
“Yahoo is committed to ensuring that our advertisers and users have a safe and reliable experience. As soon as we learned of this issue, our team took action and will continue to investigate this issue,” it said.
“Unfortunately, disruptive ad behavior affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience.”
The social security numbers and credit card information of up to 6,000 University of Connecticut students, faculty and others may have been stolen by cyberhackers from China, the university said on Friday.
Officials detected a potential breach of the School of Engineering’s network in March and an investigation uncovered that hackers may have gained access to it as early as September, 2013, spokesman Tom Breen said.
He said 6,000 students, faculty, alumni and research partners of the school were notified that their personal information may have been compromised.
“The breach is far more extensive, could impact many more accounts and started much earlier than we originally believed,” said Breen. “There is no way at the present time to determine the exact number of accounts hacked,” he added.
Breen said the hack has been traced to China “based on the type of cyber-attack that was launched, and the software used.” He added the FBI and several state agencies have been notified. The university said it was also taking steps to secure its systems.
The software genii at Apple have redesigned their OS X software to allow malware makers to make designer micro-software that can infect Macs with rootkits.
Obviously the feature is one that Apple software experts designed specifically for malware writers, perhaps seeing them as an untapped market.
The bug in the latest version of Apple’s OS X gives attackers root user privileges via a small piece of code that could be packed into a message.
Security researcher Stefan Esser said that this was the security hole attackers regularly exploit to bypass security protections built into modern operating systems and applications.
The OS X privilege-escalation flaw stems from new error-logging features that Apple added to OS X 10.10. Plainly the software genii did not believe that standard safeguards involving additions to the OS X dynamic linker dyld applied to them because they were protected from harm by Steve Jobs’ ghost.
This means that attackers can open or create files with root privileges anywhere in the OS X file system.
“This is obviously a problem, because it allows the creation or opening (for writing) of any file in the filesystem. And because the log file is never closed by dyld and the file is not opened with the close on exec flag the opened file descriptor is inherited by child processes of SUID binaries. This can be easily exploited for privilege-escalation,” Esser said.
The vulnerability is present in both the current 10.10.4 (Yosemite) version of OS X and the current beta version of 10.10.5. Importantly, the current beta version of 10.11 is free of the flaw, an indication that Apple developers may already be aware of the vulnerability.
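The dyld flaw Esser describes rests on a plain Unix mechanism: a file descriptor opened without the close-on-exec flag is inherited by every program the process later executes, so a log handle held by a privileged process ends up in its children. The C program below is an added example, not code from the article or from Esser's write-up; it shows the weak and the hardened open() call side by side, an fcntl-based audit check, and an empirical fork/exec test. The log paths under /tmp are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* 1 = descriptor stays open across execve(), 0 = the kernel closes it at
 * exec time, -1 = fd is not open at all. */
int fd_survives_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Weak pattern: an append-mode log opened without O_CLOEXEC.  If the opening
 * process is privileged and later executes another program, that program
 * inherits a writable handle to the log. */
int open_log_leaky(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
}

/* Hardened pattern: O_CLOEXEC is set atomically by open(), so there is no
 * window between open() and a separate fcntl(F_SETFD, FD_CLOEXEC). */
int open_log_cloexec(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC, 0600);
}

/* Audit helper: count descriptors in [3, limit) that would leak into any
 * program this process executes (0-2 are normally inherited on purpose). */
int count_leaky_fds(int limit)
{
    int n = 0;
    for (int fd = 3; fd < limit; fd++)
        if (fd_survives_exec(fd) == 1)
            n++;
    return n;
}

/* Empirical check: fork, exec /bin/sh, and have the shell redirect onto `fd`.
 * The redirection fails with EBADF if the kernel closed the descriptor at
 * exec.  Returns 1 if the child could use the descriptor, 0 if not, -1 on
 * fork/wait failure. */
int fd_visible_after_exec(int fd)
{
    char script[64];
    snprintf(script, sizeof script, ": 2>/dev/null >&%d", fd);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127);                       /* exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

int main(void)
{
    /* Constructed paths for the demonstration; nothing is written to them. */
    int leaky = open_log_leaky("/tmp/cloexec_demo_leaky.log");
    int safe  = open_log_cloexec("/tmp/cloexec_demo_safe.log");
    if (leaky < 0 || safe < 0) {
        perror("open");
        return 1;
    }
    printf("without O_CLOEXEC: survives exec? %d, child can use it? %d\n",
           fd_survives_exec(leaky), fd_visible_after_exec(leaky));
    printf("with    O_CLOEXEC: survives exec? %d, child can use it? %d\n",
           fd_survives_exec(safe), fd_visible_after_exec(safe));
    printf("descriptors >= 3 that would leak into a child: %d\n",
           count_leaky_fds(64));
    close(leaky);
    close(safe);
    return 0;
}
```

The same fcntl(F_GETFD) check can be run over /proc/self/fd or lsof output on a long-lived privileged daemon to find handles that would be inherited by anything it spawns.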
An Apple spokesman said that engineers are aware of Esser’s post; of course, they did not say they would do anything about it. They will have to go through the existential crisis involved in realising that their product was not secure or perfect. Then the security team will have to issue orders, signed in triplicate, sent in, sent back, queried, lost, found, subjected to an internal inquiry, lost again, and finally buried in soft peat for three months and recycled as firelighters.