Posts tagged need

New Free Dynamic Sitelinks on Google AdWords Ads – Everything You Need to Know

Dynamic sitelinks are automatically generated and appear below your Google AdWords ad text. They cost nothing if they’re clicked and provide more space on the search results. Here’s everything advertisers need to know about dynamic sitelinks.

View full post on Search Engine Watch – Latest

Google AdWords Debuts Dynamic Sitelinks Globally: What You Need To Know

Meet Dynamic Sitelinks, the latest ad snippet from Google AdWords. Dynamic sitelinks are another one of those add-ons — like seller ratings and consumer ratings annotations — in which advertisers don’t have control over what displays or when the content is triggered. Here’s…

Please visit Search Engine Land for the full article.

View full post on Search Engine Land: News & Info About SEO, PPC, SEM, Search Engines & Search Marketing

Those “Backdoors” in Apple’s iOS: What You Need To Know

Security researcher Jonathan Zdziarski started a firestorm over the weekend when he presented findings that Apple has—apparently deliberately—created undocumented “backdoors” in its iOS operating system that third parties could use to siphon personal data from iPhones and iPads under certain circumstances without notice, much less consent of the user.

Apple, meanwhile, has taken issue with Zdziarski’s analysis, although its response—such as it is—falls short of a complete denial.

It’s a complicated issue, so here’s a quick FAQ to help you sort through it all.

Should I panic?

No. In a blog post summarizing his work, Zdziarski includes this helpful note: “DON’T PANIC.”

The backdoors he describes aren’t the sort of thing your average cybercriminal can easily exploit. There’s no evidence that they’ve been used for identity theft or any sort of related criminal attack on iPhone or iPad data. At least so far, that is.

See also: The Bugs Are Piling Up In Apple’s iOS 7

On the other hand, if you think the NSA or regular law enforcement might be tracking you, then Zdziarski might have described some of the backdoors by which their agents could be delving into your digital life.

Beyond that, they’re an intriguing mystery—one that Apple has yet to explain.

Hold on a moment. What’s a backdoor?

Like the word suggests, a backdoor is a simple or unguarded route into an otherwise secure system. Think Matthew Broderick’s character in War Games sussing out a way to access WOPR by guessing a backdoor password specific to the system’s creator (his dead son’s name—a classically terrible password, by the way).

How would the NSA (or whoever) make use of these backdoors?

Zdziarski, a forensics expert and one-time iOS jailbreaker who’s written several books about iPhone development, described three iOS services that appear to have an unusual degree of access to raw and potentially sensitive data gathered by or stored on the phone. These services are also apparently designed to collect that information, package it and dump it out upon request, either via USB or wirelessly over Wi-Fi.

These features are undocumented, meaning that they’re not described by Apple in the sort of detail it normally provides to third-party developers who might make use of them. According to Zdziarski, however, they are installed and active on roughly 600 million iOS devices. They provide no indication that they’re operating, and there’s no way for users to turn them off.

Perhaps most ominous, these services can send out unencrypted information even if users have chosen to encrypt the data they back up through iTunes. Zdziarski calls this behavior “bypassing backup encryption” and considers it deceptive at best.

That all sounds pretty panic-worthy. Isn’t it?

Turns out there’s a catch. These services only work when an iPhone or iPad is “paired” to a trusted device, such as the computer you run iTunes on. (Bluetooth pairing with, say, a set of headphones doesn’t count.) That greatly limits the ability of any attacker to exploit these services and rifle through your iPhone.

It is, however, possible to spoof that pairing. Every pairing generates a set of cryptographic keys and certificates designed to identify trusted devices to one another—and on the iPhone side, those keys and certificates are never deleted unless the user does a full restore or a factory reset on the device. Prior to iOS 7—the version used by most iPhones—pairing happened automatically without any user intervention. (iOS 7 now requires the user to approve pairing with a “trusted” device.)

As Zdziarski put it in a March 2014 technical journal article describing his findings: “[E]very desktop that a phone has been plugged into (especially prior to iOS 7) is given a skeleton key to the phone.” And that skeleton key is transportable, because a sufficiently motivated attacker can copy pairing keys and certificates from one computer to another. 

Who would go to all the trouble of tracking down those keys and copying them?

Well, the police might, if they thought you were involved with organized crime. So might the NSA, the FBI or a number of other intelligence agencies. And of course some of these outfits could also create seemingly innocuous “paired” devices such as an alarm clock or charging station that would run malicious code once connected to your phone.

As noted above, though, it’s not the sort of thing your average Belarusan hacker is likely to use to take over your phone any time soon.  

OK, tell me more about these undocumented services. What are they and what do they do?

In a presentation he made at the Hope X hacker conference in New York this past weekend, Zdziarski focused on three particular services known by the technical names, and (You can see the slides from Zdziarski’s talk—all 58 of them—here.)

The pcapd service starts what security professionals call a “packet sniffer” on an iOS device—basically, software that records all data traffic to and from your iPhone. It’s installed by default on all iOS devices, and operates whether a phone is in “developer mode” or not, suggesting that it’s not a developer-specific feature. And it gives the user no warning when it’s activated.

“This means anyone with a pairing record can connect to a target device via USB or Wi-Fi and listen in on the target’s network traffic,” Zdziarski wrote in his March paper.

The file_relay service, according to Zdziarski, exists to vacuum up large volumes of raw data from particular sources on an iPhone and then to dump it out in unencrypted form. Several years back, file_relay appeared fairly innocuous. In iPhoneOS 2.0 (an early predecessor to iOS), it was only able to access six data sources, including “Apple Support,” “network,” and “CrashReporter.”

By iOS 7, however, file_relay‘s reach had expanded to include 44 data sources, many of which specifically address the owner’s personal information. These include the address book, accounts, GPS logs, maps of the phone’s entire file system, a collection of all words typed into the phone, photos, notes, calendar files, call history, voicemail and other records of personal activity that have been cached in temporary files.

Small wonder Zdziarski calls file_relay “the biggest forensic trove of intelligence on a device’s owner” and a “key ‘backdoor’ service” that provides a significant amount of data that “would only be relevant to law enforcement or spying agencies.”

The third service, house_arrest, originally allowed iTunes to copy documents to and from third-party apps. Now, however, house_arrest has access to a much broader array of app-related data, including photos, databases, screenshots and temporary “cached” information.

Couldn’t these services have legitimate functions?

Maybe, although it’s difficult to understand why they they’d have such apparently untrammeled access to so much information. That’s a pretty major security failing under any circumstance.

Zdziarski also runs through a number of possible explanations—that they might be used in iTunes or Xcode (Apple’s iOS app-development environment), or in developer debugging, or by Apple support, or in Apple engineering debugging—and shoots each one down in turn. 

It’s very difficult to construct an explanation for legitimate, non-surveillance uses of services that aren’t documented, that bypass backup encryption, that have access to otherwise inaccessible user data and that give the user no notification that they’re accessing and dumping out information. Oh, and whose code Apple has maintained and updated across several versions of iOS.

Given Apple’s historical issues with lack of cooperation and infighting between technical teams, it’s also conceivable that these services grew without much direction at all, almost by accident, as engineers struggled to solve other technical problems without writing a whole bunch of new code. Call this the it-ain’t-pretty-but-it-works explanation.

Is it plausible? Your guess is as good as mine. And it’s still a major security fail.

What does Apple have to say about all this?

In classic fashion, not very much. Apple didn’t get back to me when I emailed it for comment, although I’ll keep trying.

Apparently, however, it did email a statement to Tim Bradshaw, a reporter for the Financial Times, who tweeted it:

The statement, of course, is rife with ambiguity. Is Apple referring specifically to pcapd, file_relay and house_arrest here, or just issuing a general statement about its diagnostic functions? 

And it fails to address most of Zdziarski’s basic questions. If these services are diagnostic functions, why aren’t they documented? Why do they operate even if users haven’t agreed to send diagnostic information to Apple? Why can’t users deny their consent to having information taken off their devices this way? Why can’t users turn these services off?

It is certainly interesting that Apple feels compelled to deny that it has even “worked with any government agency from any country” to engineer backdoors into its products or services. Especially since Zdziarski hadn’t accused them of such.

Does Zdziarski have thoughts about Apple’s statement?

Does he ever. In a new blog post Monday night, he summed up his reaction this way:

I understand that every OS has diagnostic functions, however these services break the promise that Apple makes with the consumer when they enter a backup password; that the data on their device will only come off the phone encrypted. The consumer is also not aware of these mechanisms, nor are they prompted in any way by the device. There is simply no way to justify the massive leak of data as a result of these services, and without any explicit consent by the user.

I also contacted Zdziarski for comment, but haven’t heard back.

Lead image by Flickr user Mooganic; swan image by Flickr user blinking idiot, CC 2.0

View full post on ReadWrite

SEO Questions Franchise Owners Need to Ask – Huffington Post

SEO Questions Franchise Owners Need to Ask
Huffington Post
When it comes to SEO and franchises, the same standard rules apply, but the way you go about SEO is different. You have different problems and responsibilities as a franchise company that other companies don't see–multiple managers and locations, …

and more »

View full post on SEO – Google News

BLOG: Your website SEO may need a check-up – Healio

BLOG: Your website SEO may need a check-up
Recently I received an email from a practice in New York that had let its search engine optimization, or SEO, slip very dramatically during the last few years. I asked if they were still using the same SEO Company and they said they were not because a …

View full post on SEO – Google News

Bing Admits They Need To Do Better With Webmaster Communication

In a blog post today on the Bing Webmaster Blog, Bing’s Igor Rondel, Principal Development Manager of the Index Quality team, said you can expect Bing to do more proactive communication on the Bing Webmaster Blog in the future. Igor said Bing needs “to do a better job of proactively…

Please visit Search Engine Land for the full article.

View full post on Search Engine Land: News & Info About SEO, PPC, SEM, Search Engines & Search Marketing

International SEO, What Global Companies Need to Know – Business 2 Community

Business 2 Community
International SEO, What Global Companies Need to Know
Business 2 Community
International SEO, What Global Companies Need to Know image seo globe sxch 300×240 If your company does business across borders this post about international SEO (search engine optimization) is an important read. Naturally, a global company will …

View full post on SEO – Google News

New AdWords Quality Score Info: What You Need To Know

By now, you’ve probably seen (or at least heard about) Google’s recent video and new white paper about Quality Score in AdWords. In fact, when I first heard about the updated Hal Varian video, I was a bit surprised, given that Google hasn’t bothered to update it for about five years!…

Please visit Search Engine Land for the full article.

View full post on Search Engine Land: News & Info About SEO, PPC, SEM, Search Engines & Search Marketing

Everything You Need to Know About @BlogHer ’14: An Interview with BlogHer Founder Elisa Camahort Page by @thebigdebowski

At Search Engine Journal, we take a lot of pride in having a predominantly female team. So, we jumped at the chance to speak with Elisa Camahort Page, one of the founders of BlogHer, Inc., the premium cross-platform media network and publisher for women. We love us some girl power, especially in the tech space, and Elisa has helped pave the way for women in the industry. Elisa is one of the three BlogHer co-founders, along with Lisa Stone and Jory Des Jardins. As COO of the company, Elisa leads the BlogHer conference business, including the BlogHer annual conference, which […]

The post Everything You Need to Know About @BlogHer ’14: An Interview with BlogHer Founder Elisa Camahort Page by @thebigdebowski appeared first on Search Engine Journal.

View full post on Search Engine Journal

SEO Website Audits: Everything You Need to Know Part II – Search Engine Watch

Search Engine Watch
SEO Website Audits: Everything You Need to Know Part II
Search Engine Watch
The term website SEO audit is a very general one that means anything that the auditor wants it to mean. This means I could be spending hours laboring over every detail of your site looking for issues, challenges, and areas of improvement or I could be …

and more »

View full post on SEO – Google News

Go to Top
Copyright © 1992-2014, DC2NET All rights reserved