Overview of iPhone Security Breach
In late August 2015, Apple iPhone users suffered a major credential breach in which more than 225,000 Apple accounts were compromised. The stolen credentials were Apple ID user names and passwords, the same credentials that protect a user's iCloud storage (where iPhone users back up their data and other personal information) and their App Store purchases ('Trend Micro', 2015). The attack only affected jailbroken iPhones, that is, devices whose owners had removed Apple's software restrictions in order to gain access to parts of the file system that are normally locked down for security reasons. The credentials were harvested by a piece of malware named KeyRaider, which specifically targeted jailbroken devices (Xiao, 2015). It was distributed through third-party Cydia repositories hosted in China, bundled into jailbreak tweaks that looked legitimate. Victims were found in 18 countries, including the UK, China, France, Russia, the United States, Israel, Australia, Spain, Germany, Singapore, Canada, Italy, South Korea and Japan; the spread of affected countries shows that although the distribution channel was Chinese, the attack's footprint was global (Xiao, 2015).
The attack worked by hooking system processes via MobileSubstrate (also called Cydia Substrate), the de facto platform that lets third-party developers apply run-time patches ('substrate extensions', or tweaks) to system functions on a jailbroken device (Xiao, 2015). Cydia Substrate plays a role similar to Application Enhancer on Mac OS X and is made up of three major components: MobileLoader, which injects extensions into running processes; MobileHooker, which replaces the implementation of system functions (a process known as hooking) through two main APIs, one for C functions and one for Objective-C methods; and a safe mode that disables extensions when they crash a process. Because any tweak installed through Cydia runs inside Apple's own processes with this hooking capability, a malicious tweak can read whatever those processes handle, and that is exactly what posed the problem (Zdziarski, 2012). KeyRaider was never in Apple's App Store: it was bundled into jailbreak tweaks distributed through Chinese third-party Cydia repositories. Once installed, it hooked the system process that talks to the iTunes Store and App Store and siphoned off the Apple account user name, password and the device's unique identifier (GUID) as they passed through that process in plaintext, before transport encryption could protect them (Xiao, 2015). The same credentials also protect the user's iCloud data and iTunes media, which Apple streams from the user's account in the cloud partly to keep proprietary music and media from being copied and shared illegally; with the credentials gone, that protection goes with them.
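To make the hooking point concrete, here is an added illustration in C (written for this page, not KeyRaider's code and not the Cydia Substrate API). It reduces MobileHooker-style function hooking to a function-pointer swap: a daemon's login path hands a request to its transport layer through a pointer, a hook replaces that pointer, inspects the plaintext and forwards the call to the original so the daemon keeps working. The `transport_write`, `send_login` and `appleId=` names are assumptions for the example, not real iTunes functions or protocol fields. What it shows is why TLS on the wire did not help: the hook sits inside the process, before encryption.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Stand-in for the process's transport write routine (in a real daemon this
 * would be the TLS library's write call). It does no real encryption; it only
 * reports how many bytes it accepted. Assumed name, not an iOS API. */
static size_t transport_write(const void *buf, size_t len) {
    (void)buf;
    return len;
}

/* Function pointer through which the daemon reaches its transport layer.
 * A MobileHooker-style hook redirects this call to a replacement and keeps a
 * pointer to the original so it can forward the call (a trampoline). */
typedef size_t (*write_fn)(const void *, size_t);
static write_fn current_write = transport_write;
static write_fn original_write = NULL;

/* Where the hook records anything that looks like a credential field. A real
 * credential stealer would write this to a file or send it to a server. */
static char captured[256];

/* Replacement function: inspects the plaintext, then forwards it unchanged. */
static size_t hooked_write(const void *buf, size_t len) {
    const char *p = (const char *)buf;
    /* Naive marker search. The field name is an assumption for this example,
     * not a real iTunes protocol field. */
    const char *marker = "appleId=";
    size_t mlen = strlen(marker);
    for (size_t i = 0; i + mlen <= len; i++) {
        if (memcmp(p + i, marker, mlen) == 0) {
            size_t n = len - i;
            if (n >= sizeof(captured)) n = sizeof(captured) - 1;
            memcpy(captured, p + i, n);
            captured[n] = '\0';
            break;
        }
    }
    return original_write(buf, len);   /* forward so the app keeps working */
}

/* Installs the hook: what a substrate hooker does with a trampoline, reduced
 * to a pointer swap for a function the daemon calls indirectly. */
void install_hook(void) {
    original_write = current_write;
    current_write = hooked_write;
}

void remove_hook(void) {
    if (original_write) {
        current_write = original_write;
        original_write = NULL;
    }
}

/* The daemon's own login path (assumed shape): builds a request and hands it
 * to the transport. Returns whatever the transport reports. */
size_t send_login(const char *apple_id, const char *password) {
    char req[256];
    int n = snprintf(req, sizeof req, "POST /authenticate appleId=%s&password=%s",
                     apple_id, password);
    if (n < 0) return 0;
    return current_write(req, (size_t)n);
}

/* What the hook saw; empty string if nothing matched. */
const char *captured_credentials(void) { return captured; }

int main(void) {
    install_hook();
    send_login("victim@example.com", "hunter2");
    printf("hook saw: %s\n", captured_credentials());
    remove_hook();
    return 0;
}
```

The defensive reading is the important one: once an attacker controls code inside the process (which a jailbreak plus a trojanized tweak grants), nothing the process encrypts afterwards is secret from that attacker, so the protection has to come from not running untrusted code in those processes at all.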
The malware also stole other information about the user, including App Store purchase records, and interfered with the device's local and remote unlocking so that owners could not recover their phones once they had been hijacked. In short, KeyRaider hijacked users' accounts and devices through trojanized third-party tweaks installed from Cydia repositories. The attackers then went further and shared the stolen information: they uploaded jailbreak tweaks that let other users (of jailbroken iPhones) buy apps and in-app content through the hijacked accounts for free. Anyone who installed those tweaks could draw on the victims' accounts, and the legitimate owners, who continued to use their devices, began seeing App Store purchase histories they knew nothing about. Essentially, a person could download the attacker-uploaded tweak and buy software at the expense of any of the 225,000 hijacked account holders. Some victims also reported that their phones had been locked, with the attackers or other third parties demanding a ransom to unlock them (Xiao, 2015).
Causes and Analysis of Security Breaches
The affected persons were all iPhone users with jailbroken devices. The attack was possible because iPhone owners seeking greater customisation of their devices jailbreak them, using software exploits to remove restrictions the manufacturer imposes for security reasons (Sutter, 2010).
This is a classic case of a user-initiated vulnerability: iOS restricts access to certain files and system functions for security reasons, but the desire of some users to customise their phones leads them to jailbreak, which uses software exploits to let the device install applications and software that perform functions not otherwise possible on iOS. Most such users then rely on Cydia, a platform through which third-party developers distribute this software (Aguilar, 2017). Had they followed the manufacturer's guidance and not jailbroken their iPhones, the 225,000 affected users could not have become victims of KeyRaider. The episode also shows what jailbreaking gives up: Apple's App Store review and code signing are the manufacturer's mechanism for scrutinising third-party software, and the trojanized tweaks never passed through it because they came from repositories Apple does not control. Users who jailbreak should therefore treat anything from a third-party repository as untrusted, and affected users should change their Apple account password without delay (Fong, 2013).
Overview of Saudi Aramco Hacking Case
This is considered one of the biggest hacking cases in history. It targeted Saudi Aramco, among the largest oil companies in the world, and within hours about 35,000 of the company's computers had their data and files partially or totally wiped. Saudi Aramco is responsible for about a tenth of the global oil supply and is a producer, refiner, manufacturer and marketer of crude oil, petroleum and gas products. The attack was carried out with destructive malware named Shamoon (or Disttrack), a modular virus targeting Windows computers built on the NT kernel (Pagliery, 2017). Unlike espionage malware, which tries to stay hidden and collect data over a long period, Shamoon is a wiper: once it gains a foothold it spreads rapidly to other machines on the network, copying itself to them with stolen administrator credentials. On each infected system the virus compiles a list of files in specific locations, such as user documents and system directories, reports back to a server controlled by the attackers, and then systematically overwrites those files so that users can no longer access them. Finally it overwrites the master boot record (MBR) of each infected computer, rendering it unbootable.
The MBR is the first sector of a hard disk (or diskette). It identifies where and how the computer's operating system is located so that it can be loaded (booted) into main memory (RAM) at start-up (Bronk & Tikk-Ringas, 2013). In the classic layout the 512-byte sector holds a small bootstrap program, a table of the four primary partitions on the disk, and a two-byte signature (0x55AA) that the firmware checks before it will execute the sector; the bootstrap program in turn reads the boot sector of the partition holding the OS. Overwriting it therefore means the computer cannot start. The Shamoon virus affected Windows PCs at Saudi Aramco and was most likely sent by a competitor or another malicious actor intent on disrupting the company and destroying its data. While Aramco is not a household name in the way consumer brands are, being responsible for more than a tenth of global oil production makes it a highly important company. After reporting to the attackers, the virus overwrote the files on the company's hard drives, rendering the firm non-operational as far as its IT systems were concerned. Because the files had been overwritten rather than merely deleted, and the MBRs destroyed, the computers could not boot and data recovery from the affected disks was not possible. The attack announced itself with computers behaving strangely: screens flickering, files disappearing and machines shutting down unexpectedly and without apparent reason (Pagliery, 2017).
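As an added example (written for this page, not from any cited source or from Shamoon itself), the following C code parses the classic 512-byte MBR layout described above and applies the triage checks a responder would run against the first sector of a disk image to decide whether a wiper has been through it: signature present, at least one bootable partition, bootstrap code not reduced to a single repeated byte. The sample MBR it builds is constructed for the demonstration (one NTFS partition at LBA 2048), and `mbr_simulate_wipe` only overwrites an in-memory buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MBR_SIZE        512
#define MBR_CODE_SIZE   446   /* bootstrap code area: bytes 0..445 */
#define MBR_PTABLE_OFF  446   /* four 16-byte partition entries: 446..509 */
#define MBR_SIG_OFF     510   /* 0x55 0xAA signature: bytes 510..511 */

/* One 16-byte partition table entry, classic (non-GPT) layout. */
struct mbr_part {
    uint8_t  status;        /* 0x80 = bootable, 0x00 = inactive */
    uint8_t  chs_first[3];
    uint8_t  type;          /* 0x07 = NTFS/exFAT, 0x00 = unused */
    uint8_t  chs_last[3];
    uint32_t lba_first;     /* little-endian on disk */
    uint32_t sectors;
};

enum mbr_verdict { MBR_OK = 0, MBR_BAD_SIGNATURE = 1, MBR_NO_BOOTABLE = 2, MBR_CODE_EMPTY = 3 };

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the four partition entries out of a raw 512-byte sector. */
void mbr_parse_partitions(const uint8_t sector[MBR_SIZE], struct mbr_part out[4]) {
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sector + MBR_PTABLE_OFF + 16 * i;
        out[i].status = e[0];
        memcpy(out[i].chs_first, e + 1, 3);
        out[i].type = e[4];
        memcpy(out[i].chs_last, e + 5, 3);
        out[i].lba_first = le32(e + 8);
        out[i].sectors = le32(e + 12);
    }
}

/* Triage check for a wiped or overwritten MBR, in the order the firmware
 * cares: signature first (without 0x55AA the BIOS will not run the sector),
 * then whether any partition is marked bootable and non-empty, then whether
 * the bootstrap code area is one repeated byte (what a pattern wipe leaves). */
enum mbr_verdict mbr_check(const uint8_t sector[MBR_SIZE]) {
    if (sector[MBR_SIG_OFF] != 0x55 || sector[MBR_SIG_OFF + 1] != 0xAA)
        return MBR_BAD_SIGNATURE;
    struct mbr_part parts[4];
    mbr_parse_partitions(sector, parts);
    int bootable = 0;
    for (int i = 0; i < 4; i++)
        if (parts[i].status == 0x80 && parts[i].type != 0 && parts[i].sectors != 0) bootable = 1;
    if (!bootable) return MBR_NO_BOOTABLE;
    int uniform = 1;
    for (size_t i = 1; i < MBR_CODE_SIZE; i++)
        if (sector[i] != sector[0]) { uniform = 0; break; }
    if (uniform) return MBR_CODE_EMPTY;
    return MBR_OK;
}

/* Builds a constructed, healthy-looking MBR: non-uniform dummy bootstrap
 * bytes (not real x86 code), one bootable NTFS partition at LBA 2048 of
 * 204800 sectors, valid signature. Sample data for the example only. */
void mbr_make_sample(uint8_t sector[MBR_SIZE]) {
    memset(sector, 0, MBR_SIZE);
    for (int i = 0; i < MBR_CODE_SIZE; i++) sector[i] = (uint8_t)(0x33 + (i * 7) % 200);
    uint8_t *e = sector + MBR_PTABLE_OFF;
    e[0] = 0x80; e[4] = 0x07;
    uint32_t lba = 2048, cnt = 204800;
    for (int k = 0; k < 4; k++) {
        e[8 + k]  = (uint8_t)((lba >> (8 * k)) & 0xFF);
        e[12 + k] = (uint8_t)((cnt >> (8 * k)) & 0xFF);
    }
    sector[MBR_SIG_OFF] = 0x55; sector[MBR_SIG_OFF + 1] = 0xAA;
}

/* Simulates, on an in-memory buffer only, what an MBR-overwriting wiper does:
 * fills the whole first sector with a constant, destroying code, table and
 * signature at once. */
void mbr_simulate_wipe(uint8_t sector[MBR_SIZE], uint8_t pattern) {
    memset(sector, pattern, MBR_SIZE);
}

int main(void) {
    uint8_t s[MBR_SIZE];
    mbr_make_sample(s);
    printf("healthy sample verdict: %d\n", (int)mbr_check(s));   /* 0 = MBR_OK */
    mbr_simulate_wipe(s, 0x00);
    printf("wiped sample verdict:   %d\n", (int)mbr_check(s));   /* 1 = MBR_BAD_SIGNATURE */
    return 0;
}
```

Run it against the first 512 bytes of a disk image (for example, the output of `dd if=/dev/sdX bs=512 count=1`) and the verdict tells you whether the machine failed to boot because the sector was destroyed, as in the Shamoon case, or because only the partition table was damaged, which is recoverable with a partition scanner. Note the ordering: a machine with an intact signature but a zeroed partition table still will not boot, so the signature check alone is not enough.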
Impact of Security Breaches
The biggest affected entity is of course Saudi Aramco itself, whose office and business systems, from administration to refinery scheduling and the marketing of petroleum products, could not run. No physical effects such as explosions or oil spills were reported, and the company said oil production itself continued, but the attack crippled the business side of its operations. The affected persons are the management and staff of Aramco, who relied on the systems for their daily work. The other affected group is Aramco's customers and clients, mostly traders and distributors, who could not be served because the systems and files they depended on had been erased; reports indicate that when the attack occurred, trucks had to be turned away because the system was unavailable. Service providers to the company's drilling, manufacturing and refinery operations were affected in turn (Bronk & Tikk-Ringas, 2013). The government was also affected through lost revenue, as sales had to be stopped or interrupted, reportedly for about two weeks, until the company had restored its systems. Greatly affected too were the customers of the company's dealers and distributors, because of the disruption to their regular oil supplies; note that these customers and distributors are worldwide, from Asia to the Americas.
The attack succeeded because of a basic human error by a member of Saudi Aramco's IT staff. The technician received a phishing e-mail and opened it; the e-mail contained a link, and he clicked on it, a very bad but common mistake (Bronk & Tikk-Ringas, 2013). With that click, the attackers gained entry into the company's network. The attack itself was launched in August 2012, during the holy month of Ramadan, when many employees, including IT staff, were away on holiday. A group calling itself the 'Cutting Sword of Justice' claimed responsibility, citing Saudi Aramco's support for the Saudi royal family's authoritarian regime. The company's IT technicians panicked and ripped cables out of servers connected to the company's data centres around the world, disconnecting Internet and network links to stop the virus spreading further. While oil production was not affected, other aspects of trade and marketing were left in limbo; for about two weeks the company relied on typewriters, manual documentation and fax to conduct business and continue operations ('Reuters', 2012).
The company should have implemented tighter security controls and educated all staff about opening and clicking on links in e-mail from unknown sources. Account privileges should have been tightly controlled and strong password policies enforced, particularly for administrator accounts, since Shamoon needs administrative credentials to spread across a network (Mimoso & Brook, 2017; Weiss & Solomon, 2016); restricting those privileges would have limited how far it could go. Critical operational networks should have been isolated from the business network, with regular offline backups, log monitoring and patch management in place. Workstations and enterprise servers, for instance those holding CRM and business software, should not be reachable from the Internet. The company should also have deployed a firewall and e-mail and web content filtering, such as a dedicated e-mail security appliance that scans messages and links before they reach staff ('Cisco', 2017), together with physical protection of its systems.
References
Aguilar, N. (2017). How to Protect Yourself from the Biggest Jailbreak Hack in History. Gadget Hacks. Retrieved 31 March 2017, from https://ios.gadgethacks.com/how-to/protect-yourself-from-biggest-jailbreak-hack-history-0164226/
Bronk, C., & Tikk-Ringas, E. (2013). Hack or Attack: Shamoon and the Evolution of Cyber Conflict. Baker Institute. Retrieved 31 March 2017, from https://www.bakerinstitute.org/media/files/Research/dd3345ce/ITP-pub-WorkingPaper-ShamoonCyberConflict-020113.pdf
'Cisco'. (2017). Cisco Email Security Appliance Data Sheet. Cisco. Retrieved 31 March 2017, from https://www.cisco.com/c/en/us/products/collateral/security/email-security-appliance/data-sheet-c78-729751.html
Fong, N. (2013). Is Your Smartphone Responsible for Identity Theft? Insights.wired.com. Retrieved 31 March 2017, from https://insights.wired.com/profiles/blogs/is-your-smartphone-responsible-for-identity-theft
Mimoso, M., & Brook, C. (2017). ICS-CERT Revises Recommendations to Avoid Shamoon Infections. Threatpost. Retrieved 31 March 2017, from https://threatpost.com/ics-cert-revises-recommendations-to-avoid-shamoon-infections/100204/
Pagliery, J. (2017). The inside story of the biggest hack in history. CNNMoney. Retrieved 31 March 2017, from https://money.cnn.com/2015/08/05/technology/aramco-hack/
'Reuters'. (2012). Saudi Aramco Says Hackers Took Aim at Its Production. Nytimes.com. Retrieved 31 March 2017, from https://www.nytimes.com/2012/12/10/business/global/saudi-aramco-says-hackers-took-aim-at-its-production.html
Sutter, J. (2010). Why people 'jailbreak' their iPhones. CNN.com. Retrieved 31 March 2017, from https://edition.cnn.com/2010/TECH/mobile/07/27/why.jailbreak.iphone/
'Trend Micro'. (2015). Key Raider Malware Steals 225,000 Apple Credentials from Jailbroken iPhones. Trend Micro Security News. Retrieved 31 March 2017, from https://www.trendmicro.com/vinfo/us/security/news/mobile-safety/key-raider-malware-steals-225-00-apple-credentials-from-jailbroken-iphones
Weiss, M., & Solomon, M. (2016). Auditing IT Infrastructures for Compliance (1st ed., p. 74). Burlington, Mass.: Jones & Bartlett Learning.
Xiao, C. (2015). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Palo Alto Networks Blog. Retrieved 31 March 2017, from https://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/
Zdziarski, J. (2012). Hacking and Securing iOS Applications (1st ed.). Sebastopol, Calif.: O'Reilly.
My Assignment Help. (2022). Security Breaches: IPhones And Saudi Aramco Hacking Essay. Retrieved from https://myassignmenthelp.com/free-samples/info5301-information-security-management/iphones-security-breach-file-A83687.html