
Security News for the Week Ending January 15, 2021

US Bulk Energy Providers Must Report Attempted Breaches

The SolarWinds attack, from what little we know about it, was bad enough, but what if it was Russia’s trial run for taking down the power grid like they did in Ukraine, or taking out the water supply or gas supply? NERC, the electric utility regulator, released CIP-008-6, which requires relevant bulk power providers to report attempted hacks in addition to successful ones.

All cybersecurity incidents, whether actual compromises or attempts to compromise, have to be reported to the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), now known as the National Cybersecurity and Communications Integration Center (NCCIC), as well as the Electricity Information Sharing and Analysis Center (E-ISAC). Unfortunately, the feds have not clearly defined what an attempt is. Credit: CSO Online

Researchers Say Bitcoin Hacks in 2020 Netted $3.78 Billion

In fairness, that is at today’s Bitcoin value, but let’s say it is only $2 billion. Does that make you feel better? The most lucrative target was individual Bitcoin wallets, but hackers went after exchanges and apps too. Credit: ZDNet

FAA Changes Rules on Mask Wearing on Airplanes

Up until today, if passengers would not follow flight crews’ instructions to wear masks and were unruly, or threatened or intimidated flight crews, the FAA tried to counsel them or hit them with civil fines. Now they have changed the rules and anyone who does that will be charged with interfering with a flight crew, which carries a penalty of up to 20 years in prison and a $35,000 fine. Or both. Ouch. Credit: Vice

Apple Changes Rules That Exempted Themselves from Security Rules

In MacOS 11 Apple created a rule that exempted 53 of its own apps from having to go through the Mac’s firewall. After all, Apple does know best. Apple claimed the exemption was temporary. Why? Because Apple made some changes in MacOS and they didn’t have time to iron out all the bugs in their apps before they shipped the software. That’s comforting. Once 11.2 ships, Apple’s apps will no longer be exempted. Oh, by the way, they forgot to tell their users that they were exempting their buggy apps from the firewall. Because? Don’t know. Probably would not be good PR. Credit: ZDNet

Signal Messaging App Creaking Under The Load

Years ago Facebook bought the privacy oriented messaging app WhatsApp which has become very popular. Last month Facebook created new terms which require users to allow Facebook to mine your WhatsApp data which is sort of unpopular with people who signed up for a privacy oriented app. Under the covers, WhatsApp is really just Signal, Moxie Marlinspike’s privacy oriented messaging app with some lipstick on it. As a result of Facebook’s not understanding that users would be displeased with the change to their terms of service, apparently tens of millions of people are moving from WhatsApp to Signal. Combine that with the shutdown of Parler, and Signal, which is a non-profit, is having trouble managing the load. Last week Elon Musk told his 40+ million followers to use Signal. It is likely that they will get things sorted out but any time a company gets 25-50 million new customers all at once, while it is a good problem, it is a problem. Stay tuned. Credit: The Register

Trump Bans 8 More Chinese Apps

Donald Trump has signed an executive order banning the use of eight Chinese apps, namely Alipay, CamScanner, QQ Wallet, SHAREit, Tencent QQ, VMate, WeChat Pay, and WPS Office.

The EO says that the apps can track users and capture personal data –

Just like, say, Facebook or Fox News or any other American app.

But Trump doesn’t like it that China is collecting that data because, basically, China bad. And, realistically, that is hard to argue with.

Part of the problem is that users “over share”.

Another part of the problem is that users opt for convenience over security, and that means that these apps – including all of the American apps – can vacuum up an amazing amount of data that lives on most users’ phones.

Consider this. The last time YOU installed an app on your phone it probably asked for some permissions. Did you consider whether that app really needed those permissions? Almost no one else does either.

Somehow Trump ties what these apps are doing to the Anthem and Office of Personnel Management breaches. I guess in the sense that all of those desire to collect your data – just like Twitter does – that is true. I am sure that even though Trump hates Twitter, he would hate it even more if it was not financially viable and disappeared. Therefore, if they have to harvest your data without any real permission (yes, you can disagree, but if you do, they will delete your account), that is okay.

The basic difference here is not WHAT is being done, but rather WHO is doing it. All apps collect, use and monetize your data. Who the good guys are is a little less clear.

The order doesn’t take effect for 45 days, so likely it will be up to the next administration to figure out what to do.

Personally, I would be fine if half of the apps on the Apple and Android stores just went poof. No, actually 90% would be a good number to banish. I would not miss them at all. Just my opinion. Credit: The Register

Security News for the Week Ending December 11, 2020

Researchers Hack Apple Successfully

Between July and October, good-guy hackers worked on a side project to hack Apple. The results were impressive – if you are not Apple. 55 vulnerabilities found, 11 critical and 29 high. Apple paid the team a bug bounty of $288,000. The compromise would have exposed a lot of Apple’s internal systems and data. Several of the reported bugs were fixed by Apple in hours. Credit: Sam Curry

Hackers offer 250,000 MySQL Databases For Sale on the Dark Web

A hacker set up a dark web site to offer 250,000 MySQL databases stolen from 83,000 breached servers. He wants 0.03 Bitcoin for each database (about $500). The data comes from brute force attacks that resulted in the hacker stealing the data and then deleting it from the victim’s server, leaving just a ransom note. Credit: bleepingcomputer.com

Now That Google has Won the Browser War, they Are Working to Kill Off Privacy

Now that all major browsers are based on Chromium, except for Firefox, Google doesn’t have to worry about competition. Google currently allows browser extensions to do way too many things, many of which are dangerous. As a result, they are redesigning the interface that extensions use, called Manifest, which, in concept, is not a bad idea. Purely coincidentally, these changes kill the ad blockers in all Chromium based browsers. Pure coincidence. It has nothing to do with the fact that Google makes most of its money selling ads. There is one ad blocker that will continue to work, Adblock Plus. Adblock Plus is paid by Google to allow their ads to pass freely through their ad blocker. Credit: The Register

Deadline for Sale of TikTok Passed and... Nothing

Trump issued an executive order months ago requiring the sale of TikTok or it would be shut down in the United States. But politics makes people make strange choices. Politicians do not relish ticking off 100 million voters by shutting down their entertainment during a pandemic, so they have kept moving the goal posts. But after moving the “deadline” time after time with no results to show, they just let the last deadline pass. Of course that doesn’t mean this is over, but it does question the government’s intentions. Credit: MSN

Apple Joins Intel and Others in the Buggy Silicon Club

Intel and, to a lesser extent, AMD and ARM have been collecting a lot of attention in the last year or so for bugs in their silicon. As everyone tries to tweak every last drop of performance out of their systems or do new and creative things, the risk of a problem increases.

But Apple has been a member of the club before and now it is being reintroduced as a club member.

Apple’s T2 security chip, a repurposed Apple A10 processor, is used in all Macs between 2018 and now. The chip controls the Touch ID and also provides the basis for encrypted storage and secure boot. Not something that you want to be buggy.

The good news is that the attacker needs physical access (think evil maid attack) to the Mac for the attack to work. Given that, the attacker could gain root access and wreak havoc. The attacker could brute force the Mac’s encrypted file system, FileVault 2, and load arbitrary code.

The researcher contacted Apple multiple times with no response. He also reached out to some Apple pubs, but again no one bit.

I assume that if the claim was bogus, Apple would have stomped all over him quickly.

Alternatively, if there is no fix to this, like there is no fix to the earlier Apple silicon issue called Checkm8, then they might hope it goes away.

JTAG, the industry standard debug port that most hardware has, appears to be the problem here. Many times vendors leave it enabled when they ship devices, hoping no one notices but making it easier to troubleshoot problems. Security best practice says it should be functionally destroyed prior to ship so that there is no way to re-enable it.

This bug is very unlikely to be exploited except in targeted attacks because in addition to requiring physical access to exploit the JTAG “feature” and using the Checkm8 bug, it also loops in another bug called Blackbird.

My guess is that like Checkm8, this bug is unpatchable.

Unlike my PC. I just got shiny new microcode this week for mine. Apple’s design does not allow for that.

Right now, until someone figures out how to exploit this remotely, the risk is low, but keep your eye on your devices. Credit: Threatpost

Security News Bites for the Week Ending July 24, 2020

Cloudflare DNS Goes Down Taking A Big Chunk of the Internet Down

Good news and bad news. For companies like Shopify, League of Legends and Politico, among many others, Friday afternoon gave you a headache. You outsourced your DNS to Cloudflare and they had a burp. The good news is that because they are Cloudflare they were able to diagnose it and mitigate the problem in 25 minutes. While no one wants to be down, could you fix your internal DNS server meltdown in 25 minutes? Credit: Techcrunch

Great Article on How Norsk Hydro Dealt with a Ransomware Attack

Bloomberg has a great article on how Norsk dealt with their ransomware attack. Couple of thoughts. They spent $60 million to recover. Their insurance has paid them $3.6 million. You do the arithmetic. And, they weren’t dealing with ransomware 2.0 which really changes things. Check out the article on Bloomberg.

Grayshift Has a New Form of Spyware

Grayshift, the company that breaks into cell phones for cops and “other entities”, has come up with a new tool. Take a locked iPhone and put it on the Grayshift box. They install malware onto your locked iPhone. Then they give it back to the suspect under the guise of, say, calling their lawyer. The suspect unlocks the phone and the malware records the unlock code. Then the cops take the phone back and can unlock the phone without you. Likely Apple will figure out how they are doing this, but for now, it works. Credit: NBC News

First American (Title Company) Makes History

New York’s Department of Financial Services released a highly detailed set of security standards a couple of years ago for businesses that they regulate called DFS 500. This set of security standards dictates what controls and processes banks, mortgage companies, insurance companies and others must implement to protect the data that they store. First American is the first company that DFS has sued for messing up. There were 885 million records exposed and the fine can be $1,000 per record. You do the math and start the negotiations. Credit: PYMNTS.Com

Security News Bites for the Week Ending July 17, 2020

Microsoft’s LinkedIn Sued for Abusing Clipboard Access

Apple’s Universal Clipboard allows you to share data between devices. According to the lawsuit, LinkedIn reads the data without notifying the user. However, LinkedIn is not alone. More than 50 apps, apparently, do that. Now that they have been sued, they are changing their app. Credit: Reuters

When is 10 million actually 140 million?

Apparently MGM Resorts is not great at counting. In February ZDNet reported that hackers stole info on 10 million guests. Apparently the number is actually 142 million. We know this not because MGM said so but because a hacker is selling that much data. Credit: ZDNet

340 GDPR Fines Totaling 158 Million Euros Issued Since 2018

The smallest fine was 90 Euros. The largest fine was 50,000,000 Euros.

France, Italy and Germany represent 73% of all of the fines.

While fines issued by France total 51 million Euros, fines issued by the UK were just over a half million Euros.

While GDPR has been in force for around two years, that is just a blip when it comes to the legal world. Stay tuned for the next two years. Credit: Helpnet Security

The Same Senate That is Trying to Ban Encryption is Asking Why Twitter isn’t Encrypting DMs

While the Senate debates the EARN IT Act, which would require companies like Twitter to implement encryption back doors, or the LEAD Act, which FORCES judges to make companies decrypt data if the cops ask the judge to do it, with no judicial discretion, that same body is asking why Twitter isn’t encrypting Direct Messages (DMs). Sounds kind of bizarre to me, but that is reality. Credit: Security Boulevard

Beware of VPNs That Keep No Logs

UFO VPN (first clue: based in Hong Kong) says this about their security practices:

UFO VPN does not collect, monitor, or log any traffic or use of its Virtual Private Network service, under any circumstances, on any platform

Which makes it hard to explain how 894 GB of log data, including encryption keys, was stored on an Elasticsearch server with no password. This represents 20 million users’ logs.

If you care about your privacy, check out any VPN provider that you plan to use carefully. Credit: Hack Read