Category Archives: Apple

Security News for the Week Ending April 8, 2022

Hackers Hack Russia’s Largest State Owned Media Corporation

Hackers stole 20 years of communications including almost a million emails from the All-Russia State Television and Radio Broadcasting Company (VGTRK). Those emails were published by DDoSecrets. VGTRK runs 5 national TV stations, 5 radio stations and numerous propaganda outlets. The data is available for download as an almost 1 terabyte torrent. The hackers say they did this because of Russia’s attack on Ukraine. This is part of the ongoing cyber war between Ukraine and Russia. Credit: Daily Dot

Apple AirTags Are Useful for Stalking

Motherboard asked dozens of police departments for reports that included Apple Airtags. They received 150 reports that mentioned Airtags. Remember that they asked for reports from something like less than one half of one percent of the departments. In 50 cases women called the police because they were being notified by THEIR iPhones that they were being stalked. Many of these women thought that either former or current intimate partners were to blame. Only one report came from a man. A few of the reports talked about robbery or theft as the potential reason. In any case, Apple has a challenge for which there is no easy fix. Credit: Motherboard

Russia’s Great Firewall has Some Holes in It

Russian citizens are turning to a variety of tools to bypass Russia’s attempt to block citizens from accessing western media. From VPN tools, to Telegram to Cloudflare’s WARP, they are effectively bypassing Russian controls and accessing French, British and U.S. newspapers. Credit: Bleeping Computer

Hotels Are Now Prime Targets for Hackers

As hotels use more tech and create more apps, they have more data for crooks to steal. And, since data is king, the crooks go after it. The Marriott/Starwood hack, back in the old days of 2014, netted the hackers information on a half billion people. With new laws like state privacy laws in the U.S. and GDPR in Europe, the stakes for breaches are just going to get a lot more expensive. Luxury hotels are particular targets as London’s Ritz recently found out. If you have to give information to a hotel, do what you can to minimize it. Credit: Financial Times of London

Government Sponsored Hacks not Limited to Russia-Ukraine

China continues to target India’s power grid, a year after the start of the attack campaign. Security researchers say the purpose right now is to gather intelligence to enable future attacks. They say the attackers would attempt to compromise the grid’s load management system. If it succeeds, it could cause cascading blackouts with no way to stop the dominoes until the country is dark. The FBI says that hundreds of U.S. critical infrastructure companies have been attacked as well, so this is not limited to India. Credit: The Hacker News

Cybersecurity News for the Week Ending April 1, 2022

How Many Times Do I Need to Say – Crypto is Software, Software Has Bugs, Your Money is at Risk

Decentralized Finance platform (DeFi) Revest Finance said that it lost $2 million due to a software bug and, oh yeah, (a) the can’t recover the funds, (b) they do not have the money to cover the losses and(c) they don’t have insurance to cover the hack. Unless we eliminate the software, we cannot eliminate all bugs. Credit: The Record

Russia Faces Internet Outages Due to Equipment Shortages

One of Russia’s tech unions says that Russian ISPs run the risk of Internet outages as the value of the Ruble goes down and foreign companies won’t sell them parts or new equipment. Right now the government is saying that is the Internet providers’ problem, but if it turns into widespread outages, they are likely to change their tune. Credit: Bleeping Computer

Cryptocurrency was Fun While it Lasted

EU Parliament committees have voted to require crypto exchanges to verify the identity of self-hosted wallets, meaning the end of anonymity for crypto transactions. The US Treasury (FinCEN) has also suggested that we do that, but it has not yet appeared in a bill. That means that the bad guys will need to do peer to peer crypto, minus the exchanges to deal in criminal activities. While this is harder than using exchanges, it is far from impossible. Given that the whole purpose (beside speculating) of crypto is to commit fraud, identifying yourself is probably not high on user’s wish lists. Credit: Vice

Senate Asks Companies About Hackers Creating Fake Warrants

Recently I wrote that hackers have figured out the the government’s search warrant process is as secure as, say, a screen door. Now that the facts have been outed and likely even more hackers will use that fact to steal even more data, a couple of Senators have started asked questions. That is a long way from Congress actually doing anything useful about it, but at least it is a start. Don’t expect anything to happen because it is a hard problem to fix. Credit: Brian Krebs

Apple Fixes More Mac, iPhone Zero Days

In case you haven’t noticed, the last 12 months have not been Apple’s friends when it comes to zero-day bugs. This week Apple patched two more that are actively being exploited in the wild and affect iPhones, iPads, iWatches and Macs. The versions you are looking for are iOS 15.4.1, iPadOS 15.4.1, and macOS Monterey 12.3.1 with improved input validation and bounds checking, respectively. Credit: Bleeping Computer

EU Proposes Major New Rules for Big Tech

The Digital Markets Act is designed to reign in big companies like Amazon, Facebook and Apple. Alternatively, those companies could choose not to do business in Europe, fearing the requirements could be too expensive or too risky. My guess is that none of the platforms will have the guts to do that, but who knows.

Fines could be up to 10% of a company’s annual revenue or 20% for repeat offenders.

The EU thinks the law could be passed and in effect by the fall. Companies would have from three months to four years to interoperate with smaller platforms, depending on the complexity.

Right now the bill is only targeting messaging apps like Whatsapp and iMessage and the EU would like those to be able to talk to each other and other apps.

Some vendors, like Apple, choose to not allow their apps to interoperate because they think it sells more hardware.

It will be interesting to see who is smarter – the tech companies or the lawyers. I could see a situation where an iMessage user could talk to a Whatsapp user, but using the least common denominator – no security. While that technically works, that is probably not what either community wants. Will that meet the requirements of the bill? No one knows because the sausage is not done being made.

Apple commented about the bill saying that it will create unnecessary privacy and security holes and will stop us from being able to charge for our intellectual property. We believe in competition, they say (as long as they win, I say). Credit: The Verge

Security News for the Week Ending March 4, 2022

Apple Scrambles to Try and Figure Out How to Stop Stalkers From Using AirTags

Their newest idea is, when you initialize a new AirTag, it will tell you that Stalking may be illegal in your country. I really, really, doubt that will have any effect. They are also shortening the time window for notifying you that you are being stalked. Users of newer Apple devices will be able to find out how far away Apple thinks that rogue AirTag is. They are trying, but there is no simple fix. Credit: Yahoo

China Outs NSA Hacking Tool

Just like the U.S. outs foreign hacking tools when it suits our purposes, China is now doing the same thing. Likely this is for internal consumption, but it does give us a little bit of insight into their thinking and for sure, that certain hacking tools are no longer secret. Credit: Vice

Anonymous Hacks High Profile Russian Leaning Websites

First Anonymous hacks the Russian Ministry of Defense and posted the stolen data online for free. The data includes officials passwords, phone numbers and emails (Credit: Cyber News) and then they claim to have broken into Belarusian weapons maker Tetraedr and stole a couple hundred gigabytes. The data stolen included emails and they even, conveniently indexed all of them and handed the data to DDoS Secrets. They call this Operation Cyber Bully Putin. (Credit: Cyber News). It sounds like there will be more web sites hacked. Stay tuned.

Apple Responds to Russian Invasion of Ukraine

Each company is doing its own thing. In Apple’s case, they have paused all product sales in Russia. Apple pay and other services have been limited. Apple maps have stopped live update and Russian propaganda apps have been taken off the Apple store (why were they there in the first place?). Credit ZDNet

FCC to Review Border Gateway Protocol Security

In 1989 an engineer from Cisco and one from IBM wrote down an idea on two napkins (that have been preserved). That was the basis of Border Gateway Protocol or BGP. Needless to say, they did not think about security. BGP has been hacked by China and North Korea, among many others, so many times that we have all lost count. But BGP is a critical part of the Internet’s routing system. Finally, twenty five years too late, the FCC is “looking into” BGP security. We shall see what happens. Change on the Internet goes slowly. IPv6 was approved 10 years ago and still, it is the minority of traffic on the Internet (it is used a LOT on the backbone, just not at the edge). Credit: Data Breach Today

Apple iOS in the Doghouse Again

iOS devices running 14.7 through 15.2 – basically all devices – are subject to a denial of service attack that forces the user to do a factory reset, wiping all of the user’s data.

If the user logs in to iCloud to restore the data, the denial of service attack will replay once the data is restored, resulting in a “rinse and repeat” cycle.

Apple was told about the bug last August but has not mitigated it. As a result, the researcher who discovered it has publicly disclosed it and created a proof of concept app to demonstrate it.

Apple has repeatedly said that they would fix it, but have not.

The bug is related to the Homekit software, which does home automation and, apparently, it does not matter whether you are doing any home automation or not. If the hacker manages to create a device name of more than 500,000 characters, which can be done in a number of ways, the iDevice goes into cardiac arrest.

For more technical details on how the attack works, read the article at the link.

Since all good attacks need a catchy name, this one is called DoorLock.

Apple did quietly create a partial mitigation in 15.1, if you know about it and use it. The attack creates a device name of more than 500,000 characters, causing the iDevice to go belly-up. There is a way to limit the device name length, but it is not set by default (why?). My guess is that maybe a half dozen Apple employees have set this to protect themselves.

One bright spot is that the hacker would either need to have access to your “home” or get you to manually accept an invitation to one. The second seems easier than the first, using a pretty vanilla social engineering scam.

If you don’t have your data backed up, you are, as they say, in a world of trouble.

There is a way, if you know what is going on, to mitigate the “rinse and repeat” loop to restore your data from iCloud, so all is not lost, but it could be very stressful.

You are now warned Credit: Bleeping Computer

Security News for the Week Ending December 17, 2021

The Gift That Keeps on Giving – Log4j – List of Affected Vendors

First, get used to hearing about this. It will be haunting us for months, at least. Jen Easterly, current head of DHS’s CISA and formerly at NSA and a professor at the US Military Academy at West Point says this may be THE WORST vulnerability she has seen in her career. As of Monday, here is a list of affected vendors. If you use any of these vendors, and it looks like a who’s who of computer software, watch for patches. Second, it looks like the first patch for Log4j, 2.15, didn’t close the hole and now there is a new release, 2.16. This will keep evolving, so if you are a company that uses software, this applies to you.

From Friday through Tuesday researchers tracked more than 840,000 attempted attacks looking for the Log4J vulnerability. They are only getting started. Credit: Ars Technica

Hackers Hit Third Cryptocurrency Company This Month-Total Haul is Over $400 Mil

Vulcan Forge is the next cryptocurrency company to get hit by hackers. They stole about $135 million from them. If you get the sense that cryptocurrency software is buggy and processes are weak, you have it about right. In VulcanForge’s case, since it is decentralized, there is no central authority to block the movement of stolen currency. This is not going to end anytime soon. Credit: Vice

Apple Airtags Make a Wonderful Stalking Tool

Stalkers are using Apple Airtags to stalk people. A woman in Arkansas, for example, got into her car and her iPhone told her that an airtag was following her. She found the tag on her trunk. If a stalker tried to hide it, say under her car somewhere, it would be more difficult to find. Apple says that Android users can detect a rogue Airtag because it will beep if it is separated from its owner for more than three days (assuming that is the case).

Credit: Apple Insider and Daily Kos. Apple has released an Android app to detect rogue trackers, but how many Android users are going to even think of downloading an Apple app. Credit: PC Mag

Feds Don’t Quite Handle Incident Response

A backdoor in the network of the United States Commission on International Religious Freedom has allowed attackers to intercept, and likely exfiltrate, all local network traffic on the agency’s systems. Security firm Avast discovered the intrusion in May, spoke the agency’s executive director and even talked to CISA. After getting no follow-up for months, Avast published their findings. Avast says that due to lack of communications from the Agency, they don’t know if they fixed the problem. They have since reached out to other agencies and NGOs focused on international rights to warn them. Maybe they fixed the problem right away? Who knows? Credit: Data Breach Today