Category Archives: Apple

Security News for the Week Ending July 3, 2020

Apple Likely to Make Charger, Earphones Extra on Next iPhone

Before everyone goes crazy, first this is a rumor – a likely accurate rumor, but a rumor, and second, it is likely aligned with the EU’s directive to reduce electronic waste. Your old charger and old earphones probably still work and if, say, 50% of people agree with that, that is a lot of electronic waste avoided. People who are less Apple-friendly say that Apple reduces costs, improves its environmental image and gets many people to buy unbundled, high margin accessories. Do not expect Apple to reduce the price over this. Credit: The Register

Apple Says NO to Advertisers

And now another Apple story. Apple has decided not to implement 16 new web APIs because they might enable advertisers to track users. This only applies to Safari, the default browser on Apple devices, which represents 17% of web users and since Apple doesn’t make it’s livelihood by selling people’s data, it is a win-win. It doesn’t cost Apple anything and it helps their customers. It is OK if everyone wins. Credit: Metacurity

Hackers Selling 100 Million+ Hacked Credentials

A seller of stolen credentials is flooding the black market with stolen userids and passwords. 14 companies worth of breached databases from 2020 represent 130+ million userids. Sites affected include Homechef, Minted, Tokopedia and almost a dozen more. That is just from the first 6 months of this year. In case that is not enough, the broker is selling a number of older databases. Beware of password reuse (also called stuffing) attacks where hackers try those passwords on other sites. Credit: Bleeping Computer

Location Data Used on Specific Voters So Candidates Knew Who Voted

Money is money. A data broker sold location data on Black Lives Matters protesters so that (police) could track their movements and also sold location data on evangelicals so that the (Trump campaign) knew whether people who were favorable to them had not voted so that they could get out the vote in a very targeted manner. All legal. Expect it to be used this year, likely by many candidates. I put the names in parentheses because the broker didn’t exactly say who they sold the data to. Credit: Vice

Denial of Service Attacks up 542% in First Quarter

Distributed Denial of Service attacks jumped more than 500% between fourth quarter last year and first quarter of this year and more than 250% year to year according to NexusGuard. Likely this is due to work from home. The attacks are going after businesses and ISPs. Are you ready? Credit: Dark Reading

Security News for the Week Ending May 29, 2020

Hackers Have Access to iOS 14 Months Before You Will

Apple gives developers early prototypes of their new software so that Apple doesn’t have a disaster on its hands when the new software is released and user’s applications no longer work. Unfortunately, some developers sell those phones – or at least access to them – so that they can get unlocked copies of the OS to hack and reverse engineer. This is why hacks appear so quickly after the new versions are finally released. Credit: Vice

Reports: eBay is Scanning User’s Computers for Open Ports

Bleeping Computer tested reports that users who visit eBay’s web site have their Windows computers scanned for open ports. It is possible that they are looking for computers that are compromised and used to commit fraud. However, accessing a user’s computer like this likely violates the Justice Department’s interpretation of the Computer Fraud and Abuse Act, which is a felony, specifically because they did not ask for permission. That “interpretation” is now being reviewed by the Supreme Court. Expect lawsuits. Credit: Bleeping Computer

UK Says They Will Keep Contact Tracing Info for 20 Years

No big surprise here – I expected this. This is the downside of the “centralized” model for contact tracing apps.

According to the privacy notice attached to the UK’s new contact tracing app, data collected by the app will be stored for up to 20 years.

And, you have no right to have it deleted. Credit: Computing UK

Abandoned Apps May Pose a Security Risk to Mobile Devices

If you are like most people, you have a number of apps on your phone or tablet.

Question for you – whether you use every single one of those apps frequently or not – is how many of those apps are still supported by the developer? That includes the so-called “packages” that the app developer used to write that app.

The unsupported app – with bugs that have not be discovered or patched – can provide an avenue for exploit by hackers. For as long as those apps remain on your phone.

So while you are not using that app, hackers are trying to figure out how to exploit it. The risk is higher than you might think. Credit: Dark Reading

Security News for the Week Ending May 22, 2020

AG Says They Unlocked Shooter’s iPhone Without Needing Apple to Hack Their Security

For a couple of decades the FBI and Justice Department has been saying that software vendors need to insert backdoors into their security software to make it easier for the government to hack it if they want to.

One high profile case was the Pensacola Naval Air Station shooter, who was killed by police in the attack (making it difficult to prosecute him). Therefore, the FBI didn’t need anything off his phone to prosecute him, BUT they did want info in order to get useful intelligence about who he was working for/with and what other attacks might be planned.

In spite of the AG’s relentless claims that they need companies like Apple to insert backdoors into their systems – which will inevitably get into the hands of hackers and ruthless governments – Barr announced this week that they broke into the phones without Apple’s help. Barr said that hacking the phones was due to the great work of the FBI. Much more likely, they just placed the phone in a Cellebrite box (or competitor) and wait.

What probably galls Barr is that if he doesn’t have an unlimited license (which I am sure he does), he would have had to pay Cellebrite $1,500 for each phone he wanted to unlock.

This announcement definitely weakens the argument that software vendors need to weaken security for everyone so that the police can hack phones when it is important. Credit: The Register

Rogue ADT Tech Spies on Customer CCTV of Teen Girl

ADT has revealed that one of their techs used his permissions to access the accounts of hundreds of ADT customers and watch them via their security cameras. Last month an ADT customer in Dallas spotted an unexpected email address listed as an admin user on their account. The employee has used that email to access the home’s cameras over 100 times.

Apparently, not only could he spy on naked customers, but he could also unlock their homes if they had smart locks. One of the naked customers in question sued ADT last week.

People need to think about where they place security cameras and whether smart locks are really smart to use. Credit: The Register

Details Leaking on WHY for Prez’s EO on Securing the Grid

Earlier this month, the president issued an EO that sorta, kinda stopped the power grid from buying things that could allow adversaries to compromise the grid. I said sorta, kinda because the EO (read the text) doesn’t actually identify anything that people can’t buy. It does, however, form a committee to figure out what that might be.

Here’s what’s new. A U.S. power utility discovered a “hardware backdoor” on a Chinese transformer that was delivered to them and that they found things “that should not be there”. They think there are many of these already installed in America.

If true and I have no reason to doubt it, but almost no details to confirm it, that could be a really serious problem. A bigger problem is that the U.S. doesn’t manufacture any big transformers like the kind the utilities use.

So, if the feds ban Chinese transformers, I can describe a scenario where folks working in cooperation with the Chinese destroy a sufficient number of existing transformers with utilities not allowed to buy replacements and potentially leaving millions in brown-out or black-out conditions for months. Homeland Security is believed to have been secretly trying to figure out a solution for several years. Credit: CSO Online

Hackers Jailbreak New Apple iOS One Day After Release

Apple announced a new version of the iPhone software, 13.5, this week and the next day hackers claimed they had a hack to jailbreak the new version – every device, even the iPad Pro. That can’t possibly make Apple happy, but there are some in the hacking community that are very happy. Credit: Mac Rumors

Chinese Hardware Powers US Voting Machines

Third party risk company Interos took apart one very popular, widely used, touch screen voting machine and found that 20% of the machines components came from a company headquartered in Russia or China. 59% of the parts came from companies with locations in Russia and China.

Interos Visualization of Voting Machine Suppliers by Country. Image courtesy of Interos.

The red dots represent components from companies based in China. Given the the U.S. manufactures very little any more, this is not much of a surprise.

Paper based vote by mail sounds better by the day. Credit: Security Ledger

Weekly Security News for the Week Ending December 13, 2019

Apple’s Ad Tracking Crackdown Shakes Up Ad Market

Two years ago Apple decided that since they don’t earn a lot of revenue from ads and Google, their competitor in the phone business, does, wouldn’t it be great to do something to hurt them.  Oh, yeah, we can pretend the real reason we are doing it is to protect the privacy of our users.  Thus was born Intelligent Tracking Prevention.  This makes it much more difficult for advertisers to micro-target Safari users.

The results have been “stunningly effective”, trashing Google and others ad revenue from Safari users (typically affluent users who buy $1,000+ Apple phones, hence a highly desirable demographic) by 60%.  The stats are that Safari makes up a little over half of the US mobile market (Android wallops iPhone worldwide, but there are more users in the US willing to pay a lot of money for a phone).

So it is kind of a win-win.  Apple puts a dent in Google’s revenue and the users get tracked a little bit less.  Source: Slashdot.

 

Apple Releases Fix to Bug That Can Lock Users Out of Their iDevices

Apple users are generally pretty good at installing new releases, but this one fixes a bug that would allow an attacker to create a denial of service attack against any Apple device by sending it a bunch of requests at a speed the device can’t handle.  The bug is in AirDrop, Apple’s file sharing feature.    The good news is that a patch is available, so you just need to install it.  Source: Techcrunch

 

KeyWe Smart Lock is Broke and Can’t Be Fixed

KeyWe is a smart lock for your house.  You can buy it on Amazon for about 150 bucks. And unlock your house from your phone.

But you probably shouldn’t.  Because, apparently, ANYONE can unlock your house from their phone.

Researchers have figured out how to intercept the communications using a $10 Bluetooth scanner and decrypt the communications because the folks that wrote the software thought they knew something about cryptography.

Worse yet – the software in the lock cannot be upgraded.  Ever.  By any method, local or remote.  You get to buy a new lock.

So, as people continue to be infatuated with anything Internet, the crooks say thank you because, as I always say, the S in IoT stands for security (hint: there is no S in IoT).  Source:  The Register

 

Over 1 BILLION Userid/Password Combinations Exposed

There is a bit of good news in this (at the end).   Researchers found a publicly exposed Elasticsearch database on the net that was indexed by the BinaryEdge search engine.  The database contained 2.7 billion email addresses and clear text (unencrypted) passwords for over a billion of them.  The researchers contacted the ISP hosting the database and it was eventually taken offline.  It is not clear who owns the database or what its purpose is.   It looks like it is a collection aggregated from a number of breaches.  The good news is that most of the email addresses are from Chinese domains, so if we want to hack back at China, we have most of their emails and passwords.  Source: Info Security Magazine

New Orleans Hit By Ransomware Attack

In what is at least the third ransomware attack in Louisiana in recent weeks, the City of New Orleans shut down all of its computers, including the City’s official web site in an attempt to contain a ransomware attack.  As of right now, 911 is using their radios in place of computers to manage emergencies.

The city told users to unplug their computers from the network and stop using WiFi in an effort to contain the damage.  They then went from floor to floor to check if people really did that.

A MUCH SIMPLER AND QUICKER WAY TO CONTAIN THE DAMAGE IS TO POWER OFF ALL NETWORK SWITCHES (including the ones that the WiFi routers are connected to).  Doing that eliminates the communications path for the malware.  Once that is complete, you can power off individual computers. Source: NOLA.Com

Security News for the Week Ending September 13, 2019

Facebook/Cambridge Analytica Suit Moves Forward

Facebook tried to convince a judge that when users share information privately on Facebook they have no expectation of privacy.  The judge didn’t buy it and the suit against Facebook moves forward.  Source: Law.com  (registration required)

Equifax Quietly Added More Hoops for you to get your $0.21

Yes, if everyone who was compromised in the Equifax breach asks for the $125, the total pot, which is only $31 million, will be divided up and everyone will get 21 cents.  Not sure how the courts will handle that when the cost of issuing 150 million checks for 21 cents is tens of millions.  Often times the courts say donate the money to charity in which case, you get nothing.

The alternative is to take their credit monitoring service, which is really worthless if you were hit by one the many other breaches and already have credit monitoring services.

So what are they doing?  Playing a shell game – since the FTC is really a bunch of Bozos.  Equifax is adding new requirements after the fact and likely requirements that you will miss.

End result, it is likely that this so called $575 million fine is purely a lie.  Publicity is not Equifax’s friend, but  it will require Congress to change the law if we want a better outcome. Source: The Register.

End of Life for Some iPhones Comes Next Week

On September 19th  Apple will release the next version of it’s phone operating system, iOS 13.  At that moment three popular iPhones will instantly become antiques.

On that date, the iPhone 5s, iPhone 6 and iPhone 6s Plus will no longer be supported.  Users will not be able to run the then current version of iOS and will no  longer get security patches.

This doesn’t mean that hackers will stop looking for bugs;  on the contrary, they will look harder because they know that any bugs they find will work for a very long time.

As an iPhone user, you have to decide whether it is time to get a new phone or run the risk of getting hacked and having your identity stolen.

What Upcoming End of Life for One Operating Systems Means to Election Security

While we are on the subject of operating system end of life, lets talk about another one that is going to happen in about four months and that is Windows 7.

After the January 2020 patch release there will be no more security bug fixes for Windows 7.

The good news is that, according to statcounter, the percentage of machines running Windows 7 is down to about 30%.

That means that after January, one third of the computers running Windows will no longer get security fixes.

Where are those computers?  Well, they are all over the world but the two most common places?

  1. Countries that pirate software like China, Russia and North Korea
  2. Most election computers, both those inside the voting machines and those managing those machines.

That means that Russia will have almost a year of no patches to voting systems to try and find bugs which will compromise them.

Microsoft WILL provide extended support to businesses and governments for a “nomimal” fee – actually a not so nominal fee.  ($50 per machine for the first year and $100 per machine for the next year with carrots for certain users – see here), but will cash strapped cities cough up the money?  If it is my city, I would ask what their plan is.  Source: Government Computer News

Security News for the Week Ending September 6, 2019

Cisco: Critical Bug Allows Remote Takeover of Routers

Cisco rated this bug 10 out of 10.  For users of Cisco 4000 series ISRs, ASR 1000 series aggregation routers, 1000v cloud routers and integrated services virtual routers, an unauthenticated user can gain full control just by sending a malicious HTTP request.  So yet another reminder that patching your network gear is critical.  For Cisco, that means having to purchase their maintenance agreement every year.  Source: Threatpost.

USBAnywhere – Especially Places You Don’t Want

Eclypsium announced a vulnerability in the Baseband Management Controller (BMC) in Supermicro motherboards that allow any attacker anywhere, without authorization, to access the BMC chipset and mount a virtual USB device, wreaking all kinds of havoc as you might imagine.  Like stealing your data, installing malware or even disabling the server entirely.  The researchers found 14,000 servers publicly exposed, which is a small number, but as soon as a hacker compromises a single user’s computer anywhere in the enterprise, public equals private – no difference.  Part of the problem is that almost no one knows who’s motherboard is inside their server.  The only good news, if there is any, is that Supermicro has released patches, but you have to figure out if your boards are vulnerable and patch them manually.  Isn’t that exciting?  Source: The Hacker News.

Remember When we Thought iPhones Were Secure?

Apparently that myth is beginning to get a little tarnished.  In fact, Android zero days are worth more than iPhone attacks.  Why?  Because, exploit broker Zerodium says, iPhone exploits, mostly based on Safari and iMessage, two core parts of the iPhone, are FLOODING the market.

I don’t think that users need to panic, but I think that they need to understand that iPhones are computers running software and software has bugs.  All software has bugs.  Practice safe computing, no matter what platform you are using.  Source: Vice.

Unencrypted Passwords from Poshmark Breach For Sale on the Dark Web

When Poshmark put up a information free notice last year that some user information had been hacked (turns out it was 36 million even though they didn’t say so), but that no financial information was taken, so they didn’t feel too bad about it, most people said, another day, another breach.

The 36 million accounts were for sale for $750 which means that even the hacker didn’t think they were valuable.  But now there are reports that one million of those accounts are available with the passwords decrypted, likely at a much higher price.  Does this mean they are working on the other 35 million?  Who knows but if you have a Poshmark account, you should definitely change that password and if the password was used elsewhere, change that too.  Source: Bleeping Computer .

Researchers Claim to Have Hacked the Secure Enclave

CPU makers have created what they call a “secure enclave” as a way to protect very sensitive information in the computer.  Intel calls their feature SGX.  Researchers claim to have created an attack based on Intel’s and AMD’s assumption that only non-malicious code would run in a secure enclave.  If this all proves out, it represents a real threat and reiterates the fact that you have to keep hackers out, because once they are in, nothing is safe.  Source: Bruce Schneier.