Category Archives: Apple

Apple Contractors “Regularly Hear Confidential Details” on Siri Recordings

Apple uses contractors to listen to Siri recordings to figure out whether Siri responded correctly.  Apple says that these contractors are under non-disclosure agreements and the Siri conversations are not directly tied to the person’s iPhone or Apple credentials.

Still, these people hear about:

  • Confidential medical conversations
  • People having sex
  • Drug deals
  • Other likely illegal activities
  • Business deals

While they grade Siri on its responses, they don’t have to grade it on the subject matter of those conversations.

Apple does not specifically disclose that they hire contractors to listen to your requests, but they did not deny it either.  They say only about one percent of the conversations per day are reviewed by humans.  Still, that is likely millions of sound bites.  Per day.

You are probably asking: why would someone ask Siri a question while having sex?  Well, the short answer is that they do not.  But Siri can get confused and think that you said the activation word when you did not, hence the recordings.

If you have an iPhone or other Siri enabled Apple device around you, you implicitly consent to Apple recording you and humans listening to that conversation sometimes, whether you asked it to or not.  Siri can be activated accidentally, apparently, by the sound of a zipper.  Really?!

Another way that Siri can be activated is if an Apple Watch detects it has been raised, which could easily happen during drug deals. Or during sex.

So let’s assume that you are OK with the possibility, maybe even the likelihood, that Siri may record you in compromising or private situations.

Does that mean that other people in the room are okay with that?  Like your sex partner.  Who may use your name.

Are other people in the room even aware that they are being recorded?

Is that even legal?  Answer: probably not in states that require two-party consent, but I am not aware of a court decision yet.

In some companies, you are not allowed to bring your electronic devices into the building.  You may remember that Snowden required reporters to put their iPhones in the refrigerator to block signals to them.

If you are concerned about the confidentiality of a conversation you are having then you need to ask these questions.  Samsung was forced to put a disclosure on their TVs to this effect after a lawsuit.

Remember, it is not your device that you have to be worried about, it is everyone else within earshot that you should be concerned about.

Not only does this include Siri devices, but it includes any other smart device that has the capability to covertly record.

Source: The Guardian

Phone Apps Collect User Data Even If You Deny Permissions

All smartphones are data collection machines; hopefully everyone understands that.  There are an amazing number of sensors on the device and many apps just ask for everything.  If the user grants that, then the app can harvest all that data and likely sell it, either individually or in the aggregate.

Researchers took a tiny sample of 88,000 apps out of the Android app store (because that is easier than the Apple store) and found that 1,300+ of those apps – or a bit more than one percent – figured out how to circumvent the permission rules.

Some of these apps are mainstream apps.  For example, Shutterfly grabs the GPS coordinates out of your pictures, assuming they are there in the photos.

Does this mean that they are hacking the phone?  No, it means that they have figured out how to finesse the system.
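How the Shutterfly case works, as an added example that is not code from the article or from the researchers it cites: a photo an app is allowed to read can carry the device’s GPS fix in its EXIF metadata, so an app with only photo access learns your location without ever holding the location permission. The Python below constructs a minimal JPEG whose EXIF holds a GPS sub-IFD (a constructed metadata skeleton, not a real image), shows how the position is recovered from it, and shows the mitigation a defender would apply: stripping the APP1/Exif segment before the photo is shared. Tag numbers and type codes are the standard EXIF/TIFF values; the function names and sample coordinates are made up for the example.

```python
import struct

# Standard EXIF/TIFF values: tag numbers and field type codes.
TAG_GPS_IFD = 0x8825                      # IFD0 entry that points at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5
EXIF_HEADER = b"Exif\0\0"


def build_sample_jpeg(lat, lat_ref, lon, lon_ref):
    """Constructed input: a JPEG skeleton (SOI, APP1/Exif, EOI) whose EXIF holds
    only a GPS sub-IFD. Not a viewable photo; it exists so the parser and the
    stripper below can be run offline."""
    def rationals(deg):
        # degrees, minutes, seconds as three RATIONAL (numerator, denominator) pairs
        d = int(deg)
        m = int((deg - d) * 60)
        s = round(((deg - d) * 60 - m) * 60 * 100)
        return struct.pack("<6I", d, 1, m, 1, s, 100)

    # Little-endian layout, offsets relative to the TIFF header:
    #   0 TIFF header (8) | 8 IFD0 (18) | 26 GPS IFD (54) | 80 lat (24) | 104 lon (24)
    tiff = b"II" + struct.pack("<HI", 42, 8)
    ifd0 = struct.pack("<H", 1)
    ifd0 += struct.pack("<HHII", TAG_GPS_IFD, TYPE_LONG, 1, 26) + struct.pack("<I", 0)
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI", GPS_LAT_REF, TYPE_ASCII, 2) + lat_ref.encode() + b"\0\0\0"
    gps += struct.pack("<HHII", GPS_LAT, TYPE_RATIONAL, 3, 80)
    gps += struct.pack("<HHI", GPS_LON_REF, TYPE_ASCII, 2) + lon_ref.encode() + b"\0\0\0"
    gps += struct.pack("<HHII", GPS_LON, TYPE_RATIONAL, 3, 104)
    gps += struct.pack("<I", 0)
    payload = EXIF_HEADER + tiff + ifd0 + gps + rationals(lat) + rationals(lon)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


def _segments(jpeg):
    """Yield (marker, start, end) for each metadata segment before SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI or SOS: image data follows, metadata is over
            return
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)   # length counts itself
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _exif_tiff(jpeg):
    """Return the TIFF blob inside the first APP1/Exif segment, or None."""
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER:
            return jpeg[start + 10:end]
    return None


def _read_ifd(tiff, offset, bo):
    """Return {tag: (type, count, raw 4-byte value/offset field)} for one IFD."""
    (n,) = struct.unpack_from(bo + "H", tiff, offset)
    entries = {}
    for i in range(n):
        base = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(bo + "HHI", tiff, base)
        entries[tag] = (typ, count, tiff[base + 8:base + 12])
    return entries


def _dms(tiff, entry, bo):
    """Decode a 3 x RATIONAL degrees/minutes/seconds entry to decimal degrees."""
    (off,) = struct.unpack(bo + "I", entry[2])
    v = struct.unpack_from(bo + "6I", tiff, off)
    return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600


def extract_gps(jpeg):
    """Detection: (lat, lon) in decimal degrees if the photo carries a GPS
    position in its EXIF, else None. South and West come back negative."""
    tiff = _exif_tiff(jpeg)
    if tiff is None or tiff[:2] not in (b"II", b"MM"):
        return None
    bo = "<" if tiff[:2] == b"II" else ">"
    (ifd0_off,) = struct.unpack_from(bo + "I", tiff, 4)
    ifd0 = _read_ifd(tiff, ifd0_off, bo)
    if TAG_GPS_IFD not in ifd0:
        return None
    (gps_off,) = struct.unpack(bo + "I", ifd0[TAG_GPS_IFD][2])
    gps = _read_ifd(tiff, gps_off, bo)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    lat = _dms(tiff, gps[GPS_LAT], bo) * (-1 if gps[GPS_LAT_REF][2][:1] == b"S" else 1)
    lon = _dms(tiff, gps[GPS_LON], bo) * (-1 if gps[GPS_LON_REF][2][:1] == b"W" else 1)
    return lat, lon


def strip_exif(jpeg):
    """Mitigation: a copy of the JPEG with every APP1/Exif segment removed, so a
    photo handed to an app no longer carries a location."""
    out = bytearray(jpeg[:2])
    pos = 2
    for marker, start, end in _segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER):
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]           # SOS onwards (just EOI in the constructed sample)
    return bytes(out)


if __name__ == "__main__":
    photo = build_sample_jpeg(40.7128, "N", 74.0060, "W")   # constructed coordinates
    print("location in photo:", extract_gps(photo))
    print("after stripping:  ", extract_gps(strip_exif(photo)))
```

The point of the code is that the location is ordinary file content: anything that can read the file can read it, which is why a permission model built around sensors alone does not stop it, and why stripping metadata on the way out of the camera roll is the control that actually works.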

Another thing that some apps do is look for data that other apps leave unprotected on the phone and snarf that data up.  For example, older versions of Android do not protect individual apps’ data on external storage.  If you give an app access to external storage, it can rummage around on that external storage for any data that might be there.

If an app can find the phone’s IMEI number (basically the phone’s serial number) that another app with permission retrieved and left unprotected, it can tie all of your data to you even though it has no permission to retrieve your serial number itself.

With each new release of iOS and Android, the developers of those operating systems implement new controls in an effort to rein in developers who have figured out how to game the system.

Sometimes it is not the app developer who is being deceptive but rather the provider of one or more libraries that the developer integrated into the application.  That means the app provider could be unwittingly helping out Chinese library developers (yup, that is happening, for reals).

This is not limited to one operating system.  As they say, if the app is free, then you are the product.

As an app developer, you need to understand what each and every library does and if you can’t be sure, you can sniff the network traffic and see what is actually happening.

Source: The Hacker News.

So You Thought Your iPhone Was Secure

The security of all computers is dependent on three things:

  • The Hardware
  • The Operating System
  • The Apps

When it comes to the iPhone, Apple does a great job of making sure the hardware is secure.  The Secure Enclave is the best in the industry and Apple spends a lot of money testing their hardware.  The good news for Apple users is that Apple controls all of the hardware because they make all of it.

The next piece is the operating system.  iOS has a great security reputation and pretty much forces all of the security patches onto users’ devices whether they want them or not.

So what is left?

Yes, it is the apps.  Depending on the user and the phone, you could have 50 or a hundred or more apps on your phone.  That’s where the trouble starts.

Security researchers at Wandera evaluated about 30,000 popular apps found in the app store.  They noticed that data was being transmitted unencrypted because app security was turned off.

This seemed odd to the researchers since Apple’s app security framework, called App Transport Security or ATS, is turned on by default.  It comes included as part of Apple’s Swift development platform, so it is no additional work for the developers to use it.

The researchers found that 20,000 of the 30,000 apps had ATS turned off.

Their best guess is that the developers thought, maybe, that encryption would reduce the app’s performance, but on most phones that is not true.

For the last few versions of iOS, Apple even made it possible for developers to only use ATS when they were transferring sensitive information, but apparently, app developers don’t care.
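As an added example, not code from the article or from Wandera: ATS is governed by the NSAppTransportSecurity dictionary in the app’s Info.plist, and the wholesale opt-out the researchers describe is a single key, NSAllowsArbitraryLoads. The Python below, using only the standard library’s plistlib, scans an Info.plist for that key and for the per-host exception settings Apple provides as the scoped alternative, and reports each weakening as a finding. The three plists are constructed for the example (the bundle identifiers and the legacy-cdn.example.com host are invented); the key names are Apple’s real ATS keys.

```python
import plistlib

# Real Info.plist keys from Apple's App Transport Security documentation.
ATS_KEY = "NSAppTransportSecurity"
WEAK_TLS = ("TLSv1.0", "TLSv1.1")


def ats_findings(info_plist):
    """Scan an Info.plist (bytes) and return a list of (severity, detail) for
    every setting that weakens or disables ATS. An empty list means ATS is intact."""
    ats = plistlib.loads(info_plist).get(ATS_KEY, {})
    findings = []
    # Global switches: these turn ATS off for whole classes of connections.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("high", "NSAllowsArbitraryLoads=true: plaintext HTTP allowed to every host"))
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append(("medium", "NSAllowsArbitraryLoadsInWebContent=true: ATS off inside web views"))
    if ats.get("NSAllowsArbitraryLoadsForMedia"):
        findings.append(("medium", "NSAllowsArbitraryLoadsForMedia=true: ATS off for media loads"))
    # Per-host exceptions: the scoped mechanism, still worth reporting.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        scope = f"{domain} (+subdomains)" if rules.get("NSIncludesSubdomains") else domain
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(("medium", f"{scope}: plaintext HTTP allowed"))
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(("low", f"{scope}: forward secrecy not required"))
        if rules.get("NSExceptionMinimumTLSVersion") in WEAK_TLS:
            findings.append(("low", f"{scope}: minimum TLS lowered to {rules['NSExceptionMinimumTLSVersion']}"))
    return findings


def worst_severity(findings):
    """Collapse a findings list to its highest severity, or 'none'."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f[0] for f in findings), key=order.get, default="none")


# Constructed sample plists (not taken from any real app).
# 1) What the researchers describe: ATS switched off wholesale.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.weak</string>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist>"""

# 2) The scoped alternative: ATS stays on, with one named exception for a
#    legacy host that only serves non-sensitive content.
SCOPED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.scoped</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy-cdn.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><false/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

# 3) No ATS dictionary at all: the default, ATS fully enforced.
DEFAULT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.default</string>
</dict></plist>"""


if __name__ == "__main__":
    for name, blob in (("weak", WEAK_PLIST), ("scoped", SCOPED_PLIST), ("default", DEFAULT_PLIST)):
        print(f"{name:8s} {worst_severity(ats_findings(blob)):6s} {ats_findings(blob)}")
```

Run against the Info.plist inside an .ipa (unzip it, then Payload/*.app/Info.plist) this is the check the researchers effectively performed at scale: the default plist produces no findings, the scoped one a single medium finding naming the host, and the weak one a high finding with no host at all, because the exemption applies everywhere.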

I think it is fair to say that the state of app security is similar to the state of web site security ten years ago (or older).

The challenge for the end user is that they really have no easy way to tell which apps are secure and which ones are not without being a security expert, which is not reasonable.

Unfortunately, I do not have a silver bullet.  I tend to minimize the number of apps that I have installed as one way to reduce my attack surface.  Maybe not the best answer, but the best one that I have.  Source: Dark Reading.

Financial Institutions are Risking Customers’ Data. And Money.

Banks are very good at security.  Certain kinds of security, that is.

They have vaults with really cool doors.

Many banks have armed guards.  And alarms.

In some cities they put tellers in cages to protect them (that is NOT a great metaphor).

But when it comes to developing software, they are subject to the same challenges that everyone else developing software deals with.

So it shouldn’t be much of a surprise that banking software for your phone is not as secure as it should be.

According to a recent report on 30 mobile banking apps offered by financial institutions, almost all of the apps could be reverse engineered by hackers, revealing account information, server information and other insecurely stored data.

According to the report, 97% of the apps tested lacked the proper code protections.  90% of the apps shared services with other apps on the device.  83% of the apps stored data insecurely.  You get the idea.

And that is not the end of it.  For more information on what the apps are doing wrong, read the Tech Republic Article below.

So what should you be doing?

Believe it or not, bank web sites are probably more secure than their apps.  For one thing, the web sites run on servers owned or controlled by the banks.  Your phone is, to be polite, a cesspool when it comes to security.  All those apps, many of which were there when you bought the phone and a lot of which you can’t remove, even if you want to.

General phone cyber hygiene helps.  Don’t install any apps that you don’t need to.  Remove apps that you don’t use any more, if you can.  Patch your phone’s operating system and apps whenever patches are available.

To the degree that you can avoid installing banking apps (I know they want you to use them), that is more secure.

Unfortunately, the report does not list which apps it tested and which apps came up on the wrong side of the security story.  Needless to say, the banks are not going to tell either.  My guess is that the researchers are worried about being sued.  Which does not help us.

Do look for third parties that review apps for security.  Since most people don’t ask whether their money is secure, I haven’t found many, but keep looking.

If I find more information, I will post it.

Source: Tech Republic.

Security News Bites for the Week Ending March 22, 2019

If privacy matters in your life, it should matter to the phone your life is on

Apple is launching a major ad campaign to run during March Madness with the tagline “If privacy matters in your life, it should matter to the phone your life is on.  Privacy.  That’s iPhone.”

Since Apple’s business model is based on selling phones and apps, they do not need to sell your data.  I saw a stat yesterday that one app (kimoji) claimed to be downloaded 9,000 times a second at $1.99 after it was launched.  One app out of millions.

The ad, available in the link at the end of the post, attempts to differentiate Apple from the rest of industry that makes money by selling your data.  Source: The Hill.

Another Cyber-Extortion Scam

Ignoring for the moment that the CIA is not allowed to get involved with domestic law enforcement, this is an interesting email that I received today.

Apparently the CIA is worried about online kiddie porn and my email address and information were located by a low level person at the CIA.  See the first screen shot below (click to expand the images).

Notice (first red circle) that the CIA now has a .GA email address, so apparently they must have moved their operations to the country of Gabon in south west Africa.

Next comes the scam – see second screen shot below

First, she knows that I am wealthy (I wish!).  This nice person is warning me that arrests will commence on April 8th and if I merely send her $10,000 in Bitcoin, she will remove my name from the list.

Tracing the email, it bounces around Europe (UK, France and Germany) before landing in Poland.

Suffice it to say, this is NOT legit and you should not send her $10,000 or any other amount.

Hacker Gnosticplayers Released Round 4 of Hacked Accounts

The Pakistani hacker who goes by the handle Gnosticplayers, who already released details on 890 million hacked accounts and who previously said he was done, released yet another round of hacked accounts for sale.  This round contains 27 million hacked accounts originating from some obscure (to me) web sites: Youthmanual, GameSalad, Bukalapak, Lifebear, EstanteVirtual and Coubic.  This time the details can be yours for only $5,000 in Bitcoin, which seems like a bargain for 27 million accounts – that translates to way less than a penny per account.

Ponder this – one hacker out of the total universe of hackers is selling close to a billion compromised online accounts.  HOW MANY compromised accounts are out there?  Source: The Hacker News.

Airline Seatbacks Have … Cameras?!

Two U.S. Senators have written a letter to all of the domestic airlines asking them about seatback cameras in airplane seats.

I SUSPECT that it is based on some crazy plan to allow people to video chat with each other while travelling – likely at some exorbitant cost.  If you allow people to use their phones, they can Facetime for free, but if you build it into the seat, you can charge them for the same service.

The concern, of course, is whether big brother is watching you while you sit there.  Maybe trying to figure out if you are the next shoe bomber.

Now you need to travel with yet one more thing – a piece of duct tape to put over the camera.

The airlines say that the cameras are dormant.  For now at least.  Source: CNN.

Congress May Actually Pass (Watered Down) IoT Security Bill

Cybersecurity bills seem to have a challenge in getting passed in Washington, in part because the Republicans are wary of anything that smells like regulation back home, partly because most Congress people are clueless when it comes to cyber and partly because they are scared to death of anything that might impact the tech industry money machine and what it has done for the economy.

Still, at least some Congresspeople understand the risk that IoT represents and after watering down the current IoT bill under consideration, it may actually get passed.  So, a start, but not the end.

The original bill said that any IoT device the government buys should adhere to acceptable security standards and specified several examples.  The new bill kicks the can down the road and says that NIST should create some standards in a year or two and then, probably, give industry several more years to implement it.  That way we will have hundreds of millions of non-secure IoT devices out in the field first for hackers to use to attack us.  Source:  Dark Reading.

One in Three Companies Suffered Data Breaches Due To Mobile Malware

As people use their mobile devices as what one friend used to call a “pocket super computer” as opposed to something where you dial 7 digits (remember that) and talk to someone, hackers have figured out that the new attack vector is your phone.

In part, this is due to the fact that finally, after 20 years of trying, Apple and Microsoft have significantly improved the security of their operating systems, making the hacker’s job more difficult (let’s ignore for the moment that people are not very good about applying patches).

When it comes to phones and security, we are at roughly the same point we were with Windows computers in say 1995 or so.  That is not very comforting.

For example,  when was the last time you patched your phone?

In fact, DO YOU KNOW FOR SURE if there are patches available for your phone on a regular – monthly – basis?

For most iPhone users, Apple does provide patches for the operating system BUT NOT FOR THE APPLICATIONS THAT RUN ON IT. And not for old iPhones.

For Android users, it is a much more complicated situation that splits the job between Google, the phone manufacturer (such as LG or Samsung or 100 other vendors) and the carrier.  With one exception – Google provides patches directly to phones for Google branded phones.

According to a new Verizon report, one in three organizations ADMITTED that  they suffered a compromise due to a mobile device.  That is up five percent since last year.  And probably highly underreported.

Mobile devices are susceptible to many of the same attacks as Windows and Macs as well as a whole host of special mobile attacks.  And, no, Linux users are not in the clear.  Remember that the Android kernel is basically Linux and the iPhone OS is basically BSD Unix on top of a Mach kernel, so all phones are Linux cousins and other relatives.

And here is an interesting tidbit – OVER 80 percent of organizations BELIEVE their protections are either effective or very effective, even though less than 12 percent had implemented all basic protections: Encrypting data on public networks, changing default passwords, REGULARLY testing security systems and restricting access based on a need to know.

80% of the companies said they could spot a problem quickly.  The only problem is that 63% of the problems were found by customers.

Okay, so now that we have a kind of “state of the phone security union”, what should you do?

First, you should create a policy regarding mobile device security.

Part of that policy needs to include what mobile devices are allowed to access corporate data (for example, only phones which are running a currently supported operating system) and what happens if the mobile device does not meet those requirements.

Then you need to decide how you are going to enforce the rules – software generically called mobile device management (MDM) is the most efficient way to do that and there are many vendors of MDM software.

Next you need to set up the people and the processes to make this work from now forward.  (If you need help with this, contact us).
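The three steps above (policy, enforcement, process) as one concrete compliance rule, added here as an example and not from the post, Verizon or CSO: an MDM inventory export is evaluated against a minimum supported OS version per platform and a maximum age for the last security patch, which is the “currently supported operating system” requirement the post gives as its example. The version thresholds, the 90-day patch window, the device records and the evaluation date are all assumptions constructed for the example. Real MDM products expose this as built-in compliance policy; the code shows the rule itself, including the version-comparison pitfall and fail-closed handling of records the policy does not recognise.

```python
from datetime import date

# Assumed policy parameters for the example; not from the post or any vendor's
# support schedule. Minimum OS version per platform, as numeric tuples.
MINIMUM_SUPPORTED = {"iOS": (12, 4), "Android": (9, 0)}
MAX_PATCH_AGE_DAYS = 90      # assumed: a device must have taken a security update this quarter
AS_OF = date(2019, 3, 22)    # constructed evaluation date (the week of the post)


def parse_version(text):
    """'12.4.1' -> (12, 4, 1). Components are compared as numbers, so '12.10'
    ranks above '12.4'; a plain string comparison gets that backwards."""
    parts = []
    for piece in str(text).strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            raise ValueError(f"unparseable version {text!r}")
        parts.append(int(digits))
    return tuple(parts)


def at_least(version, minimum):
    """True if version >= minimum, padding the shorter tuple with zeros so '9' == '9.0'."""
    width = max(len(version), len(minimum))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(version) >= pad(minimum)


def evaluate_device(record, today):
    """Apply the policy to one MDM inventory record; return (allowed, reason).
    Anything the policy cannot evaluate is denied rather than waved through."""
    platform = record.get("os")
    if platform not in MINIMUM_SUPPORTED:
        return False, f"platform {platform!r} not covered by policy"
    try:
        version = parse_version(record.get("os_version", ""))
    except ValueError as exc:
        return False, str(exc)
    minimum = MINIMUM_SUPPORTED[platform]
    if not at_least(version, minimum):
        shown = ".".join(map(str, minimum))
        return False, f"{platform} {record['os_version']} is below minimum {shown}"
    patched = record.get("last_security_patch")
    if patched is None or (today - date.fromisoformat(patched)).days > MAX_PATCH_AGE_DAYS:
        return False, f"no security patch within {MAX_PATCH_AGE_DAYS} days"
    return True, "compliant"


def evaluate_fleet(records, today):
    """Return {device_id: (allowed, reason)} for a whole inventory export."""
    return {r["id"]: evaluate_device(r, today) for r in records}


# Constructed inventory export (not real devices; versions chosen to exercise each rule).
SAMPLE_FLEET = [
    {"id": "ip-1", "os": "iOS", "os_version": "12.10", "last_security_patch": "2019-03-15"},
    {"id": "ip-2", "os": "iOS", "os_version": "10.3.3", "last_security_patch": "2017-07-19"},
    {"id": "ip-3", "os": "iOS", "os_version": "12.4.1", "last_security_patch": "2018-11-01"},
    {"id": "and-1", "os": "Android", "os_version": "9", "last_security_patch": "2019-03-05"},
    {"id": "and-2", "os": "Android", "os_version": "8.1.0", "last_security_patch": "2019-03-05"},
    {"id": "tab-1", "os": "Windows Mobile", "os_version": "10.0", "last_security_patch": "2019-01-01"},
]


def evaluate_sample():
    """The constructed fleet evaluated as of the constructed date."""
    return evaluate_fleet(SAMPLE_FLEET, AS_OF)


if __name__ == "__main__":
    for device_id, (allowed, reason) in evaluate_sample().items():
        print(f"{device_id:6s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

Two of the denials are the ones that bite in practice: a device on a supported OS version that simply has not taken a patch in months, and a platform the policy never considered, which must be denied until someone writes a rule for it rather than slipping through as “no rule, no problem”.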

Not simple, not easy, but absolutely necessary.  Sorry.

Some information for this post came from CSO.