Category Archives: Apple

Security News Bites for the Week Ending September 14, 2018

How, Exactly, Would the Government Keep a Crypto Backdoor Secret?

The Five Eyes (US, Canada, Australia, New Zealand and Great Britain) countries issued a statement last week saying that if software makers did not voluntarily give them a back door into encrypted apps they may pursue forcing them to do that by law.  Australia and the UK already have bills or laws in place trying to mandate that (Source: Silicon Republic).

First, parental control/spyware app Family Orbit stored their private access key in a way that hackers were able to access 281 gigabytes of spied on photos in over 3,000 Amazon storage buckets.  This means that tens of millions of photos taken by kids and of kids are now on the loose.  All because parents wanted to keep tabs on what their kids were doing.  Now the hackers can keep tabs on their kids too (Source: Hackread).   Family Orbit shut down all services until they can fix the problem, but that won’t help recover the 281 gigabytes of data already stolen.

And, for the second time in three years, spyware maker mSpy leaked the data from a million customers including passwords, call logs, text messages, contact, notes and location data, among other information (Source: Brian Krebs).

So here, in one week, two companies who’s very existence is threatened by these leaks were hacked.  Somehow, hundreds of backdoors on major apps will be kept secret by the government.

Sure.  I believe that.  Not.

This is also a word of advice to parents who either are using spyware on their kids or are thinking about it.  The odds of that data getting hacked is higher than you might like.  Would it be a problem for you or your kids if all of their pictures, texts, contacts and passwords were made public?  Consider that before you give all of that data to ANY third party.

Popular Mac App Store App Has Been Sending User Data to China for Years

In a situation that you very rarely hear about, researchers have discovered that the 4th most popular paid app in the Mac app store, Adware Doctor, has been sending user browsing history to China for years.  Apparently, when you click on CLEAN, they take a very liberal view of the request, zip up your browsing history and send it to China. They are able to do this based on the permissions that the user gives it, reasonable permissions given the app.  In other words, they abused the trust that users gave them.

This was reported to Apple a month ago and Apple did nothing about it, but within hours of the news hitting the media, Apple yanked this very popular app from the store.  That, of course, does not protect anyone who has already downloaded it, but at least it will stop new people from becoming victims.

The power of the media!  Source: (Motherboard).

ISPs Try Hail Mary in Bid to Derail California’s Net Neutrality Bill

The California legislature is on a roll.  First the California Consumer Privacy Act (AB 375) – now law, then  the Security of Connected Devices Act (SB 327)- on the Governor’s desk and now The Internet Neutrality Act (SB 822) which would implement many of the requirements of the now repealed FCC Net Neutrality policy.  ISPs such as Frontier, have asked employees to contact the governor and tell him to veto the bill.  This was after AT&T bribed, err, technically “lobbied” an Assembly committee to gut the bill.  The industry then targeted robocalls at seniors saying the bill would cause their cell phone bill to go up by $30 a month and for their data to slow down (neither is true).  It is still on Governor Brown’s desk.  (Source: Motherboard).

Facebook is in the middle of an Apple-esque Fight Over Encryption with the Feds

While this case is under seal, a few details have surfaced.  In this case the feds are asking Facebook to comply with the wiretap act, a law passed in the 1960s, long before the Internet, which requires a phone company to tap a phone conversation after receiving a warrant.

In this case is Facebook Messenger even a phone call as defined in the Act?  Facebook, apparently, says that they do not have the means to do it;  that they do not have the keys.   Can the government force Facebook to rewrite it’s code to provide the keys to the government on request?  Even if they do, the conversations themselves do not go through Facebook’s network, so they could not capture the actual traffic, even if they wanted to.  The NSA could do that, but that is between the NSA and the FBI, not Facebook.

Can they force Facebook to completely rearchitect their system, at Facebook’s cost, to comply?  Even if they do, how long would that take?  What would be the operational impact to Facebook?

Since this is all under seal, we don’t really know and may, possibly, never know.

At this point it is not at all clear what will happen.  It is possible that the court will hold Facebook in contempt, at which point, I assume, Facebook will appeal, possibly all the way up to the Supreme Court.

Think San Bernadino all over again.  Source:  The Verge.

Facebooktwitterredditlinkedinmailby feather

25 Android Phones Vulnerable

No big surprise here really, but still disappointing.

Researchers at Def Con last week reported that they had found 47 vulnerabilities in the firmware and default apps of 25 Android phones.

When they talk firmware, I don’t think they really mean firmware.  Rather, they mean the operating system like Android Oreo or Nougat, although it is possible that they mean the software that lives below the operating system and controls things like the radio hardware or camera hardware.  That stuff is buggy too.

The good news is that the bugs are not serious.  All they allow a hacker to do is:

  • Send or receive text messages
  • Take screenshots of whatever you are looking at
  • Record videos of your screen
  • Steal your contacts
  • Install malware and crimeware without your approval
  • Wipe your data

Other than that, not really a big deal.

Just kidding.  Holy cow!  That pretty much means they can do whatever they want.

Part of the problem are those apps that come preinstalled on your phone because the manufacturer or carrier gets paid to put them there.  Affectionately, that software is called crapware.  Those are the apps that they will not let you remove.  But some of them are vulnerable to attack.

Android phone vendors affected include:

  • ZTE
  • Sony
  • Nokia
  • LG
  • Asus
  • and a host of smaller players

This does not mean all models were tested or all models were affected.

IT ALSO DOESN’T MEAN THAT BECAUSE YOUR VENDOR ISN’T LISTED IT IS SAFE.  THE RESEARCHERS ONLY HAD A LIMITED AMOUNT OF TIME AND MONEY.

Part of the problem is that many of the companies that manufacture phones are used to selling washing machines and headphones – stuff that you do not have to patch.  As a result, they are not really culturally ready to deal with a product that releases hundreds of patches a year.

But they need to.

So what should you do?

Some people say “but my phone is not broke, why do I need to get a new one”? That is because, even though it works, after a while, it doesn’t get any patches.  That doesn’t mean that researchers won’t find new security holes for the Chinese to exploit to steal your data and try to get you to pay them to give it back.  In fact, old phones are the most likely to get attacked because they are the least likely to get patched.

BEFORE you buy any phone, look for the manufacturer’s guarantee of patches.  For example, Google is about to release the Pixel 3, but they say they will be issuing patches for the Pixel 2 Until October 2020 – at least.  If the manufacturer is cagey about patches and support, choose a different one.  Apple calls their unsupported products “Vintage”, but that just is just a cute term for “You are on your own, buddy”.  iPhone 4 and older are vintage.  Reports indicate that due to less than exciting sales, the iPhone X might see the end of its life as early as this year.  That doesn’t mean that they won’t patch it however.  They just won’t sell it.  The iPhone 5s is the oldest phone that supports iOS 12.  Apple does a very nice job of supporting older phones.

See how often your chosen vendor releases software patches.  Google and Apple release patches monthly.  Some vendors don’t ever release patches and others release them quarterly or less frequently.  Long wait for a patch?  Find a different vendor.

It is not just the manufacturer you have to worry about, but also all of the apps that you have installed.  Less apps is better.  Maybe not as much fun, but definitely more secure.  Uninstall anything you are not using any more.  Really. 

I know this is a pain in the tush, but, sorry, you just have to deal with it.  iPhones and Google Pixel phones are definitely the best when it comes to timely patches.

Remember that all it takes to get infected is to receive a well crafted malicious email (you don’t have to click on anything), a malicious text or visit a malicious web site.  NO. CLICKING. REQUIRED!

Don’t say I didn’t warn you.

Information for this post came from Bleeping Computer.

Facebooktwitterredditlinkedinmailby feather

HIPAA Privacy Rules and High Tech Services

Health IT Security wrote an article beating up Amazon on it’s HIPAA compliance process.  The article was not favorable and also interesting.

The issue that they are talking about was a medic-alert style bracelet that someone bought on Amazon.  After this person bought it, the vendor put a picture of it, with the lady’s name, birth date and medical condition on it in an ad on Amazon.  The customer found out about it when her physician called her saying he had seen it.

When the buyer contacted Amazon, she was told they would investigate.  She later received an email from Amazon saying that they would not release the outcome of the investigation.

So the lady reached out to her local NBC TV affiliate.  It is amazing what a little bad PR can do.  The TV station contacted the Amazon vendor and they apologized and said they would fix the problem.  The TV station confirmed that the offending material was removed.

But this post is not about health jewelry.

It is to clear up a possible misunderstanding on the part of the average consumer.

While Amazon may yet get into trouble for not understanding and complying with HIPAA, this is not a HIPAA issue.

For consumers that use apps and other tech products there is an important lesson here.

Amazon does *NOT* have a HIPAA problem.

In fact, as of today, Amazon’s web site does not need to be HIPAA compliant because they are neither a covered entity nor a business associate under the terms of HIPAA.  Covered entities include organizations like doctors, hospitals and insurance companies.  Business associates are companies that handle HIPAA type information on behalf of one or more covered entity.

That means that they have no HIPAA requirement to protect your personal information.

They *MAY* have a requirement to protect it under state law in your state, but they also may not.  This depends on the particular law in your state.  In this case they may be in more trouble for publishing her birth date (which may be covered under her state’s privacy law) than her medical condition.

It does mean that they have no requirement to protect your healthcare information under Federal law because other than HIPAA, which does not apply here, there is no Federal law requiring anyone to protect your healthcare information that I am aware of.

This also includes Apple, Google and any app that is available on either the Apple or Android stores.  Apple and Google are likely covered entities because of the way their employee health insurance plans work, but that is completely separate from iphones, android phones and apps.

So, if one of those apps collects information from a hospital for you, for example, and makes it available to you, they can certainly use the diagnosis, for example, that you have diabetes to show you ads for diabetes medicine or supplies.

It is also possible (although I think this may be pretty dicey) that they could sell your healthcare data.  Depending on the state that you live in, healthcare data may not be protected AT ALL under the state’s privacy laws.  This is likely because legislators are usually lawyers and lawyers rarely understand tech and often don’t understand privacy and they think that your healthcare data is protected under HIPAA.  it is, but only under certain circumstances.  The net effect is that it MAY BE perfectly legal to sell your health care information.

If anyone thinks differently, please post a reply and I will publish it.

Information for this post came from Health IT Security.

 

Facebooktwitterredditlinkedinmailby feather

Security News Bites for Week Ending July 13, 2018

Timehop Hack Compromises 21 Million Users

In a bit of good news/bad news, the social media time capsule site Timehop said that it was hacked around July 4th, but that they interrupted the hack in progress.  Still the hackers got usernames, passwords, email addresses, date of birth, gender, some phone numbers and other information for 21 million users.

More importantly, the security tokens that Timehop uses to access the social media sites like Twitter were also compromised.  Part of the good news is that since they detected this hack in progress, they were able to immediately disable those tokens, reducing the damage.

Still this does point out the risk of granting someone else proxy to your data – in this case, 21 million users were compromised because of a breach of a third party.  The data here was not particularly sensitive – unless your FB posts are sensitive, but that is purely accidental.

One bit of bad news in all of this (beyond all the bad news above for the people who’s data was stolen).  This attack in December 2017.  The hacker logged on in March and April 2018 also.  The hacker next logged in on June 22 and finally, stole the data on July 4, 2018.

Why is that important?  Because GDPR went into effect on May 25, 2018 and the data was stolen on July 4, 2018.  I hope they have deep pockets or a lot of insurance.  The Register article has a table with the number of GDPR impacted records, but I am having a hard time making sense of it.  For sure, it is in the millions.  (Source: CNet and The Register)

Apple Adds Security Feature to iOS11.4.1

Apple has added USB restricted mode to the current release of iOS.  Restricted mode locks down the lightning port of an iPhone or iPad after it has been locked for another so that it cannot be used for data access, only charging.  It defaults to enabled although you can manually turn the feature off.  This is designed to make it harder to hack an iPhone/iPad.

This will make it harder for law enforcement to hack into phones, but some of the hackers are saying that they have figured out a workaround.  The cat and mouse game continues.  (Source: The Verge)

Another Hospital Invokes Emergency Procedures Due to Ransomware

Cass Regional Medical Center in Harrisonville, MO.  put ambulances on diversion and invoked its incident response protocol earlier this week due to a ransomware attack.  They shut down their EHR system to make sure it did not become a casualty of the ransomware attack.  The day after the attack they said that they had begun decryption of the affected systems, which, while they are not saying, is likely a result of paying the ransom and getting the decryption key from the attacker.  The wording of the statement did not say that they were restoring the affected systems from their backups.  Other hospitals, which chose not to pay the ransom, took weeks to recover, so the reasonable assumption is that they paid off the hackers.  (Source: Cass Regional web site)

The Insider Threat is a Real Problem

We are seeing an increasing number of insider threat issues; some are accidental, some are intentional.

A hacker was found to be selling manuals for the Reaper MQ-9, a $17 million military drone for less than $200 on the dark web.  He got them by hacking an Air Force Airman’s home Internet router which was not patched for a known vulnerability.  It is likely that the Airman was not involved, but it is not clear if he was authorized to have the manuals on his personal home computer (Source: Defense One).

In another case, an employee of a Navy contractor stole thousands of documents from his soon to be former employer before going to work for a competitor.  He was caught and convicted (Source: The Hartford Courant).

These are just two examples of many.  Most do not get caught because the company that was hacked does not want the bad publicity.  Still it is a multi-billion dollar a year problem.

Facebooktwitterredditlinkedinmailby feather

Soldiers Get Lonely Too

If you can’t beat them on the battlefield, beat them in cyberspace.  Israel has accused Hamas of creating a fake dating app and targeting both male and female Israeli soldiers to download the app.

Once installed, the app has the ability to see the soldier’s location, contact list and to use the phone as a listening device and camera.

The app targeted Android phone users, likely because that was easier to do.  This is apparently the second generation of a surveillance app and is more sophisticated than the earlier app.  The user granted the app the permissions to do all of these things, which sort of makes sense for a dating app.

In an effort at spin control, the Israeli Defense Force said that the apps had failed to do any security damage at all, saying that some soldiers had refused to download the app and reported it to superiors.  They did admit that some soldiers had downloaded and installed the app.

In another situation, researchers at Northeastern University ran a small experiment to try and detect if their phones were eavesdropping on them.

They took what amounts to a tiny sample of apps – 17,000 out of millions – to see if the phone’s microphone was activated.  Out of this small sample, they didn’t find any.

What they did find, however, may be more disturbing.

They discovered that many of these apps were sending screenshots of the phone to third party domains and also video recordings of the user’s interaction with the apps.  There is only a very tiny step from there to listening to you in general.

The fact that these apps were doing this was not obvious to a normal user.

Given this, what do you do?

First, and you are not going to like this, read the user license agreement.  While only some of the apps that secretly recorded screenshots and video disclosed the fact in their license agreement, some of them did disclose it.

Second, if you are no longer using an app, uninstall it.  If the app is not there, it is hard to eavesdrop.

Finally, be cautious about installing apps.  Some people never met an app that they couldn’t use.  Being selective is probably just smart.

This, apparently, is both an Android and iPhone problem as some of the frameworks that mobile apps are built on top of intentionally offer this screen and video capture.  At least one vendor, Appsee, said they their developers are violating their license agreement by capturing user data without permission.  Once they were outed by the media, they disabled the video capture for a single app and feel a lot better about themselves.  Google also says this violates the Play store agreement.  Gee, I am sure that any hacker would be scared about that.

Other software platforms may not even care.

Until Google and Apple give you the ability to absolutely, positively know if your data is being captured, you have something else to be concerned about.

 

Information for this post came from The Guardian and Gizmodo.

Facebooktwitterredditlinkedinmailby feather

Do You Care If Someone Is Reading Your Email?

For some people, they don’t really care.  For other people, it is a complete invasion of privacy.

For both groups, it is happening every day.

Apps sometimes ask for permission to read your mail.  It could be to get rid of junk mail or clean your mailbox or many other reasons, but in all cases, you MUST give the app permission in order for it to read your mail.

What is sometimes not clear is that while YOU think that means that the app is reading your email, what the developer thinks is that HE/SHE can read your email.

When the app was installed eons ago, Google popped up a dialog box something like this:

You then clicked on the Allow box and the app started working its magic.

The Wall Street Journal reported earlier this week that, for example, employees of Edison Software read the mail of hundreds of users to build a new feature.   Return Path reportedly read the emails of thousands of users.

The developers say, its in the license agreement that I am sure that you read.  NOT!

Google says Not Our Fault!  You gave the app permission.

To see who you gave those permissions to and take them away, follow these steps from Motherboard:

To see which apps you’ve given email permissions to, you can use Google’s Security Checkup for Gmail. To remove these permissions, go to your Google account settings, select “sign-in and security,” navigate to “apps with account access,” click “manage apps,” and then click on your linked apps and hit “remove access.” (Go to the bottom of the post linked at the end of this blog for step-by-step screenshots illustrating how to do this.)

But this really begs a larger question.

Think about all the apps that you have installed on your iPhone or Android phone (or the two people on the planet that are still running Windows phones).

Did you even think about the permissions that the app asked for when you installed it.  Or if it asked for permissions when you ran it.

Absent doing that, there is no telling what your apps are doing.  Reading your texts, tracking your location or who knows what else.

Of course, if you don’t care, then its not a problem.  Otherwise, you should look at the permissions that you have given the various apps that are installed.  And when you install a new app, consider whether you REALLY want that app or its developers to be reading your mail or tracking your location.

 

Information for this post came from Motherboard.

Facebooktwitterredditlinkedinmailby feather