Category Archives: Apple

Security News for the Week Ending September 3, 2021

Apple Offers Fixes For Broken iPhone 12s

While not exactly a security issue, Apple is offering to fix defective iPhone 12s that were made between October 2020 and April 2021 and which have a defective receiver module component. That is mighty kind of them since every single one of them is still under warranty and if you can’t hear sound on your phone, it is of lesser usefulness. Still, we are talking about Apple. Owners can take them to an Apple store or authorized repair center. Apple says you might want to back up your data first in case something bad happens. Credit: Bleeping Computer

Teslas on Autopilot Crash into Cop Cars

I don’t think it is intentional, but on more than one occasion, Teslas on autopilot have crashed into police cars. At night. On autopilot. When they have their lights flashing. Those high intensity lights have occasionally blinded me at night so it doesn’t seem like much of a stretch that it could also bother Tesla’s cameras. Right now they are investigating about a dozen of these crashes. Credit: Vice

Federal Departments Ordered to Improve System Logging to Respond to Incidents

As a result of the recent executive order on cybersecurity, the OMB has ordered federal agencies to begin outlining the steps they plan to take to improve their incident logging capabilities, including log retention and log management. You should assume this will flow down to you, even if you aren’t an agency and don’t sell to one. It is just good practice. Credit: Data Breach Today.

Teamsters Are Coming for Amazon’s Tax Breaks

This is not directly a security issue, but it does point out that there are many different forms of attacks and if one doesn’t work then the attackers might try a different one – as happens all the time with cyber attacks. I will let you read the details if you are interested, but the Teamsters have not been successful at winning union elections so they are changing tactics. When Amazon comes to a local government to ask for a tax break to add, according to the union, dangerous, depressed wage jobs, they launch a campaign asking the voters to explain why the city should give a tax break to one of the wealthiest companies in the country just so that they can create more dangerous, low paying jobs that will be automated out of existence as soon as Amazon can do it. Interesting tactic. Credit: Motherboard Vice

Industrial Control Systems Bugs Out of Control

In just the first six months of 2021 there were 637 bugs in products of 76 vendors affecting Industrial Control Systems. More than 70% of them are rated critical. Three quarters of the bugs do not require any privileges and two thirds can be exploited without any user involvement. Given all the attacks we have seen and the fact that ICS owners are very slow to deploy patches, expect hackers to start exploiting these and taking down factories, utilities and critical infrastructure. Credit: Security Week

How Many Images Are Required to Unlock Your iPhone?

Many people have moved to facial recognition to unlock their iPhone, mostly because it is easy.

Researchers wanted to know how secure that is.

For those people who use their face to authorize payments, the problem is, maybe, a bit more serious.

Researchers at Tel Aviv University harnessed deep fakes and that magic word, AI, to figure out what three of the leading facial recognition software packages are looking for.

Then they created a deep fake to look like that.

They created fewer than a dozen of these deep fake images – nine to be exact.

Then they tested these nine fake images against a publicly available database of faces called Labeled Faces in the Wild.

Those nine computer generated faces were considered a match for 40 to 60% of the faces in that database, depending on which software package was being tested.

NINE matched over 13,000.

While this was a research project and some of the systems could be programmed to reject the flat images, all that means is that the researchers would need to create 3D versions of those nine. Not a high bar to meet.

Researchers say that with more test data they could do even better.

Does this mean that facial device verification is useless?

No, it doesn’t. What it means is that it is a relatively low security authentication mechanism.

Each person needs to decide what an appropriate level of risk/security is for them.

Likely, for most consumers, facial recognition is probably sufficient.

Remember that facial recognition is different than iris or retina scans. They use completely different technologies, are much more expensive and complex and are highly secure.

We have seen similar problems with consumer-grade fingerprint scans.

All of these vendors have to deal with how long a consumer is willing to wait for his or her device to unlock and how many false “failures” that consumer is willing to tolerate.

Credit: Cybernews

I Remember When Apple Was A Privacy-Focused Company

Apple is about to announce a new feature.

They are going to start scanning everyone’s iPhone for banned content. Seriously.

It uses neural networks and machine learning, so I am sure it will be cool.

According to respected cryptography professor Matthew Green, it is going to scan everyone’s devices for child porn (now referred to as Child Sexual Abuse Material or CSAM).

Historically, the industry hashed known CSAM material and looked for exact matches. But if someone changes a single pixel, it no longer matches, hence the use of machine learning.
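
The brittleness of exact-match hashing described above, as an added example (not from the original post and not Apple's algorithm): a simple average hash stands in here for the learned perceptual hash, and the 32x32 gradient image is constructed sample data.

```python
import hashlib

def make_image(w=32, h=32):
    """Constructed sample data: a smooth grayscale gradient (values 0..186)."""
    return [[(x + 2 * y) * 2 for x in range(w)] for y in range(h)]

def sha256_of(img):
    """Exact-match fingerprint over the raw pixel bytes."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()

def average_hash(img, size=8):
    """64-bit perceptual hash: block-average down to size x size cells,
    then emit one bit per cell (1 if brighter than the mean cell)."""
    bh, bw = len(img) // size, len(img[0]) // size
    cells = []
    for by in range(size):
        for bx in range(size):
            block = [img[y][x]
                     for y in range(by * bh, (by + 1) * bh)
                     for x in range(bx * bw, (bx + 1) * bw)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for c in cells:
        bits = (bits << 1) | int(c > mean)
    return bits

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def compare(a, b):
    return {"sha256_equal": sha256_of(a) == sha256_of(b),
            "ahash_distance": hamming(average_hash(a), average_hash(b))}

original = make_image()
one_pixel = [row[:] for row in original]
one_pixel[7][5] += 1  # change a single pixel by one gray level
different = [[255 - p for p in row] for row in original]  # visibly different image

if __name__ == "__main__":
    print("one pixel changed:", compare(original, one_pixel))
    print("different image:  ", compare(original, different))
```

A matcher built on a perceptual hash treats anything within a small Hamming distance as the same image, which is what makes it tolerant of edits and also what makes false matches possible.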

Apple, apparently, already scans users’ iCloud backups since Apple refused to encrypt them. They did that at the request of police. Who want to be able to easily search your backups.

This is just the next step, right?

And CSAM is bad (fair, it is).

I am sure that Russia or China. Or the United States. Will never ask Apple to search a phone for ANYTHING else.

Pinky promise.

And guess who the guinea pigs are?

United States users. Probably because the U.S. has no national privacy law, no national privacy rights. So they don’t have to deal with breaking those pesky laws.

Welcome to 1984. Only a little bit late.

Pre-crime comes next year, no doubt.

I am glad I am an Android user.

Credit: The Register

Security News for the Week Ending June 18, 2021

Security Company Founder Charged with Hacking Georgia Hospital

An indictment unsealed this week in a Northern District of Georgia court accuses Vikas Singla, 45, of 18 separate counts of aiding and abetting a 2018 cyber attack against the Gwinnett Medical Center in Georgia. According to his LinkedIn profile, he is (or maybe now was) the COO of Atlanta-based Securolytics. It is not clear what he did, but the feds say that he aided and abetted the attack. Credit: SC Magazine

Energy Secretary Says Adversaries Have Ability to Shut down US Power Grid with Cyberattacks

Maybe this story is a no-big-deal in light of the Colonial Pipeline attack, but Energy Secretary Jennifer Granholm said that US adversaries already are capable of using cyber intrusions to shut down the US power grid. This is something that security professionals have been saying for a long time and in light of the almost half dozen attacks on water, oil and support infrastructure in the last couple of months, this is not a big surprise. Credit: Fox8

China Crackdown Continues

The FCC approved a plan this week to ban approvals for Chinese telecom equipment from companies deemed a threat to US national security. This includes, potentially, revoking the approval of equipment and apps already in use. This continues the pressure on China started in the last administration. Credit: Verdict

Apple Not Happy With Proposed Requirement for Competition

Europe is trying to force some competition in the Apple app store and, given the amount of money that represents to Apple, they are not happy. They say that it would harm consumers’ privacy. Informed consumers could make a choice under those circumstances. Would a consumer be willing to trade some personal data in exchange for getting an app for free or at a reduced cost? Apple thinks it is their job to answer that question for their customers; the EU disagrees. Actually, Apple thinks it is their job to be a monopoly. Stay tuned. Credit: The Register

Cybersecurity News for the Week Ending May 14, 2021

If You Thought the FTC Was Toothless Before, Just Wait

I always complained that the FTC’s penalties were way too meek. Now I understand why, but it has just gotten MUCH worse. 99.99% of the blame goes to Congress. Initially, the FTC could not bring lawsuits against businesses at all. All they could do was to hold an administrative hearing. Then they could issue an order telling a business to stop doing bad things. In 1973 Congress added Section 13(b) to the FTC Act, allowing the FTC to go to court and get an injunction – again no penalty for past bad deeds. In 1975 Congress added Section 19 which allows the FTC to seek monetary damages – after obtaining a cease and desist order and then only after future bad deeds which were obviously malicious, so still no relief. Last month the Supreme Court agreed that Congress, in its stupidity, did not grant the FTC any ability to make consumers whole for companies that break the law. Individually, a person can still sue the company – spending a lot of money and years. Maybe they can convince some State AG to take up their case – maybe. If you can convince the Justice Department to go after some company, that is possible too, but all of those take years, maybe a decade with appeals. Congress intentionally neutered the FTC. This is the result. Will Congress act now? Your guess is as good as mine. Credit: ADCG

Apple is Privacy Focused – Except if it Hurts their Rep

Epic Games and Apple are fighting in court and lawsuits tend to get dirty. In countering Apple’s argument that they didn’t want Epic to bypass their store because they want to protect their customers, Epic trotted out emails showing that Apple chose not to notify 128 million customers after a supply chain attack called XcodeGhost. This is the largest ever known attack against Apple products. They said notifying all those people would be hard and it would damage their reputation. They never did notify anyone. So much for being a privacy focused company.

The True Cost of Ransomware

Insurance giant CNA announced that it suffered a “sophisticated cyberattack” (what you and I call ransomware) in March. This week, two months later, they announced that all of the systems were back up and that yes, surprise, it was a ransomware attack. They said it took them two months to get back online because they had to restore each system, then scan and clean it and finally, harden it. This is the cost of ransomware. A lot of hard work and more importantly, months of time. If you do not have good backups, add to that the loss of data. And, as Colonial Pipeline learned this week, just because the hackers give you the decryption key, it doesn’t mean that the decryption process will be fast (they said that they were restoring from backups, even though they paid the $5 million in ransom) or that it will even work. Credit: Security Week

Global Chip Shortage Much Worse than Communicated

OUT OF STOCK! Expect to see more of that message.

In addition to phones, computers and laptops, expect to see those signs elsewhere such as appliances and kids’ toys. Already car makers are replacing cool tech like high tech entertainment consoles with radios. Probably with knobs and dials. Maybe that fancy auto-parking feature, well it is not available. Manufacturers are looking at which products are more popular or offer them higher margins and just not shipping some other models. Samsung is considering completely skipping the next generation of the super popular NOTE phones altogether. Expect the problem to continue into and through 2022. Credit: ZDNet

China has Collected Health Data of 80% of US Adults

China wants our data. Our health data is particularly useful because our population is very diverse. That makes us useful for them to test their software and systems on. Besides stealing that data, they are doing things like setting up Covid testing labs. What do you get with every sample? Our DNA. China wants to beat the US out of the biotech industry and stealing our data is helping them. Credit: The Hill

Apple’s New iPhone SW Brings Big Changes

If you were using your phone and visited a web site when a message popped up that said something like “we want to sell your data to anyone we want and you get nothing for that – do we have your permission to do that?” – what would your answer be?

Well, if you are an iPhone user, that day is possibly today or at least as soon as your phone upgrades to iOS 14.5.

Since Apple does not make most of their money from selling your data and Google, one of their biggest competitors, makes 80% of their money by selling your data, this change is a double win. Apple can tell their customers how wonderful they are while, at the same time, they get to poke a sharp stick in the eye of one of their biggest competitors, Google.

Developers are now required to ask users via a pop-up if they can “track your activity across other companies’ apps and websites”. If you opt out, you will not see any fewer ads but the ads will be less targeted to you since they can’t share your data to figure out what items you were looking at on Amazon or what stories you were reading on Twitter.

The phone remembers your choices, but you can change your mind at any time.

While some data is useful to the average consumer, it is likely that data is data that the site collects itself. If you are using, for example, a fitness tracker, the app needs to know where you have been and when, but it does not need to sell that data to Amazon so that they can hawk running shoes to you. In general, that does not improve your experience of the fitness tracker’s web site, regardless of what they say.

Facebook, for one, rolled out prototype screens basically begging users to let them sell their data. We don’t know what the final screens will look like yet.

I suspect that many users’ initial reaction is going to be “HELL NO!!”. This is really a radical change in the United States and on a huge scale given the tens of millions of users who will get to have a small voice, finally.

Until today, in the U.S. users never had the ability to OPT-IN to data sharing – only a hard to use, hard to find, opaque and in some cases, fake, OPT-OUT capability. What a difference a day makes. While I have never been an Apple fan-boy, in this case, GO APPLE!!

It is fair that some businesses, likely mostly large ones, will have some negative impact. The small ones likely either don’t do targeted advertising or don’t make a lot of their sales as a result of that targeting. I don’t know about you, but I visit hundreds of web pages a day and if I were to click on one ad a week it would likely be by mistake.

Facebook says that by saying yes they won’t collect any more data than they already do now, it will just mean that they can show you different ads to ignore.

Companies will adapt. This is not the end of advertising. But it is the beginning of some well needed transparency.

Credit: CNN