Category Archives: iOS

Security News Bites for the Week Ending July 24, 2020

Cloudflare DNS Goes Down Taking A Big Chunk of the Internet Down

Good news and bad news. For companies like Shopify, League of Legends and Politico, among many others, Friday afternoon gave you a headache. You outsourced your DNS to Cloudflare and they had a burp. The good news is that because they are Cloudflare they were able to diagnose it and mitigate the problem in 25 minutes. While no one wants to be down, could you fix your internal DNS server meltdown in 25 minutes? Credit: Techcrunch

Great Article on How Norsk Hydro Dealt with a Ransomware Attack

Bloomberg has a great article on how Norsk dealt with their ransomware attack. Couple of thoughts. They spent $60 million to recover. Their insurance has paid them $3.6 million. You do the arithmetic. And, they weren’t dealing with ransomware 2.0 which really changes things. Check out the article on Bloomberg.

Grayshift Has a New Form of Spyware

Grayshift, the company that breaks into cell phones for cops and “other entities”, has come up with a new tool. Take a locked iPhone and put it on the Grayshift box. They install malware onto your locked iPhone. Then they give it back to the suspect under the guise of, say, calling their lawyer. The suspect unlocks the phone and the malware records the unlock code. Then the cops take the phone back and can unlock the phone without you. Likely Apple will figure out how they are doing this, but for now, it works. Credit: NBC News

First American (Title Company) Makes History

New York’s Department of Financial Services released a highly detailed set of security standards a couple of years ago for businesses that they regulate called DFS 500. This set of security standards dictates what controls and processes banks, mortgage companies, insurance companies and others must implement to protect the data that they store. First American is the first company that DFS has sued for messing up. There were 885 million records exposed and the fine can be $1,000 per record. You do the math and start the negotiations. Credit: PYMNTS.Com

Security News for the Week Ending May 29, 2020

Hackers Have Access to iOS 14 Months Before You Will

Apple gives developers early prototypes of their new software so that Apple doesn’t have a disaster on its hands when the new software is released and user’s applications no longer work. Unfortunately, some developers sell those phones – or at least access to them – so that they can get unlocked copies of the OS to hack and reverse engineer. This is why hacks appear so quickly after the new versions are finally released. Credit: Vice

Reports: eBay is Scanning User’s Computers for Open Ports

Bleeping Computer tested reports that users who visit eBay’s web site have their Windows computers scanned for open ports. It is possible that they are looking for computers that are compromised and used to commit fraud. However, accessing a user’s computer like this likely violates the Justice Department’s interpretation of the Computer Fraud and Abuse Act, which is a felony, specifically because they did not ask for permission. That “interpretation” is now being reviewed by the Supreme Court. Expect lawsuits. Credit: Bleeping Computer

UK Says They Will Keep Contact Tracing Info for 20 Years

No big surprise here – I expected this. This is the downside of the “centralized” model for contact tracing apps.

According to the privacy notice attached to the UK’s new contact tracing app, data collected by the app will be stored for up to 20 years.

And, you have no right to have it deleted. Credit: Computing UK

Abandoned Apps May Pose a Security Risk to Mobile Devices

If you are like most people, you have a number of apps on your phone or tablet.

Question for you – whether you use every single one of those apps frequently or not – is how many of those apps are still supported by the developer? That includes the so-called “packages” that the app developer used to write that app.

The unsupported app – with bugs that have not be discovered or patched – can provide an avenue for exploit by hackers. For as long as those apps remain on your phone.

So while you are not using that app, hackers are trying to figure out how to exploit it. The risk is higher than you might think. Credit: Dark Reading

Security News for the Week Ending May 22, 2020

AG Says They Unlocked Shooter’s iPhone Without Needing Apple to Hack Their Security

For a couple of decades the FBI and Justice Department has been saying that software vendors need to insert backdoors into their security software to make it easier for the government to hack it if they want to.

One high profile case was the Pensacola Naval Air Station shooter, who was killed by police in the attack (making it difficult to prosecute him). Therefore, the FBI didn’t need anything off his phone to prosecute him, BUT they did want info in order to get useful intelligence about who he was working for/with and what other attacks might be planned.

In spite of the AG’s relentless claims that they need companies like Apple to insert backdoors into their systems – which will inevitably get into the hands of hackers and ruthless governments – Barr announced this week that they broke into the phones without Apple’s help. Barr said that hacking the phones was due to the great work of the FBI. Much more likely, they just placed the phone in a Cellebrite box (or competitor) and wait.

What probably galls Barr is that if he doesn’t have an unlimited license (which I am sure he does), he would have had to pay Cellebrite $1,500 for each phone he wanted to unlock.

This announcement definitely weakens the argument that software vendors need to weaken security for everyone so that the police can hack phones when it is important. Credit: The Register

Rogue ADT Tech Spies on Customer CCTV of Teen Girl

ADT has revealed that one of their techs used his permissions to access the accounts of hundreds of ADT customers and watch them via their security cameras. Last month an ADT customer in Dallas spotted an unexpected email address listed as an admin user on their account. The employee has used that email to access the home’s cameras over 100 times.

Apparently, not only could he spy on naked customers, but he could also unlock their homes if they had smart locks. One of the naked customers in question sued ADT last week.

People need to think about where they place security cameras and whether smart locks are really smart to use. Credit: The Register

Details Leaking on WHY for Prez’s EO on Securing the Grid

Earlier this month, the president issued an EO that sorta, kinda stopped the power grid from buying things that could allow adversaries to compromise the grid. I said sorta, kinda because the EO (read the text) doesn’t actually identify anything that people can’t buy. It does, however, form a committee to figure out what that might be.

Here’s what’s new. A U.S. power utility discovered a “hardware backdoor” on a Chinese transformer that was delivered to them and that they found things “that should not be there”. They think there are many of these already installed in America.

If true and I have no reason to doubt it, but almost no details to confirm it, that could be a really serious problem. A bigger problem is that the U.S. doesn’t manufacture any big transformers like the kind the utilities use.

So, if the feds ban Chinese transformers, I can describe a scenario where folks working in cooperation with the Chinese destroy a sufficient number of existing transformers with utilities not allowed to buy replacements and potentially leaving millions in brown-out or black-out conditions for months. Homeland Security is believed to have been secretly trying to figure out a solution for several years. Credit: CSO Online

Hackers Jailbreak New Apple iOS One Day After Release

Apple announced a new version of the iPhone software, 13.5, this week and the next day hackers claimed they had a hack to jailbreak the new version – every device, even the iPad Pro. That can’t possibly make Apple happy, but there are some in the hacking community that are very happy. Credit: Mac Rumors

Chinese Hardware Powers US Voting Machines

Third party risk company Interos took apart one very popular, widely used, touch screen voting machine and found that 20% of the machines components came from a company headquartered in Russia or China. 59% of the parts came from companies with locations in Russia and China.

Interos Visualization of Voting Machine Suppliers by Country. Image courtesy of Interos.

The red dots represent components from companies based in China. Given the the U.S. manufactures very little any more, this is not much of a surprise.

Paper based vote by mail sounds better by the day. Credit: Security Ledger

Security News for the Week Ending September 13, 2019

Facebook/Cambridge Analytica Suit Moves Forward

Facebook tried to convince a judge that when users share information privately on Facebook they have no expectation of privacy.  The judge didn’t buy it and the suit against Facebook moves forward.  Source: Law.com  (registration required)

Equifax Quietly Added More Hoops for you to get your $0.21

Yes, if everyone who was compromised in the Equifax breach asks for the $125, the total pot, which is only $31 million, will be divided up and everyone will get 21 cents.  Not sure how the courts will handle that when the cost of issuing 150 million checks for 21 cents is tens of millions.  Often times the courts say donate the money to charity in which case, you get nothing.

The alternative is to take their credit monitoring service, which is really worthless if you were hit by one the many other breaches and already have credit monitoring services.

So what are they doing?  Playing a shell game – since the FTC is really a bunch of Bozos.  Equifax is adding new requirements after the fact and likely requirements that you will miss.

End result, it is likely that this so called $575 million fine is purely a lie.  Publicity is not Equifax’s friend, but  it will require Congress to change the law if we want a better outcome. Source: The Register.

End of Life for Some iPhones Comes Next Week

On September 19th  Apple will release the next version of it’s phone operating system, iOS 13.  At that moment three popular iPhones will instantly become antiques.

On that date, the iPhone 5s, iPhone 6 and iPhone 6s Plus will no longer be supported.  Users will not be able to run the then current version of iOS and will no  longer get security patches.

This doesn’t mean that hackers will stop looking for bugs;  on the contrary, they will look harder because they know that any bugs they find will work for a very long time.

As an iPhone user, you have to decide whether it is time to get a new phone or run the risk of getting hacked and having your identity stolen.

What Upcoming End of Life for One Operating Systems Means to Election Security

While we are on the subject of operating system end of life, lets talk about another one that is going to happen in about four months and that is Windows 7.

After the January 2020 patch release there will be no more security bug fixes for Windows 7.

The good news is that, according to statcounter, the percentage of machines running Windows 7 is down to about 30%.

That means that after January, one third of the computers running Windows will no longer get security fixes.

Where are those computers?  Well, they are all over the world but the two most common places?

  1. Countries that pirate software like China, Russia and North Korea
  2. Most election computers, both those inside the voting machines and those managing those machines.

That means that Russia will have almost a year of no patches to voting systems to try and find bugs which will compromise them.

Microsoft WILL provide extended support to businesses and governments for a “nomimal” fee – actually a not so nominal fee.  ($50 per machine for the first year and $100 per machine for the next year with carrots for certain users – see here), but will cash strapped cities cough up the money?  If it is my city, I would ask what their plan is.  Source: Government Computer News

Security News for the Week Ending September 6, 2019

Cisco: Critical Bug Allows Remote Takeover of Routers

Cisco rated this bug 10 out of 10.  For users of Cisco 4000 series ISRs, ASR 1000 series aggregation routers, 1000v cloud routers and integrated services virtual routers, an unauthenticated user can gain full control just by sending a malicious HTTP request.  So yet another reminder that patching your network gear is critical.  For Cisco, that means having to purchase their maintenance agreement every year.  Source: Threatpost.

USBAnywhere – Especially Places You Don’t Want

Eclypsium announced a vulnerability in the Baseband Management Controller (BMC) in Supermicro motherboards that allow any attacker anywhere, without authorization, to access the BMC chipset and mount a virtual USB device, wreaking all kinds of havoc as you might imagine.  Like stealing your data, installing malware or even disabling the server entirely.  The researchers found 14,000 servers publicly exposed, which is a small number, but as soon as a hacker compromises a single user’s computer anywhere in the enterprise, public equals private – no difference.  Part of the problem is that almost no one knows who’s motherboard is inside their server.  The only good news, if there is any, is that Supermicro has released patches, but you have to figure out if your boards are vulnerable and patch them manually.  Isn’t that exciting?  Source: The Hacker News.

Remember When we Thought iPhones Were Secure?

Apparently that myth is beginning to get a little tarnished.  In fact, Android zero days are worth more than iPhone attacks.  Why?  Because, exploit broker Zerodium says, iPhone exploits, mostly based on Safari and iMessage, two core parts of the iPhone, are FLOODING the market.

I don’t think that users need to panic, but I think that they need to understand that iPhones are computers running software and software has bugs.  All software has bugs.  Practice safe computing, no matter what platform you are using.  Source: Vice.

Unencrypted Passwords from Poshmark Breach For Sale on the Dark Web

When Poshmark put up a information free notice last year that some user information had been hacked (turns out it was 36 million even though they didn’t say so), but that no financial information was taken, so they didn’t feel too bad about it, most people said, another day, another breach.

The 36 million accounts were for sale for $750 which means that even the hacker didn’t think they were valuable.  But now there are reports that one million of those accounts are available with the passwords decrypted, likely at a much higher price.  Does this mean they are working on the other 35 million?  Who knows but if you have a Poshmark account, you should definitely change that password and if the password was used elsewhere, change that too.  Source: Bleeping Computer .

Researchers Claim to Have Hacked the Secure Enclave

CPU makers have created what they call a “secure enclave” as a way to protect very sensitive information in the computer.  Intel calls their feature SGX.  Researchers claim to have created an attack based on Intel’s and AMD’s assumption that only non-malicious code would run in a secure enclave.  If this all proves out, it represents a real threat and reiterates the fact that you have to keep hackers out, because once they are in, nothing is safe.  Source: Bruce Schneier.

Phone Apps Collect User Data Even If You Deny Permissions

All smartphones are data collection machines; hopefully everyone understands that.  There are an amazing number of sensors on the device and many apps just ask for everything.  If the user grants that, then the app can harvest all that data and likely sell it, either individually or in the aggregate.

Researchers took a tiny sample of 88,000 apps out of the Android app store (because that is easier than the Apple store) and found that 1,300+ of those apps – or a bit more than one percent – figured out how to circumvent the permission rules.

Some of these apps are mainstream apps.  For example, Shutterfly grabs the GPS coordinates out of your pictures, assuming they are there in the photos.

Does this mean that they are hacking the phone?  No, it means that they have figured out how to finesse  the system.

Another thing that some apps do is look for data other apps leave unprotected on the phone and snarf that data up.  For example, in older versions of Android do not protect individual data on external storage.  If you give an app access to external storage, it can rummage around on that external storage for any data that might be there.

If an app can find the phone’s IMEI number (basically the phone’s serial number) that was retrieved by another app that has permission to do that and which was not protected, then it can tie all of your data to you even if it doesn’t have permission to retrieve your serial number.

With each new release of iOS and Android, the developers of those operating systems implement new controls in an effort to rein in developers who have figured out how to game the system.

Sometimes it is not the app developer who is being deceptive but rather the provider of one or more libraries that the developer integrated into the application.  That means the the app provider could be unwittingly helping out Chinese library developers (yup, that is happening, for reals).

This is not limited to one operating system.  As they say, if the app is free, then you are the product.

As an app developer, you need to understand what each and every library does and if you can’t be sure, you can sniff the network traffic and see what is actually happening.

Source: The Hacker News.