Tag Archives: Apple

Security News for the Week Ending October 1, 2021

Women, Minorities are Hacked More Than Others

A new report, released this week, says that lower income and vulnerable populations are disproportionately affected by cyber crime. Shockingly (not), the report says that those with lower incomes, lower education and minority groups are more likely to fall victim to cyber crime. While the gap is not huge, it is consistent from question to question. Credit: Threatpost

Leaked Apple Training Video Shows It Trains Repair Partners to Disparage Third Party Repairs

Leaked videos show that Apple trains its authorized repair partners to disparage third party repair shops. While at one level this is not a surprise, at another level, as a dominant player in the market, they are going to take some serious heat over the videos. According to Motherboard, who reviewed the videos, it appears that some of the claims made are suspect. Bottom line, users need to review different choices and make an educated decision. Credit: Motherboard

Customs and Border Protection Uses Encrypted App Wickr As FBI Goes Dark

CBP is deploying encrypted messaging app Wickr enterprise wide. While the FBI lobbies Congress to ban end-to-end encryption, another executive branch department thinks encryption is pretty useful. They spent $900,000 to renew their Wickr software licenses (which is pretty reasonable for the size of the organization). Wickr is now owned by Amazon and they do have an enterprise version that can log message traffic as is required by law for CBP. It is unclear what version they are using, but it is likely that version. Credit: Vice

IKEA Admitted to Placing Surveillance Cameras in Warehouse Bathrooms

IKEA has now removed these cameras that were placed in men’s and women’s bathrooms and discovered in a warehouse in England. It is not clear whether cameras exist in other IKEA bathrooms, but the privacy commissioner’s office is likely not happy. IKEA admitted the cameras had been in place since 2015. Credit: The Register

Driverless Cars Could Generate 100 GB of Data Per Second

While predictions of driverless cars by 2020 only materialized in limited situations, driverless cars are coming and they will generate a ton of data. Test vehicles are generating between 20 and 40 Terabytes of data a day. Estimates say the average self-driving car will generate between 1 and 15 TB a day and a robotaxi might generate 450 TB. If most cars are driverless by 2030, that will create an amazing amount of data and I am sure that it will all be secure and private. Remember that these cars are collecting data of everything that it drives past – cars, buildings, roads, people, so just because YOU don’t drive a self-driving car, that doesn’t mean that one of those cars won’t catch you in a place where you should not be, doing something that you should not be doing. Credit: Cybernews

Security News for the Week Ending November 27, 2020

Senate Passes Legislation to Protect Against Deep Fakes

While I agree that deep fakes – photos and videos that use tech to make it look like someone is saying something or doing something that they never did – can be nasty, is that really the best use of the Senate’s time right now? In any case, they did pass the legislation, the IOGAN Act (S.2904) and sent it to the House. It directs the NSF to support deep fake research and NIST measure the problem and see if they can get private companies to spend their money on solving the problem. The bill plans to allocate a total of $6 million over 6 years towards the problem. Credit: The Register

Apple’s Global Security Team Charged with Bribing Sheriff with iPads

Not only is Apple in trouble but so is the Sheriff. Apparently the Santa Clara County Sheriff’s office has decided that concealed carry weapons permits can be bought and sold – or at least they can be bought. Apple offered the Sheriff’s Department 200 iPads worth $75,000 if they got the permits. The undersheriff and a captain are now charged with soliciting bribes. Other folks, including Apple’s security chief are charged with offering bribes. Business as usual. Credit: The Register

Feds Fine JPMorgan $250 Million For Failing to Maintain Controls

The Office of the Comptroller of the Currency fined JPMorgan Chase Bank for failing to maintain sufficient internal controls and internal audit. The OCC said the bank’s risk management practices were deficient. Probably not something you want the feds to tell you. Credit: Reuters

You Know Those Nigerian Hacker Stories – They Are Real

The feds have broken a Business Email Compromise (BEC) scam operating out of Lagos, Nigeria. So far they have identified 50,000 targeted victims and 26 different malware tools. BEC attacks are growing in size and some Russian attacks netted over a million dollars each. Three men have been arrested. Credit: Threatpost

Comcast Imposes More Bandwidth Caps

While bandwidth caps have no real effect on network performance, they do have a great impact on Comcast’s balance sheet, so they are back to imposing them across the country. If you use more than 1.2 terabytes a month, they will charge you $10 for every extra 50 gigabytes up to $100 extra a month. Unless, of course, you buy their unlimited plan for an extra $30 a month, whether you use extra or not. Or unless you rent a modem from them for $25 a month. Given that American Internet prices are among highest in the world and American mobile Internet performance is below countries like Ethiopia and Uganda (see chart), it makes perfect sense that Monopolistic Internet providers will figure out how to charge us more for less. Credit: Vice

The Trump-Bytedance Dance Continues

The Trump administration has been trying to force Bytedance, owner of TikTok to sell the company or the administration was going to shut it down. The only problem is that there are 100 million users of TikTok in the U.S. and some percentage of them are Republicans and, politically, pissing off 100 million Americans is not a really great thing to do. As a result, the administration, which told Bytedance to sell in August, gave Bytedance another 15 day extension recently and now gave it another 7 day extension. Personally, I am fine with the administration killing TikTok off; it doesn’t seem like an important national asset, but those 100 million American users/voters probably disagree with me. Credit: Cybernews

Security News for the Week Ending October 16, 2020

5 Eyes Ask For Crypto Backdoor – Again

Law enforcement does not like it if they cannot snoop whenever they want. It has been a problem since encryption started to be used by the masses. The CIA, for example, even went to go so far as to BUY the Swiss encryption company Crypto AG, insert backdoors into their hardware and sell it to both our allies and our adversaries for decades before circumstances changed and made that hardware less important. They didn’t tell our allies that we were snooping on them. Part of the game.

So it is no surprise that when consumer products contain decent crypto, these same folks are not happy and they have been fighting the battle ever since.

Now they are saying that these companies should allow them to snoop on everyone – which they will do responsibly, of course – is a matter of public safety and protecting children.

And, of course, unlike the TSA, NSA, CIA and others before them who lost control of those secrets, these secret backdoors that companies should provide will not get into the wild. Trust us! credit: SCMagazine

Apple Releases New 5G Phones That Use Non-Existent 5G Service

Okay, this is not a cybersecurity issue, but it is a hot button for me. You can now buy an iPhone 12 Max with Apple care for $1700+ with 5G support.

I guess if you want to spend your money and help the economy, go for it, but if you think that you will be able to surf the web on your phone 10 times faster than today as they claim, you can. But you will have to wait around 10 years.

The problem is that none of the carriers have FAST 5G infrastructure. Verizon, does have some fast 5G – it covers about one percent of the US population. So, if you want to have a new iPhone and be one of the cool kids, go for it. Just don’t expect to surf the web any faster than you do today. Credit: Cybernews

Microsoft Takes Down TrickBot Network

On October 12, Microsoft and several partners announced that they were able to disrupt the TrickBot infrastructure by legally disabling IP addresses, making servers inaccessible and suspending services employed by the botnet. The effort was also aimed at preventing operators from registering new infrastructure.  There is a concern that the bot network, which has connections to Russia and has compromised at least a million computers may be used in an attempt by Russia to impact the U.S. Presidential elections.

That takedown lasted two days. The network is back operational again, causing mischief. This just points to the challenge of permanently stopping hackers who are living in unfriendly countries like Russia. Even with the best efforts of Microsoft and Cyber Command, it only stopped them for 2 days. Credit: ZDNet and Security Week.

And You Thought TSA was the Only Non-Secure Part of Flying? Wrong!

The aviation industry uses a system called ACAS internationally or TCAS in the U.S. It is a collision avoidance system which tells a pilot that there is another plane nearby and tells each pilot how to avoid a collision (up, down, left, right, fast, slow, etc.). Except that TCAS has no security in it and it can be spoofed by a bad guy to crash the plane. There is a new version coming out soon called ACAS X and it too can be fooled. So much for the basics of security. Credit: The Register

800,000 Sonicwall Appliances Can be Hacked by a Kid

The patch, which affects 800,000 Internet facing VPN servers, was released on Monday. The details were disclosed two days later, on Wednesday. In its simplest form, a kid can either crash the device or just make it not respond to commands. Worst case, a more skilled hacker may be able to execute arbitrary code, including bypassing login requirements. Sonicwall says that they are not AWARE OF any customers impacted YET. If I was running a Sonicwall appliance, I would treat this as an emergency and patch it as soon as possible. Credit: ZDNet

Security News for the Week Ending July 3, 2020

Apple Likely to Make Charger, Earphones Extra on Next iPhone

Before everyone goes crazy, first this is a rumor – a likely accurate rumor, but a rumor, and second, it is likely aligned with the EU’s directive to reduce electronic waste. Your old charger and old earphones probably still work and if, say, 50% of people agree with that, that is a lot of electronic waste avoided. People who are less Apple-friendly say that Apple reduces costs, improves its environmental image and gets many people to buy unbundled, high margin accessories. Do not expect Apple to reduce the price over this. Credit: The Register

Apple Says NO to Advertisers

And now another Apple story. Apple has decided not to implement 16 new web APIs because they might enable advertisers to track users. This only applies to Safari, the default browser on Apple devices, which represents 17% of web users and since Apple doesn’t make it’s livelihood by selling people’s data, it is a win-win. It doesn’t cost Apple anything and it helps their customers. It is OK if everyone wins. Credit: Metacurity

Hackers Selling 100 Million+ Hacked Credentials

A seller of stolen credentials is flooding the black market with stolen userids and passwords. 14 companies worth of breached databases from 2020 represent 130+ million userids. Sites affected include Homechef, Minted, Tokopedia and almost a dozen more. That is just from the first 6 months of this year. In case that is not enough, the broker is selling a number of older databases. Beware of password reuse (also called stuffing) attacks where hackers try those passwords on other sites. Credit: Bleeping Computer

Location Data Used on Specific Voters So Candidates Knew Who Voted

Money is money. A data broker sold location data on Black Lives Matters protesters so that (police) could track their movements and also sold location data on evangelicals so that the (Trump campaign) knew whether people who were favorable to them had not voted so that they could get out the vote in a very targeted manner. All legal. Expect it to be used this year, likely by many candidates. I put the names in parentheses because the broker didn’t exactly say who they sold the data to. Credit: Vice

Denial of Service Attacks up 542% in First Quarter

Distributed Denial of Service attacks jumped more than 500% between fourth quarter last year and first quarter of this year and more than 250% year to year according to NexusGuard. Likely this is due to work from home. The attacks are going after businesses and ISPs. Are you ready? Credit: Dark Reading

Security News for the Week Ending May 22, 2020

AG Says They Unlocked Shooter’s iPhone Without Needing Apple to Hack Their Security

For a couple of decades the FBI and Justice Department has been saying that software vendors need to insert backdoors into their security software to make it easier for the government to hack it if they want to.

One high profile case was the Pensacola Naval Air Station shooter, who was killed by police in the attack (making it difficult to prosecute him). Therefore, the FBI didn’t need anything off his phone to prosecute him, BUT they did want info in order to get useful intelligence about who he was working for/with and what other attacks might be planned.

In spite of the AG’s relentless claims that they need companies like Apple to insert backdoors into their systems – which will inevitably get into the hands of hackers and ruthless governments – Barr announced this week that they broke into the phones without Apple’s help. Barr said that hacking the phones was due to the great work of the FBI. Much more likely, they just placed the phone in a Cellebrite box (or competitor) and wait.

What probably galls Barr is that if he doesn’t have an unlimited license (which I am sure he does), he would have had to pay Cellebrite $1,500 for each phone he wanted to unlock.

This announcement definitely weakens the argument that software vendors need to weaken security for everyone so that the police can hack phones when it is important. Credit: The Register

Rogue ADT Tech Spies on Customer CCTV of Teen Girl

ADT has revealed that one of their techs used his permissions to access the accounts of hundreds of ADT customers and watch them via their security cameras. Last month an ADT customer in Dallas spotted an unexpected email address listed as an admin user on their account. The employee has used that email to access the home’s cameras over 100 times.

Apparently, not only could he spy on naked customers, but he could also unlock their homes if they had smart locks. One of the naked customers in question sued ADT last week.

People need to think about where they place security cameras and whether smart locks are really smart to use. Credit: The Register

Details Leaking on WHY for Prez’s EO on Securing the Grid

Earlier this month, the president issued an EO that sorta, kinda stopped the power grid from buying things that could allow adversaries to compromise the grid. I said sorta, kinda because the EO (read the text) doesn’t actually identify anything that people can’t buy. It does, however, form a committee to figure out what that might be.

Here’s what’s new. A U.S. power utility discovered a “hardware backdoor” on a Chinese transformer that was delivered to them and that they found things “that should not be there”. They think there are many of these already installed in America.

If true and I have no reason to doubt it, but almost no details to confirm it, that could be a really serious problem. A bigger problem is that the U.S. doesn’t manufacture any big transformers like the kind the utilities use.

So, if the feds ban Chinese transformers, I can describe a scenario where folks working in cooperation with the Chinese destroy a sufficient number of existing transformers with utilities not allowed to buy replacements and potentially leaving millions in brown-out or black-out conditions for months. Homeland Security is believed to have been secretly trying to figure out a solution for several years. Credit: CSO Online

Hackers Jailbreak New Apple iOS One Day After Release

Apple announced a new version of the iPhone software, 13.5, this week and the next day hackers claimed they had a hack to jailbreak the new version – every device, even the iPad Pro. That can’t possibly make Apple happy, but there are some in the hacking community that are very happy. Credit: Mac Rumors

Chinese Hardware Powers US Voting Machines

Third party risk company Interos took apart one very popular, widely used, touch screen voting machine and found that 20% of the machines components came from a company headquartered in Russia or China. 59% of the parts came from companies with locations in Russia and China.

Interos Visualization of Voting Machine Suppliers by Country. Image courtesy of Interos.

The red dots represent components from companies based in China. Given the the U.S. manufactures very little any more, this is not much of a surprise.

Paper based vote by mail sounds better by the day. Credit: Security Ledger

Security News for the Week Ending May 15, 2020

Pitney Bowes Hit By Ransomware for 2nd Time in 7 Months

Pitney Bowes has verified that it has been hit by a ransomware attack for the second time in 7 months. This time it is the maze ransomware, which steals data before encrypting your systems. Sometimes ransomware hackers leave their hooks in a victim’s system so they can come back later and cause more pain. Again I ask – are you ready? Credit: Computer Weekly

U.S. To Accuse China of Trying To Steal Vaccine Data

The U.S. says – no surprise – that other countries such as China, Vietnam and even South Korea are trying to steal vaccine research, treatments and testing. Other than warning businesses that other countries are trying to steal our stuff, it is not clear what the government can or plans to do. Credit: MSN

Security May Be Victim to Business Downturn

If fairness, all costs have to be justified during a business downturn and security costs are one of those costs.

As companies layoff employees and downsize, security teams are at risk because they don’t tie directly to revenue.

But all you need to do is as a company that had even a small breach and spent, say, $1 million on it, whether saving the salary of that dedicated security team member made sense in hindsight.

The bad news is that the hackers understand this and they will watch for companies that are not paying attention.

Of course, that does not mean that every company is spending every security dollar wisely. Probably not. Credit: WSJ

Ransomware is Getting to be Like Commercial Software with Feature Releases

Something tells me that this is not a good thing, but ransomware software is big business. As a result developers are enhancing their software with new releases. The Sodinokibi (REvil) software has added a new feature that allows it to encrypt files, even if they are open and locked by another process. The ransomware kills the process or processes that are locking the file and then encrypt it, after stealing a copy first. Adding features seems to work for companies like Google and Microsoft…. Credit: Bleeping Computer

FBI Reportedly Asks Apple for Contents of Senator Burr’s iPhone

Senator Burr, is being investigated for selling stocks after he was briefed on the Coronavirus as the chairman of the Senate Intelligence Committee. The FBI asked for his phone, which his attorney gave them. Apparently the FBI was able to get a warrant after they asked Apple for the contents of Burr’s iCloud account. Apple seems to be willing to give the cops your iCloud data, which they can decrypt, if the cops remember to ask in time. It has been reported that in late January and early February, Burr and his wife sold between $600,000 and $1.7 million worth of stock. The market started it’s nosedive around February 20th. Credit: CNet