Tag Archives: Safari

Weekly Security News for the Week Ending December 13, 2019

Apple’s Ad Tracking Crackdown Shakes Up Ad Market

Two years ago Apple decided that since they don’t earn a lot of revenue from ads and Google, their competitor in the phone business, does, wouldn’t it be great to do something to hurt them.  Oh, yeah, we can pretend the real reason we are doing it is to protect the privacy of our users.  Thus was born Intelligent Tracking Prevention.  This makes it much more difficult for advertisers to micro-target Safari users.

The results have been “stunningly effective”, trashing Google and others ad revenue from Safari users (typically affluent users who buy $1,000+ Apple phones, hence a highly desirable demographic) by 60%.  The stats are that Safari makes up a little over half of the US mobile market (Android wallops iPhone worldwide, but there are more users in the US willing to pay a lot of money for a phone).

So it is kind of a win-win.  Apple puts a dent in Google’s revenue and the users get tracked a little bit less.  Source: Slashdot.

 

Apple Releases Fix to Bug That Can Lock Users Out of Their iDevices

Apple users are generally pretty good at installing new releases, but this one fixes a bug that would allow an attacker to create a denial of service attack against any Apple device by sending it a bunch of requests at a speed the device can’t handle.  The bug is in AirDrop, Apple’s file sharing feature.    The good news is that a patch is available, so you just need to install it.  Source: Techcrunch

 

KeyWe Smart Lock is Broke and Can’t Be Fixed

KeyWe is a smart lock for your house.  You can buy it on Amazon for about 150 bucks. And unlock your house from your phone.

But you probably shouldn’t.  Because, apparently, ANYONE can unlock your house from their phone.

Researchers have figured out how to intercept the communications using a $10 Bluetooth scanner and decrypt the communications because the folks that wrote the software thought they knew something about cryptography.

Worse yet – the software in the lock cannot be upgraded.  Ever.  By any method, local or remote.  You get to buy a new lock.

So, as people continue to be infatuated with anything Internet, the crooks say thank you because, as I always say, the S in IoT stands for security (hint: there is no S in IoT).  Source:  The Register

 

Over 1 BILLION Userid/Password Combinations Exposed

There is a bit of good news in this (at the end).   Researchers found a publicly exposed Elasticsearch database on the net that was indexed by the BinaryEdge search engine.  The database contained 2.7 billion email addresses and clear text (unencrypted) passwords for over a billion of them.  The researchers contacted the ISP hosting the database and it was eventually taken offline.  It is not clear who owns the database or what its purpose is.   It looks like it is a collection aggregated from a number of breaches.  The good news is that most of the email addresses are from Chinese domains, so if we want to hack back at China, we have most of their emails and passwords.  Source: Info Security Magazine

New Orleans Hit By Ransomware Attack

In what is at least the third ransomware attack in Louisiana in recent weeks, the City of New Orleans shut down all of its computers, including the City’s official web site in an attempt to contain a ransomware attack.  As of right now, 911 is using their radios in place of computers to manage emergencies.

The city told users to unplug their computers from the network and stop using WiFi in an effort to contain the damage.  They then went from floor to floor to check if people really did that.

A MUCH SIMPLER AND QUICKER WAY TO CONTAIN THE DAMAGE IS TO POWER OFF ALL NETWORK SWITCHES (including the ones that the WiFi routers are connected to).  Doing that eliminates the communications path for the malware.  Once that is complete, you can power off individual computers. Source: NOLA.Com

News Bites for the Week Ending November 23, 2018

Japan’s Cybersecurity Minister has Never Used a Computer

Yoshitaka Sakurada, the deputy chief of Japan’s cybersecurity strategy office and the minister in charge of the 2020 Olympic Games in Tokyo says that he doesn’t use computers – basically, he has secretaries and employees to do that.  He also acted confused about whether Japan’s nuke plants use USB drives.

While a few people joked that he has mastered cybersecurity (which of course is not true unless he plans to shut down all of Japan’s computers), most people were amazed that the government put someone with absolutely no understanding of cybersecurity, never mind no expertise, in charge. Source: The Guardian .

Suspect Remotely Wipes iPhone that Police Seized as Evidence

Juelle Grant is a suspect in a shooting in New York in October.  Police think she was the driver and hid the shooter’s identity and hid the gun.

Apparently Grant tried to out-think the police and used Apple’s find my phone feature to do a remote wipe of the phone.

The cops were not amused and charged her with tampering with evidence and hindering prosecution.  The police could have foiled her by putting the phone in a $1.00 foil bag.

That she was able to successfully do this is indicative of the up hill battle that police face shifting from a world of cops walking a beat to a world of cyber experts.  Source: Apple Insider.

China’s Response to Tariffs – Increase Hacking

According to a U.S. government report released recently, China’s response to U.S. tariffs is to increase, not decrease hacking.  The tariffs, which were put in place due to unfair business practices, including hacking, were supposed to get China to reduce hacking our intellectual property, but according to the report, has in fact, had the opposite effect.

The report says that Chinese hacking efforts aimed at stealing American technology and trade secrets have “increased in frequency and sophistication” this year.

The Chinese appear to be interested in stealing information on artificial intelligence and other technologies and includes a “sharp rise” in hacking against manufacturers.

What this means is that U.S. need to take efforts to protect themselves.  Source: Real Clear Defense .

 

Adobe Releases Yet Another Emergency Fix For Flash

In the “gee, what a surprise” category, the pile of Band-Aids (R) that some people call Adobe Flash released yet another emergency patch for a bug that would allow an attacker to run arbitrary malicious code on a user’s device by getting them to visit a web page that had, for example, a malicious ad on it.

Adobe has announced that they will discontinue support by the end of 2020, which means that we still have years of emergency patches in the wings, followed by hacks for new bugs that are never going to be patched.  Source: CyberScoop.

 

Just Visiting a Website Could Have Hacked Your Mac

A bug in Safari allowed an attacker to take over your Mac simply by getting you to visit some web page.  The bug, now patched, would have allowed an attacker to own any Mac.  The researchers released a video and proof of concept code now that the hole has been closed.  That, of course, does not mean that other hackers didn’t know about it already.

Attacks are getting more sophisticated as vendors try to lock down their systems.  This exploit used three different Mac bugs to take over your computer.

No user involvement was required after the user opened a web page in Safari.  Source: The Hacker News.