Tag Archives: Tariffs

Security News for the Week Ending September 27, 2019

Did Apple ‘Play’ President Trump?

Apple says that it has received a waiver from import tariffs on Chinese parts for the Mac Pro.  Why, after President Trump said he wouldn’t do that?  Apple’s PR machine made it look like the Mac Pro was now going to be made in Texas after they floated a rumor that it was going to be made in China.  But the Pro has always been made in Texas.  And they are not building a new plant – only using the same plant where they have always been built.  It is an example of how a very rich, connected and powerful company can game the system to get what it wants while smaller companies lose out.  Source: The Register.

Click2Gov – IT’S BACK!

Click2Gov facilitates self-service government web site portals.  In 2017 and 2018 it was compromised in dozens of cities, exposing 300,000 credit cards and costing banks about $2 million.

Well, IT’S BACK!

The new attacks started last month and have hit 8 cities so far this time. So far, 20,000 records have been offered for sale.  Cities in Florida, Idaho, California and Oklahoma have been hacked.

Coming to a city near you.  Source: Wired.

Simjacker – A Mobile Attack That is Invisible

The SIM card in your phone has the information necessary to identify your phone to your carrier, but of course, vendors could not leave well enough alone, so it does more.

The attack begins with the attacker sending the victim an SMS message, except that this message carries a series of SIM Toolkit (STK) instructions.  The SIM card captures the message and processes the commands in it.  The commands are quite powerful and could potentially send SMS messages containing data from the phone to the attacker, conduct espionage, spread malware and other things.

Not all phones and not all carriers are susceptible.  Some US carriers say that they do not use that type of SIM chip.  Source: Adaptive Mobile.

Microsoft Bans More File extensions from Outlook Web Access

Apparently OWA is now called Outlook for the Web.  Must have missed the email.  In any case, Microsoft will be banning a total of 142 file extensions once 38 more extensions are banned in the next release.  In addition to the existing banned extensions like .EXE, .COM, .ASP, .JAR and more, the new list includes Python files (6 extensions), PowerShell (10), digital certificates (3), Java (2) and miscellaneous applications (17).  Source: The Hacker News.

Checkm8 Exploit Could Mean Permanent Jailbreak for Many iPhones

This is still new, so there is a lot we don’t know, but a researcher nicknamed axi0mX says that he accidentally found a bug in the iPhone boot ROM that affects most iPhones.

The good news is that it requires local access.  Read-only memory is only sometimes read-only, so maybe Apple will be able to patch this – stay tuned.

If you can exploit this, it would allow you to jailbreak any affected iPhone or iPad.  The models affected include (but may not be limited to) the iPhone 4s through the iPhone 8 and the iPhone X.  It is not clear if the most recent iPhones are vulnerable.

A jailbreak would allow a hacker, a state actor or a vendor like Cellebrite to either extract all data from or compromise any affected phone, hence the name checkmate (Checkm8).  Source: Threatpost.

Trump Considers Executive Order Declaring National Security Emergency

President Trump is considering signing an executive order asserting a national security emergency using the International Emergency Economic Powers Act (IEEPA).

While every president since Jimmy Carter has used the IEEPA to impose sanctions on governments that we don’t like, no president has ever used it to tell private companies who they should buy parts from and who they should do business with.

This is all based on concerns from some people on both sides of the aisle that Chinese components (and Chinese products) have the potential to present national security issues.  Trump used national security as the reason to impose tariffs on imported steel and aluminum.  While that argument has drawn a lot of critics, it seems likely that IF the president decides to try to force businesses to stop buying parts and products and stop foreign investment in U.S. businesses, there may be fewer complaints.

Except, that is, for companies that have to shut down, lay off workers and go out of business because the only source for the components that they use to make their products has been banned or the money that they need to keep operating is no longer available.

That is the challenge that the president has to sort out.

Very few chips that are the guts of everything from dishwashers to computers are made in the United States.  Many are made in China, but others are made in Japan, Korea and a small number of other countries.

In general, there is very little overlap.  A chip that is made in China is likely not made elsewhere, so companies building products that use those chips will have to stop building and selling those products and also, possibly more importantly, possibly stop fixing ones that people have already bought.  They likely could re-engineer those products, source new and different parts, rework the assembly lines and then restart production.  For large companies, that is possible.  Smaller companies will just go bankrupt and lay off all of their employees.  Since most American companies are small businesses, it could, possibly, have a significant impact on the U.S. workforce, depending.

It is also not clear whether this is like the tariffs in the sense that products that are made outside the U.S. would be banned because they contain Chinese parts.  None of this has been sorted out yet, but it is likely that if that happens, those countries would retaliate and ban U.S. products.  That would turn the U.S. into an island.

The whole thing is a bit of a mess.

The government also considered using this same law to implement restrictions on foreign investment in the United States, but instead used a different law, CFIUS, to achieve the same goals.  In both cases, the result is that U.S. businesses that want to expand and create more jobs won’t be able to do that – at least not with certain foreign investments.  This EO could further restrict foreign investment in the U.S. above and beyond what is possible with CFIUS.

Interestingly, two companies that the EO would target are Huawei and ZTE, both of which are the subject of major Department of Commerce sanctions right now.  Trump has been trying to negotiate a deal where ZTE pays the U.S. a lot of money and would then no longer be considered a national security threat.  You can’t have it both ways.  Either they are or they are not.  To be continued.

This is at the same time that Facebook admitted to sharing information on users with 52 companies, including Chinese companies like Huawei, Lenovo, Alibaba and Qualcomm.  One assumes that in Facebook’s case, it was a matter of money – probably not direct cash, although it may have included some of that, but rather to lock those vendors into the Facebook Kool-Aid in one way or another.

In light of admitting to doing this, likely illegally since they did not get users’ permission to share the data, Facebook now says that they have ended 38 of those relationships and will end the rest of them soon.

Facebook says that it forgot to mention these data sharing relationships because they had shifted to sharing data using a different method – the way they shared data with Cambridge Analytica.  I am not sure that is any better, but who knows.

All in all, there are some real issues here, but also, given the global economy, it is not clear that there is an easy answer.  We have already seen that some of the countries that we have hit with tariffs on steel and aluminum have imposed their own tariffs, and all that has not played out yet.

Information for this post came from The Washington Post and The Hill.