Security

Link

This Terminal Command Can Bypass Mac Privacy Protections

Andrew Orr ·

A UNIX command line tool called “ls” can be used to bypass Mac privacy protections like TCC (Transparency, Consent, and Control) and the sandbox. This provides unauthorized access to file metadata in directories that are supposed to be protected

I continue to believe that macOS “security” is mainly theater that only impedes the law-abiding Mac software industry while posing little problem for Mac malware. It doesn’t take a genius hacker to bypass macOS privacy protections: calling “ls” is a script kiddie level attack.

It affects macOS Big Sur, Catalina, and Mojave.

Link

Amazon Sidewalk Shares Your Wi-Fi With Neighbors

Andrew Orr ·

Amazon Sidewalk is a new initiative by the company that creates a low-bandwidth network pooled from the personal networks of Amazon device owners.

Amazon Sidewalk is a shared network, coming later this year, that helps devices like Amazon Echo devices, Ring Security Cams, outdoor lights, and motion sensors work better at home and beyond the front door. When enabled, Sidewalk can unlock unique benefits for your device, support other Sidewalk devices in your community, and even open the door to new innovations like locating items connected to Sidewalk.

Of course, there are numerous privacy and security concerns, although Amazon does claim it has “strong encryption” without going into details.

Link

Walmart ‘Jetstream’ Routers Contain Backdoors

Andrew Orr ·

Researchers found backdoors found in Jetstream routers that lets a hacker remotely control the router and any device connected to it. This router is sold exclusively at Walmart.

CyberNews reached out to Walmart for comment and to understand whether they were aware of the Jetstream backdoor, and what they plan to do to protect their customers. After we sent information about the affected Jetstream device, a Walmart spokesperson informed CyberNews: “Thank you for bringing this to our attention. We are looking into the issue to learn more. The item in question is currently out of stock and we do not have plans to replenish it.”

Bad news for owners of these routers, but at least Walmart won’t sell them anymore.

Link

Fraud Operation Targets Spotify Users With Leaked Database

Andrew Orr ·

In a similar situation to a Facebook scam, researchers uncovered an unsecured database with over 380 million records in a potential Spotify hacking operation.

The origins of the database and how the fraudsters were targeting Spotify are both unknown. The hackers were possibly using login credentials stolen from another platform, app, or website and using them to access Spotify accounts.

Working with Spotify, we confirmed that the database belonged to a group or individual using it to defraud Spotify and its users. We also helped the company isolate the issue and ensure its customers were safe from attack.

Link

Update Google Chrome ASAP to Patch Two Zero Days

Andrew Orr ·

Two zero days in Chrome, CVE-2020-16013 and CVE-2020-16017, are “high severity” in nature and users should update the browser as soon as possible. The The Cybersecurity and Infrastructure Security Agency (CISA) says the security flaws are actively being exploited in the wild.

I can confirm that CVE-2020-16013 relates to the V8 JavaScript engine for Chrome and involves an incorrectly handled security check. Exploitation would most likely require an attacker to direct the victim to a malicious web page.

CVE-2020-16017, on the other hand, would appear to be a memory corruption vulnerability within the Chrome website sandboxing feature known as Site Isolation.

News

Was Your Mac Slow on Thursday? Apple's OCSP Server Was Likely the Cause

Dave Hamilton ·

On Thursday, October 12th, right around 3:30pm EST, Apple’s OCSP server stopped responding. On the surface that doesn’t sound like much, but when you stop and realize this is the server responsible for authenticating the certificates at the core of all your apps, it starts to matter.

And matter it did! For about an hour yesterday, Mac apps wouldn’t launch (or would launch slowly), rebooting was super-slow (for the same reason), and even Zoom connections took minutes to connect.

Link

Facebook Credit Card Scam Exposed via Data Leak

Andrew Orr ·

A phishing and credit card fraud operation has been targeting Facebook users and was recently uncovered due to an exposed database.

The fraudsters used the stolen login credentials to share spam comments on Facebook posts via the victims hacked account, directing people to their network of scam websites. These websites all eventually led to a fake Bitcoin trading platform used to scam people out of ‘deposits’ of at least €250.

However, the day after we discovered the database, it was attacked by the ongoing widespread Meow cyberattack, which completely wiped all its data.

Link

Vertafore Data Breach Affects 27.7 Million Texan Drivers

Andrew Orr ·

Insurance software company Vertafore disclosed a data breach in which an unknown third-party accessed the personal information of 27.7 million drivers in Texas.

The incident is believed to have taken place sometime between March 11 and August 1, and happened as a result of human error when three data files were inadvertently stored in an unsecured external storage service.

Exposed data included Texas driver license numbers, names, dates of birth, addresses, and vehicle registration histories.

Link

Compal Electronics Suffers DoppelPaymer Ransomware Attack

Andrew Orr ·

Computer manufacturer Compal Electronics has been hit by a DoppelPaymer ransomware attack, and the ransom is US$16.7 million.

DoppelPaymer is a ransomware operation known for attacking enterprise targets by gaining access to admin credentials and using them to spread throughout a Windows network. Once they gain access to a Windows domain controller, they deploy the ransomware payloads to all devices on the network.

According to the DoppelPaymer Tor payment site linked to in the ransom note, the ransomware gang is demanding 1,100 Bitcoins, or $16,725,500.00 at today’s prices, to receive a decryptor.

Link

Michigan Prop 2 Passes; Police Need a Warrant to Search Your Devices

Andrew Orr ·

Voters in Michigan overwhelmingly passed Proposition 2 which adds “electronic data and electronic communications” to the state’s search and seizure laws.

The person, houses, papers, possessions, and electronic data and electronic communications of every person shall be secure from unreasonable searches and seizures. No warrant to search any place or to seize any person or things or to access electronic data or electronic communications shall issue without describing them, nor without probable cause, supported by oath or affirmation.

Translation: Michigan police need a warrant to search your electronic devices. And as a Michigander myself I definitely voted in favor of this.

Link

Mattel Revealed it Suffered a Data Breach on June 28

Andrew Orr ·

Toy company Mattel suffered ransomware attack on June 28, 2020. It revealed this in a 10-Q form filed with the Securities and Exchange Commission (SEC).

On July 28, 2020, Mattel discovered that it was the victim of a ransomware attack on its information technology systems that caused data on a number of systems to be encrypted. Promptly upon detection of the attack, Mattel began enacting its response protocols and taking a series of measures to stop the attack and restore impacted systems. Mattel contained the attack and, although some business functions were temporarily impacted, Mattel restored its operations.

Link

NSA Avoids Discussing Back Doors in Commercial Products

Andrew Orr ·

The U.S. National Security agency is dodging questions about back doors in commercial products and whether it’s continuing this practice. The article mentions Dual EC, a type of encryption algorithm the NSA tried to get ratified as a global standard. Why? Because they could easily crack it.

Juniper Networks got into hot water over Dual EC two years later. At the end of 2015, the maker of internet switches disclosed that it had detected malicious code in some firewall products. Researchers later determined that hackers had turned the firewalls into their own spy tool here by altering Juniper’s version of Dual EC.

And that’s the reason we oppose these kinds of back doors or “weaknesses on purpose” on Security Friday. If one group can easily crack it, so eventually will other groups.

Link

Researchers Extract Intel CPU Encryption Key

Andrew Orr ·

Security researchers have successfully extracted the Intel CPU encryption key used to secure updates to the chip.

The key makes it possible to decrypt the microcode updates Intel provides to fix security vulnerabilities and other types of bugs. Having a decrypted copy of an update may allow hackers to reverse engineer it and learn precisely how to exploit the hole it’s patching. The key may also allow parties other than Intel—say a malicious hacker or a hobbyist—to update chips with their own microcode, although that customized version wouldn’t survive a reboot.

Of course, it’s the “other parties” to worry about. The key can be extracted from any chip that uses Intel’s Goldmont architecture. This is used for low-power chips like the Atom, Celeron, and Pentium brands.

Link

Zoom Rolls Out End-to-End Encryption for Video Calls

Andrew Orr ·

Starting next week, video conferencing app Zoom is finally adding end-to-end encryption to its platform.

Zoom’s E2EE offering uses public key cryptography. In short, the keys for each Zoom meeting are generated by participants’ machines, not by Zoom’s servers. Encrypted data relayed through Zoom’s servers is indecipherable by Zoom, since Zoom’s servers do not have the necessary decryption key. This key management strategy is similar to that used by most end-to-end encrypted messaging platforms today.

Good to see Zoom doing this; they’ve certainly had misses in the past. Update: The new version is now available for most users.

Link

Link Previews in Chat Apps Could Leak Your IP Address

Andrew Orr ·

Security researchers found that link previews in chat apps could expose data like IP addresses if not implemented properly. Or they could be downloading as much as gigabytes of data in the background. They tested a variety of different messaging apps, and iPhone users will be relieved to know that iMessage didn’t experience any of these security leaks.

We think there’s one big takeaway here for developers: Whenever you’re building a new feature, always keep in mind what sort of privacy and security implications it may have, especially if this feature is going to be used by thousands or even millions of people around the world.

Link

Thousands of Law Enforcement Agencies Use Phone Cracking Tools

Andrew Orr ·

Upturn, a non-profit focused on the use of technology by police, used over 110 public records filed with law enforcement departments across the country to figure out how many of them use phone cracking tools, or mobile device forensic tools (MDFTs).

Based on 110 public records requests to state and local law enforcement agencies across the country, our research documents more than 2,000 agencies that have purchased these tools, in all 50 states and the District of Columbia. We found that state and local law enforcement agencies have performed hundreds of thousands of cellphone extractions since 2015, often without a warrant.

Kelly and I will definitely share our thoughts in this week’s Security Friday.