Address Bar Spoofing Bugs Surface on Mobile Browsers

A number of address bar spoofing vulnerabilities have surfaced on mobile browsers, and Rafay Baloch wrote about them. One was found in Safari, but Apple patched it in September with iOS 13.6. The other bugs mostly concern Opera.

With ever growing sophistication of spear phishing attacks, exploitation of browser-based vulnerabilities such as address bar spoofing may exacerbate the success of spear phishing attacks and hence prove to be very lethal. First and foremost, it is easy to persuade the victim into stealing credentials or distributing malware when the address bar points to a trusted website and giving no indicators of forgery. Secondly, since the vulnerability exploits a specific feature in a browser, it can evade several anti-phishing schemes and solutions.

Barnes & Noble Hack Revealed in Emails to Customers

A Barnes & Noble hack occurred on Saturday, October 10, customers learned in an email from the retailer. Data that was accessible included email addresses, billing/shipping addresses, and telephone numbers. Financial data like credit cards were safely encrypted.

According to Barnes & Noble’s Nook Twitter account, a “system failure” was responsible for the service interruption for Nook owners. The firm said it was “working urgently to get all NOOK services back to full operation. Unfortunately it has taken longer than anticipated, and we sincerely apologize for this inconvenience and frustration.”

Report: Some Robinhood Accounts Were Hacked

Bloomberg reports that some Robinhood users had their accounts hacked and investments liquidated. But Robinhood said that the company itself wasn’t hacked.

A limited number of customers appear to have had their Robinhood account targeted by cyber criminals because of their personal email account (that which is associated with their Robinhood account) being compromised outside of Robinhood. We’re actively working with those impacted to secure their accounts.

Apple’s Internal Networks Were Hacked for Three Months

But don’t worry, they were hacked by good guys working under Apple’s bug bounty program. Sam Curry, Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes found a total of 55 vulnerabilities.

During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would’ve allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim’s iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.

When I first saw the news I was aghast to learn that Apple only paid them US$55,000, but the blog post was updated to add that the team so far has gotten 32 payments totaling US$288,500. Still doesn’t seem enough to me. Apple needs to work on its internal security.

Apple Wants to Store Your ID Digitally. What Could Go Wrong?

William Gallagher writes about how Apple is working on methods to store your ID digitally in Wallet, like credit cards. But I found this part concerning:

This all presumes that we are able to present our ID. There are situations, such as when we’re incapacitated, when we need to be identified yet we cannot personally do anything about that. In this case, Apple proposes that under the right circumstances, our devices could “automatically transmit the user’s identity credential.”

Apple gives the example of a first responder, “such as police officer, firefighter, etc,” who could legitimately possess a device that would automatically request ID like this.

I bet law enforcement would love a Stingray-like device that can automatically harvest IDs when they walk through a protest.

More Details on the Mac T2 Security Chip Jailbreak

Catalin Cimpanu shares more details of the T2 chip jailbreak I wrote about last week.

The attack requires combining two other exploits that were initially designed for jailbreaking iOS devices — namely Checkm8 and Blackbird. This works because of some shared hardware and software features between T2 chips and iPhones and their underlying hardware.

Unfortunately, since this is a hardware-related issue, all T2 chips are to be considered unpatchable. The only way users can deal with the aftermath of an attack is to reinstall BridgeOS, the operating system that runs on T2 chips.

Apple’s T2 Security Chip Jailbroken by Checkra1n

The latest update of checkra1n adds support for bridgeOS, which runs on the T-series of chips. These are responsible for the Touch Bar, managing encrypted data in its Secure Element, and controlling Mac camera access.

The ability to exploit the T2 processor could also allow you to bypass the anti-repair mechanism built into the Touch Bar. Further, it may allow hackers to get rid of the password or unlock MDM-locked systems.

As far as the OS goes, we could also add secure boot certificates like Microsoft’s secure boot signing or a self-signed Linux certificate.

Can iOS 14 Widgets Steal Your Keyboard Info?

After claims that iOS 14 widgets are up to no good, can they access your keyboard and act as keyloggers? First, as the developer of Widgetsmith says:

Leaving for a moment that I don’t think that is technically possible for a widget to read the keyboard. Widgetsmith was built from the ground up with complete privacy in mind and collects essentially no data about its users.

After using the app I wrote about this morning, Sticky Widgets, I’d say yes they can access your keyboard, because if not then Sticky Widgets would be unusable and you couldn’t type anything into them. Can they access the keyboard without user consent? Most likely not, as the quote continues: “Widgets use SwiftUI views to display their content. WidgetKit renders the views on your behalf in a separate process. As a result, your widget extension is not continually active, even if the widget is onscreen.”

‘Blacklight’ Tool Reveals Website Trackers

A tool called Blacklight has been making waves in the news recently. When you enter a website address into the page, it scans the site to reveal user-tracking technology.

Blacklight works by visiting each website with a headless browser, running custom software built by The Markup. This software monitors which scripts on that website are potentially surveilling the user by performing seven different tests, each investigating a specific, known method of surveillance.

Quickly Access iCloud Keychain With This Apple Engineer’s Shortcut

Ricky Mondello works on app and website authentication as well as password management at Apple. They recently created a shortcut that lets you quickly access iCloud Keychain, so instead of opening Settings and scrolling down to tap on Passwords, it’s a one-tap method to directly open the Passwords section. Separately from that, this is also something you can do yourself using the Settings Shortcut Generator. You can quickly jump to a variety of different places within Settings. One that I recently created is jumping to Settings > Privacy > Photos to manage app access to photos.

How the United States is Ensuring Votes are Secure

Max Eddy writes an examination of election engineering and how the U.S. can ensure voting security. The part I think is fascinating is the work of Sam Curry, CSO of cybersecurity company Cybereason. His team has been simulating election attacks to figure out how best to protect our elections.

He’s observed numerous strategies and has advice on how best to protect an election. The people playing the role of defenders, usually given the role of law enforcement, “must create open lines of communication between government departments and also media sources and social media companies,” said Curry. Knowing who to call and when to call them and having a reliable back-up system in case one fails (or is intentionally sabotaged) are all critical.

CISA Believes China Hacked US Government Systems

According to the Cybersecurity and Infrastructure Security Agency, Chinese-affiliated hackers have compromised U.S. government computer systems.

“This beaconing is a result of cyber threat actors successfully completing cyber operations that are often designed around emergent vulnerabilities and reliant on existing exploitation tools,” the advisory states. “CISA observed activity from a Federal Government IP address beaconing out to the threat actors’ [command and control] server.”

Can we just get it together for 10 seconds, please?

Gaming Company Razer Leaked 100,000 Users’ Data

In August, security researcher Volodymyr Diachenko found a server owned by Razer that exposed the data of over 100,000 users. It took the company over three weeks to get around to fixing the issue.

The cluster contained records of customer orders and included information such as item purchased, customer email, customer (physical) address, phone number, and so forth—basically, everything you’d expect to see from a credit card transaction, although not the credit card numbers themselves. The Elasticsearch cluster was not only exposed to the public, it was indexed by public search engines.

Reboot Your iPhone Weekly as a Security Measure

Adrian Kingsley-Hughes has a tip for iPhone owners: Reboot it at least once a week as a security measure.

Not only does this clean the system’s RAM and get it ready to do more work, it also helps protect against remote exploits by making it harder for hackers to keep control of your iPhone — hacks don’t survive reboots.

A good, practical, and easy tip for Apple users.