A $10 Million New York Lab Tries to Brute Force iOS Devices

Inside a lab in New York worth US$10 million, specialists are trying to brute force their way into iPhones and iPads.

What’s going on in the isolation room is important, if silent, forensic work. All of the phones are hooked up to two powerful computers that generate random numbers in an attempt to guess the passcode that locked each device. At night, technicians can enlist other computers in the office, harnessing their unused processing power to create a local supercomputer network.

Hackers Dump 70,000 Tinder Photos of Women

Over 70,000 Tinder photos of women have been dumped in an online forum for cybercrime.

Contextual clues, including particular phone models like the iPhone X seen in the photographs, as well as limited metadata, suggest that many of the (mostly) selfies were taken in recent years. Some of the photos, in fact, contain timestamps dated as recent as October 2019.

Tinder also noted that all of the photos are public and can be viewed by others through regular use of the app; although, obviously, the app is not designed to help a single person amass such a massive quantity of images. The app can also only be used to view the profiles of other users within 100 miles.

Emphasis mine.

Scotland Police to Use ‘Cyber Kiosks’ to Extract Smartphone Data

Starting January 20, 2020, Scotland police will use devices called cyber kiosks to analyze the contents of smartphones during investigations.

Police Scotland will only examine a digital device where there is a legal basis and where it is necessary, justified and proportionate to the incident or crime under investigation.

Cyber kiosks used by Police Scotland will not be enabled to store data from digital devices. Once an examination is complete, all device data is securely deleted from the cyber kiosk.

Google’s iPhone Security App Keeps You in its Ecosystem

Google updated its Smart Lock app on iOS to let iPhones be used for two-factor authentication. But it will only work inside Chrome. Now your only choices for Google two-factor authentication are this Smart Lock app, or a phone number (an insecure method). You can also use a physical security key but not an app like Authy.

After installing the update, users are asked to select a Google account to set up their phone’s built-in security key. According to a Google cryptographer, the feature makes use of Apple’s Secure Enclave hardware, which securely stores Touch ID, Face ID, and other cryptographic data on iOS devices.

Update. So I made a mistake and you can use an app like Authy, but you first have to surrender your phone number to Google. Which I’m obviously loath to do so I use a disposable number.

Cellebrite’s Acquisition Adds Computer Forensics to its Portfolio

Cellebrite, a company specializing in hacking smartphones for law enforcement, has acquired BlackBag Technologies, a company specializing in hacking computers for law enforcement. This will let Cellebrite offer law enforcement an “all-in-one” forensic solution to cover smartphones, laptops, desktops, and cloud data.

It also means offering a broad array of field acquisition capabilities including consent-based evidence collection along with an integrated solution set that provides access, insight and evidence management to facilitate and control large-scale deployments and orchestrate the entire digital intelligence operation.

Cellebrite offers all of these capabilities to law enforcement, but the FBI still wants Apple to create a backdoored version of iOS.

How to Avoid Online Scams With This Guide

Emily Long put together a guide on how to avoid online scams, like not clicking links in emails, not sharing passwords, and more.

The basic rule for surviving internet scams is simple: If it sounds too good to be true, it probably is. A little common sense goes a long way to realizing that you aren’t going to suddenly win the Spanish National Lottery when you didn’t even know you had a ticket.

A useful guide.

Texas Sees Surge in Iranian Cyber Attacks

Texas officials say they’ve seen an increase in Iranian cyber attacks. Over the past two days as many as “10,000 probes…per minute” came from the country.

Speaking after a meeting of the Texas Domestic Terrorism Task Force, of which she’s a member, Crawford of the state information resources agency said as far as she knows, none of the attempted cyberattacks on state government networks originating in Iran have been successful.

Here’s What Data is Accessible With Cloud Forensics

When a company like Cellebrite or GrayKey uses its devices to break into your iPhone, it’s not just your local data that can be accessed. Using various types of “cloud forensics” or cloud extraction technology, they can get your data in the cloud as well. It’s a long read but worth it.

Cellebrite’s UFED Cloud Analyzer, for example, uses login credentials that can be extracted from the device to then pull a history of searches, visited pages, voice search recording and translations from Google web history and view text searches conducted with Chrome and Safari on iOS devices backed-up iCloud.

Travelex Infected With Sodinokibi Ransomware, Attacker Wants $3M

A cyber attack infected international foreign currency exchange Travelex with Sodinokibi ransomware. The attackers are demanding US$3 million.

The attack occurred on December 31 and affected some Travelex services. This prompted the company to take offline all its computer systems, a precaution meant “to protect data and prevent the spread of the virus.”

We were told that they deleted the backup files and that the ransom demanded was $3 million; if not paid in seven days (countdown likely started on December 31), the attackers said they will publish the data they stole.

Wyze Leaks Data of 2.4 Million Security Camera Customers

Wyze makes cheap security cameras for people, cheap in terms of price and now apparently security (ironically). A database of its user data was found exposed on the internet, unsecured.

This included a staggering array of personal information including email addresses, a list of cameras in the house, WiFi SSIDs and even health information including height, weight, gender, bone density and more.

“We are confirming that some Wyze user data was not properly secured and left exposed from December 4th to December 26th,” the company said. It denied that it had leaked bone density information, for example, but confirmed it had leaked “body metrics” for a small number of beta testers.

I’m still trying to figure out why a security camera company would have health information.

Spotify Encourages Journalists to Plug in Random USB Drives

As part of a promotion for a podcast, Spotify sent USB drives to journalists. But the move was criticized by computer security researchers.

But anyone with basic security training under their hat — which here at TechCrunch we do — will know to never plug in a USB drive without taking some precautions first.

Plugging in random USB drives is a bigger problem than you might think. Elie Bursztein, a Google security researcher, found in his own research that about half of all people will plug into their computer random USB drives.

I doubt anyone at Spotify was clueless about the security risk. But negative publicity is still publicity.