267 Million Facebook IDs, Phone Numbers Exposed

A database that contained over 267 million Facebook user IDs, phone numbers, and IDs was discovered on the web. It wasn’t password-protected.

Comparitech partnered with security researcher Bob Diachenko to uncover the Elasticsearch cluster. Diachenko believes the trove of data is most likely the result of an illegal scraping operation or Facebook API abuse by criminals in Vietnam, according to the evidence.

Diachenko immediately notified the internet service provider managing the IP address of the server so that access could be removed. However, Diachenko says the data was also posted to a hacker forum as a download.

FBI Shares 7 Tech Tips to Keep You Safe

The FBI’s Oregon office shared seven tech tips to keep people safe over the holidays, like not letting devices auto-connect to free Wi-Fi. It’s well worth the read.

The kids are getting out of school this week and you are packing your bags for the big trip to the in-laws. Now is not the time you want to talk about cyber security, but we do have a few travel tips to keep you safe while you are on the go.

VICE Tests Amazon Ring’s Security, and it’s Not Good

Journalists at VICE tested the security of Amazon Ring security cameras, and they call it “awful.”

Ring is not offering basic security precautions, such as double-checking whether someone logging in from an unknown IP address is the legitimate user, or providing a way to see how many users are currently logged in—entirely common security measures across a wealth of online services.
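The two controls VICE says Ring lacks (challenging a sign-in from an address or device the account has never used, and letting the owner see and revoke live sessions) are straightforward to build server-side. The following Python is an added illustration, not Ring's or VICE's code: the account names, IP addresses and device identifiers are constructed sample data, and the 24-hour session timeout is an assumed policy.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class LoginEvent:
    account: str
    ip: str
    device_id: str
    when: datetime


@dataclass
class AccountState:
    known_ips: Set[str] = field(default_factory=set)
    known_devices: Set[str] = field(default_factory=set)
    # session_id -> (ip, device_id, last_seen)
    sessions: Dict[str, Tuple[str, str, datetime]] = field(default_factory=dict)


class LoginMonitor:
    """Flags sign-ins from an IP address or device the account has never used
    before, and keeps the list of live sessions so the owner can review them."""

    def __init__(self, session_ttl: timedelta = timedelta(hours=24)):
        self.accounts: Dict[str, AccountState] = {}
        self.session_ttl = session_ttl  # assumed idle timeout

    def _state(self, account: str) -> AccountState:
        return self.accounts.setdefault(account, AccountState())

    def evaluate(self, ev: LoginEvent) -> Tuple[str, List[str]]:
        """Return ('allow', []) when both IP and device are known, otherwise
        ('step_up', reasons): the login must pass a second check (for example
        an emailed confirmation) before a session is issued."""
        st = self._state(ev.account)
        reasons: List[str] = []
        if ev.ip not in st.known_ips:
            reasons.append(f"unknown ip {ev.ip}")
        if ev.device_id not in st.known_devices:
            reasons.append(f"unknown device {ev.device_id}")
        return ("step_up" if reasons else "allow"), reasons

    def confirm_login(self, ev: LoginEvent, session_id: str) -> None:
        """Called once a login was allowed or the step-up check succeeded:
        remember the IP/device as trusted and open a session."""
        st = self._state(ev.account)
        st.known_ips.add(ev.ip)
        st.known_devices.add(ev.device_id)
        st.sessions[session_id] = (ev.ip, ev.device_id, ev.when)

    def active_sessions(self, account: str, now: datetime) -> List[Tuple[str, str, str]]:
        """Drop sessions idle longer than the TTL and return the rest as
        (session_id, ip, device_id): the 'who is logged in' view."""
        st = self._state(account)
        expired = [sid for sid, (_, _, seen) in st.sessions.items()
                   if now - seen > self.session_ttl]
        for sid in expired:
            del st.sessions[sid]
        return [(sid, ip, dev) for sid, (ip, dev, _) in st.sessions.items()]

    def revoke_all(self, account: str) -> int:
        """Log out every session for the account; returns how many were closed."""
        st = self._state(account)
        count = len(st.sessions)
        st.sessions.clear()
        return count


# Constructed sample: three sign-ins to one account (not real data).
SAMPLE_EVENTS = [
    LoginEvent("alice", "203.0.113.10", "phone-1", datetime(2019, 12, 20, 9, 0)),
    LoginEvent("alice", "203.0.113.10", "phone-1", datetime(2019, 12, 20, 18, 0)),
    LoginEvent("alice", "198.51.100.7", "laptop-9", datetime(2019, 12, 21, 3, 0)),
]


def run_sample() -> List[str]:
    """Process the sample events in order; returns the decision for each one."""
    mon = LoginMonitor()
    decisions = []
    for i, ev in enumerate(SAMPLE_EVENTS):
        decision, _reasons = mon.evaluate(ev)
        decisions.append(decision)
        # A real service would run the step-up check here; the sample treats
        # every challenge as passed so that the session gets created.
        mon.confirm_login(ev, session_id=f"s{i}")
    return decisions


if __name__ == "__main__":
    print(run_sample())
```

The first sign-in is challenged because nothing is known about the account yet, the repeat from the same phone passes, and the later sign-in from a new address and a new laptop is challenged again; the session list is what a "currently logged in" page would render.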

Cellebrite Now Uses iOS Exploit Checkm8

Checkm8 is an iPhone flaw in the bootrom that can lead to a jailbreak. It can’t be patched via software, and it affects the iPhone 4s through iPhone X. But attackers need physical access to your device, and the jailbreak can only be tethered, meaning it disappears as soon as the iPhone is restarted.

The Cellebrite UFED team is working quickly to provide users with support for the above-mentioned scenario. This will be included with the launch of our iOS extraction agent in an upcoming release. The team is committed to providing a comprehensive, forensically-sound solution that adheres to Cellebrite’s high standards, is fully tested, and is admissible in court.

Speaking about recent rumors, if Apple did remove the Lightning port from future iPhones, I wonder if it would defeat companies like Cellebrite. I’m not sure if they could still extract data via the wireless charger.

Defense Department: We Need That Encryption You Want to Break

Everyone from the Department of Justice and the FBI to politicians like Senator Lindsey Graham is attacking encryption, calling for backdoors for the “public good.” But people who understand security are cautioning against such a move. This week Representative Ro Khanna forwarded to Lindsey Graham a letter from the Defense Department’s Chief Information Officer, Dana Deasy.

As the use of mobile devices continues to expand, it is imperative that innovative security techniques, such as advanced encryption algorithms, are constantly maintained and improved to protect DoD information and resources. The Department believes maintaining a domestic climate for state of the art security and encryption is critical to the protection of our national security.

Senator Lindsey Graham to ‘Impose His Will’ on Encryption Backdoors

Apple and Facebook representatives met with lawmakers today where senators pushed for the companies to compromise their users’ security by including encryption backdoors. In particular, Sen. Lindsey Graham said:

My advice to you is to get on with it. Because this time next year, if we haven’t found a way that you can live with, we will impose our will on you.

“Encryption backdoors for thee, but not for me.”

Yubico Authenticator iOS App Now Supports NFC

While Yubico has a security key that plugs into your iPhone via Lightning, the app also supports NFC YubiKeys now.

Instead of storing the time-based one-time passcodes on a mobile phone or computer, Yubico Authenticator generates and stores one-time codes on the YubiKey. A user must present their physical key in order to receive the code for login. This not only eliminates security vulnerabilities associated with a multi-purpose computing device, but also offers an added layer of convenience for users that work between various machines.

US Among Top 5 Worst Countries for Biometrics Privacy

The United States is one of the worst countries in the world when it comes to the privacy of citizens’ biometrics data.

While there is a handful of state laws that protect state residents’ biometrics (as can be seen in our state privacy study), this does leave many US citizens’ biometrics exposed as there is no federal law in place.

This VPN App Sent User Data to China

According to a 2019 report on VPN apps, downloads of these apps have increased 54%. But people need to be careful which VPN app they use. The most popular app, called VPN – Super Unlimited, sent user data to China. But its privacy policy made no secret of this.

We regularly collect and use information that could identify an individual, in particular about your purchase or use of our products, services, mobile and software applications and websites… We use various technologies to determine [your] location, including IP addresses, GPS, and other sensors.

The VPN apps I wrote about are all safe (or at least I personally believe them to be safe).

‘Chain of Trust’ on Apple Devices Explained

In computer security, a ‘chain of trust’ is when each component of hardware and software validates each other to make sure they haven’t been compromised. Kirk McElhearn explains the chain of trust on Apple devices.

It all begins with your Apple ID. When you create a new Apple ID on Apple’s website, or on a device you own, you provide your name, birthday, and email address, set up a password, then answer three security questions. You verify your email address, and your Apple ID now allows you to use Apple’s services.
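On the hardware side, the chain of trust described above starts in the Boot ROM, which can never be updated and holds the root of trust that every later stage is checked against before it runs. The Python below is an added, deliberately simplified model of that idea, not Apple's implementation: real secure boot verifies signatures against a root public key, whereas this toy chain anchors each stage with a SHA-256 digest embedded in the stage before it. The stage names and firmware bytes are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Stage:
    """One link in the boot chain: the stage's own code plus the digest it
    expects from the stage it hands off to (None for the last stage)."""
    name: str
    code: bytes
    next_digest: Optional[bytes]

    def digest(self) -> bytes:
        """The digest covers the embedded next_digest as well, so the next
        stage cannot be swapped without changing this stage's own digest."""
        h = hashlib.sha256()
        h.update(self.name.encode())
        h.update(self.code)
        h.update(self.next_digest or b"")
        return h.digest()


def build_chain(stages: List[Tuple[str, bytes]]) -> List[Stage]:
    """Build last-to-first so each stage can embed its successor's digest."""
    chain: List[Stage] = []
    next_digest: Optional[bytes] = None
    for name, code in reversed(stages):
        stage = Stage(name, code, next_digest)
        chain.insert(0, stage)
        next_digest = stage.digest()
    return chain


def verify_boot(rom_digest: bytes, chain: List[Stage]) -> Tuple[bool, str]:
    """Walk the chain the way a boot ROM would: the ROM's immutable digest
    anchors the first stage, and each verified stage anchors the next.
    Returns (ok, name of the last verified stage or of the failing one)."""
    expected = rom_digest
    reached = ""
    for stage in chain:
        if not hmac.compare_digest(stage.digest(), expected):
            return False, stage.name
        reached = stage.name
        if stage.next_digest is None:
            break  # final stage, nothing left to hand off to
        expected = stage.next_digest
    return True, reached


def tamper(chain: List[Stage], index: int, new_code: bytes) -> List[Stage]:
    """Copy of the chain with one stage's code replaced in place, leaving the
    other stages (and the digests they embed) untouched."""
    copy = list(chain)
    s = copy[index]
    copy[index] = Stage(s.name, new_code, s.next_digest)
    return copy


# Constructed toy firmware images (not real Apple components).
GOOD_CHAIN = build_chain([
    ("loader-stage1", b"low level loader v1"),
    ("loader-stage2", b"kernel loader v1"),
    ("kernel", b"kernel image v1"),
])
# What the ROM would have burned in at manufacture: anchors the whole chain.
ROM_DIGEST = GOOD_CHAIN[0].digest()

if __name__ == "__main__":
    print(verify_boot(ROM_DIGEST, GOOD_CHAIN))
    print(verify_boot(ROM_DIGEST, tamper(GOOD_CHAIN, 2, b"modified kernel")))
```

The useful property to notice is that an attacker cannot "repair" the chain from below: replacing the kernel and consistently rebuilding every digest above it still produces a first stage whose digest no longer matches the one in ROM.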

Would Apple Leave Russia Over Device Ban?

Russia just passed a law, taking effect in July 2020, that would ban the sale of devices that don’t come pre-installed with Russian software. This obviously butts up against the integrity of iOS. Would Apple have the “courage” to leave the country if the Kremlin tried to force them to install their surveillance software? Because of course it’s for surveillance. Why else would a government meddle with device makers in this way?

The law will not mean devices from other countries cannot be sold with their normal software – but Russian “alternatives” will also have to be installed.

The legislation was passed by Russia’s lower house of parliament on Thursday. A complete list of the gadgets affected and the Russian-made software that needs to be pre-installed will be determined by the government.

Mozilla Unveils 2019 Privacy Not Included Gift Guide

Mozilla announced its third annual 2019 *Privacy Not Included gift guide to highlight gadgets and toys that are secure, and ones that aren’t secure.

This year we found that many of the big tech companies like Apple and Google are doing pretty well at securing their products, and you’ll see that most products in the guide meet our Minimum Security Standards. But don’t let that fool you. Even though devices are secure, we found they are collecting more and more personal information on users, who often don’t have a whole lot of control over that data.

Google doing well at securing its products.

Need the Tor Browser on iOS? Try Onion Browser

Need a Tor browser on iOS? Onion Browser is the only iOS app recommended on the Tor Project’s website. Starting out at the U.S. Naval Research Lab, Tor is a special network that helps people browse the internet with as much privacy as possible. You should note there are a couple of security advisories on its website:

WebRTC/Media leaks: Due to iOS limitations, WebRTC and media files leak outside of Tor and are routed over the normal internet. This will reveal your real IP address to sites using these features. (If you are using a VPN, the VPN IP address is revealed instead.) To defend against this, you may set Strict security mode in Host Settings, which will disable Javascript. More information here.

OCSP leak: Visiting EV “Green Bar” HTTPS sites may leak information that can be used to reveal the domain name of the website you are visiting. This is handled within iOS and cannot be changed by Onion Browser. There is no known workaround. A detailed report can be found here.

App Store: Free

FBI Draft Resolution Calls for End-to-End Encryption Ban

An FBI draft resolution for Interpol calls for a ban on end-to-end encryption. It’s for Interpol’s 37th Meeting of the INTERPOL Specialists Group on Crimes Against Children.

A draft of the resolution viewed by Ars Technica stated that INTERPOL would “strongly urge providers of technology services to allow for lawful access to encrypted data enabled or facilitated by their systems” in the interest of fighting child sexual exploitation. Currently, it is not clear whether Interpol will ultimately issue a statement.

Remember when I mentioned the Four Horsemen of the Infocalypse? Terrorists, drug dealers, pedophiles, and organized crime: four fears used to push an agenda. I know it’s a delicate issue. These groups are definitely ones that the majority of society would want to stop. But removing end-to-end encryption for everyone isn’t the way to do that.

iVerify Can Detect if Your iPhone has Been Jailbroken

iVerify is a security toolkit for iPhones and iPads. It can check the security of your device to see if modifications have taken place, such as jailbreaking or other forms of hacking. It also has a Safari content blocker.

iVerify is your personal security toolkit. Use iVerify to manage the security of your iOS device and detect modifications to your smartphone. iVerify makes it easy to manage the security of your accounts and online presence with simple instructional guides.

I’m curious to see how long it will last. I’ve used two similar apps in the past that offered the same modification detection, but both were removed from the App Store. I don’t know if it was Apple’s doing or if each company independently removed it. App Store: US$4.99