Corellium is a mobile device virtualization company that offers iOS and Apple’s apps in the cloud. Apple is suing the company for damages.
Security
Using Two-Factor Authentication on Old Apple Devices
Glenn Fleishman has a good tip on how to use Apple’s two-factor authentication on older devices that don’t support it.
But 2FA and outdated versions of Apple TV, iOS, and macOS don’t mix. You try to log in on those devices with your Apple ID and popups with codes may appear on other devices, but there’s no way to enter them on the piece of equipment from which you’re trying to log in. Fortunately, there’s a simple workaround.
I always forget about the manual method.
Battery/Email PSAs, Siri Spotify Teamup – TMO Daily Observations 2019-08-14
Andrew Orr and Charlotte Henry join host Kelly Guimont to talk about a couple of PSAs for Apple folks and how Siri and Spotify might team up.
Def Con 2019: Lightning Cables That Can Hack Your Computer
Security researcher “MG” presented some special Lightning cables at Def Con 2019 that can hack your computer.
News+: Don't Give Money to Ransomware Scammers
In the latest issue of PCMag, Max Eddy writes that you shouldn’t give money to ransomware attackers when they ask.
First, most cyberattacks—including ransomware—don’t last long. The command and control servers that issue the unlock commands and receive payment can be found and taken offline… In either case, anyone who has been infected and not paid the ransom can no longer get their system unlocked, even if they pay.
This is why keeping several backups is important: one online and one offline. And keep your operating system up to date with the latest security patches and improvements.
This is part of Andrew’s News+ series, where he shares a magazine every Friday to help people discover good content in Apple News+.
Online Payment Integrations Can Introduce Vulnerabilities
At Black Hat 2019, researcher Joshua Maddux found that security vulnerabilities can arise when websites add online payment integrations like Apple Pay. To be clear, he says it’s not an issue with Apple Pay itself, but rather how websites add it. And other third-party integrations can be similarly affected.
The flaws fit into a well-known type of vulnerability called “server side request forgery,” which allows attackers to bypass protections like firewalls to directly send commands to web applications. These vulnerabilities pose a real threat, and are regularly exploited in the wild. Most recently, they played a role in last month’s massive Capital One breach. Similarly, flexibility in how a website integrates Apple Pay potentially exposes its own backend infrastructure to unauthorized access.
Researchers Spoof Face ID Using Tape and Glasses
During the Black Hat 2019 conference, researchers demonstrated a way to spoof Face ID using nothing more than glasses and tape.
To launch the attack, researchers with Tencent tapped into a feature behind biometrics called “liveness” detection, which is part of the biometric authentication process that sifts through “real” versus “fake” features on people. It works by detecting background noise, response distortion or focus blur. One such biometrics tool that utilizes liveness detection is Face ID, which is designed and utilized by Apple for the iPhone and iPad Pro.
Apple Laptop Ports, Bug Bounty Program – TMO Daily Observations 2019-08-07
John Martellaro and Charlotte Henry join host Kelly Guimont to talk about port differentials on MacBook models and Apple’s macOS bug bounty.
Microsoft Launches Azure Security Lab and Doubles Bug Bounty
Announced at Black Hat 2019 today, Microsoft launched the Azure Security Lab, as well as doubling its top Azure bug bounty to US$40,000.
The Azure Security Lab takes the idea to the next level. It’s essentially a set of dedicated cloud hosts isolated from Azure customers so security researchers can test attacks against cloud scenarios. The isolation means researchers can not only research vulnerabilities in Azure, they can attempt to exploit them.
The Azure Security Lab isn’t open to the public — you have to apply. Microsoft is promising quarterly campaigns for targeted scenarios with added incentives, including exclusive swag. Security researchers will also be able to engage directly with Azure security experts.
Jamf Gets Native Mac Security With Digita Security
Enterprise Mac company Jamf has acquired Digita Security, bringing native Mac security to its platform.
Digita, a two-year-old startup, was founded by a team of security experts led by Patrick Wardle, whose background includes a decade as a Mac security researcher, seeking out vulnerabilities on the Mac, and time at the NSA where he honed his security research skills.
Patrick makes a lot of great Mac tools with Objective See that I recommend.
Capital One Hack: What We Know and What You Can Do
A Capital One hack was recently discovered, affecting over 100 million people. Here’s what we know, and what you can do to stay protected.
Google's Project Zero Finds 6 iOS 'Interactionless' Bugs
Google’s security team Project Zero recently found six “interactionless” iOS bugs. If sold on the black market they would be worth over US$5 million.
According to the researcher, four of the six security bugs can lead to the execution of malicious code on a remote iOS device, with no user interaction needed. All an attacker needs to do is to send a malformed message to a victim’s phone, and the malicious code will execute once the user opens and views the received item.
The fifth and sixth bugs, CVE-2019-8624 and CVE-2019-8646, can allow an attacker to leak data from a device’s memory and read files off a remote device, also with no user interaction.
Capital One Hack Affects Credit Card Customers
On July 19, Capital One discovered it had been hacked. The FBI arrested the hacker, but 100 million U.S. customers are affected.
The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.
What angers me the most about this is the fact that I had to read the news to learn what happened. As a Capital One customer I feel I should’ve been notified by email. Customers affected by this will get an email but I want a notification email as well. Maybe I’ll get five bucks like those affected by Equifax.
Louisiana Declares Cyber State of Emergency
The governor of Louisiana has declared a cybersecurity state of emergency after a series of attacks on school districts.
Stock Trader Robinhood Stored Passwords in Plaintext
Investment and stock trading app Robinhood recently admitted to storing user credentials like passwords in plaintext.
William Barr Wants You to Accept Encryption Backdoor Security Risks
U.S. Attorney General William Barr suggested that Americans should just accept encryption backdoor security risks (via TechCrunch).
Encryption Backdoor Risks
In a speech today, William Barr called on tech companies to help the federal government to access devices with a lawful order. In other words, ignore the security risks and put a backdoor into their…
NSO Group Tool Harvests Targeted iCloud Data
Israel-based NSO Group claims it can harvest iCloud data in targeted attacks. It’s said to be a version of the Pegasus spyware.
Attackers using the malware are said to be able to access a wealth of private information, including the full history of a target’s location data and archived messages or photos, according to people who shared documents with the Financial Times and described a recent product demonstration.
When questioned by the newspaper, NSO denied promoting hacking or mass-surveillance tools for cloud services, but didn’t specifically deny that it had developed the capability described in the documents.
Bluetooth Low Energy Flaw Affects Apple Devices
Researchers have discovered a Bluetooth Low Energy (BLE) flaw that affects Apple devices and exposes them to tracking and data leakage.
Keeper Password Manager 1-Year Subscription: $19.99
We have a deal on Keeper, a password manager for iOS, Mac, Android, Windows, and Linux. With Keeper’s password manager and vault, you can generate, store, and AutoFill strong passwords on all devices while securely storing private documents. It also supports multiple forms of 2FA, including TOTP, SMS, Touch ID, Face ID, and U2F security keys (e.g. YubiKey). A one-year subscription is $19.99 through our deal.
iOS 13 Password Bug Gives Unauthenticated Access in Settings
An iOS 13 password bug was discovered in the latest betas that gives unauthenticated access to Website & App Passwords in Settings.
As detailed by iDeviceHelp on YouTube, you can access all of the saved usernames and passwords in Settings by repeatedly tapping the “Website & App Passwords” menu and avoiding the Face ID or Touch ID prompt. After several tries, iOS 13 will show all of your passwords and logins, even if you never successfully authenticated with Face ID or Touch ID.
I haven’t been able to replicate the issue, but I’ll keep trying to see.
Apple's Security Evolution, iCloud VPN – TMO Daily Observations 2019-07-15
John Martellaro and Andrew Orr join host Kelly Guimont to talk about Apple’s balance of security and user freedom, and a new iCloud VPN idea.
iOS URL Scheme Open to Hijacking
The iOS URL Scheme is a way for apps to work around the sandbox limitations of the OS. But it can also be taken advantage of.
Apple Disables Walkie Talkie due to Bug
Apple has disabled the Walkie Talkie app on Apple Watch because of a vulnerability that could let someone secretly eavesdrop on your iPhone.
Apple Releases Mac Update to Remove Zoom Web Server
After the controversy surrounding Zoom and its hidden web server, Apple is pushing a hidden Mac update that removes it.