This Data Breach is Equal to 469,000 War and Peace Books

Last month we heard of the Collection #1 data breach, which contained 773 million email addresses and 21 million passwords. Now, Collections #2-#5 are here.

Despite its unthinkable size, which was first reported by the German news site Heise.de, most of the stolen data appears to come from previous thefts, like the breaches of Yahoo, LinkedIn, and Dropbox. WIRED examined a sample of the data and confirmed that the credentials are indeed valid, but mostly represent passwords from years-old leaks.

As with any data breach, you can find out if your details have been leaked by visiting HaveIBeenPwned.com. My eBook copy of War and Peace is 1.8MB. The total size of the new breaches is 845GB, which equals 469,000 of those books.

Be Safe on the Internet With This Security Checklist

The Security Checklist is an open source list of resources designed to improve your online privacy and security. Check things off to keep track as you go.

This website provides a beginner’s checklist for staying safe on the internet. This website is the result of a conversation started during a recent episode of the Design Details Podcast and a subsequent tweet by Michael Knepprath.

This is a great website that Kelly Guimont pointed my way. Even if you’re a techie and have a handle on your online privacy, you should check this out too.

Security Researcher Won't Share macOS Keychain Bug

Security researcher Linus Henze found a macOS Keychain bug but won’t share it with Apple out of protest.

Henze has publicly shared legitimate iOS vulnerabilities in the past, so he has a track record of credibility. However, Henze is frustrated that Apple’s bug bounty program only applies to iOS, not macOS, and has decided not to release more information about his latest Keychain vulnerability.

It is odd that there isn’t a macOS bug bounty, but I think withholding security information isn’t the way to go.

U.S. Navy Needs to Destroy 2 Tons of Hard Drives

The U.S. Navy has issued a solicitation asking for an appropriate service to turn 4,000 pounds of storage devices into ash.

The information stored on these devices is highly sensitive, as evidenced by the physical security requirements set forth in the solicitation. The incineration facility must have “at the minimum, secure entry, 24-hour armed guards and 24/7 camera surveillance with recordable date and time capabilities.”

Any interested destruction service has to be located within 10 driving hours of the White Sands Missile Range.

Silicon Valley Needs Abusability Testing

Andy Greenberg writes that security isn’t enough for Silicon Valley. Companies should also adopt abusability testing.

It’s time for Silicon Valley companies to take the potential for unintended, malicious use of a product as seriously as they take its security. From Russian disinformation on Facebook, Twitter, and Instagram to YouTube extremism to drones grounding air traffic, Soltani argues that tech companies need to think not just in terms of protecting their own users, but what Soltani calls abusability: the possibility that users could exploit their tech to harm others, or the world.

In my cynical opinion, companies don’t care about whether their products could cause social harm. It’s all about money.

This Weird Trick Will Make Five Eyes Countries Hate You

Michael Grothaus argues that it’s the perfect time for Android iMessage thanks to Facebook’s plans to unify its messaging apps.

The iPhone maker’s messaging app is widely regarded as one of the best messaging apps ever, thanks to its clean, simple design, its ability to send and receive both encrypted iMessages and regular SMS text messages in the same interface, and its end-to-end encryption.

It’s not the first time this has been suggested, but I think Android iMessage would be great for users. We need an end-to-end encrypted messaging app from a company with a better track record than Facebook.

Google Investigation Shows Apple Was Right About Face ID

Take this with a grain of salt because this tweet is all I’ve seen about this. But David Ruddock of AndroidPolice mentioned a Google investigation trying to determine if certain types of fingerprint sensors are secure.

Another CES Story: I’ve heard Google is currently investigating whether current optical fingerprint sensor designs are secure enough to be used for TrustZone auth (mobile payments, banking apps, etc). There is real concern optical FPRs may be too easy to spoof.

Although facial recognition came to Android first, it was there for convenience as a way to unlock your device. But Apple added it for security, and it looks like they bet on the right horse.

Federal HTTPS Certificates Not Renewed Because of the Government Shutdown

The U.S. Government shutdown has affected a whole host of areas in the public sector. One that might not immediately spring to mind, but is rather important nevertheless, is federal HTTPS certificates. TechCrunch had a look into the issue and compiled a list of all the federal HTTPS certificates that have expired or are about to expire. It included domains that redirect to the Congressional Record and websites for agencies such as the Federal Energy Regulatory Commission. If you go to one of the sites with an already expired HTTPS certificate, such as disasterhousing.gov, you get a warning that the site might not be secure.

During the government shutdown, security experts noticed several federal websites were throwing back browser errors because the TLS certificate, which lights up your browser with “HTTPS” or flashes a padlock, had expired on many domains. And because so many federal workers have been sent home on unpaid leave — or worse, working without pay but trying to fill in for most of their furloughed department — expired certificates aren’t getting renewed. Renewing certificates doesn’t take much time or effort — sometimes just a click of a mouse. But some do cost money, and during a government shutdown, there isn’t any.

Collection 1 is a Massive New Data Breach

Troy Hunt, creator of the Have I Been Pwned? tool, wrote a blog post about the latest data breach called Collection 1.

Let’s start with the raw numbers because that’s the headline, then I’ll drill down into where it’s from and what it’s composed of. Collection #1 is a set of email addresses and passwords totaling 2,692,818,238 rows. It’s made up of many different individual data breaches from literally thousands of different sources.

To find out if your account credentials were leaked, visit haveibeenpwned.com.

EU Does not Have a Coordinated Plan to Fight Election Hacking

LONDON – The EU does not have an overall plan to deal with hackers seeking to disrupt its election in May 2019. According to a feature in Wired, each of the 27 states that will be in the EU when the election takes place is expected to secure the vote in its own country. Consequently, smaller member states could be left vulnerable, and cyber-attacks or disinformation could have a serious effect on the election results.

If a tiny member state is left to go it alone against Russia’s state-backed hacking teams and disinformation brigades, the makeup of the European Parliament could be engineered by a third-party state to tilt in its favor. The stakes are huge, and some say the EU hasn’t faced up to the enormity of the issue.

Bounty Hunter Successfully Tracked Down a Phone

AT&T, Sprint, and T-Mobile sell access to customers’ location data. As an experiment, Joseph Cox paid a bounty hunter to locate a phone, and it worked.

The bounty hunter did this all without deploying a hacking tool or having any previous knowledge of the phone’s whereabouts. Instead, the tracking tool relies on real-time location data sold to bounty hunters that ultimately originated from the telcos themselves, including T-Mobile, AT&T, and Sprint, a Motherboard investigation has found. These surveillance capabilities are sometimes sold through word-of-mouth networks.

The technology apparently works on all mobile networks, but there was some issue with Verizon. Shady practices like this are why we need an American GDPR, as well as a better FCC.

Find Out If Your Data Was Leaked With This Data Breach Tool

A data breach tool called Have I Been Pwned? is an app and website that helps you find out if your information was included in data breaches. It’s easy to use: just enter your email address. Have I Been Pwned? lets you search across multiple data breaches to see if your personal data was compromised by any of the big hacks on record. The app does no automatic collecting of private data; it lets you search among published databases and so-called pastes, keeps you updated in real time with push notifications when new breaches happen, and provides background on specific hacks with links to more information. The app has also been released as open source software on GitHub. App Store: Free