Cellebrite Now Uses iOS Exploit Checkm8

· · Link

Checkm8 is an iPhone flaw in the bootrom that can lead to a jailbreak. It can’t be patched via software, and it affects the iPhone 4s through iPhone X. But attackers need physical access to your device, and the jailbreak can only be tethered, meaning that if the iPhone is restarted it disappears.

The Cellebrite UFED team is working quickly to provide users with support for the above-mentioned scenario.  This will be included with the launch of our iOS extraction agent in an upcoming release. The team is committed to providing a comprehensive, forensically-sound solution that adheres to Cellebrite’s high standards, is fully tested, and is admissible in court.

Speaking about recent rumors, if Apple did remove the Lightning port from future iPhones, I wonder if it would defeat companies like Cellebrite. I’m not sure if they could still extract data via the wireless charger.

Defense Department: We Need That Encryption You Want to Break

· · Link

Everyone from the Department of Justice, the FBI, and politicians like Senator Lindsey Graham are attacking encryption, calling for backdoors for the “public good.” But people who understand security are cautioning against such a move. This week Representative Ro Khanna forwarded a letter to Lindsay Graham from the Defense Department’s Chief Information Officer Dana Deasy.

As the use of mobile devices continues to expand, it is imperative that innovative security techniques, such as advanced encryption algorithms, are constantly maintained and improved to protect DoD information and resources. The Department believes maintaining a domestic climate for state of the art security and encryption is critical to the protection of our national security.

Senator Lindsey Graham to ‘Impose His Will’ on Encryption Backdoors

· · Link

Apple and Facebook representatives met with lawmakers today where senators pushed for the companies to compromise their users’ security by including encryption backdoors. In particular, Sen. Lindsey Graham said:

My advice to you is to get on with it. Because this time next year, if we haven’t found a way that you can live with, we will impose our will on you.

“Encryption backdoors for thee, but not for me.”

Yubico Authenticator iOS App Now Supports NFC

· · Link

While Yubico has a security key that plugs into your iPhone via Lightning, the app also supports NFC YubiKeys now.

Instead of storing the time-based one-time passcodes on a mobile phone or computer, Yubico Authenticator generates and stores one-time codes on the YubiKey. A user must present their physical key in order to receive the code for login. This not only eliminates security vulnerabilities associated with a multi-purpose computing device, but also offers an added layer of convenience for users that work between various machines.

This VPN App Sent User Data to China

· · Link

According to a report of VPN apps for 2019, downloads of these apps has increased 54%. But people need to be careful which VPN app they use. The most popular app called VPN – Super Unlimited sent user data to China. But it’s privacy policy made no secret of this.

We regularly collect and use information that could identify an individual, in particular about your purchase or use of our products, services, mobile and software applications and websites… We use various technologies to determine [your] location, including IP addresses, GPS, and other sensors.

The VPN apps I wrote about are all safe (or at least I personally believe them to be safe).

‘Chain of Trust’ on Apple Devices Explained

· · Link

In computer security, a ‘chain of trust’ is when each component of hardware and software validates each other to make sure they haven’t been compromised. Kirk McElhearn explains the chain of trust on Apple devices.

It all begins with your Apple ID. When you create a new Apple ID on Apple’s website, or on a device you own, you provide your name, birthday, and email address, set up a password, then answer three security questions. You verify your email address, and your Apple ID now allows you to use Apple’s services.

Would Apple Leave Russia Over Device Ban?

· · Link

TMO's Dramatic Reenactment of a Typical Russian Hacker

Going into effect on July 2020, Russia just passed a law that would ban the sale of devices that don’t come pre-installed with Russian software. This obviously butts up against the integrity of iOS. Would Apple have the “courage” to leave the country if the Kremlin tried to force them to install their surveillance software? Because of course it’s for surveillance. Why else would a government meddle with device makers in this way?

The law will not mean devices from other countries cannot be sold with their normal software – but Russian “alternatives” will also have to be installed.

The legislation was passed by Russia’s lower house of parliament on Thursday. A complete list of the gadgets affected and the Russian-made software that needs to be pre-installed will be determined by the government.

Mozilla Unveils 2019 Privacy Not Included Gift Guide

· · Link

Mozilla announced its third annual 2019 *Privacy Not Included gift guide to highlight gadgets and toys that are secure, and ones that aren’t secure.

This year we found that many of the big tech companies like Apple and Google are doing pretty well at securing their products, and you’ll see that most products in the guide meet our Minimum Security Standards. But don’t let that fool you. Even though devices are secure, we found they are collecting more and more personal information on users, who often don’t have a whole lot of control over that data.

Google doing well at securing its products.

Need the Tor Browser on iOS? Try Onion Browser

· · Cool Stuff Found

Need a Tor browser on iOS? Onion Browser is the only iOS app recommended on the Tor Project’s website. Starting out at the U.S. Naval Research Lab, Tor is a special network that helps people browse the internet with as much privacy as possible. You should note there are a couple of security advisories on its website: WebRTC/Media leaks: Due to iOS limitations, WebRTC and media files leak outside of Tor and are routed over the normal internet. This will reveal your real IP address to sites using these features. (If you are using a VPN, the VPN IP address is revealed instead.) To defend against this, you may set Strict security mode in Host Settings, which will disable Javascript. More information here. OCSP leak: Visiting EV “Green Bar” HTTPS sites may leak information that can be used to reveal the domain name of the website you are visiting. This is handled within iOS and cannot be changed by Onion Browser. There is no known workaround. A detailed report can be found here. App Store: Free

Need the Tor Browser on iOS? Try Onion Browser

FBI Draft Resolution Calls for End-to-End Encryption Ban

· · Link

An FBI draft resolution for Interpol calls for a ban on end-to-end encryption. It’s for Interpol’s 37th Meeting of the INTERPOL Specialists Group on Crimes Against Children.

A draft of the resolution viewed by Ars Technica stated that INTERPOL would “strongly urge providers of technology services to allow for lawful access to encrypted data enabled or facilitated by their systems” in the interest of fighting child sexual exploitation. Currently, it is not clear whether Interpol will ultimately issue a statement.

Remember when I mentioned the Four Horses of the Infocalypse? Terrorists, drug dealers, pedophiles, and organized crime. Four fears to use as a way to push their agenda. I know it’s a delicate issue. These groups are definitely ones that the majority of society would want to stop. But removing end-to-end encryption for everyone isn’t the way to do that.

iVerify Can Detect if Your iPhone has Been Jailbroken

· · Cool Stuff Found

iVerify is a security toolkit for iPhones and iPads. It can check the security of your device to see if modifications have taken place, such as jailbreaking or other forms of hacking. It also has a Safari content blocker.

iVerify is your personal security toolkit. Use iVerify to manage the security of your iOS device and detect modifications to your smartphone. iVerify makes it easy to manage the security of your accounts and online presence with simple instructional guides.

I’m curious to see how long it will last. I’ve used two similar apps in the past that offered the same modification detection, but both were removed from the App Store. I don’t know if it was Apple’s doing or if each company independently removed it. App Store: US$4.99

iVerify Can Detect if Your iPhone has Been Jailbroken

macOS Mail Stores Encrypted Emails in Plain Text

· · Link

IT specialist Bob Gendler found that macOS Mail was storing encrypted emails in plain text. He first notified Apple on July 29, but only got a temporary fix from the company 99 days later on November 5.

The main thing I discovered was that the snippets.db database file in the Suggestions folder stored my emails. And on top of that, I found that it stored my S/MIME encrypted emails completely UNENCRYPTED. Even with Siri disabled on the Mac, it *still* stores unencrypted messages in this database!

Mr. Gendler shard a fix in his blog post.