IT Security Manager, NIST, Bob Gendler - BGM Interview

· John Martellaro · Background Mode Podcast

Bob Gendler on Background Mode

Bob Gendler is an IT Specialist in the Apple world and a Jamf guru. He holds a B.S. degree in Information Technology from the Rochester Institute of Technology. He is now part of the Mac Management team at NIST, the National Institute of Standards and Technology, in Washington, D.C.

From a very early age, Bob fell into the world of Apple starting with an Apple IIgs and, as a teenager, a Power Mac 6100. Quickly, as an undergraduate, his specialty became system administration, and, later, that served him well landing the job at NIST. Bob filled me in on his latest project, the “macOS Security Compliance Project,” and the security problem the community faced with macOS. Basically, the new GitHub project leverages a library of scriptable actions which are mapped to compliance requirements in existing security guides or used to develop customized guidance. Bob nicely explains this crucial tool, his team, and who would benefit.

Sorry, Catnip Won’t Protect You Against the Meow Attack

· Andrew Orr · Link

White cat looking at laptop screen

Over 1,000 insecure databases have been completely erased, and the attackers leave no trace except the word “meow.”

Since then, Meow and a similar attack have destroyed more than 1,000 other databases. At the time this post went live, the Shodan computer search site showed that 987 ElasticSearch and 70 MongoDB instances had been nuked by Meow. A separate, less-malicious attack tagged an additional 616 ElasticSearch, MongoDB, and Cassandra files with the string “university_cybersec_experiment.” The attackers in this case seem to be demonstrating to the database maintainers that the files are vulnerable to being viewed or deleted.

Better erased than breached, right?

DNA Company ‘GEDmatch’ Hacked in Data Breach

· Andrew Orr · Link

Image containing the words “data breach”

First, over a million DNA profiles from GEDmatch were leaked. Then, email addresses from the breach were used in a phishing attack against users of genealogy website MyHeritage.

As a result of this breach, all user permissions were reset, making all profiles visible to all users. This was the case for approximately 3 hours. During this time, users who did not opt in for law enforcement matching were available for law enforcement matching and, conversely, all law enforcement profiles were made visible to GEDmatch users.

If GEDmatch sounds familiar, it was the DNA database used to identify the Golden State Killer.

Kingston Now Sells 128GB Encrypted Flash Drives

· Andrew Orr · Cool Stuff Found

Kingston has added 128GB capacities to its line of encrypted flash drives. The announcement lists several drives, like the DataTraveler Locker+ G3, DataTraveler Vault Privacy 3.0, and DataTraveler 4000G2 (Available July 27). Richard Kanadjian, encrypted USB drive business manager, Kingston: “Within our full line of encrypted drives, we offer high levels of encryption, fast USB 3.0 performance and after 10 intrusion attempts, the drives lock down so users can rest assured their data is safe.”

Kingston Now Sells 128GB Encrypted Flash Drives

Big Twitter Accounts Like Apple, Elon Musk, Bill Gates, Were Hacked

· Andrew Orr · Link

Alert symbol of an exclamation point inside triangle

Major Twitter accounts were hacked today, reports Kevin Truong. Accounts like Apple, Bill Gates, Elon Musk, Uber, and others were the victim of a hacking campaign that involved bitcoin.

Events kicked off when the Twitter accounts for major cryptocurrency platforms Coinbase, Gemini, and Binance, among others, all put out tweets minutes apart stating they had partnered up with an organization called CryptoForHealth and that they would be “giving back 5000 BTC to the community.” The tweets all included a link to a site that has been tagged by Google and Cloudflare as a phishing site […]

Most of the tweets have been removed already. Apple’s Twitter account appears to be entirely wiped of tweets.

A fascinating hack that clearly took advantage of Twitter vulnerabilities. But I’d also like to point out that Apple has never actually tweeted, so there wasn’t much to wipe.

iOS 14: How to Create an Apple ID Recovery Key

· Andrew Orr · How-To

Apple key icon

An Apple ID recovery key is an extra layer of security for your account. But you can be permanently locked out if you lose it, so be careful.

Secret Service Warns of Hacking Increase to Managed Service Providers

· Andrew Orr · Link

Image of locks to suggest security and encryption

The U.S. Secret Service sent out a security alert to warn of an increase in hacking to Managed Service Providers. These provide remote management software for companies, like file-sharing systems.

In a security alert sent out on June 12, Secret Service officials said their investigations team (GIOC — Global Investigations Operations Center) has been seeing an increase in incidents where hackers breach MSP solutions and use them as a springboard into the internal networks of the MSP’s customers.

Safari 14 Adds Face ID, Touch ID to FIDO Logins

· Andrew Orr · Product News

Touch ID fingerprint icon

A feature coming to Safari 14 later this year involves logging into websites with Face ID and Touch ID through the Web Authentication API.

‘Lawful Access to Encrypted Data Act’ is Latest Encryption Attack

· Andrew Orr · Link

Senators Lindsey Graham (R-South Carolina), Tom Cotton (R-Arkansas) and Marsha Blackburn (R-Tennessee) introduced the Lawful Access to Encrypted Data Act yesterday. It seeks to bring back the Crypto Wars of the 1990s by crippling encryption with the introduction of backdoors.

Yet increasingly, technology providers are deliberately designing their products and services so that only the user, and not law enforcement, has access to content – even when criminal activity is clearly taking place.  This type of “warrant-proof” encryption adds little to the security of the communications of the ordinary user, but it is a serious benefit for those who use the internet for illicit purposes.

”Adds little to the security of the communications of the ordinary user.” That’s the level of contempt these people have for the rest of us.

Dashlane Family Plans Arrive for Customers

· Andrew Orr · Cool Stuff Found

TDashlane Family Plans are here, the company announced today. Two offerings provide password management for up to six family members. Premium Family is US$7.49/month and gives you features like dark web monitoring, VPN service, two-factor authentication, personalize security alerts, and more. Premium Plus Family is US$14.99 and gives you the features of Premium Family with three additions: Credit monitoring, identity restoration support, and identity theft insurance.

Dashlane Family Plans Arrive for Customers

NSO Group Tools Used to Hack Journalist Omar Radi’s iPhone

· Andrew Orr · Link

Generic image displaying the word hacked.

An investigation from Amnesty International reveals that NSO Group tools were used to target human rights journalist Omar Radi via his iPhone.

Through our investigation we were able to confirm that his phone was targeted and put under surveillance during the same period he was prosecuted. This illustrates how human rights defenders (HRDs) may often have to deal with the twin challenges of digital surveillance alongside other tactics of criminalisation at the hands of Moroccan authorities leading to a shrinking space for dissent.

The same NSO Group that hopes to woo American law enforcement with its dazzlingly array of hacking tools.

‘Bundlore’ Adware Targets Macs With Updated Safari Extensions

· Andrew Orr · Link

Alert symbol of an exclamation point inside triangle

A report from Sophos today reveals a wave of adware belonging to the Bundlore family that targets macOS. Bundlore is one of the most common bundlware installers for macOS, accounting for almost 7% of attacks detected by Sophos.

This installer carried a total of seven “potentially unwanted applications” (PUAs)—including three that targeted the Safari web browser for the injection of ads, hijacking of download links, and redirecting of search queries for the purpose of stealing users’ clicks to generate income. The injected content in at least one case was used for malvertising—popping up a malicious ad that prompted the download of a fake Adobe Flash update.