Safari 14 Adds Face ID, Touch ID to FIDO Logins

· Andrew Orr · Product News

Touch ID fingerprint icon

A feature coming to Safari 14 later this year involves logging into websites with Face ID and Touch ID through the Web Authentication API.

‘Lawful Access to Encrypted Data Act’ is Latest Encryption Attack

· Andrew Orr · Link

Senators Lindsey Graham (R-South Carolina), Tom Cotton (R-Arkansas) and Marsha Blackburn (R-Tennessee) introduced the Lawful Access to Encrypted Data Act yesterday. It seeks to bring back the Crypto Wars of the 1990s by crippling encryption with the introduction of backdoors.

Yet increasingly, technology providers are deliberately designing their products and services so that only the user, and not law enforcement, has access to content – even when criminal activity is clearly taking place.  This type of “warrant-proof” encryption adds little to the security of the communications of the ordinary user, but it is a serious benefit for those who use the internet for illicit purposes.

”Adds little to the security of the communications of the ordinary user.” That’s the level of contempt these people have for the rest of us.

Dashlane Family Plans Arrive for Customers

· Andrew Orr · Cool Stuff Found

TDashlane Family Plans are here, the company announced today. Two offerings provide password management for up to six family members. Premium Family is US$7.49/month and gives you features like dark web monitoring, VPN service, two-factor authentication, personalize security alerts, and more. Premium Plus Family is US$14.99 and gives you the features of Premium Family with three additions: Credit monitoring, identity restoration support, and identity theft insurance.

Dashlane Family Plans Arrive for Customers

NSO Group Tools Used to Hack Journalist Omar Radi’s iPhone

· Andrew Orr · Link

Generic image displaying the word hacked.

An investigation from Amnesty International reveals that NSO Group tools were used to target human rights journalist Omar Radi via his iPhone.

Through our investigation we were able to confirm that his phone was targeted and put under surveillance during the same period he was prosecuted. This illustrates how human rights defenders (HRDs) may often have to deal with the twin challenges of digital surveillance alongside other tactics of criminalisation at the hands of Moroccan authorities leading to a shrinking space for dissent.

The same NSO Group that hopes to woo American law enforcement with its dazzlingly array of hacking tools.

‘Bundlore’ Adware Targets Macs With Updated Safari Extensions

· Andrew Orr · Link

Alert symbol of an exclamation point inside triangle

A report from Sophos today reveals a wave of adware belonging to the Bundlore family that targets macOS. Bundlore is one of the most common bundlware installers for macOS, accounting for almost 7% of attacks detected by Sophos.

This installer carried a total of seven “potentially unwanted applications” (PUAs)—including three that targeted the Safari web browser for the injection of ads, hijacking of download links, and redirecting of search queries for the purpose of stealing users’ clicks to generate income. The injected content in at least one case was used for malvertising—popping up a malicious ad that prompted the download of a fake Adobe Flash update.

Zoom Backtracks, Will Give Free Users Encryption Protection

· Andrew Orr · Link

Zoom logo

After a lot of negative attention from press and privacy advocates, Zoom has backtracked on its stance. It will provide free users with end-to-end encryption, a feature previously limited to paying customers.

The company said that free users will have to verify themselves with a phone number in a one-time process. It claimed that this will stop bad actors from creating multiple abusive accounts.

Zoom is also releasing an updated design of its end-to-end encryption solution on GitHub that intends to achieve a balance between “the legitimate right of all users to privacy and the safety of users.”

Good to see Zoom do this.

New: The macOS Security Compliance Project

· John Martellaro · Product News

macOS Catalina

The objective of this project is to develop an extensible, modern approach to security guidance that can be used by any organization to adhere to security compliance frameworks and policy. Project outputs include scripts, documentation, and configuration profile payloads

Facebook Helped Hack ‘Tails’ OS to Catch a Child Predator

· Andrew Orr · Link

Generic image displaying the word hacked.

A report today from Motherboard details how Facebook and the FBI used a zero-day exploit for privacy OS Tails to catch a child predator. The reason I’m specifically linking to it is because of this paragraph:

Facebook told Motherboard that it does not specialize in developing hacking exploits and did not want to set the expectation with law enforcement that this is something it would do regularly. Facebook says that it identified the approach that would be used but did not develop the specific exploit, and only pursued the hacking option after exhausting all other options.

That is a slippery slope argument that will be used by politicians, like how Apple does what it can to help the FBI get into terrorists’ iPhones. “But you helped them before, why not again?” More fuel on the EARN IT fire.

IBM Releases Homomorphic Encryption Toolkit for iOS, macOS

· Andrew Orr · Link

Generic image of data

IBM has released a toolkit for iOS and macOS to help developers to easily add homomorphic encryption into their programs.

While the technology holds great potential, it does require a significant shift in the security paradigm. Typically, inside the business logic of an application, data remains decrypted, Bergamaschi explained. But with the implementation of FHE, that’s no longer the case — meaning some functions and operations will change.

In other words, “There will be a need to rewrite parts of the business logic,” Bergamaschi said. “But the security that you gain with that, where the data is encrypted all the time, is very high.”

If you haven’t added homomorphic encryption to your technology watch list, be sure to do so. As I wrote in the past, this type of encryption lets a company perform computations on data while still keeping that data encrypted.

Apple Launches Open Source Password Project

· Andrew Orr · Product News

Apple key icon

Apple recently created an open source project to help developers of password managers collaborate with websites to create strong passwords for users.

Security Researcher Believes Mac Backdoor ‘Tiny Shell” Still Being Used

· Andrew Orr · Link

Alert symbol of an exclamation point inside triangle

Mac security researcher Jaron Bradley says he believes hackers are still using an open source macOS backdoor called “Tiny SHell.”

Tinyshell is an open source tool that operates like a shady version of SSH. It’s been a while since I’ve encountered a new sample, but I fully believe attackers are still out there using it. If you watched the Macdoored talk then you’ve seen what attackers are doing “post mortem” with this tool. However, no technical details have been discussed about the malware itself.

Amtrak Data Breach Affects Guest Rewards Accounts

· Andrew Orr · Link

Image containing the words “data breach”

Discovered on April 16, 2020, Amtrak suffered a data breach that affects its Amtrak Guest Rewards accounts.

The attack vector involved was compromised usernames and passwords, which may suggest the use of credentials previously leaked or stolen, or the use of brute-force methods.

Amtrak says that some personal information was viewable, although the company has not specifically said what data may have been compromised. However, Amtrak was keen to emphasize that Social Security numbers, credit card information, and other financial data was not involved in the data leak.

iOS 13.5.1 is Out Today With Security Patches

· Andrew Orr · Product News

Image of apple’s settings app

Today Apple released a 13.5.1 OS update for iPhones and iPads. It contains important security patches although details aren’t yet known about what was patched.