Apple recently created an open source project to help developers of password managers collaborate with websites to create strong passwords for users.
Security
Dropbox Introduces Password Manager With Zero-Knowledge Encryption
The Dropbox password manager can be found on the App Store, offering zero-knowledge encryption to paid Dropbox subscribers.
Google Adds Support for WebAuthn on Apple Devices
Google is adding security features for people who use Google accounts on Apple devices to give you more options for physical security keys.
Security Researcher Believes Mac Backdoor ‘Tiny Shell’ Still Being Used
Mac security researcher Jaron Bradley says he believes hackers are still using an open source macOS backdoor called “Tiny SHell.”
Tinyshell is an open source tool that operates like a shady version of SSH. It’s been a while since I’ve encountered a new sample, but I fully believe attackers are still out there using it. If you watched the Macdoored talk then you’ve seen what attackers are doing “post mortem” with this tool. However, no technical details have been discussed about the malware itself.
Amtrak Data Breach Affects Guest Rewards Accounts
Discovered on April 16, 2020, Amtrak suffered a data breach that affects its Amtrak Guest Rewards accounts.
The attack vector involved was compromised usernames and passwords, which may suggest the use of credentials previously leaked or stolen, or the use of brute-force methods.
Amtrak says that some personal information was viewable, although the company has not specifically said what data may have been compromised. However, Amtrak was keen to emphasize that Social Security numbers, credit card information, and other financial data were not involved in the data leak.
iOS 13.5.1 is Out Today With Security Patches
Today Apple released a 13.5.1 OS update for iPhones and iPads. It contains important security patches, although details aren’t yet known about what was patched.
Patched Sign In with Apple Zero Day Netted Hacker $100,000
Security researcher Bhavuk Jain found a zero-day vulnerability in Sign In with Apple in April. Apple has already patched it.
Security Friday, Apple Card Updates – TMO Daily Observations 2020-05-29
Andrew Orr joins host Kelly Guimont to discuss Security Friday news and some updates to Apple Card data in the Wallet app.
Roberto Escobar Sues Apple for $2.6B Over iPhone Security
Roberto Escobar, brother of Pablo Escobar, is suing Apple for US$2.6 billion. He claims someone hacked his iPhone and found his email through FaceTime. As a way to fight the company he’s also launching a limited edition iPhone 11 Pro 256GB, gold plated, for US$499.
According to the lawsuit, obtained by TMZ, Pablo’s brother bought an iPhone X back in April 2018, and he claims the security promise fell horribly flat. One year after buying the X, Roberto claims he got a life-threatening letter from someone named Diego, who said he found Roberto’s address through FaceTime.
In the suit, Roberto says he conducted his own investigation after receiving the letter, and found his iPhone had been compromised due to a FaceTime vulnerability.
Go to Settings > FaceTime. You can choose which address and phone number you let people contact you with, if you have multiple numbers and emails associated with your Apple ID. This won’t stop people from obtaining your address elsewhere.
Jamf Protect Adds Malware Prevention and Unified Log Forwarding
Today Jamf is adding new capabilities to its Jamf Protect product. The update adds malware prevention and unified log forwarding.
Bluetooth ‘BIAS’ Attack Affects Some Apple Devices
The Bluetooth Special Interest Group reported today an update to the Bluetooth Core Specification to stop Bluetooth BIAS attacks.
Zerodium Pauses Purchases of iOS Exploits
Zerodium is temporarily suspending its purchasing of iOS exploits due to a high number of submissions, with the CEO saying “iOS security is f**ked.”
Zerodium is an exploit acquisition platform that pays researchers for zero-day security vulnerabilities and then sells them to institutional customers like government organizations and law enforcement agencies. The company focuses on high-risk vulnerabilities, normally offering between $100,000 and $2 million per fully functional iOS exploit.
Adobe Acrobat Reader Flaw Lets Malicious Programs Get Root Privileges
Adobe Acrobat Reader DC patched three serious vulnerabilities today for macOS. Update as soon as possible by going to the menu bar.
Researcher Finds 7 Vulnerabilities in Intel Thunderbolt Chips
Researcher Björn Ruytenberg found 7 vulnerabilities in Intel Thunderbolt chips. Critically, an attacker needs physical access to the machine.
Security Friday, Animal Crossing – TMO Daily Observations 2020-05-08
Andrew Orr joins host Kelly Guimont for a Security Friday News Roundup of items, and then a discussion of Nintendo’s new Animal Crossing game.
Lazarus Group’s Dacls RAT Affects Macs for the First Time
Security researcher Patrick Wardle writes that the Lazarus group’s RAT malware is targeting macOS for the first time. Malwarebytes also published a report (the source of my quote below). It was found to be distributed with a two-factor authentication app called MinaOTP, commonly used by Chinese users.
We believe this Mac variant of the Dacls RAT is associated with the Lazarus group, also known as Hidden Cobra and APT 38, an infamous North Korean threat actor performing cyber espionage and cyber-crime operations since 2009.
The group is known to be one of the most sophisticated actors, capable of making custom malware to target different platforms. The discovery of this Mac RAT shows that this APT group is constantly developing its malware toolset.
The conclusion I’m drawing is that it’s unlikely to affect most Mac users.
Hacker Bribed Roblox Insider to Access Kids’ Data
Motherboard reports that a hacker had bribed a Roblox insider to access the data of over 100 million users.
“I did this only to prove a point to them,” the hacker told Motherboard in an online chat. Motherboard granted the hacker anonymity to speak more candidly about a criminal incident.
Beyond just viewing user data, the hacker was able to reset passwords and change user data too […] The hacker said they changed the password for two accounts and sold their items. One of the screenshots appears to show the successful change of two-factor authentication settings […]
Proving a point my a**. This person tried to claim a bug bounty from Roblox. They denied it because he/she acted “more maliciously than a legitimate security researcher.” He messed with the accounts after denial, so his point was revenge.
Update: A Roblox spokesperson informed me that only a small number of customers were affected, not 100 million, and immediate action was taken to address the issue. Additionally, it was a Roblox insider and not an employee.
Contact Tracing Origin Story – TMO Daily Observations 2020-04-29
Andrew Orr and Charlotte Henry join host Kelly Guimont to discuss the latest on Contact Tracing and how Apple and Google teamed up.
Zoom Security Tips – TMO Daily Observations 2020-04-28
Charlotte Henry joins host Kelly Guimont to discuss newly everywhere meeting service Zoom, and how hosts and attendees can stay safe.
Netatmo Smart Indoor Security Camera Patched After Security Issue Found
Following an investigation by PCMag and Bitdefender, a patch has been issued for the Netatmo Smart Indoor Security Camera.
The Bitdefender IoT Vulnerability Research Team discovered that the device is susceptible to an authenticated file write that leads to command execution (CVE-2019-17101), as well as to a privilege escalation via dirtyc0w—a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel’s memory-management subsystem.
Many smart home devices are notoriously insecure, and this is the main reason why I don’t have any of them (besides my robot vacuum, but I explained my reasoning).
Data Privacy vs Data Security – TMO Daily Observations 2020-04-22
Bryan Chaffin, John Martellaro, AND Charlotte Henry join host Kelly Guimont to discuss the Apple/Google teamup and how that affects our data.
‘Insomnia’ iOS Exploit Used to Target Uyghurs in China
An iOS exploit called Insomnia was used between January and March 2020 to spy on Uyghurs in China using apps like Signal and ProtonMail.
iPhone Zero Day Found, Will Be Patched in iOS 13
An iPhone zero day has been found in the wild that takes advantage of two vulnerabilities in the Mail app. It’s currently unpatched in the public release of iOS.
Interview with Gary Orenstein of Bitwarden – TMO Daily Observations 2020-04-17
Kelly sits down with Bitwarden’s Gary Orenstein to talk about their password manager and how it can be both open source AND secure software. Learn more about setting up passwords and why it matters on Security Friday!