‘Chain of Trust’ on Apple Devices Explained

In computer security, a ‘chain of trust’ means that the hardware and software components validate each other to make sure they haven’t been compromised. Kirk McElhearn explains the chain of trust on Apple devices.

It all begins with your Apple ID. When you create a new Apple ID on Apple’s website, or on a device you own, you provide your name, birthday, and email address, set up a password, then answer three security questions. You verify your email address, and your Apple ID now allows you to use Apple’s services.

Would Apple Leave Russia Over Device Ban?

Russia just passed a law, going into effect in July 2020, that would ban the sale of devices that don’t come pre-installed with Russian software. This obviously butts up against the integrity of iOS. Would Apple have the “courage” to leave the country if the Kremlin tried to force them to install their surveillance software? Because of course it’s for surveillance. Why else would a government meddle with device makers in this way?

The law will not mean devices from other countries cannot be sold with their normal software – but Russian “alternatives” will also have to be installed.

The legislation was passed by Russia’s lower house of parliament on Thursday. A complete list of the gadgets affected and the Russian-made software that needs to be pre-installed will be determined by the government.

Mozilla Unveils 2019 Privacy Not Included Gift Guide

Mozilla announced its third annual 2019 *Privacy Not Included gift guide to highlight gadgets and toys that are secure, and ones that aren’t secure.

This year we found that many of the big tech companies like Apple and Google are doing pretty well at securing their products, and you’ll see that most products in the guide meet our Minimum Security Standards. But don’t let that fool you. Even though devices are secure, we found they are collecting more and more personal information on users, who often don’t have a whole lot of control over that data.

Google doing well at securing its products.

Need the Tor Browser on iOS? Try Onion Browser

Need a Tor browser on iOS? Onion Browser is the only iOS app recommended on the Tor Project’s website. Starting out at the U.S. Naval Research Lab, Tor is a special network that helps people browse the internet with as much privacy as possible. You should note there are a couple of security advisories on its website:

WebRTC/Media leaks: Due to iOS limitations, WebRTC and media files leak outside of Tor and are routed over the normal internet. This will reveal your real IP address to sites using these features. (If you are using a VPN, the VPN IP address is revealed instead.) To defend against this, you may set Strict security mode in Host Settings, which will disable JavaScript. More information here.

OCSP leak: Visiting EV “Green Bar” HTTPS sites may leak information that can be used to reveal the domain name of the website you are visiting. This is handled within iOS and cannot be changed by Onion Browser. There is no known workaround. A detailed report can be found here.

App Store: Free

FBI Draft Resolution Calls for End-to-End Encryption Ban

An FBI draft resolution for Interpol calls for a ban on end-to-end encryption. It’s for Interpol’s 37th Meeting of the INTERPOL Specialists Group on Crimes Against Children.

A draft of the resolution viewed by Ars Technica stated that INTERPOL would “strongly urge providers of technology services to allow for lawful access to encrypted data enabled or facilitated by their systems” in the interest of fighting child sexual exploitation. Currently, it is not clear whether Interpol will ultimately issue a statement.

Remember when I mentioned the Four Horses of the Infocalypse? Terrorists, drug dealers, pedophiles, and organized crime. Four fears to use as a way to push their agenda. I know it’s a delicate issue. These groups are definitely ones that the majority of society would want to stop. But removing end-to-end encryption for everyone isn’t the way to do that.

iVerify Can Detect if Your iPhone has Been Jailbroken

iVerify is a security toolkit for iPhones and iPads. It can check the security of your device to see if modifications have taken place, such as jailbreaking or other forms of hacking. It also has a Safari content blocker.

iVerify is your personal security toolkit. Use iVerify to manage the security of your iOS device and detect modifications to your smartphone. iVerify makes it easy to manage the security of your accounts and online presence with simple instructional guides.

I’m curious to see how long it will last. I’ve used two similar apps in the past that offered the same modification detection, but both were removed from the App Store. I don’t know if it was Apple’s doing or if each company independently removed it. App Store: US$4.99

macOS Mail Stores Encrypted Emails in Plain Text

IT specialist Bob Gendler found that macOS Mail was storing encrypted emails in plain text. He first notified Apple on July 29, but only got a temporary fix from the company 99 days later on November 5.

The main thing I discovered was that the snippets.db database file in the Suggestions folder stored my emails. And on top of that, I found that it stored my S/MIME encrypted emails completely UNENCRYPTED. Even with Siri disabled on the Mac, it *still* stores unencrypted messages in this database!

Mr. Gendler shared a fix in his blog post.

Google's OpenTitan Aims to Create an Open Source Secure Enclave

Google wants Android phones to have a Secure Enclave chip like iPhones. Its OpenTitan project aims to help design an open source one.

OpenTitan is loosely based on a proprietary root-of-trust chip that Google uses in its Pixel 3 and 4 phones. But OpenTitan is its own chip architecture and extensive set of schematics developed by engineers at lowRISC, along with partners at ETH Zurich, G+D Mobile Security, Nuvoton Technology, Western Digital, and, of course, Google.

The consortium will use community feedback and contributions to develop and improve the industry-grade chip design, while lowRISC will manage the project and keep suggestions and proposed changes from going live haphazardly.

You can view the OpenTitan GitHub repo here, but it’s not fully fleshed out yet.

Trump Cybersecurity Advisor Rudy Giuliani Probably Doesn't Know Much About Cybersecurity

I think it’s a safe assumption that Rudy Giuliani, named as Trump’s cybersecurity advisor, probably doesn’t know anything about cybersecurity. My evidence? He forgot the passcode to his own iPhone.

Giuliani showed up at the San Francisco store after being locked out of his iPhone, just 26 days after Trump named him cybersecurity adviser, NBC News reported Thursday, citing interviews with two sources and an internal Apple Store memo.

The former New York mayor had entered his passcode incorrectly 10 times and went to the store for help — a troubling move that suggests a sloppy approach to cybersecurity for someone so close to the president, experts said.

NordVPN Falls Victim to Credential-Stuffing Attack

About 2,000 NordVPN users have fallen victim to credential-stuffing attacks that let third parties access their accounts.

While it’s likely that some accounts are listed in multiple lists, the number of user accounts easily tops 2,000. What’s more, a large number of the email addresses in the list I received weren’t indexed at all by Have I Been Pwned, indicating that some compromised credentials are still leaking into public view. Most of the Web pages that host these credentials have been taken down, but at the time this post was going live, at least one remained available on Pastebin, despite the fact Ars brought it to NordVPN’s attention more than 17 hours earlier.

NordVPN emailed all the publishers that have reported on its hack. In my opinion the company has been trying to downplay it. We’ll see if its recent security measures will improve the service, or if it’s lip service.

Corellium Strikes Back Saying it Makes iPhones Safer

Apple filed a lawsuit against a company called Corellium. This company runs virtualization software that lets it emulate iOS. It responded to Apple’s lawsuit on Monday and said it makes iPhones safer. Oh, and it claims Apple owes it US$300,000.

Corellium’s key argument lies on the assumption that Corellium’s customers are looking for bugs with the intention of alerting Apple of their existence…For now, however, that is only an assumption…When Motherboard asked today whether they ever reported a bug in iOS found using Corellium, Mark Dowd, the founder of Azimuth, said: “no.”

That “no” is a pretty damning answer. If you claim that your software helps fix iOS bugs, you should probably also report those iOS bugs to Apple. At least if you also claim to make iPhones safer, because selling those bugs on the black market doesn’t do that.

New iOS Security Suite Helps Developers Protect Apps

The iOS Security Suite is a brand new platform for developers. It helps them detect if their apps are running on a secure iOS device. What ISS detects:

Jailbreak (even the iOS 11+ with brand new indicators!)

Attached debugger

If an app was run in emulator

Common reverse engineering tools running on the device

Apple Patents Discuss Digital Government ID

Two new Apple patents discuss methods for replacing paper documents with a digital government ID, and how they could be verified.

US Patent applications numbered 20190325125 and 20190327228, both titled “Identity Credential Verification Techniques,” follow previous reports of Apple hoping to make iPhones central to ID security.

The two new patent applications separate out the functions of such systems into the creation or collection of a user’s identity details, the later authentication of that ID, and then the user’s ability to provide this detail on request.

I’m normally all about privacy but personally I look forward to the day when such documents are digital.

Travel Platform Autoclerk Just Leaked 179GB of Military Data

Hosted on AWS servers, Autoclerk leaked 179GB of military data containing sensitive personal data of users and hotel guests.

The most surprising victim of this leak wasn’t an individual or company: it was the US government, military, and Department of Homeland Security (DHS). Our team viewed highly sensitive data exposing the personal details of government and military personnel, and their travel arrangements to locations around the world, both past and future. This represented a massive breach of security for the government agencies and departments impacted.

Firefox 70 Brings Enhanced Tracking Protection Today

Mozilla released Firefox 70 today and one of the new features is Enhanced Tracking Protection turned on by default on all platforms.

More privacy protections from Enhanced Tracking Protection:

Social tracking protection, which blocks cross-site tracking cookies from sites like Facebook, Twitter, and LinkedIn, is now a standard feature of Enhanced Tracking Protection.

The Privacy Protections report shows an overview, with details, of the trackers Firefox has blocked. It provides consolidated reports from Monitor and Lockwise.

Trend Micro Apps Caught Harvesting User Browser History

Several Trend Micro apps were removed from the Mac App Store after they were found collecting user browser history.

Dr Cleaner, Dr Antivirus, and App Uninstall – utilities owned by the Japan-headquartered security house and distributed on the Mac App Store – are no longer available for download…Mac security guru Patrick Wardle noted last week that in addition to the advertised functions of removing adware and malware from Macs, the software also collected people’s personal data including their browsing history, then transmitted that data as a password-protected archive to a server on the internet.

As of this writing Dr. Antivirus is still in the MAS.