Apple Security Tool Unveiled at RSA Conference 2019

The RSA Conference is a series of computer security conferences. This year, security researcher Patrick Wardle announced a new tool for Macs called GamePlan.

…GamePlan, a tool that watches for potentially suspicious events on Macs and flags them for humans to investigate. The general concept sounds similar to other defense platforms, and it hooks into detection mechanisms—has a USB stick been inserted into a machine? has someone generated a screen capture? is a program accessing a webcam?—Apple already offers in macOS. But GamePlan, cleverly written with Apple’s GameplayKit framework, collects all of this data in a centralized stream and uses the videogame logic engine to process it.

I use a couple of Mr. Wardle’s security tools. I look forward to downloading GamePlan.

Huawei Suing U.S. Government Over Ban

Huawei is suing the U.S. government because its products were banned from being used by federal agencies.

According to one of the people familiar with the matter, Huawei’s lawsuit is likely to argue that the provision is a “bill of attainder,” or a legislative act that singles out a person or group for punishment without trial. The Constitution forbids Congress from passing such bills.

Private Internet Access 2.8.0 Brings Network Whitelisting

The Private Internet Access 2.8.0 update brings a network management tool. When you enable the feature, PIA will automatically turn itself on when you connect to untrusted Wi-Fi networks. You can add networks you do trust to a whitelist, including your cellular network. If you set it not to trust cellular networks and you turn on the option to protect all networks, the VPN will effectively turn itself on every time you connect to anything.

The update also adds support for IKEv2. Internet Key Exchange (IKE) is part of the IPsec protocol suite, and it’s used to set up a security association. Jargon aside, IKEv2 is responsible for establishing the secure tunnel between you and the VPN server: both ends authenticate each other, then negotiate which encryption and integrity algorithms the tunnel will use.

No, You Probably Don't Take Privacy and Security Seriously

Zack Whittaker is tired of the same old line companies use, like when they suffer a data breach: “We take your privacy and security seriously.”

The truth is, most companies don’t care about the privacy or security of your data. They care about having to explain to their customers that their data was stolen…About one-third of all 285 data breach notifications had some variation of the line. It doesn’t show that companies care about your data. It shows that they don’t know what to do next.

I’m betting there’s a template that public relations employees have that they copy and paste into official emails sent out in the wake of security stuff like this.

Comparing Android Security Versus iOS Security

Keiran Dennie tweeted an interesting chart that compares the security of various smartphone operating systems.

Wondering about Android and Apple phone security? Here’s an objective chart to help you decide.

It’s a well-known weakness of Android that most users have to rely on their carrier or handset maker to push out security updates. This can take weeks or months, and sometimes the updates never arrive at all.

This Data Breach is Equal to 469,000 War and Peace Books

Last month we heard of the Collection #1 data breach, which contained 773 million email addresses and 21 million passwords. Now, Collections #2-#5 are here.

Despite its unthinkable size, which was first reported by the German news site Heise.de, most of the stolen data appears to come from previous thefts, like the breaches of Yahoo, LinkedIn, and Dropbox. WIRED examined a sample of the data and confirmed that the credentials are indeed valid, but mostly represent passwords from years-old leaks.

As with any data breach, you can check whether your email address appears in these collections at HaveIBeenPwned.com, and its Pwned Passwords service lets you check individual passwords. My eBook copy of War and Peace is 1.8MB. The total size of the new breaches is 845GB, which works out to about 469,000 of those books.
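As an added illustration (this is example code, not part of this roundup and not Have I Been Pwned’s own code), the script below shows the k-anonymity range check that the Pwned Passwords API uses so that you can test a password without ever sending it, or even its full hash, to the server: the client SHA-1s the password, sends only the first five hex characters, and matches the remaining 35 locally against the list of suffixes the server returns. The breach corpus and the canned server response here are constructed for the demo and are not real leak data; a real lookup function against api.pwnedpasswords.com is included but is never called by the offline run.

```python
"""
k-anonymity password check in the style of the Pwned Passwords range API.

Real-world protocol (public, documented behaviour of the API):
  1. SHA-1 the password, hex-encode in upper case (40 hex characters).
  2. GET https://api.pwnedpasswords.com/range/<first 5 hex chars>
  3. Response: one "<35-char SUFFIX>:<count>" line per known hash with that prefix.
  4. Compare the remaining 35 characters locally; the server never sees them.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

RangeLookup = Callable[[str], str]


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """Return (5-char prefix sent to the server, 35-char suffix kept locally)."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; tolerate CRLF and blank lines, reject garbage."""
    table: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        suffix = suffix.strip().upper()
        if not sep or len(suffix) != 35 or not count.strip().isdigit():
            raise ValueError(f"malformed range line: {line!r}")
        table[suffix] = int(count.strip())
    return table


def pwned_count(password: str, lookup: RangeLookup) -> int:
    """Number of times the password appears in the corpus behind `lookup` (0 = not found)."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    return parse_range_response(lookup(prefix)).get(suffix, 0)


# --- Constructed offline stand-in for the server (NOT real breach data) ---
CONSTRUCTED_CORPUS = {"password": 3730471, "letmein": 249, "hunter2": 17}
# Records what the "server" was asked for, to show that only prefixes leave the client.
REQUESTED_PREFIXES: List[str] = []


def constructed_range_lookup(prefix: str) -> str:
    """Simulates the range endpoint over CONSTRUCTED_CORPUS, with filler like a real reply."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("range prefix must be exactly 5 upper-case hex characters")
    REQUESTED_PREFIXES.append(prefix)
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        p, s = split_hash(sha1_hex_upper(pw))
        if p == prefix:
            lines.append(f"{s}:{count}")
    # Real responses carry hundreds of unrelated suffixes; one filler line stands in for them.
    lines.append("0" * 35 + ":1")
    return "\r\n".join(lines) + "\r\n"


def live_range_lookup(prefix: str) -> str:
    """The real network call; swap this in for constructed_range_lookup to query the live API."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, constructed_range_lookup)
        verdict = f"seen {n} times" if n else "not in corpus"
        print(f"{candidate!r}: {verdict}")
    print("prefixes sent to server:", REQUESTED_PREFIXES)
```

The interesting property is in the last line of the run: the server only ever learns five hex characters of each hash, which is what lets you check a password against a breach corpus without handing the password over.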

Be Safe on the Internet With This Security Checklist

The Security Checklist is an open source list of resources designed to improve your online privacy and security. Check things off to keep track as you go.

This website provides a beginner’s checklist for staying safe on the internet. This website is the result of a conversation started during a recent episode of the Design Details Podcast and a subsequent tweet by Michael Knepprath.

This is a great website that Kelly Guimont pointed my way. Even if you’re a techie and have a handle on your online privacy, you should check this out too.

Security Researcher Won't Share macOS Keychain Bug

Security researcher Linus Henze found a macOS Keychain bug but won’t share it with Apple out of protest.

Henze has publicly shared legitimate iOS vulnerabilities in the past, so he has a track record of credibility. However, Henze is frustrated that Apple’s bug bounty program only applies to iOS, not macOS, and has decided not to release more information about his latest Keychain invasion.

It is odd that there isn’t a macOS bug bounty, but I think withholding security information isn’t the way to go.

U.S. Navy Needs to Destroy 2 Tons of Hard Drives

The U.S. Navy has issued a solicitation asking for an appropriate service to turn 4,000 pounds of storage devices into ash.

The information stored on these devices is highly sensitive, as evidenced by the physical security requirements set forth in the solicitation. The incineration facility must have “at the minimum, secure entry, 24-hour armed guards and 24/7 camera surveillance with recordable date and time capabilities.”

Any interested destruction service has to be located within 10 driving hours of the White Sands Missile Range.

Silicon Valley Needs Abusability Testing

Andy Greenberg reports on Ashkan Soltani’s argument that security isn’t enough for Silicon Valley. Companies should also adopt abusability testing.

It’s time for Silicon Valley companies to take the potential for unintended, malicious use of a product as seriously as they take its security. From Russian disinformation on Facebook, Twitter, and Instagram to YouTube extremism to drones grounding air traffic, Soltani argues that tech companies need to think not just in terms of protecting their own users, but what Soltani calls abusability: the possibility that users could exploit their tech to harm others, or the world.

In my cynical opinion, companies don’t care about whether their products could cause social harm. It’s all about money.

This Weird Trick Will Make Five Eyes Countries Hate You

Michael Grothaus argues that it’s the perfect time for Android iMessage thanks to Facebook’s plans to unify its messaging apps.

The iPhone maker’s messaging app is widely regarded as one of the best messaging apps ever, thanks to its clean, simple design, its ability to send and receive both encrypted iMessages and regular SMS text messages in the same interface, and its end-to-end encryption.

It’s not the first time this has been suggested, but I think Android iMessage would be great for users. We need an end-to-end encrypted messaging app from a company with a better track record than Facebook.

Google Investigation Shows Apple Was Right About Face ID

Take this with a grain of salt because this tweet is all I’ve seen about this. But David Ruddock of AndroidPolice mentioned a Google investigation trying to determine if certain types of fingerprint sensors are secure.

Another CES Story: I’ve heard Google is currently investigating whether current optical fingerprint sensor designs are secure enough to be used for TrustZone auth (mobile payments, banking apps, etc). There is real concern optical FPRs may be too easy to spoof.

Although facial recognition came to Android first, it was there for convenience as a way to unlock your device. But Apple added it for security, and it looks like they bet on the right horse.