Security

There’s an Apple Store targeting crime wave going on in the San Francisco Bay area.

Click through to the article, watch the video. Security guards politely open the doors for the alleged thieves, then one of those same alleged thieves holds the door for the fleeing gang. It’s all so bizarre.

And technically, I suppose this is burglary, not robbery. Just saying.

If you haven’t heard about this story, here’s yesterday’s Loop post. Shocking stuff.

Apple’s reassuring response:

An Apple spokesman said the company’s information security personnel “discovered the unauthorized access, contained it, and reported the incident to law enforcement” without commenting further on the specifics of the case.

“We … want to assure our customers that at no point during this incident was their personal data compromised,” the spokesman said.

That last is so good to know.

Wow, just wow.

Electronic Frontier Foundation:

When a site you visit uses browser fingerprinting, it can learn enough information about your browser to uniquely distinguish you from all the other visitors to that site. Browser fingerprinting can be used to track users just as cookies do, but using much more subtle and hard-to-control techniques.

And:

By using browser fingerprinting to piece together information about your browser and your actions online, trackers can covertly identify users over time, track them across websites, and build an advertising profile of them. The information that browser fingerprinting reveals typically includes a mixture of HTTP headers (which are delivered as a normal part of every web request) and properties that can be learned about the browser using JavaScript code: your time zone, system fonts, screen resolution, which plugins you have installed, and what platform your browser is running on.

And:

When stitched together, these individual properties tell a unique story about your browser and the details of your browsing interactions. For instance, yours is likely the only browser on central European time with cookies enabled that has exactly your set of system fonts, screen resolution, plugins, and graphics card.

The linked/quoted article is long and detailed, an enlightening read. But the bits about browser fingerprinting are incredibly important. And this is as good an explanation as I’ve seen.

At WWDC, Apple declared war on browser fingerprinting and related techniques. From Apple’s Mojave press release:

As with all Apple software updates, enhanced privacy and security remain a top priority in macOS Mojave. In Safari, enhanced Intelligent Tracking Prevention helps block social media “Like” or “Share” buttons and comment widgets from tracking users without permission. Safari now also presents simplified system information when users browse the web, preventing them from being tracked based on their system configuration.

And that’s a good thing.

ElcomSoft blog:

In the iOS 11.4 Beta, Apple introduced a new called USB Restricted Mode. In fact, the feature made its first appearance in the iOS 11.3 Beta, but was later removed from the final release. This is how it works:

“To improve security, for a locked iOS device to communicate with USB accessories you must connect an accessory via lightning connector to the device while unlocked – or enter your device passcode while connected – at least once a week.”

And:

In other words, law enforcement will have at most 7 days from the time the device was last unlocked to perform the extraction using any known forensic techniques, be it logical acquisition or passcode recovery via GreyKey or other services.

It will be interesting to see if this mode survives through to the actual public release of 11.4. A chess move. Will the GreyKey folks have a follow-up? Or will all those $30K GreyKey devices become useless against updated phones?

Chance Miller, 9to5Mac, lays out his take on the best router and mesh alternatives, now that Apple has end-of-life’d their AirPort line.

Before you dig into Chance’s list, take a moment to read through the list of “features to look for” in Apple’s Choosing a Wi-Fi router to use with Apple devices support note.

My biggest concern about a third party solution is trust. If I buy an Apple branded product, I trust that there’s no malware embedded in the firmware/software. I trust that if a vulnerability is found, it will be patched quickly and that patch will make its way onto my device pretty quickly. I trust that if I do run into a problem with that device, I can turn to Apple, an Apple Store, or to the thriving and friendly on-line community to help solve it.

Apple selling a product does not bring the trust of an Apple-branded product. One case in point, the LG UltraFine 5K Display and the Wi-Fi interference problem. The problem was fixed, but the product was sold by Apple as it exited the display business.

My home network is the weakest point in my on-line security and the router the focal point for attempts to break in. Choosing a router I can trust is a critical decision. I hate that Apple has left this market. And no matter how recommended a router may be, I just won’t trust that my interests will come first with that company.

Motherboard:

The startup is called Crowdfense and is based in the United Arab Emirates. In an unusual move in the normally secretive industry of so-called zero-days, Crowdfense sent out a press release to reporters on Tuesday, advertising what it calls a bug bounty.

And:

Crowdfense’s director Andrea Zapparoli Manzoni told me that he and his company are trying to join that market, purchasing zero-days from independent researchers and then selling them to law enforcement and intelligence agencies.

And:

“When I think about government agencies I don’t think about the military part, I think about the civilian part, that works against crime, terrorism, and stuff like that,” Zapparoli told me in a phone interview. “We only focus on tools aimed at doing activities of law enforcement or intelligence, not aimed at destroying or deteriorating the functionality and effectiveness of the target systems—but only aimed at collecting intelligence.”

And:

The company has a budget of $10 million for this “bug bounty.” Its backers, for now, are also secret.

The mind reels. Unless I misread this piece, no part of their plan is to share any discovered vulnerabilities with Apple. This is straight, help us break the system, not make it better.

“Vetting customers is the most delicate part of our whole activity,” Zapparoli said.

I’m going to go out on a limb and guess that your customer list will remain a secret as well. This whole thing is chilling to me.

Motherboard:

Law enforcement agencies across the country are buying or have expressed interest in buying GrayKey, a device that can unlock up-to-date iPhones. But Grayshift, the company that makes the device, has attracted some other attention as well.

Last week, an unknown party quietly leaked portions of GrayKey code onto the internet, and demanded over $15,000 from Grayshift—ironically, the price of an entry-level GrayKey—in order to stop publishing the material. The code itself does not appear to be particularly sensitive, but Grayshift confirmed to Motherboard the brief data leak that led to the extortion attempt.

The mind reels. If some organization comes up with a golden key that unlocks all iPhones, that golden key will find its way into nefarious hands. This is living proof of that.

Some wisdom from Glenn Fleishman.

Long story short, take a minute to familiarize yourself with the details on this Apple Support article on two-factor account recovery.

Motherboard:

Police forces and federal agencies around the country have bought relatively cheap tools to unlock up-to-date iPhones and bypass their encryption, according to a Motherboard investigation based on several caches of internal agency documents, online records, and conversations with law enforcement officials.

And:

Regional police forces, such as the Maryland State Police and Indiana State Police, are procuring a technology called ‘GrayKey’ which can break into iPhones, including the iPhone X running the latest operating system iOS 11.

Is this whack-a-mole? Will Apple be able to change iOS to break GrayKey? And, if so, how long will it take for GrayKey, or another technology, to ship a replacement?

Ben Lovejoy, 9to5Mac:

A new web standard being recommended for adoption would open the way for both Face ID and Touch ID to be used to login to websites.

The API, known as WebAuthn, allows existing security devices – like fingerprint readers, cameras and USB keys – to be used for website authentication

And:

There’s as yet no word on Safari, but with all current and recent iPhones and iPads offering either Face ID or Touch ID, and the latter supported on the MacBook Pro too, this would be tailor-made for Apple. It cannot be used with other browsers without Apple’s support.

Very interesting.

Ina Fried, Axios:

A new page on Apple’s website details its efforts to make Macs and iPhones family friendly, including parental controls and other safety features. The move comes as Apple and other tech giants are under fire over whether their products are addictive, especially for children.

From this letter to Apple from a collective of Apple investors:

We have reviewed the evidence and we believe there is a clear need for Apple to offer parents more choices and tools to help them ensure that young consumers are using your products in an optimal manner. By doing so, we believe Apple would once again be playing a pioneering role, this time by setting an example about the obligations of technology companies to their youngest customers.

Apple’s new page is here. Definitely a step in the right direction, a single stop for learning about tools and resources for keeping your family safe.