Security

White hat hackers use Safari to pwn MacBook Pro, display message on Touch Bar

Tim Hardwick, MacRumors, on the CanSecWest security conference and the Pwn2Own hacking contest:

Independent hackers Samuel Groß and Niklas Baumstark landed a partial success and earned $28,000 after targeting Safari with an escalation to root on macOS, which allowed them to scroll a message on a MacBook Pro Touch Bar.

Check out the picture in the post. Imagine seeing a message like that crawling across your Touch Bar. On the positive side, these exploits have been turned over to Apple so they can be patched before the exploits are made public.

WikiLeaks: We’ll work with tech firms to defeat CIA hacking

Associated Press:

WikiLeaks founder Julian Assange says his group will work with technology companies to help defend them against the Central Intelligence Agency’s hacking tools.

In an online press conference, Assange acknowledged that companies had asked for more details about the CIA cyberespionage toolkit whose existence he purportedly revealed in a massive leak published Tuesday.

Assange said Thursday that “we have decided to work with them, to give them some exclusive access to some of the technical details we have, so that fixes can be pushed out.”

The CIA has so far declined to comment on the authenticity of the leak.

Tech firms rush to assess damage from CIA leak

Wall Street Journal:

Just after 8 a.m. on Tuesday morning, mobile phones belonging to executives on Apple Inc.’s security team began to ring. WikiLeaks had just published a massive trove of documents, purportedly taken from the Central Intelligence Agency, that described the spy agency’s intrusion capabilities for computers and other gadgets, including iPhones.

Apple engineers quickly began calling colleagues to bring them up to speed on the data dump and to coordinate the company’s response to this new security threat, according to a person familiar with the situation.

WikiLeaks dumps, the rest of the world jumps.

Apple’s official comment on Wikileaks, CIA, and Apple product hacking tools

From the New York Times:

In what appears to be the largest leak of C.I.A documents in history, WikiLeaks released on Tuesday thousands of pages describing sophisticated software tools and techniques used by the agency to break into smartphones, computers and even Internet-connected televisions.

And from Business Insider:

According to the WikiLeaks files, it appears that the CIA has teams specifically dedicated to breaking into Apple products, including iOS, the software that runs on iPhones and iPads, and even Apple’s line of routers, AirPort.

The WikiLeaks files suggest that the CIA may have access to undiscovered and unreported bugs, or exploits, in iOS, the iPhone operating system.

Business Insider posted this official comment from Apple:

Apple is deeply committed to safeguarding our customers’ privacy and security. The technology built into today’s iPhone represents the best data security available to consumers, and we’re constantly working to keep it that way. Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system. While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates.

Ever since this issue started to emerge, I’ve always felt that our interests and Apple’s are aligned, that Apple has our back here.

With your iPhone locked, ask Siri, “What’s my name?”

This is a bit of a public service announcement. I came across this tweet yesterday:

https://twitter.com/afronomics_/status/833784254848970756

The poster tells the story of finding someone’s iPhone and discovering that she could see all her information, including her home address, on the lock screen. To read through this yourself, tap the embedded tweet (the link just after “please read”).

Without judging the danger of having your phone number exposed on your lock screen, at the very least, it’s worth knowing if this info is exposed.

So take a moment and use an unregistered finger (so you don’t unlock the phone), press and hold your iPhone’s home button, and ask Siri, “What’s my name?”

If Siri says, “You’ll need to unlock your iPhone first”, cool, you’re all set. Now rinse and repeat for your kids’ iPhones and see what info is exposed on their locked devices.

To customize what Siri reveals on your iPhone, go to Settings > Touch ID & Passcode, enter your passcode, then scroll to the section labeled ALLOW ACCESS WHEN LOCKED:. To learn what each of the settings in this section does, jump to this Apple support page, then scroll about halfway down the page. You’ll find links for each of these settings that go into more detail.

And realize that someone who has your phone number can pretty easily find your home address. Know your settings, know what info is exposed on your lock screen.

Google AMP and the original URL

Google Developers Blog:

Today, we’re adding a feature to the AMP integration in Google Search that allows users to access, copy, and share the canonical URL of an AMP document.

My biggest issue with AMP is the difficulty in turning a Google-AMP formed URL back into a non-AMP URL I can share. For example, here’s an AMP formed URL from the Google News page:

https://news.google.com/news/amp?caurl=https%3A%2F%2Fwww.washingtonpost.com%2Famphtml%2Flocal%2Feducation%2Fsenate-to-vote-today-on-confirmation-of-betsy-devos%2F2017%2F02%2F06%2Ffd4b7e9c-ec85-11e6-9662-6eedf1627882_story.html#pt0-135000

As you can plainly see, the original URL is encoded, then wrapped. The only way to easily pass this along is to send your recipient through Google’s site, not to the site that wrote the story in the first place. The biggest issue I have here is that of supporting the creator. They deserve the page views.

More from the Google blog:

Today, we’re adding support for this functionality in form of an anchor button in the AMP Viewer header on Google Search. This feature allows users to use their browser’s native share functionality by long-tapping on the link that is displayed.

This is an excellent first step. Basically, even if the URL is encoded (as shown above), you can still click on the anchor button to copy the original URL. However, if you click in Safari’s address bar, you’ll still see the encoded URL.

My 2 cents: I’d love it if Apple offered a way to opt out of AMP. As Google says in the blog, AMP opens the door to confusion and makes URL phishing harder to detect, since all URLs are harder to read and the original URL is hidden from the user.
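The unwrapping the post complains about can be scripted. The following is an added example (not code from the post or from Google): it pulls the publisher URL out of the `caurl` parameter of the Google News AMP viewer URL quoted above, refuses anything that is not a plain http(s) URL, and reports the host a reader sees in the address bar next to the host that actually published the page. The `AMP_VIEWER_HOSTS` set and the `/amp` path check are assumptions drawn from that one URL, and the example does not try to turn the publisher’s `/amphtml/` path into a non-AMP path, since that mapping is publisher-specific.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit, parse_qs

# Constructed for this example: the Google News AMP viewer URL quoted in the post.
AMP_URL = (
    "https://news.google.com/news/amp?caurl=https%3A%2F%2Fwww.washingtonpost.com"
    "%2Famphtml%2Flocal%2Feducation%2Fsenate-to-vote-today-on-confirmation-of-betsy-devos"
    "%2F2017%2F02%2F06%2Ffd4b7e9c-ec85-11e6-9662-6eedf1627882_story.html#pt0-135000"
)

# Assumption: viewer hosts whose ".../amp" path carries the real URL in "caurl".
AMP_VIEWER_HOSTS = {"news.google.com"}


def unwrap_amp_url(url: str) -> Optional[str]:
    """Return the publisher URL carried in the viewer's caurl parameter.

    Returns None when the URL is not a recognised AMP viewer link, or when the
    wrapped value is not a plain http(s) URL, so a javascript: or data: value
    smuggled into the parameter is never reported as a 'real' destination.
    """
    parts = urlsplit(url)
    if parts.netloc not in AMP_VIEWER_HOSTS or not parts.path.endswith("/amp"):
        return None
    values = parse_qs(parts.query).get("caurl")  # parse_qs percent-decodes the value
    if not values:
        return None
    inner = urlsplit(values[0])
    if inner.scheme not in ("http", "https") or not inner.netloc:
        return None
    return values[0]


def displayed_and_real_host(url: str) -> Tuple[str, str]:
    """Host shown in the address bar vs. host that actually published the page."""
    shown = urlsplit(url).netloc
    real = unwrap_amp_url(url)
    return shown, (urlsplit(real).netloc if real else shown)


if __name__ == "__main__":
    print(unwrap_amp_url(AMP_URL))
    print(displayed_and_real_host(AMP_URL))
```

The useful output is the pair from `displayed_and_real_host`: for the quoted link it is `news.google.com` beside `www.washingtonpost.com`, which is exactly the mismatch the post says makes AMP links hard to read; for an ordinary link both halves are the same host.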

Apple removes tool to check if an iOS device is activation locked [UPDATED]

Benjamin Mayo, 9to5Mac:

Apple has inexplicably removed the iCloud Activation Lock status page, which used to exist at iCloud.com/activationlock, but that URL now leads to a 404 error instead. The utility let anyone type in the IMEI or serial number of an iOS device to find out if Activation Lock had been turned off, handy to verify the authenticity of a seller when buying a used iPhone online.

Not clear why this has happened. Wondering if the tool was being misused in some way. I suspect the story will emerge over the next few days. Keep an eye out.

UPDATE: And here’s the proof, a video that shows how to unlock an iPad by cloning the iPad drive and changing the serial number to a valid unlocked serial number, one checked/validated using the Apple activation lock tool (about 5:28 into the video).

Fake Apple chargers fail safety tests

BBC News:

Investigators have warned consumers they face potentially fatal risks after 99% of fake Apple chargers failed a basic safety test.

Trading Standards, which commissioned the checks, said counterfeit electrical goods bought online were an “unknown entity”. Of 400 counterfeit chargers, only three were found to have enough insulation to protect against electric shocks.

It comes as Apple has complained of a “flood” of fakes being sold on Amazon.

The article offers more details but, more importantly, gives some tips on how to detect a counterfeit charger. I also worry about the possibility of a bogus charger being used as a malware injection device.

San Francisco’s Muni Metro hacked, free rides for everyone

San Francisco Examiner:

Computer systems at San Francisco’s transit system, Muni, have been restored following a malware attack on Friday afternoon.

Payment systems across the agency’s subways read “OUT OF ORDER” in large red digital letters at Powell Station, Embarcadero Station and other stations across The City following the attack.

On Friday and Saturday, computers in station agents’ booths across the San Francisco Municipal Transportation Agency displayed “You Hacked, ALL Data Encrypted. Contact For Key([email protected])ID:681 ,Enter.”

Sidebar: We are on the cusp of quantum computing, which will potentially make computers capable of easily solving sophisticated problems used as the basis of today’s encryption. And that will mean more hacking, but could also mean sophisticated tools to break ransomware. Depends who gets there first.

Troubleshooting some nasty Safari malware

Jason Snell tells the story of trying to remotely help his sister, who is a victim of a particularly nasty bit of Safari malware.

The story itself is worth the read, unfolding like a mystery. But if nothing else, be sure to read the section titled “In the end, common sense wins”, which shows a bit of problem-solvery you should add to your own troubleshooting toolbox.

Emergency calling feature in iOS beta

If you press your iPhone’s power button 5 times in rapid succession (don’t try it until you finish reading this post), your iPhone will place an emergency call, presumably to 911 in the US.

Once you start the process, you’ll hear a loud alert siren and see a countdown appear, giving you an opportunity to cancel the call. To cancel the call, you’ll need to press the Stop button, then press the Stop Calling button that appears.

Here’s what this looks like on my phone:

[Image: emergencycall]

Not sure how long this feature has been in place, but I thought it was worth sharing.

Behind the Internet of Things that threatens the internet

Jean-Louis Gassée:

You start with a basic Application Processor from Mediatek or one of its competitors. This gives you an ARM processor, a pared-down embedded Linux software engine, and a network stack — everything you need for Internet connectivity, with and without wires. Add your choice of sensors and drivers, hire a manufacturing contractor to assemble your security camera according to your own specs, and you’re in business.

And:

Your computer module suppliers have sold millions of identical building blocks to your competitors and other Consumer IoT dreamers: DVRs, smart locks, weather stations, lighting systems… Finished products are sold to technically unsophisticated consumers who ignore updates or forget their logins and passwords. The module makers have anticipated this predicament and designed in a backdoor, a login/password combination that allows tech support to remotely take control and make the user happy.

Yikes! A fascinating read. Jean-Louis does a nice job making this problem easy to follow. And he embeds one of my all-time favorite Joy of Tech cartoons to boot.

As artificial intelligence evolves, so does its criminal potential

John Markoff, writing for the New York Times:

Imagine receiving a phone call from your aging mother seeking your help because she has forgotten her banking password.

Except it’s not your mother. The voice on the other end of the phone call just sounds deceptively like her.

It is actually a computer-synthesized voice, a tour-de-force of artificial intelligence technology that has been crafted to make it possible for someone to masquerade via the telephone.

Such a situation is still science fiction — but just barely. It is also the future of crime.

Very believable to me. If they can stick a perfect simulation of Audrey Hepburn in a modern TV ad, it’s not a far stretch to imagine them simulating my mom’s voice.

Scary.

Yahoo’s official response to Reuters spy report

Sam Biddle, writing for The Intercept:

After Tuesday’s revelatory story by Reuters’ Joseph Menn that exposed an apparent vast, secret, government-ordered email surveillance program at Yahoo, the company has issued a brief statement through Joele Frank, a public relations firm.

Here’s a link to the Reuters article in question.

Yahoo’s email statement, via Jacob Silber of the Joele Frank communications firm:

Good morning –

We are reaching out on behalf of Yahoo regarding yesterday’s Reuters article. Yahoo said in a statement:

“The article is misleading. We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems.”

Best,

The Joele Frank Team

Sam Biddle:

This is an extremely carefully worded statement, arriving roughly 20 hours after the Reuters story first broke. That’s a long time to craft 29 words.

And:

It would mean a lot more for this denial to come straight from the keyboard of a named executive at Yahoo—perhaps Ron Bell, the company’s general counsel—rather than a “strategic communications firm.”

This feels like a disaster for Yahoo.

“Even if you uninstall Google Maps, Google Play’s background service is tracking your location 24/7”

Mustafa Al-Bassam tweets:

Yesterday I almost had a heart attack when I entered McDonald’s and I had a notification on my phone asking me to install their app.

And:

It seems that with the latest versions of Android, Google Maps is on 24/7, waiting to send you notifications, with no way to disable it.

And:

Even if you uninstall Google Maps, Google Play’s background service is tracking your location 24/7.

As proof, that last tweet includes some screen shots with the details.

Is this a bug? Intentional? Is this info saved on your phone? Does your location data ever leave your phone, headed for Google’s servers?

On the flip side, Apple exposes Location Services with a switch in Settings > Privacy > Location Services. That switch controls location data for my iOS device and my tethered Apple Watch. According to Apple, if that switch is off, the only time my location is used is when I place an emergency call.

Interestingly, the tweet above was retweeted by Edward Snowden.

Twitter’s battle against ever-increasing spambots

The Verge:

Twitter spam isn’t a new phenomenon, but over the past few weeks the amount of it has certainly increased. I use the social network on a daily basis, and not an hour goes by without a tweet of mine from months or even years ago being liked by a spambot. It’s a practice that generates a notification designed to make you click into the profile, where you’re met with what’s typically a pornographic pinned tweet and a link that will likely bury your PC into malware oblivion.

Yup. I see this on a regular basis. Always wondered what the end-game for the bot creators was. Are they rolled out by the bad guys in the hopes of sowing malware seeds? If I don’t click on the link, is there any other path to harm?

Twitter claims it has a variety of systems in place to detect spam on Twitter, and that the company responds to new forms continuously to combat spammers. Twitter also relies on users to report spammers, but it’s not clear how effective this route actually is.

If there was a UI for specifically reporting spambots, I’d definitely use it. But the spam reporting in the official Twitter client is buried under the … menu, then under the word Report, with the options:

  • I’m not interested in this Tweet
  • It’s spam
  • It’s abusive or harmful

I think Twitter would get more feedback/responses if they let me press and hold on a tweet and select Spambot from a popup menu. Much more direct.

Update your iOS 9.x devices now

If you haven’t already, take a few minutes to update all your iOS 9 devices to iOS 9.3.5. If you have an iOS 10 beta installed, best to keep up with the latest betas, but this message is really for folks running iOS 9.x or earlier.

Why the press to update?

From the Lookout security blog:

Citizen Lab (Munk School of Global Affairs, University of Toronto) and Lookout have uncovered an active threat using three critical iOS zero-day vulnerabilities that, when exploited, form an attack chain that subverts even Apple’s strong security environment. We call these vulnerabilities “Trident.” Our two organizations have worked directly with Apple’s security team, which was very responsive and immediately fixed all three Trident iOS vulnerabilities in its 9.3.5 patch.

Update your iPhones and iPads, then make sure your family and friends know about this. Please pass this along.

How to set up Two-Factor Authentication (2FA) so you can use your Apple Watch to unlock your Mac

One of the features I’m most excited about in this new round of betas is the ability to use my Apple Watch to automatically unlock my Mac. To set this up yourself, you’ll need an Apple Watch running watchOS 3 and a Mac running Sierra. You’ll also need your iPhone and Mac to be using Two-Factor Authentication, as opposed to the older Two-Step Verification (2SV).

Click through to the original post for all the details that will get you through this process.

Tune up your two-step Recovery Key

Glenn Fleishman, writing for Macworld [AUTOPLAY]:

If you’re using Apple’s two-step verification system for logins, I have just one (not two) questions for you: do you know where your Recovery Key is?

A friend recently went through a multi-week set of interlocked problems when he was locked out of his Apple ID account on his iPhone, and couldn’t find his Recovery Key. He wasn’t ultimately able to get Apple to unlock his account. (During this period, his phone also locked up for a few days and he couldn’t receive texts or alerts, either.)

He had forgotten he’d enabled two-step verification, which is the older of Apple’s two methods of using a second piece of information to validate that you’re the accountholder. With the two-step system, Apple uses something akin to Find My iPhone to provide a code on your iOS devices or sends an SMS that you use to complete your login.

If you are not sure what kind of verification you have in place on your account, read this post.

A new way to fight back when hackers take your data hostage

The Washington Post:

Imagine having all the files on your computer — your documents, your photos, your videos — locked and held hostage by hackers who demand a payout just because you opened the wrong email attachment or clicked the wrong link. That’s the nightmare scenario facing victims of ransomware, a type of malware that quietly encrypts files on a computer so that only a digital key held by the attacker can release them.

But a new initiative called No More Ransom may offer a glimmer of hope for victims. The project, a collaboration among Europol, the Netherlands’s national police and cybersecurity firms Intel Security and Kaspersky Lab, launched a website Monday featuring tools that can help some victims decrypt their data without paying off the criminals.

Read on for more details.

Motorola confirms that they will not commit to monthly Android security patches

Ars Technica:

When we recently reviewed the Moto Z, we said that the device would not be getting Android’s monthly security updates. Motorola doesn’t make this information officially available anywhere, but when we asked Motorola reps at the Moto Z launch event if the company would commit to the monthly updates, we were flatly told “no.”

And:

Motorola has clarified the update situation of the Moto Z and Moto G4, calling Android’s monthly security updates “difficult” and deciding not to commit to them.

Tough to say no to an update that patches a known security vulnerability.

From Moto:

We strive to push security patches as quickly as possible. However, because of the amount of testing and approvals that are necessary to deploy them, it’s difficult to do this on a monthly basis for all our devices. It is often most efficient for us to bundle security updates in a scheduled Maintenance Release (MR) or OS upgrade.

That delay is no small thing, security-wise.

Stagefright malware for iOS and OS X: Just be sure to apply updates

Glenn Fleishman, writing for Macworld:

Talos found that maliciously constructed data saved as BMP, Digital Asset Exchange, OpenEXR, and TIFF image files could outwit the operating system and allow code to be written and executed, including opening up a system to remote exploits. The ancient lossless image format TIFF, however, is the worst culprit, as Apple’s OSes will access a TIFF image to render it in many cases without a user specifically opening a malicious file.

And:

The TIFF flaw affects unpatched current releases of every Apple OS: iOS 9, tvOS 9, watchOS 2, and OS X 10.11 El Capitan, as well as 10.9 Mavericks and 10.10 Yosemite.

Bottom line, this is a proof of concept at the moment. Apple has released protective updates for recent OSes, but not yet for Mavericks or Yosemite. As always, keep your software updated.

Making money by abusing phone-based two-step verification

This is a bit hard to follow, but it is a pretty ingenious scheme. In a nutshell, the scammer sets up a pay phone line, a phone number that people have to pay to use. They then use that number as a verification number with Google, Facebook, Microsoft, etc. and take an action which causes that number to be called.

By automating the process, they bring in a nice little wave of money. That’s the theory, anyway. This was pieced together by a security researcher who raised the issue to get companies to put barriers in place to prevent this hack.

New Mac malware in the wild

In a nutshell, the malicious code is embedded in a Mac utility called EasyDoc Converter.app. Given that the app itself does not do what it says it will do (convert files from one format to another), this was a pretty obvious find.

But think of this example as a proof of concept. This malware could just as easily be embedded in a useful tool. If you are going to go outside the Mac App Store, be sure you are downloading a known, vetted product from a known, vetted source.

iOS 10 kernel breaks with tradition, is unencrypted

MIT Technology Review:

Some security experts who inspected that new version of iOS got a big surprise.

They found that Apple had not obscured the workings of the heart of its operating system using encryption as the company has done before. Crucial pieces of the code destined to power millions of iPhones and iPads were laid bare for all to see.

How to remove Flash on the Mac

Adobe rolled out another Flash security advisory on Tuesday. Thought this post from Peter Cohen was worth a revisit.

Hacker Lexicon: SQL injections, an everyday hacker’s favorite attack

Wired:

SQL injection vulnerabilities are among the most common vulnerabilities around and have consistently appeared at the top of vulnerability lists for years. The computer security firm Imperva calls it the “most pernicious vulnerability in human computer history” and says that between 2005 and 2011, SQL attacks accounted for 83 percent of data breaches during that period.

Read on to learn how this works.
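To make the Wired piece concrete, here is an added example (not code from Wired or Imperva) showing the defect and the fix side by side in Python with the standard-library `sqlite3` module. The table, the two constructed sample accounts and the probe string are all made up for the example. `find_user_vulnerable` splices the caller’s string into the SQL text, so the string becomes part of the query program; `find_user_safe` uses a placeholder, so the driver passes the value as data and the query’s meaning cannot change no matter what the string contains.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, username TEXT NOT NULL, password_hash TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "constructed-hash-1"), ("bob", "constructed-hash-2")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """The bug: the caller's string is pasted into the SQL program itself.

    Any quote character in the input ends the string literal early, so the
    rest of the input is parsed as SQL. Even a benign name like o'brien makes
    this query fail with a syntax error.
    """
    sql = f"SELECT username FROM users WHERE username = '{username}' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """The fix: a placeholder. The value travels separately from the SQL text,
    so it is compared as data and can never be interpreted as SQL."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? ORDER BY username", (username,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # Constructed probe: the vulnerable query's WHERE clause becomes a tautology.
    probe = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, probe))  # lists every account
    print("safe:      ", find_user_safe(db, probe))        # nobody has that literal name
    print("safe, real name:", find_user_safe(db, "alice"))
```

The point to take from running it: the same input returns every row from the vulnerable function and nothing from the safe one, and the safe version also copes with apostrophes in legitimate names where the string-built query simply errors out. Parameterized queries are the fix the lexicon entry is leading up to; escaping by hand is not a substitute.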