Category Archives: apple

6.8% of the top 100,000 websites still accept old, insecure SSL versions

Mac-based malware has appeared on the list of the top ten most common types of malware for the first time in WatchGuard’s quarterly Internet security report. The Mac scareware appeared in sixth place in WatchGuard’s latest Q3 2018 report and is primarily delivered by email to trick victims into installing fake cleaning software. Researchers also found that 6.8 percent of the world’s top 100,000 websites still accept old, insecure versions of the SSL encryption protocol, … More
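A practitioner who reads that 6.8 percent figure usually wants to know where their own hosts stand. The probe below is an added example, not part of the Help Net Security or WatchGuard material: it pins a Python TLS client to exactly one legacy protocol version and reports whether the server completes the handshake. It assumes port 443, that the local OpenSSL still allows TLS 1.0/1.1 once the security level is lowered with the `@SECLEVEL=0` cipher-string directive, and that the host names in `CONSTRUCTED_RESULTS` are made-up placeholders. SSLv2 and SSLv3 are compiled out of current OpenSSL, so this client cannot offer them at all; for those you need an `openssl s_client -ssl3` built with that support.

```python
import socket
import ssl
from typing import Dict, Iterable, Optional, Tuple

# Added example (not from the WatchGuard report). Only the deprecated TLS 1.0
# and 1.1 can be offered by a modern Python/OpenSSL client; SSLv2/SSLv3 cannot.
LEGACY_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
}

# Constructed sample results (host names are placeholders) used for the summary demo.
CONSTRUCTED_RESULTS: Dict[str, Dict[str, Optional[bool]]] = {
    "legacy.example":     {"TLSv1.0": True,  "TLSv1.1": True},
    "modern.example":     {"TLSv1.0": False, "TLSv1.1": False},
    "untestable.example": {"TLSv1.0": None,  "TLSv1.1": None},
}


def legacy_context(version: ssl.TLSVersion) -> Optional[ssl.SSLContext]:
    """Client context pinned to exactly one protocol version.

    Returns None when the local OpenSSL refuses to offer that version, so the
    caller can distinguish 'server refused' from 'we could not even ask'.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # only the negotiated version matters here
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version   # pin both ends so the server cannot upgrade us
        # The default security level rejects pre-1.2 handshakes outright.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    return ctx


def accepts_version(host: str, version: ssl.TLSVersion,
                    port: int = 443, timeout: float = 5.0) -> Optional[bool]:
    """True if host completes a handshake at exactly `version`, False if it
    refuses (or is unreachable), None if this client cannot offer it."""
    ctx = legacy_context(version)
    if ctx is None:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def scan(hosts: Iterable[str]) -> Dict[str, Dict[str, Optional[bool]]]:
    """Probe every host for every legacy version."""
    return {h: {name: accepts_version(h, v) for name, v in LEGACY_VERSIONS.items()}
            for h in hosts}


def summarize(results: Dict[str, Dict[str, Optional[bool]]]) -> Tuple[int, int, float]:
    """(hosts accepting any legacy version, hosts that could be tested, percent)."""
    tested = [h for h, r in results.items() if any(v is not None for v in r.values())]
    legacy = [h for h in tested if any(results[h].values())]
    pct = round(100.0 * len(legacy) / len(tested), 1) if tested else 0.0
    return len(legacy), len(tested), pct


if __name__ == "__main__":
    # Replace with a real host list to scan; the constructed results show the summary shape.
    legacy, tested, pct = summarize(CONSTRUCTED_RESULTS)
    print(f"{legacy}/{tested} testable hosts ({pct}%) accept TLS 1.0 or 1.1")
```

Pinning `minimum_version` and `maximum_version` to the same value is the important detail: a client that merely allows TLS 1.0 will be upgraded to 1.2 or 1.3 by any sane server and tell you nothing.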

The post 6.8% of the top 100,000 websites still accept old, insecure SSL versions appeared first on Help Net Security.

Apple releases security updates for Macs, iDevices, AppleTV

Another month, another set of Apple security updates: if you’re using macOS, iOS, Shortcuts for iOS, tvOS, Safari, or iCloud and iTunes for Windows, it’s time to get patching. The Safari, iCloud and iTunes updates have a lot of overlap – two Safari bugs that can lead to address bar or user interface spoofing, six WebKit issues that can be triggered by the processing of maliciously crafted web content to achieve remote code … More

The post Apple releases security updates for Macs, iDevices, AppleTV appeared first on Help Net Security.

Smashing Security #107: Sextorting the US army, and a Touch ID scam


Fitness apps exploit TouchID through a sneaky user interface trick, tech giants claim to have a plan to banish passwords, and you won’t believe who was behind a sextortion scam that targeted over 400 members of the US military.

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by ferret-loving ethical hacker Zoë Rose.

Apple quietly adds TRAI’s DND app to App Store

Apple adds India’s DND app to avoid iPhone ban in the country

Technology giant Apple’s war with the Telecom Regulatory Authority of India (TRAI) has been going on for some time now over the government-approved Do-Not-Disturb (DND) app.

In July, TRAI had threatened to ban iPhones from the country’s mobile networks, if Apple did not approve the DND app by January 2019.

For those unaware, TRAI designed the Do-Not-Disturb (DND) app to let users report spam marketing and promotional messages and calls. While the app has been available on Android since June 2016, Apple had refused to list it on its App Store, citing that the app seeks permission to record users’ calls and messages, which Apple considered a breach of user privacy.

Now, Apple has finally and quietly added the DND app to the iOS App Store, ending the standoff with India’s telecom regulator. The app went live on the App Store yesterday, as an Apple spokesperson in India confirmed (via VentureBeat).

The ‘TRAI DND – Do Not Disturb’ app allows users to flag unwanted calls and messages. According to some reports, an average person in India receives up to ten unwanted calls and messages in a day.

Once users register their mobile number, they can use the app to log complaints about unwanted calls and messages, which are then sent to TRAI. For a reported call, TRAI receives the caller’s number and the time of the call; for a reported SMS, it receives the full contents of the message.

The description of the TRAI DND app on the App Store reads as below:

TRAI DND App will help consumers to curb unwanted Telemarketing Calls/SMS by reporting to their respective telecom service provider (TSP). With this App, consumers will be able to:

1) Register their mobile number under DND (Do-Not-Disturb)
2) Report spam SMS/Calls, after DND registration.

Note:
Registration of mobile number under DND (Do-Not-Register) will take up to 07 days after putting the request with the respective telecom service provider (TSP).

For reporting spam Call/SMS, App will auto-create a complaint registration SMS, for sending it to respective TSP. Complaint registration SMS will be sent to toll-free number 1909.

TRAI DND App will not block any SMS/Calls from authentic businesses/entities that you have subscribed to, e.g. your bank, food delivery apps, travel/taxi apps etc. However, the user will be responsible for any loss occurred if they report these Call/SMS.

iPhone users can download the app from the App Store. Installing it requires the latest version of iOS 12.1.

The post Apple quietly adds TRAI’s DND app to App Store appeared first on TechWorm.

Apple Working On TV Streaming Dongle To Take On Chromecast, Fire TV Stick

Apple to make a low-cost streaming dongle, similar to Google Chromecast and Amazon Fire TV

Apple is reportedly planning to launch an affordable dongle similar to Google’s Chromecast and Amazon’s Fire TV Stick, according to a report by The Information, citing people familiar with the development.

Apple, which is expected to launch its TV streaming service sometime in 2019, would take on the likes of Netflix and Amazon Prime directly.

The service would be available for free to owners of Apple devices, including the Apple TV, iPhone and iPad. The dongle, too, would be exclusive to Apple TV, iPhone and iPad users.

With the Apple TV costing $149 for the non-4K model and $179 for the 4K model, it makes sense for the company to offer its own low-priced dongle and get more people to subscribe to its streaming service.

Rumors suggest Apple could offer the service either as a standalone app or within the existing TV app. It is expected to include a mix of original programming, third-party video services and the option to subscribe to TV channel packages.

Apple has already spent more than $1 billion to produce its original content for the TV streaming service.

The streaming service will launch in the U.S. first and will later be made available in more than 100 countries after a few months.

The new TV service is expected to launch sometime in 2019 and will include a TV series by the La La Land director Damien Chazelle, a drama starring Reese Witherspoon and Jennifer Aniston, a children’s show, and a science fiction show by Ron Moore among others.

What do you think about Apple’s low-cost dongle? Do let us know your thoughts in the comments section below.

The post Apple Working On TV Streaming Dongle To Take On Chromecast, Fire TV Stick appeared first on TechWorm.

Apple restarts iPhone X production over poor iPhone XS, XS Max sales

Poor iPhone XS, XS Max sales force Apple to restart production of iPhone X

Apple had halted the production of its 10th-anniversary smartphone, iPhone X to make way for its three new iPhones for 2018 – the iPhone XS, iPhone XS Max, and iPhone XR.

However, Apple has restarted the production of iPhone X in ‘certain markets’ due to poor sales of iPhone XS and XS Max, according to a report by The Wall Street Journal. Apple has also decided to cut production on all new iPhones.

According to the WSJ, Apple had agreed to purchase a certain number of OLED display panels from Samsung. Weak sales of the iPhone XS and iPhone XS Max have forced Apple to resume production of the iPhone X so that the company can fulfil the terms of that agreement.

In other words, Apple will use the iPhone X to fill the OLED panel demand gap caused by the drop in iPhone XS and XS Max sales. Also, as the iPhone X’s components and manufacturing equipment are older, production costs will be lower than for the iPhone XS series.

Apple’s iPhone XS and XS Max, launched in September this year, have not sold well because of their hefty price tags. The more affordable iPhone XR has not fared well either, which prompted Apple to cut production orders for it.

This could be attributed to the low price and continued popularity of the iPhone 8 a year after its release. To boost iPhone XR sales in Japan, the Cupertino giant has already provided sales subsidies to Japanese telecom operators, which should in turn reduce the price of the phone.

With Apple looking to restart production of iPhone X, it remains to be seen if this move will help the company recover from the setback caused by poor sales of iPhone XS and XS Max.

The post Apple restarts iPhone X production over poor iPhone XS, XS Max sales appeared first on TechWorm.

Chaining 3 zero-days allowed pen testers to hack Apple macOS computers

The Dropbox security team disclosed three critical zero-day vulnerabilities in Apple macOS; chained together, they allow an attacker to take over a Mac.

Dropbox disclosed three critical zero-day vulnerabilities (CVE-2017-13890, CVE-2018-4176, CVE-2018-4175) affecting the Apple macOS operating system; an attacker could chain them to remotely execute arbitrary code on a targeted Mac.

The attacker only needs to trick victims into visiting a specially crafted website.

The vulnerabilities were discovered by experts at the cybersecurity firm Syndis, which Dropbox had hired to carry out a penetration test of the company’s IT infrastructure.

The engagement also covered the Apple software used by Dropbox.

The flaws were reported to Apple’s security team in February, and Apple addressed them in its March security updates.

At the time of discovery the vulnerabilities affected all systems running the then-current versions of Safari and macOS.

CVE-2017-13890 affected the CoreTypes component of macOS: processing a maliciously crafted web page could result in a disk image being mounted automatically.

CVE-2018-4176 concerned the way Disk Images handled .bundle files: mounting a malicious disk image could result in an application being launched.

The last vulnerability, CVE-2018-4175, could be exploited to bypass the macOS Gatekeeper security feature using a maliciously crafted application.

It allowed an attacker to bypass code-signing enforcement and execute a modified version of the Terminal app, leading to arbitrary command execution.

Chaining the three, the experts were able to take over a Mac by tricking a victim into visiting a malicious web page with Safari.

“Syndis was able to chain these together in a two-stage exploit to achieve arbitrary code execution for a user who visits a specially crafted web page with Safari,” reads the blog post published by Dropbox.

“The first stage includes a modified version of the Terminal app, which is registered as a handler for a new file extension (.workingpoc). In addition it would contain a blank folder called “test.bundle” which would be set as the default “openfolder” which automatically would open /Applications/Terminal.app without prompt. The second stage includes an unsigned shellscript with the extension “.workingpoc” which is then executed within the running Terminal application without prompt.”
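The chain depends on a downloaded disk image being mounted with no click, so the configuration a practitioner wants to verify on a fleet is Safari’s “Open ‘safe’ files after downloading” preference and whether Gatekeeper assessment is still on, plus a look at which disk images are currently attached. The script below is an added example, not code from Dropbox, Syndis or Apple. It assumes macOS with the standard `defaults`, `spctl` and `hdiutil` tools; that the Safari preference key is `AutoOpenSafeDownloads` and that an absent key means Safari’s shipped default (assumed here to be enabled); and that `spctl --status` and `hdiutil info` print the formats the parsers expect. The `hdiutil` sample in the block is constructed. Turning the auto-open preference off is defense in depth, not a substitute for the March patches.

```python
import platform
import subprocess
from typing import Dict, List

# Added check (not from the Dropbox/Syndis write-up). Assumes macOS tooling;
# the classifiers take raw command output so they can be unit-tested anywhere.

# Constructed sample of `hdiutil info` output with one attached image.
CONSTRUCTED_HDIUTIL_INFO = """framework       : 480.60.1
driver          : 480.60.1
images          : 1
================================================
image-path      : /Users/demo/Downloads/installer.dmg
image-alias     : /Users/demo/Downloads/installer.dmg
shadow-path     : <none>
"""


def classify_autoopen(raw: str) -> str:
    """Interpret `defaults read com.apple.Safari AutoOpenSafeDownloads`.

    This is Safari's "Open 'safe' files after downloading" switch, the one that
    lets a downloaded disk image be mounted without a click. Empty output means
    the key is absent, i.e. Safari's shipped default (assumed: enabled).
    """
    value = raw.strip().lower()
    if value in ("0", "false", "no"):
        return "disabled"
    if value in ("1", "true", "yes", ""):
        return "enabled"
    return "unknown"


def classify_gatekeeper(raw: str) -> str:
    """Interpret `spctl --status` ("assessments enabled" / "assessments disabled")."""
    text = raw.lower()
    if "assessments enabled" in text:
        return "enabled"
    if "assessments disabled" in text:
        return "disabled"
    return "unknown"


def attached_image_paths(raw: str) -> List[str]:
    """Return every `image-path : ...` value from `hdiutil info` output,
    i.e. the disk images currently attached (where a drive-by DMG shows up)."""
    paths = []
    for line in raw.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "image-path":
            paths.append(value.strip())
    return paths


def _stdout(cmd: List[str]) -> str:
    """Run a command and return its stdout; a missing tool yields an empty string."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


def check_mac() -> Dict[str, object]:
    """Live check of the three settings; only meaningful on macOS."""
    return {
        "safari_auto_open_safe_files": classify_autoopen(
            _stdout(["defaults", "read", "com.apple.Safari", "AutoOpenSafeDownloads"])),
        "gatekeeper": classify_gatekeeper(_stdout(["spctl", "--status"])),
        "attached_disk_images": attached_image_paths(_stdout(["hdiutil", "info"])),
    }


if __name__ == "__main__":
    if platform.system() == "Darwin":
        for key, value in check_mac().items():
            print(f"{key}: {value}")
    else:
        # Off macOS, show the parsers on the constructed sample instead.
        print("attached_disk_images (sample):", attached_image_paths(CONSTRUCTED_HDIUTIL_INFO))
```

The result you want to see is `safari_auto_open_safe_files: disabled` and `gatekeeper: enabled`; any unexpected entry under attached images deserves a closer look with `codesign -dv` on whatever it contains.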

Dropbox also published a video PoC alongside the post.


Pierluigi Paganini

(Security Affairs – macOS, hacking)

The post Chaining 3 zero-days allowed pen testers to hack Apple macOS computers appeared first on Security Affairs.

Tech Rollover Sinks U.S. Stocks; Bitcoin Falls Below $5,000 as Collapse Continues

U.S. stocks booked huge losses on Monday, as plunging tech shares and wavering risk sentiment dragged the major indexes lower. The crypto bloodbath reached epic proportions Monday, as bitcoin slid below $5,000 for the first time since October 2017. Stocks Lurch Lower All of Wall Street’s major indexes headed for sharp losses, with the S&P […]

The post Tech Rollover Sinks U.S. Stocks; Bitcoin Falls Below $5,000 as Collapse Continues appeared first on Hacked: Hacking Finance.

Mac Virus: Apple and Android updates 17th November 2018

Bleeping Computer: iPhone X, Galaxy S9, Xiaomi Mi6 Fall at Pwn2Own Tokyo – “iPhone X, Samsung Galaxy S9, and Xiaomi Mi6 all fell at the hands of hackers that found bugs in various components and crafted exploits that allowed complete take over of the targeted device.”


ESET: Google’s data charts path to avoiding malware on Android
“How much higher are the odds that your device will be exposed to malware if you download apps from outside Google Play or if you use one of Android’s older versions? Google has the numbers”


Cyberscoop: Apple’s new security chip kills access to microphone – “In a security pamphlet released after Apple’s press event on Tuesday, the company revealed that the chip will completely cut off access to the device’s microphone when the MacBook lid is shut.”


The Register: Android fans get fat November security patch bundle – if the networks or mobe makers are kind enough to let ’em have it – “And Apple fixes Watch-killing security patch of its own”


Graham Cluley for BitDefender: Yes, you should update your iPhone to iOS 12.1, but its lock screen is *still* unsafe

John E. Dunn for Sophos: Another day, another update, another iPhone lock screen bypass


Sophos: Update now! Apple releases security fixes for iOS, MacOS, Safari, others


Brian Krebs: Busting SIM Swappers and SIM Swap Myths – “KrebsOnSecurity recently had a chance to interview members of the REACT Task Force, a team of law enforcement officers and prosecutors based in Santa Clara, Calif. that has been tracking down individuals engaged in unauthorized “SIM swaps” — a complex form of mobile phone fraud that is often used to steal large amounts of cryptocurrencies and other items of value from victims.”

David Harley


iPhone X explodes after iOS 12.1 Update

Apple Support has responded to a report of an exploding iPhone X; the owner claims that while the phone was installing the new iOS 12.1 update it became hot and exploded.

The report comes from the city of Federal Way, Washington, where a user named Rahel Mohamad tweeted about the incident.

He said: “This year early January I bought the iPhone and have been using it normally.” The iPhone X was installing the iOS 12.1 update and, when Mohamad later put it on charge, he observed that “dark grey smoke started coming from the phone.”

“The update was completed and as soon as the phone turned on it immediately started to smoke and caught fire.”

He also said he was charging the iPhone with the official bundled Apple Lightning cable and wall adapter.


For some reason he had stopped charging the iPhone just before the explosion.

Mohamad added: “When I held the phone it was very hot and I drop the phone immediately on the floor. Then it started to smoke.”

He reached out to Apple, which wishes to investigate the incident further and has asked Mohamad to ship the iPhone X to it. Replying to his tweet, Apple Support said this is definitely not expected behavior and that it wants to resolve it soon.

This is not the first incident of smartphones exploding. A few years back Samsung had to recall its Galaxy Note 7 after several of its units exploded while in use.

Just to recall, Apple’s iPhone X was launched last year, and its design change marked the tenth anniversary of the company’s iPhone range. It remains to be seen how soon Apple reports the actual cause of the incident.

Stay tuned for more. 

The post iPhone X explodes after iOS 12.1 Update appeared first on TechWorm.

Apple’s New Patent Hints At In-Display Selfie Camera

Next Apple iPhone may have a hole in its display, patent reveals

Apple, which started the “notch” design trend that every other Android OEM then incorporated in its smartphones, is looking to set another one.

A patent the Cupertino giant filed back in June for a camera cut-out in the display has now been granted. The patent, titled “Integrated Camera Window”, was approved by the United States Patent and Trademark Office (USPTO) on November 8.

The folks at LetsGoDigital, who spotted the patent, describe an iPhone with a hole in the display for the camera. In other words, Apple is looking to place the iPhone’s front camera under the screen in future phones, doing away with the notch.

With this patent, Apple joins the list of companies such as Samsung, Asus, and LG who have filed similar patents in the past. However, Apple’s patent is a bit different from its contemporaries.

According to the patent, Apple wants to fit the camera window into the ‘cover glass’, the outer glass over the display. As described, the technique applies to LCD screens.

“Apparatus, systems, and methods for camera integration with a cover glass and for processing cover glass to provide a camera window for an electronic device are disclosed. A camera window can be integrated into the cover glass. The apparatus, systems, and methods are especially suitable for cover glasses, or displays (e.g., LCD displays), assembled in small form factor electronic devices such as handheld electronic devices (e.g., mobile phones, media players, personal digital assistants, remote controls, etc.),” the patent description reads.

Besides iPhones, other electronic devices such as portable computers, tablet computers, displays, monitors, televisions as well as iPads, MacBooks, and iMacs could see in-display camera technology soon.

While patents are filed all the time, it is not necessary that every patent is converted into a finished commercial product or even a prototype. Whether or not, Apple will go ahead and implement the display technology in its future devices, only time will tell.

The post Apple’s New Patent Hints At In-Display Selfie Camera appeared first on TechWorm.

iOS 12.1 Vulnerability

This is really just to point out that computer security is really hard:

Almost as soon as Apple released iOS 12.1 on Tuesday, a Spanish security researcher discovered a bug that exploits group Facetime calls to give anyone access to an iPhone users' contact information with no need for a passcode.

[...]

A bad actor would need physical access to the phone that they are targeting and has a few options for viewing the victim's contact information. They would need to either call the phone from another iPhone or have the phone call itself. Once the call connects they would need to:

  • Select the Facetime icon
  • Select "Add Person"
  • Select the plus icon
  • Scroll through the contacts and use 3D touch on a name to view all contact information that's stored.

Making the phone call itself without entering a passcode can be accomplished by either telling Siri the phone number or, if they don't know the number, they can say "call my phone." We tested this with both the owner's voice and a stranger's voice; in both cases, Siri initiated the call.

Smashing Security #103: An Instagram nightmare, crazy iPhone deaths, and election hack claims


One travel blogger finds you don’t have to be Kylie Jenner to be targeted by an Instagram hacker. When 40 iPhones at a hospital mysteriously die, what could be the explanation? And, surprise surprise, political parties in the USA are throwing around hacking accusations.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Naked Security’s Mark Stockley.

How Safe and Secure are Wearables?

The ‘wearable technology’ market has been growing exponentially in recent years and is expected to exceed 830 million devices by 2020. One of the key drivers of this rapid expansion is fitness trackers, namely wristband tech and smartwatch apps which monitor our daily activity and health. But as we integrate wearable devices seamlessly into our everyday lives, what privacy and security risks do they pose? How should wearable manufacturers and app developers be protecting consumers?

245 million wearables will be sold in 2019

Insurance company Vitality offers customers a heavily discounted Apple Watch in return for their fitness routines and health data: the more activity you do each month, the greater your reward through a monthly discount. While this exchange of information for rewards is a great incentive for consumers to improve their health, the personal data they share in return has a tangible value for the insurance company. Providing an insurer with a daily breakdown of one's health is an unacceptable trade-off for some, who regard the practice as an invasion of their privacy.

As of May 2018, all EU citizen's privacy rights are legally protected by the General Data Protection Regulation (GDPR). GDPR compliance is required by all companies which process EU citizen data, including those based outside of the European Union. The privacy regulation requires wearable device and app providers to obtain each EU citizen's explicit consent before collecting their personal information, they must also clearly explain what types of personal information they intend to collect, how they intend to use the data, and inform consumers about any other organisation they intend to share their data with. If they don’t, wearable tech firms and app providers should brace themselves for heavy fines by European Information Commissioners.

For further details about the GDPR requirements and for wearables software development security advice, read my three-part IBM developerWorks guidance "A developer's guide to the GDPR" and my piece Combating IoT Cyber Threats.

Wearable personal data is also of value to hackers and criminals: your fitness routine, for instance, gives a clear picture of the best times to burgle your home. With personal consumer data potentially at stake, fitness wearable manufacturers should build privacy and security defaults into the device itself, to help ensure personal information stays safeguarded from known and future cyber threats. UL, a global safety science company, has developed testing for cybersecurity threats and offers security verification processes to help manufacturers assess security risks and mitigate them before a product goes to market. If the industry takes these steps, consumers will feel safe and secure as they reap the intended benefits of this innovation, and the wearables industry will be well positioned to meet its growth projections.

US intelligence chief says ‘no evidence’ of Chinese spy chips

Dan Coats, the US director of national intelligence, said there's "no evidence" that Chinese spies tampered with servers bought by up to 30 companies, including the likes of Apple and a telecom provider, as Bloomberg reported earlier this month. However, he told Cyberscoop that "we're not taking anything for granted. We haven't seen anything, but we're always watching."

Via: The Verge

Source: Cyberscoop

Apple CEO calls on Bloomberg to retract China surveillance report

Earlier this month, Bloomberg reported that San Jose-based server company Super Micro installed surveillance micro-chips in the Chinese data center hardware of up to 30 companies, including Amazon and Apple. These chips were supposedly used to steal intellectual property. However, all companies that were named in the initial report have denied Bloomberg's claims. Now, Apple CEO Tim Cook is calling on the well-reputed publication to retract its story altogether, according to BuzzFeed News.

Source: BuzzFeed News

The Dangers of Linking Your Apple ID to Financial Accounts

The digital wallets of Chinese citizens are under attack thanks to a few bad apples. A recent string of cyberattacks in China utilized stolen Apple IDs to break into customers’ accounts and steal an undisclosed amount of money, according to a Bloomberg report. Almost immediately, Chinese e-transaction giants Tencent Holdings and Alipay warned their customers to monitor their accounts carefully, especially those who have linked their Apple IDs to Alipay accounts, WeChat Pay or their digital wallets and credit cards.

While Alipay works with Apple to figure out how this rare security breach happened and how hackers were able to hijack Apple IDs, they’re urging customers to lower their transaction limits to prevent any further losses while this investigation remains ongoing. Because Apple has yet to resolve this issue, any users who have linked their Apple IDs to payment methods including WeChat Pay — the popular digital wallet of WeChat which boasts over a billion users worldwide and can be used to pay for almost anything in China — remain vulnerable to theft. Apple also advises users to change their passwords immediately.

This security breach represents a large-scale example of a trend that continues to rise: the targeting of digital payment services by cybercriminals, who are capitalizing on the growing popularity of these services. Apple IDs represent an easy entry point of attack considering they connect Apple users to all the information, devices and products they care about. That interconnectivity of personal data is a veritable goldmine for cybercriminals if they get their hands on something like an Apple ID. With so much at stake for something as seemingly small as an Apple ID, it’s important for consumers to know how to safeguard their digital identifiers against potential financial theft. Here are some ways they can go about doing so:

  • Make a strong password. Your password is your first line of defense against attack, so you should make it as hard as possible for any potential cybercriminals to penetrate it. Including a combination of uppercase and lowercase letters, numbers, and symbols will help you craft a stronger, more complex password that’s difficult for cybercriminals to crack. Avoid easy to guess passwords like “1234” or “password” at all costs.
  • Change login information for different accounts. An easy trap is using the same email and password across a wide variety of accounts, including Apple IDs. To better protect your Apple ID, especially if it’s linked to your financial accounts, it’s best to create a wholly original and complex password for it.
  • Enable two-factor authentication. While Apple works on identifying how these hackers hijacked Apple IDs, do yourself a favor and add an extra layer of security to your account by enabling two-factor authentication. By having to provide two or more pieces of information to verify your identity before you can log into your account, you place yourself in a better position to avoid attacks.
  • Monitor your financial accounts. When linking credentials like Apple IDs to your financial accounts, it’s important to regularly check your online bank statements and credit card accounts for any suspicious activity or transactions. Most banks and credit cards offer free credit monitoring as well. You could also invest in an identity protection service, which will reimburse you in the case of identity fraud or financial theft.
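The first three bullets above (a strong password, no reuse across accounts, a second factor) are policy; the part people get wrong is checking a candidate password without leaking it. The script below is an added example, not McAfee’s code or anything Apple provides. It checks a candidate against a length and character-class policy (the 12-character, three-class thresholds are assumed values, since the post gives none), against the user’s other passwords, and against a breach corpus using the k-anonymity trick: only the first five hex characters of the SHA-1 are used to look up a range, so the full hash never has to be sent to anyone. The corpus here is constructed from six well-known bad passwords standing in for a real service such as Pwned Passwords.

```python
import hashlib
import secrets
import string
from typing import Iterable, List, Set

# Added example (not McAfee's code). CONSTRUCTED_BREACH_CORPUS stands in for a
# real breach database; range_query() imitates a k-anonymity range lookup.
CONSTRUCTED_BREACH_CORPUS: Set[str] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "1234", "123456", "qwerty", "letmein", "iloveyou")
}

MIN_LENGTH = 12     # assumed policy value; the post states no number
MIN_CLASSES = 3     # out of lowercase / uppercase / digits / symbols


def range_query(prefix5: str) -> Set[str]:
    """All hash suffixes in the corpus whose SHA-1 starts with the 5-char prefix.

    A real client sends only this prefix over the wire and compares suffixes
    locally, so the service never learns which password was checked.
    """
    if len(prefix5) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:] for h in CONSTRUCTED_BREACH_CORPUS if h.startswith(prefix5)}


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 appears in the breach corpus."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_query(digest[:5])


def strength_issues(password: str, other_passwords: Iterable[str] = ()) -> List[str]:
    """Policy violations for a candidate password; an empty list means acceptable."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    if sum(any(c in cls for c in password) for cls in classes) < MIN_CLASSES:
        issues.append(f"fewer than {MIN_CLASSES} character classes")
    if password in set(other_passwords):
        issues.append("reused from another account")
    if is_breached(password):
        issues.append("appears in a breach corpus")
    return issues


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG that passes strength_issues()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not strength_issues(candidate):
            return candidate


if __name__ == "__main__":
    existing = ["Tr0ub4dor&3xample!!"]          # constructed "other account" password
    for pw in ("password", "Tr0ub4dor&3xample!!", "correct horse battery staple"):
        print(f"{pw!r}: {strength_issues(pw, other_passwords=existing) or 'ok'}")
    print("generated:", generate_password())
```

`secrets.choice` rather than `random.choice` matters for the generator: the `random` module is a Mersenne Twister seeded from a small state and is not suitable for anything an attacker might try to predict.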

Stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, listening to our podcast Hackable?, and ‘Liking’ us on Facebook.

The post The Dangers of Linking Your Apple ID to Financial Accounts appeared first on McAfee Blogs.

Stolen Apple IDs reportedly used for mobile payment theft in China

Users of two major mobile payment services in China -- Alipay and WeChat Pay -- have reported unauthorized Apple App Store spending in recent days, with some losing nearly $300 through fraudulent transactions. The companies say that stolen Apple IDs are to blame, the Wall Street Journal reports, and Alipay has asked Apple to investigate. In the meantime, Alipay is telling its customers to minimize potential losses by reducing how much money can be used from their accounts without a password.

Via: 9to5Mac

China reportedly carried out a ‘hardware hack’ on Apple and Amazon (updated)

Data center hardware used by Apple and Amazon may have been fitted with surveillance micro-chips by Chinese server company Super Micro, claims Bloomberg in a new report. Almost 30 US companies reportedly fell prey to the "attack," with the chips used to snatch intellectual property and trade secrets, according to Bloomberg's anonymous government and corporate sources. The report notes that no "consumer data is known to have been stolen."

Source: Bloomberg Businessweek

Cyber Security Roundup for August 2018

The largest data breach disclosed this month was at T-Mobile: the telecoms giant said there had been "unauthorised access" to potentially 2 million of its 77 million customer accounts. According to media reports, a hacker took advantage of a vulnerability in a T-Mobile API (application programming interface). A vulnerable API used by the Air Canada mobile app was also exploited, compromising 20,000 Air Canada customer accounts. Air Canada promptly forced a password change on all of its mobile app accounts, but the airline faced criticism from security experts for advising a weak password policy, namely a length of 8 made up of just letters and digits. Both of these hacks underline the importance of regularly penetration testing apps and their supporting infrastructure, including their APIs.

Hackers stole up to 34,000 Butlin's guest records, reportedly breaching the UK holiday camp firm through a phishing email. Dixons Carphone raised the estimated number of customer records breached in last year's hack from 1.2 million to 10 million, including 5.9 million payment cards. Dixons offered no explanation of why it took so long to establish the scale of the breach, which reportedly occurred in July 2017.

Huawei continues to face scrutiny over the security of their products after the UK National Cyber Security Centre (NCSC) issued a warning about using the Chinese tech manufacturing giant's devices in a security report. Huawei recently took over from Apple as the world's second largest provider of smartphones. A 16 year old Australian 'Apple fanboy' found himself in court after hacking into Apple's network.

On the international scene, Microsoft announced it had thwarted Russian data-stealing attacks against US anti-Trump conservative groups, by taking down six domains which hosted mimicked websites, which were likely to be used in future phishing campaigns. The Bank of Spain's website was taken out by a DDoS attack, and a Chinese Hotel Group's 140Gb customer database was found for sale on the dark web. The PGA golf championship was hit by a ransomware, and the FBI arrested three key members of the notorious FIN7 hacking group, the group is said to be responsible for stealing millions of credit card and customer details from businesses across the world.

On the personal front, the EC-Council confirmed my Computer Hacking Forensic Investigator (CHFI) certification has been renewed until 2021. I dropped into B-Sides Manchester this month; the highlight was a demonstration of a vulnerability found by Secarma researchers, a PHP flaw which places CMS sites at risk of remote code execution.

There were plenty of critical security patches released by the usual suspects, such as Microsoft, Cisco and Adobe; the latter released several out-of-band patches during August. A critical update was released for Apache Struts (the popular Java web application framework), and there was a reminder that fax machines and networked all-in-one devices could be used by hackers as a way into corporate networks.

Finally, there were a couple of interesting cybercrime articles posted on the BBC's news website this month,  Cyber-Attack! Would your firm handle it better than this? and Unpicking the Cyber-Crime Economy


Airplay Annoyance

I've never used Apple AirPlay before. I have an Apple TV that was free for paying for a 3-month subscription to DirecTV Now. But I hadn't intentionally fired it up since cancelling that subscription.

This week I bought a new TV. While watching The Dark Knight on Netflix, suddenly the TV changed inputs to the Apple TV, and Katherine's iPad was requesting to perform remote control, with a PIN displayed to be typed into the iPad.

Generally, I like to think I have a tight rein on my computer devices, but Apple has snuck this one up on me.

Apparently by default, via Bluetooth, my neighbors can connect to my Apple TV. I'm guessing that with my old TV this would occur and I just wouldn't notice the Apple TV turn on, but the new TV is smart enough to switch to the new input. So essentially Apple and Samsung have conspired to let my neighbor denial-of-service my movie watching.

First steps

  1. Make sure the Apple TV is on my Wi-Fi. Pretty sure the neighbor hasn't guessed my 100+ character pre-shared key.
  2. Disable Bluetooth. Of course my generation of Apple TV can't do that.
  3. Change the name of the Apple TV. If everyone in the neighborhood is named the default "AppleTV", no wonder people are accidentally clicking on the wrong device. On my Apple TV, this was under Settings -> General -> About. On newer models it is found under Settings -> AirPlay.
  4. Under Settings -> AirPlay -> AirPlay, set Allow Access to "Anyone on the same network". The default is "Everyone". I guess "it just works" trumps security. Unfortunately I can't find good documentation on whether Bluetooth users are considered on the same network.
  5. Set "Also Allow Nearby to AirPlay" to off. Again, having trouble finding a description of this setting. But it seems safe.
  6. Enable requiring a password for AirPlay.

I then turned off Wi-Fi on my phone and verified that no AirPlay devices were visible over Bluetooth.

And now that I'm looking further, it seems my new Samsung is in perpetual discovery mode. So any rando nearby can request to pair, and on the TV I'll be prompted to allow, deny or close. Haven't found a way to disable that yet. Lovely.
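One quick way to see what the "Anyone on the same network" setting actually exposes is to ask the network itself: AirPlay receivers advertise themselves over multicast DNS as the service type _airplay._tcp, and the dns-sd tool that ships with macOS can browse for them. The script below is an added example and is not from the original post; it assumes macOS (for dns-sd) and parses a constructed sample of dns-sd browse output so it also runs offline. It lists the receivers visible on the Wi-Fi you are on and counts how many still carry the factory default name, which is the mix-up described in step 3. It cannot see the Bluetooth/"nearby" path, which is why the post had to test that separately from a phone with Wi-Fi off.

```shell
#!/bin/sh
# Added example (not part of the original post): enumerate AirPlay receivers
# advertised on the local Wi-Fi via mDNS and flag ones still using the default
# name. Assumes macOS, whose dns-sd tool prints one row per announcement:
#   Timestamp  A/R  Flags  if  Domain  Service Type  Instance Name
# Instance names may contain spaces, so everything from field 7 on is the name.
# Only "Add" rows count; "Rmv" rows are receivers that have gone away.
airplay_names() {
    awk '$2 == "Add" && $6 == "_airplay._tcp." {
        name = $7
        for (i = 8; i <= NF; i++) name = name " " $i
        print name
    }' | sort -u
}

# Count receivers still carrying a factory default name. Current tvOS names the
# device "Apple TV" out of the box (older models show "AppleTV"); a second box
# with the same name on one network gets renamed "Apple TV (2)" by mDNS, so
# that form is treated as default too.
count_default_names() {
    grep -c -E '^Apple ?TV( \([0-9]+\))?$' || true
}

# Live use on macOS. dns-sd -B never exits on its own, so browse for a few
# seconds, stop it, then parse the capture:
#   dns-sd -B _airplay._tcp local. > /tmp/airplay.txt 2>/dev/null & sleep 3; kill $!
#   airplay_names < /tmp/airplay.txt
#   airplay_names < /tmp/airplay.txt | count_default_names

# Constructed sample of dns-sd browse output for offline use (not a real capture).
SAMPLE='Browsing for _airplay._tcp.local.
DATE: ---Fri 02 Nov 2018---
21:14:02.114  ...STARTING...
Timestamp     A/R    Flags  if Domain               Service Type         Instance Name
21:14:02.115  Add        3   6 local.               _airplay._tcp.       Apple TV
21:14:02.115  Add        3   6 local.               _airplay._tcp.       Living Room Apple TV
21:14:02.116  Add        2   6 local.               _airplay._tcp.       Apple TV (2)
21:14:02.117  Add        2   6 local.               _raop._tcp.          Kitchen Speaker
21:14:05.201  Rmv        0   6 local.               _airplay._tcp.       Apple TV (2)'

# Helpers that run the parser over the constructed sample.
sample_names() { printf '%s\n' "$SAMPLE" | airplay_names; }
sample_default_count() { sample_names | count_default_names; }

sample_names
printf 'receivers with a default name: %s\n' "$(sample_default_count)"
```

Run it once before and once after renaming the box and restricting access; a receiver that has disappeared from the listing is one a neighbour's iPad can no longer pick by mistake from across the wall. The _raop._tcp row in the sample is AirPlay audio (AirTunes), which the parser deliberately ignores.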

The post Airplay Annoyance appeared first on Roger's Information Security Blog.

Cyber Security Roundup for May 2018

I'm sure the GDPR coming into force on 25th May hasn't escaped anyone's attention. After years of warnings about the EU parliament's intended tough stance on enforcing the human right to privacy in the digital realm, a real 'game changer' of a global privacy regulation has finally landed, which impacts any organisation that touches EU citizens' personal data.

The GDPR's potentially hefty financial penalties for breaching its requirements are firmly on the radar of directors at large enterprises and small businesses alike, hence the massive barrage of emails we have all received in recent weeks on changes to company privacy statements and requesting consent, many of which I noted were not GDPR compliant in how they sought "explicit consent" from the data subject. So there is a long way to go for many organisations before they reach a truly GDPR compliant state, based on what I've seen so far in my mailbox.

Cybercriminals have been quick to take advantage of the deluge of GDPR privacy emails, using the subject matter in their phishing attacks to gain access to accounts and con victims.

On a positive GDPR note, also on 25th May, IBM developerWorks released a three-part guidance series written by me, aimed at helping application developers to build GDPR compliant applications.

Developing GDPR Compliant Applications Guidance

Overshadowed by the GDPR coming into force were the release of the new NHS Data Security and Protection Toolkit, aimed at the NHS and its service providers, and the European NIS Directive (for operators of essential services and digital service providers); both went under the radar, but they are significant to those working in those industries.

Always make sure your broadband router/hub does not permit remote administrative access (over the internet) and is always kept up to date with the latest security patches; otherwise it will be at serious risk of being hacked and remotely controlled by cybercriminals. This month provided plenty of evidence: a flaw in over 800,000 DrayTek routers allowed hackers to take them over by changing their DNS settings, malware called VPNFilter infected 500,000 routers, and serious vulnerabilities were reported in TP-Link EAP controllers.

IBM made headlines after banning its workers from using USB sticks, which I think is a good and reasonable policy. Quite frankly, in any modern enterprise, whether large or small, with a decent IT infrastructure and cloud services, staff shouldn't need to use USB devices to move data either internally or externally with third parties, so I see this as a rather smart business and security move to ban all USB devices, as it forces staff to use the more secure and more efficient technology made available.

As my @securityexpert Twitter account crossed the 10,000 follower threshold, Twitter advised its 300 million users to reset their passwords after an internal error. Apparently, the passwords had been accidentally written to an internal log in plain text before being hashed, rather than only the hashed value being stored, as per best practice. I always strongly recommend Twitter users take advantage of the multi-factor authentication Twitter provides, which reduces the risk of account hijacking.

Breaches of note in May included a T-Mobile website bug which exposed personal customer data, Coca-Cola said an insider breached 8,000 accounts, and BMW cars were found to have over a dozen security vulnerabilities.

As always, a busy month of new security patch releases, with Microsoft, Adobe, PHP, PGP, Google, Git, and Dell all releasing critical security updates to fix significant security flaws.

Analysis of DDoS attacks at Cloudflare has revealed that while organisations in the UK have certainly upped their spending on DDoS mitigation, cybercriminals are responding by switching to Layer 7 (application layer) DDoS attacks.

Also of interest this month were articles about the Welsh Cyber Security Revolution and a review of the NHS a year on from the WannaCry outbreak.

Reports of interest this month include the Thales Data Threat Report, which found UK businesses to be the most breached in Europe; the LastPass Psychology of Passwords Report, which found 59% of people surveyed reused the same password across multiple accounts, despite 91% of them knowing that doing so is a security risk; and the 2017 Cylance Threat Report, which stated that the number of cyber-attacks on industries such as healthcare, manufacturing, professional services, and education rose by about 13.4% between 2016 and 2017.


Cyber Security Roundup for November 2017

One of the most notable data breaches disclosed this month was by Uber, given the company attempted to cover up the breach by paying off the hackers. Over a year ago the transport tech firm is said to have paid £75,000 to two hackers to delete 57 million Uber account records they had stolen. Uber revealed around 2.7 million of the stolen records belonged to British riders and drivers. As a UK Uber rider, this could mean me; I haven't received any notification of the data breach from Uber as yet. The stolen information included names, email addresses, and phone numbers. Uber can expect enforcement action from regulators on both sides of the pond: the UK Information Commissioner's Office (ICO) said it had "huge concerns" about the breach and was investigating.

Jewson, Cash Converters, and Imgur all reported losing data to hacks this month, while Equifax reported significant financial losses following its high-profile breach of personal customer data: net income dropped by £20 million due to the hack, and the breach bill was coming in at a whopping £67 million.

November was a very busy month for security patch releases, with Microsoft, Apple, Adobe, Oracle, Cisco and Intel releasing a raft of patches to fix critical vulnerabilities. Apple even had to quickly release an emergency patch at the end of November to fix a root access flaw in macOS High Sierra version 10.13.1 (authentication as root with an empty password). So keep patching everything across your IT estate to ensure you and your business stay ahead of enterprising cybercriminals; the Equifax breach is a prime example of what can go wrong when system patching is neglected.

November also saw the Open Web Application Security Project (OWASP) finally release an updated version of its Top Ten application vulnerabilities list, which is 'must know' secure coding best practice for all software developers and security testers, especially considering that Akamai reported web application attacks had increased by 69% in the third quarter of 2017. Look out for updated OWASP Top Ten IBM developerWorks guidance from me in December to reflect the new list.


Introducing Monitor.app for macOS

UPDATE 2 (Oct. 24, 2018): Monitor.app now supports macOS 10.14.

UPDATE (April 4, 2018): Monitor.app now supports macOS 10.13.

As a malware analyst or systems programmer, having a suite of solid dynamic analysis tools is vital to being quick and effective. These tools let us understand malware capabilities and undocumented components of the operating system. One obvious tool that comes to mind is Procmon from the legendary Sysinternals Suite from Microsoft. Those tools only work on Windows though, and we love macOS.

macOS has some fantastic dynamic instrumentation software included with the operating system and Xcode. In the past, we have used dynamic instrumentation tools such as DTrace, a very powerful tracing subsystem built into the core of macOS. While it is very powerful and efficient, it commonly required us to write D scripts to get to the interesting bits. We wanted something simpler.

Today, the Innovation and Custom Engineering (ICE) Applied Research team presents the public release of Monitor.app for macOS, a simple GUI application for monitoring common system events on a macOS host. Monitor.app captures the following event types:

  • Process execution with command line arguments
  • File creates (if data is written)
  • File renames
  • Network activity
  • DNS requests and replies
  • Dynamic library loads
  • TTY Events

Monitor.app identifies system activity using a kernel extension (kext). Its focus is on capturing the data that matters, with context. These events are presented in the UI with a rich search capability allowing users to hunt through event data for areas of interest.

The goal of Monitor is simplicity. When launching Monitor, the user is prompted for root credentials to launch a process and load our kext (don't worry, the main UI process doesn't run as root). From there, the user can click the start button and watch the events roll in!

The UI is sparse, with a few key features: a start/stop button, filter buttons, and a search bar. The search bar lets us set simple filters on the types of data we want to search for across all events. The event table lists every event Monitor is capable of presenting to the user. The filter buttons let the user turn off some classes of events. For example, if a Time Machine backup were to kick off while the user was trying to analyze a piece of malware, the user can click the file system filter button and the file write events won't clutter the display.

As an example, perhaps we are interested in seeing any processes that communicated with xkcd.com. We can simply use an "Any" filter and enter xkcd into the search bar, as seen in Figure 1.

Figure 1: Monitor.app User Interface

We think you will be surprised how useful Monitor can be when trying to figure out how components of macOS or even malware work under the hood, all without firing up a debugger or D script.

Click here to download Monitor.app. Please send any feature requests/bugs to monitorapp-bugs@fireeye.com.

Apple, Mac and MacOS are registered trademarks or trademarks of Apple Inc.