NC #565 Judiciary Hearing FBI vs Apple, Nuke and Pave vs OmniDiskSweeper, Security Bits

I watched the entire five hours of the Judiciary Committee Hearings in the case of the FBI vs. Apple, so you didn’t have to. I think you’ll like what you hear, it’s actually optimistic about our government officials. Next up I’ll tell you how I did not do a nuke and pave, and why you should do what I say, not what I do. Then we’ll have a monster Security Bits with Bart Busschots.


itunes
mp3 download


Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday March 6, 2016 and this is show number 565.

This week’s Chit Chat Across the Pond was episode 10 of Bart’s Programming By Stealth. I had SO much fun in this episode, he taught me how to make little piggy faces for bullets on unordered lists! Really fun lesson. I also had an epiphany in the middle of the night. Usually epiphanies turn out to be really dumb when you wake up fully but this was a good one. It occurred to me that I can very easily make the Programming By Stealth portion of Chit Chat Across the Pond it’s own separate podcast feed!

Right now when I’m done recording an episode of Chit Chat Across the Pond I:

  • Open up Feeder, the tool I use to create the Feeds for the different shows
  • Create a new item in the Chit Chat Across the Pond Feed
  • Write up a little blurb to show in the episode description on your podcatcher
  • Enter the url where the audio file is stored
  • Paste in the url for the blog post

So I could easily create another Feed for just the every other week episodes of Programming By Stealth and drag that new item into it every other week. I think I’d change the blog post to Bart’s site though so people wouldn’t have to go to my site and then get redirected over to bartb.ie/pbs each time. So a couple of copy/pastes and I’d be good to go! Bart even already created a logo for PBS so I’d just need to submit it to iTunes.

So then I started thinking about the OTHER every other week…and I got tired because I didn’t know what to call it. Chit Chat Across the Pond without Programming By Stealth? In any case, I think I’ll go ahead with the PBS series as a podcast since it’s easy to do. Let me know if you like this idea?

Blog Posts

I Watched All Five Hours of the Judiciary Committee Hearing re: FBI vs Apple

Nuke and Pave or Do it the Hard Way?

Amazon Affiliate link

The traditional holiday shopping season is over, so it’s time to spend some money on yourself. Maybe you want a shiny new SSD. Perhaps it’s time for a chainsaw. Maybe you’ve been wanting a new toilet brush. However you roll, you will most likely buy your toys on Amazon. If you went to podfeet.com first and tapped on the Amazon image in the upper left, a small percentage would go to help the show. Audio files cost money to store for podcasts, web servers cost money to maintain, and I’d sure appreciate some help paying those bills! Here’s an idea, create a bookmark to Amazon, put it in your web browser’s toolbar, but change the link to go to podfeet.com first so you don’t forget! Easy peasy, you get that new chainsaw and some of the costs get offset. Thanks for anything you can do and especially huge thanks to the tons of you who already do this! By the way I do plan on opening this up to Amazon for other countries, it’s just a matter of figuring out how to do it!

Security Bits

iOS 1970s Bug Update

Apple -v- FBI Update

  • Tim Cook follows up open letter with letter to employees and public FAQ – www.imore.com/…
  • FBI Director James Comey publishes open letter – www.macobserver.com/… & daringfireball.net/…
  • Apple secures the services of legendary attorney Ted Olsen – www.imore.com/…
  • FBI director admits Apple case could set precedent – www.macobserver.com/…
  • San Bernardino police chief admits that there's a "reasonably good chance that there is nothing of any value on the phone" – arstechnica.com/…
  • The US DOJ has 9 more iPhones they want unlocked, and Manhattan DA Cyrus Vance says he has about 175 he wants unlocked – www.nytimes.com/…
  • Apple file their response to the court order, citing both first and fifth amendment rights – tidbits.com/…
  • Apple & FBI testify before congress – www.macobserver.com/… & nakedsecurity.sophos.com/…
  • Apple files a formal objection to court order (in addition to their previous filed response) – www.imore.com/…
  • A judge in a similar case in NY finds that the FBI can't use the All Writs Act to force Apple to create a custom OS to facilitate hacking – www.macobserver.com/…
  • Congressman Jolly (Republican, FL) has introduced a bill to ban the government from buying Apple phones – arstechnica.com/…
  • A French law maker has proposed a law that would fine Apple & Google €1m if they refuse to hack smartphones – www.thelocal.fr/…
  • The San Bernardino District Attorney invents a baseless "dormant cyber pathogen" that might exist on the phone, though provides zero evidence to substantiate his invented concept – arstechnica.com/… & arstechnica.com/…
  • Amicus Briefs and letters start flowing in in support of Apple – Apple start an online list so we can all keep track – www.apple.com/…
  • Samsung state their position, which is in line with Apple's, but do not explicitly support Apple – www.imore.com/…
  • A few amicus briefs also filed in favour of the FBI, but not many Philip Elmer-DeWitt collates a list of amicus briefs both for and against Apple – ped30.com/…

Correction/Clarification on iCloud Encryption

In last week's show, Allison asked me an off-script question about iCloud backups – thinking on my feet, and knowing the backups are encrypted, I assumed the FBI would have to brute-force them, but that is not correct.

Apple do encrypt your iCloud data, but, they also hold the keys to that encryption. The one important exception to this is iCloud Key Chain, which has been very carefully engineered so as to make it impossible for Apple to recover that data – they simply do not have the keys.

Why do Apple have the keys to the encryption on your iCloud data? Simple – if they didn't, password resets without data loss would be impossible.

Dave Hamilton wrote a great piece for The Mac Observer outlining where the keys are for many popular online services – www.macobserver.com/…

If you are prepared to accept the fact that losing your password will lose you your data, then you might want to consider some of the services on the list that do not hold a copy of the encryption keys for you.

Apple Accidentally Mark Ethernet Driver as Malicious

Apple accidentally pushed an updated list of known-bad kernel modules to Macs running OS X 10.11 El Capitan. This list is used by SIP (Security Integrity Protection) to prevent known-bad kernel modules from loading. Having realised their mistake, Apple pushed an updated to the update which removed the ethernet drive from the blacklist.

Like the XProtect list of known bad apps, this list of known-bad (in theory anyway) kernel drives gets pushed to your Mac in the background. It does not rely on users running software update.

This blacklist is used to filter kernel extensions as they are loaded, so having the updated file did not immediately disable your ethernet card, it would only be disabled next time the kernel tried to load the driver. A reboot will definitely cause a reload, but it seems that some other things do too. Allison was affected by this (you can hear about it on last week's show), but she did not reboot, so clearly something else caused the driver to be re-loaded. Perhaps waking from sleep?

Another possible complication is that websites as large as Apple's do not publish content directly, they use content delivery networks, or CDNs. Updates take time to ripple through a CDN. This means that while Apple may have changed the list very quickly, the CDNs could have pushed the bad version for some time yet. This might explain why Allison appears to have downloaded the bad file after Apple said they published and update fixing the problem.

The only sensible explanation I've heard is that this was a timing issue – the next version of OS X may contain a new ethernet driver, perhaps fixing a security bug in the current one. This update to the blacklist was perhaps released too early by mistake.

Finally, reports are circulating that wifi users may not be able to launch Mac App Store apps until they get the updated blacklist – www.macobserver.com/…

Links:

Important Security News

  • Linux Mint servers hacked, downloads for Linux Mint 17.3 Cinnamon redirected to a malicious server, which bundled a malware into the distro (added your machine to a botnet). Forum DB also hacked, along with user data and private messages. Recommend updating password – nakedsecurity.sophos.com/… & arstechnica.com/…
  • ASUS settle with the US FTC. After a mass-hack of their products in 2014, the FTC charged that ASUS had "failed to protect consumers as required by federal law". As part of the settlement ASUS will implement a comprehensive security program that will be subject to independent audits for the next 20 years – arstechnica.com/…
  • Nissan took their connected car app offline after it was discovered that it was catastrophically insecure – it required ZERO authentication to execute actions on a car – arstechnica.com/…
  • PCs and Macs are being hacked using a Silverlight bug – if you have silverlight installed, either patch it, or remove it – arstechnica.com/… (not sure if you have Silverlight, if this test video works, you do: www.microsoft.com/…)
  • Brian Krebs reveals that the IRS's response to the massive increate in refund fraud – security PINs for users who were impersonated before, are already being bypassed by the fraudsters – krebsonsecurity.com/…
  • Brazilian police arrested FaceBook VP Diego Dzodan because WhatsApp are refusing to hand over data they do not have to Brazilian police (the arrest was for "repeated non-compliance with court orders", but Whats App say it does not store the messages, and that they are end-to-end encrypted, so it CANNOT comply) – nakedsecurity.sophos.com/…

Notable Breaches

  • About 10,000 Twitter user's data was exposed by a password reset bug – Twitter have informed the affected users – nakedsecurity.sophos.com/…
  • uKnowKids – a site that allows parents to monitor their kids online interactions was found to have mis-configured one of their database servers so it was accessible from the web without any authentication. About 0.5% of their users data was on that server. The server appears to have been open for at least 48 days. Once notified, the server was secured within 90 minutes. The company then decided to respond to their own blunder by attacking the security researcher – nakedsecurity.sophos.com/…
  • The US IRS has revised upwards the number of citizens affected by a weakness in their website, they now say at least 724,000 citizens had their tax data stolen – krebsonsecurity.com/…
  • Reuters find that Amazon quite removed full disk encryption from their Fire Tablets last year – www.macobserver.com/…

Suggested Reading

  • A nice human-friendly description of the key OS X security features – www.intego.com/…
  • A nice description of how iOS security and privacy features have evolved over time – www.intego.com/…
  • German police given permission to start using an updated version of their Federal Trojan (seriously, they officially user state-run malware) – nakedsecurity.sophos.com/…
  • A paper from Georgia Tech computer scientists shows how app developers can reverse-engineer the apps served to their customers to profile their customers – in effect, the ads the app networks choose to show leak the massive profile ad networks have built up to app developers – nakedsecurity.sophos.com/…
  • Beware in-flight WiFi – it's like open wifi in coffee shops, only WORSE – arstechnica.com/…
  • Security researchers demonstrate more side-channel attacks on crypto using magnetic sensors – the good news is that newer versions of iOS use crypto libraries that have been designed not to leak this kind of info (though apps can still use the vulnerable algorithms of course) – this is cool science, but no need to set your hair on fire – arstechnica.com/…
  • Another SSL vulnerability – DROWN – nothing end-users can do, server admins need to fix their servers – arstechnica.com/…
  • Newly detected Mac malware suggests the controversial malware company HackingTeam are back in business (they were famously breached last year) – arstechnica.com/…

Bonus Topic

Back blaze have released their latest hard drive reliability report: www.backblaze.com/…

HGST perform by far the best with only a slightly greater than 1% failure rate. Western Digital bring up the rear with a 7% failure rate.

That’s going to wind this up for this week. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at allison@podfeet.com, follow me on twitter @podfeet. Check out the NosillaCast Google Plus Community and our Facebook group at podfeet.com/facebook. If you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.

Leave a Reply

Your email address will not be published.

Scroll to top