NC #597 Credit Card Mixup at Apple, Easy Pill, Clean Install of macOS, Security Bits

Something appears to be fishy with Apple’s databases, based on my story of how someone else’s credit card got into my account. Mark Pouley of Twin Lakes Images gives a great review of the Easy Pill medication tracker and reminder for iOS. I’ll tell you why I think doing a clean install of your OS from time to time and not using Migration Assistant is a good idea, but I’ll follow that up with all the little fiddly bits I’ve had to modify to get things running again. Bart Busschots is back with Security Bits where he gives us an update on the security of the Internet of Things and more information that’s been coming out, along with all of the rest of this week’s security news.



Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday October 16, 2016 and this is show number 597.

Chit Chat Across the Pond

Bart Busschots is back with installment 23 of his Programming By Stealth series. Last time we learned how to change what elements on a web page looked like, but this week we learn how to actually change and create them. He’s using a real world example of changing whether links on a web page open in a new tab or replace the existing page. If we’re good and do our homework, next time we’re going to actually build a clock! He picked this example because the clock on podfeet.com/live broke when we went to https and without it no one knows if it’s 5 o’clock at my house and therefore time for the live show! It’s a fun episode so don’t forget to subscribe to Chit Chat Across the Pond in your podcatcher of choice.

Blog Posts

How Did Someone Else’s Credit Card Get in My Apple ID?

Easy Pill Medication Tracker and Reminder

Clean Install of macOS is a LOT of Work, Is it Worth It?

Security Bits

Followup – Mirai (IoT Botnet)

In the last instalment we reported on the botnet made up of Internet of Things devices that took down Brian Krebs’ website with a record-breaking Distributed Denial of Service (DDoS) attack. That attack has continued to make news, and to focus minds in the security community.

Brian Krebs has examined the Mirai source code (released two weeks ago) and reverse-engineered a list of vulnerable devices from the default username/password combinations present in the source code. It’s mostly cameras, DVRs, and routers. What’s very worrying is that many of the devices on the list can be accessed both through a web interface and via telnet/SSH, and changing the default password in one often does not change it in the other, so even people who think they have changed the password may not have actually removed access via the default credentials. If that sounds bad, some devices made by Dahua are even worse: they have hard-coded SSH/Telnet passwords that cannot be changed by the user AT ALL!

Security maven Bruce Schneier has argued that the only solution to situations like this, when markets are clearly failing to protect customers, and indeed the entire internet, is government regulation. The European Commission seems to be thinking along similar lines. They are said to be working on a new official rating system for IoT security built around the model of European Energy Efficiency ratings. Devices would be tested against a set of rules, and they would earn a rating depending on how secure they are.

To highlight the depth of the problem, a Hungarian security researcher went public with a laundry list of spectacular flaws in internet connected cameras from Taiwanese tech company AVTECH (not the same as a US company with the same name which makes environmental monitoring equipment). These devices spew out their config to anyone who asks – the config page does not check if the user is logged in. The login checking has many more holes, allowing some files that should not be public to be downloaded from the devices without logging in. A number of URLs on the device don’t get properly sanitised, so you can inject terminal commands into the device through URLs – i.e. easy remote code execution. The devices also don’t check TLS certs when contacting their cloud service, so they may as well not have HTTPS at all. Passwords are stored in plain text, so when you combine that with the problem that they spit out private files they shouldn’t you get a really big problem.

Akamai also highlighted another problem they are seeing with IoT devices: many of them have poorly configured SSH daemons that allow them to be recruited into botnets without ever needing to be hacked at all. SSH can act as a kind of proxy, which is normally a good thing. However, if poorly configured, SSH can allow proxying by users who are not otherwise allowed to log in, and millions of IoT devices are poorly configured in this way. To try to highlight the point, and get the problem addressed, Akamai have given it a catchy name, SSHowDowN (from the terminal command that uses this misconfiguration, ssh -D -N).
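As an added example (not from Bart’s notes, Akamai, or the OpenSSH project), here is a small Python audit of the sshd_config settings behind this issue. It assumes OpenSSH’s documented semantics: keywords are case-insensitive, the first value of a keyword wins, AllowTcpForwarding defaults to yes, and PermitTunnel and GatewayPorts default to no; the sample configs are constructed.

```python
# Added example (not from the show notes, Akamai, or OpenSSH): audit an sshd_config
# for the forwarding settings that let a device be used as an open SSH proxy.
# Assumed OpenSSH semantics: keywords are case-insensitive, the FIRST value of a
# keyword wins, AllowTcpForwarding defaults to yes, PermitTunnel and GatewayPorts
# default to no. Directives after a Match line are conditional and are skipped.
import re

DEFAULTS = {"allowtcpforwarding": "yes", "permittunnel": "no", "gatewayports": "no"}
HARDENED = {"allowtcpforwarding": "no", "permittunnel": "no", "gatewayports": "no"}

def parse_sshd_config(text):
    """Return {keyword_lower: first_value} from the global section of an sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # everything after the first Match line is conditional
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # sshd keeps the first value it sees
    return settings

def audit_forwarding(text):
    """Return [(keyword, effective_value)] for settings weaker than HARDENED.
    An absent keyword is reported at its default, which is the SSHowDowN case:
    nobody set AllowTcpForwarding, so it is silently on."""
    settings = parse_sshd_config(text)
    return [(key, settings.get(key, DEFAULTS[key]).lower())
            for key, safe in HARDENED.items()
            if settings.get(key, DEFAULTS[key]).lower() != safe]

WEAK_CONFIG = """\
# constructed sample: a typical shipped IoT sshd_config; forwarding never mentioned
Port 22
PermitRootLogin yes
"""

HARDENED_CONFIG = """\
# constructed sample: forwarding explicitly disabled; the later repeat is ignored
Port 22
AllowTcpForwarding no
PermitTunnel no
GatewayPorts no
AllowTcpForwarding yes
"""

if __name__ == "__main__":
    print("weak:", audit_forwarding(WEAK_CONFIG))          # [('allowtcpforwarding', 'yes')]
    print("hardened:", audit_forwarding(HARDENED_CONFIG))  # []
```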

Meanwhile, the US government-backed ICS-CERT is warning of problems with Cellular Gateways used to connect automotive and industrial equipment to the internet – arstechnica.com/…

Links:

Security Medium – Cryptographic Trapdoors

Cryptographers have found a long-theorised, but never before realised, trapdoor in the discrete logarithm problem, the maths at the heart of many encryption algorithms. If an attacker can choose the prime number at the heart of the encryption, they can make the encryption easier to crack by four orders of magnitude (10,000x). This brings 1024-bit crypto into the danger zone, but 2048-bit crypto is still safe.

There is no way to tell by looking at any given prime whether or not it has a trapdoor in it. This is not a problem for many kinds of crypto. For example, SSH keys and TLS certs both use prime numbers chosen by the creator of the key or the requester of the cert, and the person running the server being connected to does not need to break crypto to see what is happening on their server: they are at one end of the encryption, so they see the traffic in plain text anyway! The only way these trapdoors could cause problems for HTTPS or SSH would be if people accepted private keys created for them by others. However, other encryption algorithms depend on a handful of standardised primes which are written into the standards, but are often of unknown origin. This will have to change going forward. Any standard that relies on pre-defined primes will have to show where those primes came from, so we can be sure they are safe. There are plenty of ways of doing this.

This was always a theoretical possibility in the back of cryptographers’ heads. Now it is a reality. There is no need to panic though. In the short term, we need to finish the move to 2048-bit encryption that is already well under way, and perhaps accelerate the decommissioning of 1024-bit crypto. In the long term we need to make sure that all new standards that rely on standardised primes show how the primes were arrived at, so we can be confident they are truly random, and hence safe.
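One of the “plenty of ways” to show where a standardised prime came from is to derive it from a published seed, so anyone can re-run the derivation. As an added example (not from Bart’s notes or from any standard), this is a simplified, seed-derived 64-bit prime in the spirit of FIPS 186 verifiable prime generation; it is not that algorithm, and the seed is constructed.

```python
# Added example, not from the show notes or any standard: a simplified seed-derived
# prime in the spirit of FIPS 186 verifiable generation (it is NOT that algorithm).
# Publishing (seed, counter) lets anyone re-derive the prime, and a hand-picked
# trapdoor prime cannot be passed off as the output of a one-way hash.
import hashlib

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # exact MR for n < 3.1e23

def is_probable_prime(n):
    """Miller-Rabin with the fixed bases above (deterministic for 64-bit n)."""
    if n < 2:
        return False
    for b in BASES:
        if n == b:
            return True
        if n % b == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def candidate_at(seed, counter, bits):
    """Deterministic odd candidate of exactly `bits` bits from SHA-256(seed || counter)."""
    digest = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") % (1 << bits) | (1 << (bits - 1)) | 1

def prime_from_seed(seed, bits=64):
    """Return (prime, counter) for the FIRST counter whose candidate is prime."""
    counter = 0
    while not is_probable_prime(candidate_at(seed, counter, bits)):
        counter += 1
    return candidate_at(seed, counter, bits), counter

def verify_prime_from_seed(prime, seed, counter, bits=64):
    """Accept only if prime is the first prime this seed yields: a mismatch, a
    composite, or a skipped earlier prime means the claimed derivation is false."""
    if candidate_at(seed, counter, bits) != prime or not is_probable_prime(prime):
        return False
    return not any(is_probable_prime(candidate_at(seed, c, bits)) for c in range(counter))
```

The verifier rejects a prime reached by skipping an earlier hit, which closes the obvious cherry-picking loophole; the remaining freedom is the seed itself, and that is why standards should publish a seed nobody could have searched over.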

Links:

  • arstechnica.com/…
  • Security Now Episode 81 contains a good description of the issue, and some ways we could be sure of our standardised primes in the future – www.grc.com/…

Important Security Updates

  • Google have released their latest monthly security update for Android, patching 78 bugs, 7 of which are rated critical (as usual, the big question is, will most phones ever get these updates?) – nakedsecurity.sophos.com/…
    • Verizon have clarified that Google Pixel phones they sell will get all security updates immediately “much like iOS” (Editorial by Bart: I really hope this attitude spreads through the industry very quickly indeed) – arstechnica.com/…
  • Patch Tuesday has been and gone, including fixes for Acrobat and Flash from Adobe, and patches to fix five zero-day vulnerabilities from Microsoft. The zero-days are in IE, Edge, Office, and Windows. This Patch Tuesday is the start of a new era for Windows users: no more pick-and-choose patching, as Microsoft will be pushing a single “rollup” update to bring systems fully up-to-date – krebsonsecurity.com/…

Important Security News

  • Apple start to treat macOS Sierra as a security update, and if your Mac is set to automatically download and/or install updates, and if you have enough free disk space, Sierra will be automatically downloaded, and you’ll then be asked if you want to update. You can control this behaviour in your software update settings – www.idownloadblog.com/…
  • Yahoo make the news again, and for all the wrong reasons – it has been revealed that they created a bespoke email wiretapping service to monitor all email accounts in real time for the US government, and that CEO Marissa Mayer decided not to fight the request. Apple, Microsoft, Google and others have said they have neither received such requests nor carried out such surveillance. Yahoo have replied with a denial that is being described in the security community as “a non-denial denial” – theintercept.com/… & theintercept.com/…
    • Related – instructions from iMore on how to delete your Yahoo account – www.imore.com/…
    • Yahoo suspend email forwarding, a move seen by many as an attempt to make it harder to leave their service – nakedsecurity.sophos.com/…
  • Documents released by the ACLU and Open Whisper Systems (OWS, the creators of the Signal private messaging protocol) show that they received an overly broad subpoena from the US government, which they successfully fought – https://nakedsecurity.sophos.com/2016/10/05/feds-secretly-subpoenaed-encrypted-chat-app-signal/
  • Yahoo have filed a patent for advertising billboards with cameras and microphones that spy on passers-by to target ads at them – nakedsecurity.sophos.com/…
  • Since firing its human curators, Facebook has repeatedly trended bogus news items – nakedsecurity.sophos.com/…

Notable Breaches

  • Data storage and database hosting company Modern Business Solutions appears to have lost control of their customer database, leaking data on 58 million customers including names, IP addresses, birth dates, e-mail addresses, vehicle data, and occupations – arstechnica.com/…

Suggested Reading

That’s going to wind this up for this week. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], follow me on twitter @podfeet. Remember, everything good starts with podfeet.com/. podfeet.com/patreon, podfeet.com/facebook, podfeet.com/googleplus, podfeet.com/amazon! And if you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.
