Security Bits – 15 October 2017

Correction – Apple’s Better Cookies are iOS 11 & macOS High Sierra Only

A few weeks ago we looked at Apple’s new and improved cookie handling algorithm in detail, and we at the very least implied it was a Safari 11 feature. It’s not: it’s an iOS 11 & macOS High Sierra feature. Even though macOS Sierra got a Safari update, it did not get this new feature.

Here is a nice article showing how to control the feature in the two OSes that do support it: www.macobserver.com/….

Followup

Security Medium – steal.password

Security researcher Felix Krause has published research describing a potentially highly effective new phishing attack against iOS users: fake iCloud password popups.

Because iOS has us all well trained to enter that bloody password over and over again, if a website or app puts up a very convincing copy of the real prompt, many of us are likely to enter our passwords without a second thought.

The threat is real: if someone tried an attack like this for real they would almost certainly harvest a lot of usernames and passwords from iOS users. Apple definitely need to take note of this research and find ways of tweaking iOS’s behaviour to mitigate this threat.

But, before you set your hair on fire, remember that this is not reporting on actual real-world attacks, but a proof of concept to draw attention to a potential future problem. As a result, we as users are forewarned and hence forearmed, and so is Apple.

As users, the most critical question for us is whether there is a way to tell a real dialogue box from a fake one. Thankfully, the answer is a resounding YES!

Fake dialogue boxes are confined within a single app or web page: switch apps or pages and they vanish. Only true system-level dialogues persist as you move between apps or back to the home screen. Krause’s advice is very simple: just hit the home button. If the dialogue vanishes, it was fake; if it stays, it’s real. Krause also suggests the belt-and-braces approach of dismissing any such popup and entering your password in the Settings app instead, where you know who is asking.

Now, let’s address the elephant in the room here: the App Store. At first glance you might imagine it would be impossible to get a malicious app like this into the App Store. The real world is much greyer than that. Firstly, the app reviewers are all humans with a finite amount of time to check every app; they simply cannot find everything. Secondly, if a developer wanted to be really sneaky they could write their code such that the phishing only activates after a certain date, or when a certain file on a certain web server gets a certain value, or if the iOS device is within a given IP range, or even a given geographic area, so the reviewer never sees the malicious behaviour at all. The App Store is a hurdle to malware, but it is not insurmountable, and never will be. Like a seat belt, it makes us safer, but like a seat belt, it won’t save everyone all the time.

What the App Store will always give Apple is the ability to respond and blunt the damage done by a malicious app that manages to sneak in. Apple have the power to pull the app’s cert, and hence, kill it dead in its tracks. They also have the registration details of the developer who published the app, so they know where to send the police to start their investigations too!

Finally, just to say that this is yet another situation where 2FA provides a useful extra layer of protection. If you’re tricked into entering your password into a dialogue box like this, it’s of far less use to an attacker if your account has 2FA enabled, because it still leaves them one factor short! However, if you re-use that password anywhere else where you don’t have 2FA, then you’re vulnerable. And what is to stop a more determined attacker putting up another fake dialogue for your 2FA code? They would need to relay that code in real time, before it expires, to attack you there and then, but that is not technically impossible. Again, having 2FA is much better than not having it, but it’s not a panacea. Nothing is!

Links

Notable Security Updates

  • Apple released an emergency supplemental update for macOS High Sierra (no change in version number). Rather embarrassingly, it was found that when Disk Utility was used to create an encrypted APFS volume, it saved the actual password into the password hint field instead of the hint, so clicking “Show Hint” at the unlock prompt revealed the password in plain text — www.intego.com/… & www.imore.com/…
  • Microsoft’s Patch Tuesday updates for October are out, and include fixes for 62 vulnerabilities in Windows and Office, including a nasty zero-day in versions of Office dating back to 2007 — krebsonsecurity.com/… & nakedsecurity.sophos.com/…
  • Google have released the October security update for Android. For the first time, Google have also started to push separate monthly security updates for their Pixel and Nexus devices — nakedsecurity.sophos.com/…

Notable News

  • Yahoo! has admitted that its mega breach was not ‘limited’ to ‘just’ the 1 billion accounts previously disclosed, but actually affected all accounts, so that puts the total at about 3 billion! — nakedsecurity.sophos.com/…
  • The US Department of Homeland Security (DHS) gave notice of a rule change that will go into effect on 18 October that will see tracking of social media increased, expanding it to include legal permanent residents and even naturalised citizens — nakedsecurity.sophos.com/…
  • The US DOJ continue their attack on encryption with a new euphemism for back-doored encryption: say goodbye to Golden Keys, and say hello to Responsible Encryption — arstechnica.com/… & nakedsecurity.sophos.com/…
  • BuzzFeed reporting alleges that the US Office of Intelligence Analysis (OIA) has “been systematically breaking the law and spying on US citizens for years” — www.buzzfeed.com/… & nakedsecurity.sophos.com/…
  • After a reviewer discovered that his new Google Home Mini had been listening to everything he said for days, Google pushed out an update to disable the physical button on the devices. The problem seems to be down to a faulty button: the button in question can be used to activate the assistant, and for whatever reason the device was interpreting it as being permanently pressed, so it just kept listening! — www.androidpolice.com/… & uk.businessinsider.com/…
  • Google’s Project Zero has released details of another bug in some Broadcom Wi-Fi chips that’s very similar to the so-called BroadPwn bug from earlier this year. The bug affects a number of Android devices and the iPhone 7. The good news for iPhone users is that the bug was patched in the latest versions of iOS. A fix is also included in the September 2017 security patch for Android, so if your Android phone gets updates, you’re fine; if not, you’ll need to figure out whether or not you have this buggy chip to know if you’re in danger — nakedsecurity.sophos.com/…
  • It looks to be official: Windows Phone OS is dead – no more new software features, and no more hardware, though security patches will continue for now — www.windowscentral.com/…
  • Google is continuing its campaign to push the web towards HTTPS everywhere:
    • From Chrome 62 on, any HTTP page into which form data is entered will be marked as “Not secure”, and all HTTP pages will be marked as “Not secure” when using incognito mode — nakedsecurity.sophos.com/…
    • As a TLD registry, Google owns 45 top-level domains (including .ads & .app), and it has now announced it will add those TLDs to the HSTS preload list, forcing every website on a domain under them to use HTTPS, with browsers refusing to make plaintext requests to them — nakedsecurity.sophos.com/…
    • In other news, The World’s Biggest Military Contractors Don’t Encrypt Their Websites — motherboard.vice.com/…

Suggested Reading

Palate Cleansers
