Correction – Apple’s Better Cookies are iOS 11 & macOS High Sierra Only
A few weeks ago we looked at Apple’s new and improved cookie handling algorithm in detail, and we at the very least implied it was a Safari 11 feature, but it’s not, it’s an iOS 11 & macOS High Sierra feature. Even though macOS Sierra got a Safari update, it did not get this new feature.
Here is a nice article showing how to control the feature in the two OSes that do support it: www.macobserver.com/….
Followup
- DreamHost Have Won Their Challenge to an Overly Broad Warrant from the Trump Administration – nakedsecurity.sophos.com/… — the key quote from the judgement:
while the government has the right to execute its Warrant, it does not have the right to rummage through the information contained on DreamHost’s website and discover the identity of, or access communications by, individuals not participating in alleged criminal activity, particularly those persons who were engaging in protected First Amendment activities
- More Equifax News
- Equifax: 2.5 million more Americans may be affected by hack — www.chicagotribune.com/…
- It now appears the breach affected millions of UK residents too – initial reports were of hundreds of thousands of UK victims, but that was soon followed by reports of 15.2 million UK victims — Equifax Hackers Stole Info on 693,665 UK Residents — krebsonsecurity.com/… & Equifax: up to 15 million more at risk — nakedsecurity.sophos.com/…
- Equifax site found hosting malware in the form of a fake Flash updater — krebsonsecurity.com/… & nakedsecurity.sophos.com/…
- (US) IRS awards Equifax no-bid, $7.25 million contract after hack — arstechnica.com/… (Editorial: 😲 talk about failing up 🙁)
- Equifax Breach Fallout: Your Salary History — krebsonsecurity.com/…
- Suggested Listening: Planet Money episode 798 ‘Bad Credit Bureau’ explains the history of credit bureaus in general, and Equifax in particular — www.npr.org/…
Security Medium – steal.password
Security researcher Felix Krause has published research describing a potentially highly effective new phishing attack against iOS users – fake iCloud password popups.
Because iOS has us all well trained to enter that bloody password over and over again, if a website or app puts up a very convincing copy of that interface, many of us are likely to unthinkingly enter our passwords.
The threat is real – if someone tried an attack like this for real they would almost certainly harvest a lot of usernames and passwords from iOS users. Apple definitely need to take note of this research and figure out ways of tweaking iOS’s behaviour to mitigate this threat.
But, before you set your hair on fire, remember that this is not reporting on actual real-world attacks, but a proof of concept to draw attention to a potential future problem. As a result, we as users are forewarned and hence forearmed, and so is Apple.
As users, the most critical question for us is whether there is a way to tell the difference between a real dialogue box and a fake one. Thankfully, the answer is a resounding YES!
Fake dialogue boxes are confined within a single app or web page; if you switch apps or pages, the dialogues vanish. Only true system-level dialogues can persist as you move between apps or back to the home screen. The advice from Krause is very simple – just hit the home button: if the dialogue vanishes, it was fake; if it stays, it’s real!
Now, let’s address the elephant in the room here – the App Store. At first glance you might imagine it would be impossible to get a malicious app like this into the App Store. The real world is much greyer than that. Firstly, the app reviewers are all humans with a finite amount of time to check every app; they simply cannot find everything. Secondly, if a developer wanted to be really sneaky they could write their code such that the phishing only activates after a certain date, or when a certain file on a certain web server gets a certain value, or if the iOS device is within a given IP range, or even a given geographic area. The App Store is a hurdle to malware, but it is not insurmountable, and never will be. Like a seat belt, it makes us safer, but like a seat belt, it won’t save everyone all the time.
What the App Store will always give Apple is the ability to respond and blunt the damage done by a malicious app that manages to sneak in. Apple have the power to pull the app’s cert, and hence, kill it dead in its tracks. They also have the registration details of the developer who published the app, so they know where to send the police to start their investigations too!
Finally, just to say that this is yet another situation where 2FA provides a useful extra layer of protection. If you’re tricked into entering your password into a dialogue box like this, it’s of infinitely less use to an attacker if your account has 2FA enabled, because it still leaves them one factor short! However, if you re-use that password anywhere else where you don’t have 2FA, then you’re vulnerable. And, what is to stop a more determined attacker putting up another fake dialogue for your 2FA code? They would need to use that code in real-time to attack you there and then, but it’s not technically impossible. Again, having 2FA is much better than not having it, but it’s not a panacea – nothing is!
Links
- The original article from Felix Krause — krausefx.com/…
- Can apps steal your passwords? What you need to know! — www.imore.com/…
- Beware of sketchy iOS popups that want your Apple ID — arstechnica.com/…
Notable Security Updates
- Apple released an emergency supplemental update for Disk Utility in macOS Sierra (no change in version number) – rather embarrassingly, it was found that when using Disk Utility to create an encrypted APFS volume, Disk Utility was saving the actual password into the password hint field instead of the hint — www.intego.com/… & www.imore.com/…
- Microsoft’s Patch Tuesday updates for October are out, and include fixes for 62 vulnerabilities in Windows and Office, including a nasty zero-day in versions of Office dating back to 2007 — krebsonsecurity.com/… & nakedsecurity.sophos.com/…
- Google have released the October security update for Android. For the first time, Google have also started to push special monthly security updates for their Pixel and Nexus devices — nakedsecurity.sophos.com/…
Notable News
- Yahoo! has admitted that its mega breach was not ‘limited’ to ‘just’ 2 billion accounts, but actually affected all accounts, so that puts the total at about 3 billion! — nakedsecurity.sophos.com/…
- The US Department of Homeland Security (DHS) gave notice of a rule change that will go into effect on 18 October that will see tracking of social media increased, expanding it to include legal permanent residents and even naturalised citizens — nakedsecurity.sophos.com/…
- The US DOJ continue their attack on encryption with a new euphemism for back-doored encryption — say goodbye to Golden Keys, and say hello to Responsible Encryption — arstechnica.com/… & nakedsecurity.sophos.com/…
- BuzzFeed reporting alleges that the US Office of Intelligence Analysis (OIA) has “been systematically breaking the law and spying on US citizens for years” — www.buzzfeed.com/… & nakedsecurity.sophos.com/…
- After a reviewer discovered that his new Google Home Mini had been listening permanently to everything he said for days, Google pushed out an update to disable the physical button on the devices. The problem seems to be down to a faulty button — the button in question can be used to activate the assistant, and for whatever reason the device was interpreting it as being permanently pressed, so it just kept listening! — www.androidpolice.com/… & uk.businessinsider.com/…
- Google’s Project Zero has released details of another bug in some Broadcom Wifi chips that’s very similar to the so-called BroadPwn bug from earlier this year. The bug affects a number of Android devices and iPhone 7. The good news for iPhone users is that the bug was patched in the latest versions of iOS. A fix is also included in the September 2017 security patch for Android, so if your Android phone gets updates, you’re fine, if not, you’ll need to figure out whether or not you have this buggy chip to know if you’re in danger — nakedsecurity.sophos.com/…
- It looks to be official: Windows Phone OS is dead – no more new software features, and no more hardware, though security patches will continue for now — www.windowscentral.com/…
- Google is continuing its campaign to push the web towards HTTPS everywhere:
- From Chrome 62 on, any HTTP page into which form data is entered will be marked as insecure, and all HTTP pages will be marked as insecure when using incognito mode — nakedsecurity.sophos.com/…
- As a domain registrar, Google owns 45 top-level domains (including .ads & .app), and it has now announced it will force all websites on domains under those TLDs to use HTTPS with HSTS preload — nakedsecurity.sophos.com/…
- In other news, The World’s Biggest Military Contractors Don’t Encrypt Their Websites — motherboard.vice.com/…
Suggested Reading
- PSAs, Tips & Advice
- ⭐️ In the US, October has been designated National Cyber Security Awareness Month
- ⭐️ Brian Krebs raises serious privacy and security concerns about the implementation of the USPS’s new cool-sounding Informed Delivery service – if you live in an area where this service is available you may want to sign up simply to protect yourself from others signing up in your name, because they can, very easily, and that would leave you vulnerable — krebsonsecurity.com/…
- ⭐️ Zero-day exploits under active exploitation have been discovered in three popular WordPress plugins (Appointments by WPMU Dev, Flickr Gallery by Dan Coulter & RegistrationMagic-Custom Registration Forms by CMSHelpLive). Fixes are available for all three, so if you run any of them, patch ASAP — nakedsecurity.sophos.com/…
- How to Use Emergency SOS on the iPhone — www.macobserver.com/…
- How Flash works with Safari 11 in macOS High Sierra — www.imore.com/…
- Worried about Google’s Your Timeline? Here’s how to disable tracking — nakedsecurity.sophos.com/…
- Notable Breaches & Privacy Violations
- ⭐️ A problem in an API on T-Mobile’s website exposed sensitive customer data that made it possible for attackers to hijack users’ phone numbers, totally undermining SMS-based 2FA — T-Mobile customer data plundered thanks to bad API — arstechnica.co.uk/…
- 17.5M Disqus accounts were exposed, including SHA-1 salted password hashes — the company responded quickly, reset all affected passwords, and found no evidence of unauthorised logins — nakedsecurity.sophos.com/…
- Hyatt Hotels Suffers 2nd Card Breach in 2 Years — krebsonsecurity.com/…
- News
- FBI’s secret iPhone hacking tool must stay under wraps, court rules — nakedsecurity.sophos.com/…
- Government demands for Apple and Google data keep on climbing — nakedsecurity.sophos.com/…
- How anyone could have stuffed your Flickr account with photos — nakedsecurity.sophos.com/…
- Google embarrassed by fake adblocker that served ads — nakedsecurity.sophos.com/…
- Hackers steal restricted information on F-35 fighter, JDAM, P-8 and C-130 — nakedsecurity.sophos.com/…
- Opinion & Analysis
- Propeller Beanie Territory
- ⭐️ Followup: last time I included news that a study found a surprisingly large number of Macs have out of date, and hence vulnerable, EFI firmware. We’ve since learned that macOS High Sierra added a new security feature that checks the firmware’s integrity once a week — www.macobserver.com/…
- ⭐️ Researchers: Uber’s iOS App Had Secret Permissions That Allowed It to Copy Your Phone Screen — gizmodo.com/… (Editorial: it doesn’t look to me like there was anything nefarious going on here — just a bodge to work around some shortcomings in Apple’s APIs applied in cooperation with Apple)
- ⭐️ How Israel Caught Russian Hackers Scouring the World for U.S. Secrets — www.nytimes.com/… (Thanks to listener Lynda for bringing this to my attention)
- What’s the fuzz about? Microsoft unveils its latest security tool — nakedsecurity.sophos.com/…