Followups
- GitHub joins WebAuthn club — nakedsecurity.sophos.com/…
- Human Review of Voice Assistant Recordings:
- Facebook got humans to listen in on some Messenger voice chats — nakedsecurity.sophos.com/…
- Microsoft have humans review your conversations, and they’re not up for changing that fact: Microsoft won’t shift on AI recordings policy — nakedsecurity.sophos.com/…
- Humans may have been listening to you via your Xbox — nakedsecurity.sophos.com/…
- An interesting opinion piece describing an alternative approach companies like Apple could take: Why Can’t Users Teach Siri about Its Mistakes? — tidbits.com/…
- Apple contractors allegedly listened to 1,000 Siri recordings per shift — www.imore.com/…
Security Medium 1 — Bad Cables
At this year’s DEF CON security conference a security researcher generated a lot of media buzz by re-implementing something we’ve known about for a long time — a malicious cable.
Using only relatively cheap components and working at home in his kitchen, the security researcher was able to take a legitimate Apple cable and seamlessly insert a malicious chip into it that allowed him to remotely trigger attacks on the Mac the cable was connected to. At all times the cable would function like a regular USB to Lightning cable, but it would also be listening over WiFi, waiting to be commanded to take action. When triggered, the implant would become active, interacting with the Mac over USB and allowing the attacker to run commands on the Mac, including opening a remote terminal into the Mac.
Fundamentally there is nothing new here. We’ve known about malicious cables for years. This caught the media’s eye because technology has progressed to the point that the implant can be seamlessly hidden in a legitimate Apple cable.
What should we learn from this? IMO, the key take-home is that every time you plug a cable into a device you are expressing trust in that cable. You should ask yourself, where did this cable come from? Is it yours? Does it belong to a trusted friend, colleague, or acquaintance? Or did a strange person or organisation provide it? If it is yours, did you buy it from a trusted source for a believable price, or did you grab it from some random reseller with no reputation for an unrealistically cheap price? This is yet another way in which something that looks too good to be true could well be too good to be true!
How much of a real-world risk this is for you will really depend on who you are, where you are, and what you are doing. If you’re a high-profile person with control over something of value, you should probably be more suspicious than the average person. If you’re travelling in a foreign country with an authoritarian or police-state streak, you really should be extra suspicious. If you’re in a situation where industrial espionage could be a problem, be more suspicious! And of course, if you’re at a security conference like DEF CON or Black Hat, just say no to anything of any shape that plugs into anything electrical whatsoever 🙂
Links
- These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer — www.vice.com/…
- Security researcher says this modified Lightning cable can hack your Mac — www.imore.com/…
Security Medium 2 — The Bluetooth KNOB Attack
Security researchers discovered a problem with the Bluetooth spec which they’ve dubbed KNOB, for Key Negotiation of Bluetooth. This vulnerability in the spec made it possible for fully compliant Bluetooth devices to be tricked into negotiating an encryption key with just one byte of entropy. Keys with so little entropy are trivial to brute-force, so the attack effectively allowed an attacker to silently disable encryption.
It’s important to note that the window of opportunity for this attack is very small — attacks can only be launched while devices are in the process of pairing, and only by an attacker within Bluetooth range of the victim devices.
The flaw has been acknowledged and the spec updated to address the problem. It’s now up to software and hardware vendors to update their drivers and firmware to abide by the improved spec.
An important silver lining here is that the attack only works if both devices are vulnerable, so an OS update will nip this problem in the bud even if many devices never get updated because vendors don’t bother releasing updated firmware and/or users don’t bother installing the updates.
Apple have patched the vulnerability in their latest OS updates. I haven’t seen updates from any other OS vendors yet.
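To make the silver lining concrete, here is an added Python illustration (not code from the article, from Apple, or from the KNOB researchers) of the key-size negotiation step that the flaw abuses, with the minimum-size check that the revised spec calls for. The Device model, the two-message exchange, the on_air hook used to stand in for an attacker in radio range, and the 7-octet floor are simplifying assumptions chosen for this example; real stacks perform this negotiation inside the controller firmware.

```python
"""Simulated Bluetooth encryption key-size negotiation (the step KNOB abuses).

Added illustration only: this is not code from the article or from the KNOB
researchers.  The Device model, the two-message exchange and the on_air hook
are simplifying assumptions; real stacks do this inside the controller's LMP
layer.  The 7-octet minimum is assumed to match the revised spec's guidance.
"""
from dataclasses import dataclass
from typing import Callable, Optional

MAX_KEY_BYTES = 16          # BR/EDR encryption keys are 1..16 octets (128-bit max)
FIXED_MIN_KEY_BYTES = 7     # assumed floor introduced by the updated spec


@dataclass
class Device:
    name: str
    max_key_bytes: int = MAX_KEY_BYTES
    min_key_bytes: int = 1  # pre-fix behaviour: any size, even 1 octet, is accepted

    def accepts(self, size: int) -> bool:
        return self.min_key_bytes <= size <= self.max_key_bytes


def negotiate(initiator: Device, responder: Device,
              on_air: Callable[[int], int] = lambda size: size) -> Optional[int]:
    """Return the agreed key size in octets, or None if a side refuses.

    on_air models whatever happens to a key-size field in transit: the
    identity function is an honest channel, anything else is an attacker
    in radio range rewriting the field while the devices pair.
    """
    # initiator -> responder: "the largest key I support"
    proposal = on_air(initiator.max_key_bytes)
    agreed = min(proposal, responder.max_key_bytes)
    if not responder.accepts(agreed):
        return None
    # responder -> initiator: "then let's use this size"
    reply = on_air(agreed)
    if not initiator.accepts(reply):
        return None
    return reply


def brute_force_candidates(key_bytes: int) -> int:
    """Worst-case number of keys an eavesdropper must try for a given size."""
    return 2 ** (8 * key_bytes)


def knob_tamper(size: int) -> int:
    """Models the KNOB rewrite: every key-size field in transit becomes 1 octet."""
    return 1


if __name__ == "__main__":
    laptop = Device("laptop")
    headset = Device("headset")
    patched_laptop = Device("patched laptop", min_key_bytes=FIXED_MIN_KEY_BYTES)

    print("honest channel:", negotiate(laptop, headset))                   # 16
    size = negotiate(laptop, headset, on_air=knob_tamper)
    print("both unpatched, attacker present:", size,
          "-> candidates:", brute_force_candidates(size))                   # 1 -> 256
    print("one side patched, attacker present:",
          negotiate(patched_laptop, headset, on_air=knob_tamper))           # None
```

The point the simulation makes is the one in the text: a 1-octet key leaves only 256 candidates, but as soon as either side enforces a floor the tampered proposal is refused and pairing fails rather than silently proceeding with a weak key, which is why a fix on one end of the link is enough.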
Links
- New Attack exploiting serious Bluetooth weakness can intercept sensitive data — arstechnica.com/…
- Serious Bluetooth security flaw officially acknowledged; now patched by Apple — 9to5mac.com/…
- Apple Blocks KNOB Attack on Bluetooth — tidbits.com/…
Security Medium 3 — Contrasting Visions for Tracking Protection
Both Apple and Google have recently shared their updated visions for tracking prevention, and the contrast could not be more stark!
Starting with Apple, they laid out their new policy on their website. It’s not long, and it’s written in human-friendly language. The bottom line is simple — Apple will treat tracking like malware, and will do everything in their power to prevent it, even if that breaks some things.
Apple explicitly acknowledged Mozilla’s policy, saying their new policy “was inspired by and derived from” Mozilla’s.
Google on the other hand took a very different tack. They released a blog post outlining an idea (not a product or feature, at least not yet) — a ‘privacy sandbox’ that will allow some tracking, but not too much. Websites will get a tracking budget which will let them insert only so much tracking data before Chrome will step in and block further tracking.
This sounds utterly un-workable to me, and seems to be a case of Google the ad company coming into direct conflict with Google the browser vendor. I’m far from alone in that view!
Links
- Apple’s new tracking policy for WebKit — webkit.org/…
- Mozilla’s tracking policy — wiki.mozilla.org/…
- Google’s blog post: Building a more private web — www.blog.google/…
- Good writeups from TMO & iMore — www.macobserver.com/… & www.imore.com/…
- Opinion:
Notable Security Updates
- Apple have issued emergency patches for all their operating systems to re-patch a patch that their last patch accidentally un-patched! The so-called regression bug returned a previously known exploit to iOS enabling jailbreaking of the most up-to-date version for the first time in many years — tidbits.com/…
- Patch Tuesday has been and gone yet again. The most note-worthy patches fix some very scary wormable vulnerabilities in RDP (Remote Desktop Protocol) — krebsonsecurity.com/… & nakedsecurity.sophos.com/…
- Firefox just pushed out a fix for a nasty bug in their new built-in password manager — nakedsecurity.sophos.com/…
- Google patches 8 security holes in Nest cameras — nakedsecurity.sophos.com/…
- PSA for owners of HP, Brother, Kyocera, Lexmark, Ricoh & Xerox Printers — check for firmware updates: Serious flaws in six printer brands discovered, fixed — nakedsecurity.sophos.com/…
Notable News
- The Better Business Bureau is warning that scammers are now using search result manipulation to trick voice assistants into giving customers the wrong customer support numbers — their advice: never use a voice assistant to get a customer support number, it can’t be done safely! — nakedsecurity.sophos.com/…
- In a presentation at DEF CON Google Project Zero security researchers warn of the dangers of pre-installed malware on Android phones, particularly at the lower end of the market where manufacturers are not making much if any money from the sale of the devices themselves, and need other avenues for monetisation — nakedsecurity.sophos.com/…
- Since 2015 Kaspersky AV has been injecting JavaScript into all web pages viewed by their users (even HTTPS pages) that contains an unchanging unique ID, creating an unremovable super tracking cookie. The software has been updated so the ID is now unique to the version of the product rather than the user, but that’s still a security risk! (Editorial by Bart: this just confirms my opinion that 3rd-party AV does more harm than good these days. My advice remains to just use Windows Defender!) — arstechnica.com/…
- Researchers at Kaspersky Labs have found an app in the Google Play Store with 100 million downloads that was updated to add a malicious payload — arstechnica.com/…
- 🇮🇪 🇪🇸 🇰🇷 Facebook has started to roll out their data deletion tool in Ireland, Spain & South Korea. Unfortunately, it doesn’t actually delete anything! The tool allows users to disassociate the data Facebook has collected on them from their accounts, but deletes nothing — nakedsecurity.sophos.com/…
- 🇺🇸 Big Telecom, Every U.S. State Vow to End America’s Robocall Hell — gizmodo.com/…
- 🇺🇸 AT&T and T-Mobile will now verify phone calls between their networks — www.engadget.com/…
Suggested Reading
- PSAs, Tips & Advice
- Notable Breaches & Privacy Violations
- ⭐️ MoviePass error allegedly exposed credit card info, customer names, and more — www.imore.com/… & Massive MoviePass database found exposed on public server — nakedsecurity.sophos.com/…
- Hostinger upgrades password security after 14m accounts breached — nakedsecurity.sophos.com/…
- Cybersecurity Firm Imperva Discloses Breach — krebsonsecurity.com/…
- 🇬🇧 Major breach found in biometrics system used by banks, UK police and defence firms — www.theguardian.com/…
- 🇺🇸 Breach at Hy-Vee Supermarket Chain Tied to Sale of 5M+ Stolen Credit, Debit Cards — krebsonsecurity.com/…
- News
- More Facebook scandal:
- ⭐️ Did Facebook know about “View As” bug before 2018 breach? — nakedsecurity.sophos.com/…
- ⭐️ A document unearthed by NBC’s Dylan Byers shows that, contrary to what Mark Zuckerberg testified to the US Congress, Facebook had evidence that there might be a problem with Cambridge Analytica back in 2015 — https://link.nbcnews.com/view/57c09634487ccd31218b6128amnse.5g5/46de4778
- Trauma Counselors Were Pressured to Divulge Confidential Information About Facebook Moderators, Internal Letter Claims — theintercept.com/…
- 🇺🇸 Facebook facial recognition: class action suit gets court’s go ahead — nakedsecurity.sophos.com/…
- Apple, Google, and Mozilla Team Up to Block Kazakhstani Surveillance — tidbits.com/…
- Google removes option to disable Nest cams’ status light — nakedsecurity.sophos.com/…
- 🇺🇸 NSA Wants Congress to Reauthorize Section 215 Permanently — www.macobserver.com/…
- Opinion & Analysis
- ⭐️ Glass half empty or glass half full? Google have announced that their Password Checkup feature, added to Chrome earlier this year, has encouraged 26% of users to change their unsafe passwords, and 60% of those chose strong passwords: Password Checkup Helping Users Stay Safer — www.macobserver.com/… or Chrome users ignoring warnings to change breached passwords — nakedsecurity.sophos.com/…
- ⭐️ Forced Password Reset? Check Your Assumptions — krebsonsecurity.com/…
- ⭐️ A timely reminder to be wary of iTunes vouchers that look too good to be true, if they’re fraudulent they could get you locked out of your account: Apple locked me out of its walled garden. It was a nightmare — qz.com/…
- ⭐️ The GDPR has created an interesting new avenue for attackers to try to trick companies into handing over personal data. A security researcher did some experiments and found that many companies ‘comply’ with subject access requests, or SARs (the GDPR mechanism for asking for all data an organisation has on you), without properly validating the identity of the person making the request — nakedsecurity.sophos.com/…
- ⭐️ 🇺🇸 ARF: The Price Consumers Put On Their Data — www.mediapost.com/…
- Propellor Beanie Territory
- Hacked devices can be turned into acoustic weapons — nakedsecurity.sophos.com/…
- The Google Chrome Incognito Mode detection cat-and-mouse-game continues: Chrome Incognito mode detection fix busted by researchers — nakedsecurity.sophos.com/…
- Multiple HTTP/2 DoS flaws found by Netflix — nakedsecurity.sophos.com/…
- Serious Security: Phishing in the cloud – the freemium way — nakedsecurity.sophos.com/…
- Ruby 11 Libraries Found to Contain Backdoors — www.macobserver.com/…
Suggested Listening
- 🎧 A great short little history of the last cryptowar — Darknet Diaries Ep 12: Crypto Wars — overcast.fm/…
- I also recommend their episode on Stuxnet: Darknet Diaries Ep 29: Stuxnet — overcast.fm/…
- Actually — I recommend subscribing to the entire show 🙂
Palate Cleansers
Note: When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.