Home

Podfeet Podcasts

Security Bits logo - a green padlock with the words Security Bits to the right and in tiny letters below ithat it says 10101010 indicating a digital lock

Security Bits — 18 February 2024

  • by Bart Busschots
  • One Comment

    • Feedback & Followups

    Deep Dive 1 — Beware the Difference Between Rates and Levels! (Not Such Good News on Ransomware After all 🙁)

    Last time we learned that the rate of ransomware payment had fallen dramatically, with ransomware negotiation firm Coveware reporting that only 29% of victims were paying ransoms, down from a whopping 85% in 2019. Since ransomware is a financially motivated cybercrime I happily opined that the end of the ransomware may be near.

    Imagine my surprise when just a few days later I read a story citing ransomware payments had reached a record high level of $1.1Bn in 2023 according to blockchain intelligence firm Chainalysis.

    Which story is true? Surely they can’t both be? Actually, they can, and they are!

    Intellectually I know it’s really important to always ask yourself “is this number a rate or a level”, and remember that cherry-picking one over the other could completely flip the impression the data gives.

    If the number of companies victimised by ransomware and the average payout amount had remained constant, then a fall in the rate of payment would have meant the market was contracting and the economics were turning against the cybercriminals. But, If either of those were not constant, then the rate of payment and the overall level of the market become uncoupled.

    So, did the number of attacks remain constant? Nope!, it went up 🙁

    What about the average payout amount, did it remain consistent? Nope!, it also went up 🙁

    This means when you have more victims and a rising average ransom payment, then even if the percentage of victims that choose to pay falls to a record low, the total amount paid to the cybercriminals can still grow, which is exactly what happened.

    So — I retract my optimism, with a growing market, there’s absolutely no reason to expect any kind of respite from ransomware anytime soon 🙁

    There’s also a second statistical lesson lurking in the Chainalysis report — the graph showing the global market over time. In 2022 the market was only $0.6Bn, and in 2023 it jumped to $1.1Bn. You could factually write a shouty headline that ransomware payments doubled in 2023, but that would be very misleading because you always have to ask the question “Are the two data points being compared normal, or are either or both unusual”.

    Chainalysis did not shout about a doubling, because they are a reputable firm, and, because 2022 was not a normal year. For various economic and political reasons, it was a very abnormal year, so while 2023 was a new high, it was mostly just a return to the previous slowly growing trend — in 2020 the market was about 0.9Bn, in 2021 it was nearly $1Bn, then we had the odd-ball year 2022, and in 2023 it was $1.1Bn.

    So, in the grand scheme of things, this story is actually a big ‘nothing burger’ — ransomware continues its slow growth trend, but there is a shift from more smaller ransoms to fewer larger ones, and the total number of attacks is growing faster than the market value.

    Links

    Deep Dive 2 — Apple Details visionOS Privacy Protections

    As a baseline, visionOS gives the same privacy protections as Apple’s other OSes, but because it has so many more sensors, and is so much more aware of both your surroundings and you, it adds extra protections on top of that baseline.

    Apple call out the following as additionally protected:

    1. Your surroundings
    2. The people around you
    3. Your hand gestures
    4. Your eye movements
    5. The 3D persona visionOS builds to represent you in video streams

    An interesting point to note is that Apple have split the rules into two distinct categories regular apps that sit in the shared environment, and apps that provide a fully immersive experience. No apps get access to raw sensor data, but regular apps get even less situational data than immersive apps.

    VisionOS itself has to have a real-time map of your surroundings, and it has to track what your hands and eyes are doing at all times in order to offer its magic-feeling blend of the real and the virtual, but apps can only get access to that data through APIs, and that’s where Apple asserts control and adds privacy protections.

    Firstly, there is no API offering any access to eye-tracking info. Only the OS knows what you’re looking at second to second, but it doesn’t share that info with anyone, not even Apple. What visionOS shares with apps is the same kinds of events iOS and macOS share — the ‘user clicked this button’, ‘the user dragged this slider’, and so on. Note that the OS shows you the thing you would interact with if you made a gesture, so buttons, sliders etc. highlight as you move your eyes around, but apps don’t get to know what’s highlighted unless you make a gesture and actually interact with it.

    Note that this level of privacy protection is a tradeoff — it does make some kinds of apps impossible, but it also cuts off a wide spectrum of dystopian possibilities, which seems like a wise choice!

    Similarly, even though visionOS looks for people around you, and merges them into your mixed reality as needed, that’s all done on-device, the information never leaves the device, and no API exposes that information to any app.

    Something to note is that any app that offers an immersive experience gets real-time access to your head position. Without this, these kinds of experiences would be impossible, so this is not surprising. A nice tought though is that this API is only available to immersive apps.

    Finally, visionOS provides a dedicated guest mode allowing you to safely let others use your headset.

    Protecting your Surroundings

    You’re likely to use your Vision Pro in very private spaces, so your surroundings could say a lot about you! The most important thing to know is that no app gets this information without your explicit consent, and only certain types of apps (immersive environments) can even ask. Even then, the OS gives a mesh representing the shape of things rather than the raw images, and the mesh only goes out to 5 meters.

    Protecting your Hand Gestures

    No apps get raw images of your hands, so they can’t try to profile you based on skin colour or tattoos, or jewelry. All any app gets is basic game-like wireframes describing the movement and shape of hands in terms of the positions of your joints. Even then, apps have to explicitly ask for permission to access this API, and only immersive apps can even do that.

    Protecting Your Persona

    The underlying model used to generate the live feed of you as your persona is built on-device, encrypted, and never leaves. Neither Apple nor any apps get access to it.

    What the OS makes available via APIs is just a video feed, basically a virtual camera, and the OS protects it like it does real cameras.

    Because people could use your persona to imitate you, the OS won’t allow it to be enabled unless you’ve authenticated yourself, ideally with Optic ID. In fact, if Optic ID is set up on the device your persona can’t be used without it verifying your identity.

    Links

    ❗ Action Alerts

    Worthy Warnings

    • 🇫🇷 CNIL (France’s data regulator National Commission on Informatics and Liberty) have warned that 33M French citizens have been caught up in data breaches at two major healthcare payment providers (Viamedis and Almerys), and have instructed the companies to be sure to inform all affected users (note the future tense!) – www.bleepingcomputer.com/…

      • The population of France is 66.7M, so this affects about half the country!

      • “Although the exposed data does not include financial info, it is still enough to raise the risk of phishing scams, social engineering, identity theft, and insurance fraud for the exposed individuals.”

      • “‘Although contact data was not affected by the breach, it is possible that the data involved in the breach could be combined with other information from previous data leaks,’ warns CNIL”

      This is an excellent point that we need to bear in mind for all data breaches — there is already a lot of stuff about us all out there, a breach doesn’t have to leak everything if it leaks enough to connect jigsaw pieces that are already known to potential attackers.

    • 🇺🇸 Bank of America warns customers of data breach after vendor hack — www.bleepingcomputer.com/…

      • “It is unlikely that we will be able to determine with certainty what personal information was accessed as a result of this incident at IMS.”

      • Based on the above, it seems like individual affected users can’t have been reached out to give personal warnings, so many affected customers may be none-the-wiser — if you bank with Bank of America, best be extra vigilant!

    • If you use Facebook Marketplace take note: 200,000 Facebook Marketplace user records leaked on hacking forum — www.bleepingcomputer.com/… (Facebook ads are a popular choice for local businesses, small businesses and sole traders, so likely affect some NosiallaCastaways)

    Notable News

    Interesting Insights

    Palate Cleansers

    • An especially cool Astronomy Picture of the Day that really shows the physical arrangement that gives us the phases of the Moon and proves we live on a round planet in a particularly down-to-earth way — apod.nasa.gov/…

    • From Allison: If you like history and science, you probably find Charles Darwin interesting. A person who goes by @OddPride on TikTok tells the story of Charles Darwin’s early life in a delightful and humorous style — www.tiktok.com/…

    • From John F Braun on the Mac Geek Gab 1024 episode – he recommends watching the YouTube Channel Scammer Payback to watch them explain how they attack scammers.

    Legend

    When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

    Emoji Meaning
    🎧 A link to audio content, probably a podcast.
    A call to action.
    flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
    📊 A link to graphical content, probably a chart, graph, or diagram.
    🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
    💵 A link to an article behind a paywall.
    📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
    🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.

    1 thought on “Security Bits — 18 February 2024

    1. Steve Davidson - February 20, 2024

      During the discussion of DuckDuckGo’s secure synchronization, Bart contrasted it with Apple’s approach, citing that Apple, to be more user friendly, manages the keys (whereas DuckDuckGo shares QR codes, which puts the burden on the user). Therefore we must trust that Apple won’t “sneak in another private key” in order to respond to a subpoena (or for a nefarious reason, but we trust Apple not to be evil).

      But it occurred to me: Apple also has Advanced Data Protection < https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web > where “[our] trusted devices retain sole access to the encryption keys for the majority of their iCloud data, thereby protecting it with end-to-end encryption.”

      So, would think that if ADP is enabled, Apple could not “sneak in an extra private key,” and it is every bit as protected as DuckDuckGo. Am I understanding it correctly?

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    Scroll to top