Security Bits – 15 October 2017

Correction – Apple’s Better Cookies are iOS 11 & macOS High Sierra Only

A few weeks ago we looked at Apple’s new and improved cookie handling algorithm in detail, and we at the very least implied it was a Safari 11 feature, but it’s not, it’s an iOS 11 & macOS High Sierra feature. Even though macOS Sierra got a Safari update, it did not get this new feature.

Here is a nice article showing how to control the feature in the two OSes that do support it: www.macobserver.com/….

Continue reading “Security Bits – 15 October 2017”

Security Bits – 30 September 2017

From Allison: I’ve just decided that it might be a nice enhancement to the podcast and blog if you could see Security Bits as a stand-alone blog post. Makes it easier to find and more importantly easier to reference when sharing with others. Bart will be shown as the author (since he IS the author) but I’ll write the excerpt for each post.

In this week’s action-packed Security Bits, Bart brings some follow-up on the Equifax breach and more details about Apple’s Face ID. We have three security mediums this week. We cover the CCleaner compromise which infected over 2 million machines. Then we talk about the macOS Keychain vulnerability that was announced this week for macOS (something for everyone). In the third “medium” Bart explains cookies from inception and why they’re needed, through their evolution to help us into something that can track us. He walks us through all of this so we can understand how the changes Apple made in Safari 11 are reducing the tracking and why it’s making some types of advertisers cranky at Apple. Finally, Bart goes through Notable Security Updates, Notable News, Suggested Reading and has a couple of nice palate cleansers. Continue reading “Security Bits – 30 September 2017”


Anker USB Charger Solves a Lot of Problems

The problem to be solved is that I regularly need to charge multiple things at the same time in my kitchen, and I don’t want to waste too many wall outlets, or, be constantly plugging things in and out.

I need the ability to charge Apple devices like my iPhone and my iPad, and, to be able to charge my Bluetooth speaker, my Bluetooth headphones, and my wide array of bike lights from CatEye. The iDevices all have Lightning connectors, and the speaker, headphones and the bike lights are all Micro-USB.

Continue reading “Anker USB Charger Solves a Lot of Problems”


NC #621 Health Tracking Update, Aira Visual Interpreter, American Printing House Accessible Calculator, Magnet, Spectacle & Security Bits

Hi folks, welcome to episode 621 of the NosillaCast, a technology geek podcast with an ever so slight macintosh bias. This is the show for Sunday April 2nd 2016, and I’m your guest-host Bart Busschots.


Continue reading “NC #621 Health Tracking Update, Aira Visual Interpreter, American Printing House Accessible Calculator, Magnet, Spectacle & Security Bits”


CCATP #481 – Dermot Daly from Tapadoo

I’m your guest host Bart Busschots, and this week I’m in conversation with Dermot Daly from Tapadoo, a mobile app development company based in Dublin, Ireland. We talk about what it’s like being a developer writing apps for iOS and Android, how the App Store and Google Play store differ from each other, and the state of the app business in general. We also look at what some of the recent changes to the app store really mean for developers.


NC #572 Apple did not Admit to Planned Obsolescence, PRC & Hardcore History

This show is guest-hosted by Bart Busschots. The show starts with a little rant about how Apple did not accidentally admit to practicing Planned Obsolescence, no matter what the tabloid press (or Irish radio) say. Allison teleports in from the past with an interview with PRC from CES 2016, Bart recommends the Hardcore History podcast, and finally, Bart does a solo Security Bits.


Continue reading “NC #572 Apple did not Admit to Planned Obsolescence, PRC & Hardcore History”

Hardcore History – A Podcast Recommendation

Bart again back with another guest post while Allison is away.

I want to share a podcast recommendation with you. Well – I say podcast – the content is delivered as a podcast, but it’s anything but a typical podcast actually. The content is meticulously scripted, performed, and produced, making it more like a collection of high quality audio books than a podcast. The schedule is also very atypical – a three to four hour show about four times a year. Some of the topics covered stretch over multiple shows, so they can build into 15 or even 18 hour epics – a meticulously produced 18 hour story with a well defined beginning, middle, and end – that really is an audio book IMO.

The show is called Hardcore History, and the brains behind it is Dan Carlin – a self-professed ‘history fan’. Dan is quick to point out that he is not an academic historian. He does not do original research – instead, he reads as much of the work put out by academic historians as he can, and then builds all that knowledge into a compelling story. The magic ingredient in my opinion is Dan’s ability to teleport you into the past. It’s not just a bunch of stuff that happened, it’s fully rounded human beings living in a fully colourised world having to make tough decisions. Dan spends a lot of time and effort trying to get into the minds of ancient peoples – trying to understand what made them tick, and hence, understand why they did what they did, why they reacted to situations in the way they did, etc. Another very important part of what makes Hardcore History work is Dan’s understanding of the importance of context. Dan tends to start a new topic by going back in time to before the story he wants to tell so we can understand the world in which the action starts, and then watch that world transform as the events unfold. A story generally ends by projecting forward, contrasting the world before with the world after.
Continue reading “Hardcore History – A Podcast Recommendation”

Estimated Usage does not equal Planned Obsolescence

In case you can’t tell from the tone of this post, this is Bart here standing in for Allison this week.

This morning I was listening to the radio, like I always do when getting ready for work. I listen to RTÉ 1, Ireland’s national radio station for serious adults (lots of talk, very little music), and at the time I’m getting ready for work, I get to listen to the first half of Ryan Tubridy’s show.

The news came on at the top of the hour, we still don’t have a government, and then Ryan got stuck into his hour. His first main topic was Apple – ruh roh – I always get a little nervous when RTÉ take on tech topics. In my experience they have generally proven to be about as technologically literate as my cat. Ryan had a supposed tech expert come on to explain that in their environmental report, Apple had accidentally admitted to practicing planned obsolescence. In case anyone didn’t understand what that was, they explained that in the early years of the last century the lightbulb manufacturers had a cartel which they used to artificially shorten the lifespan of light bulbs to boost sales. The implication was clear, Apple is doing the same kind of thing, designing their iPhones to die early so they can sell more.

Really? Could this really have happened and it not show up on any of the many tech news sites I read? Colour me VERY sceptical.

Continue reading “Estimated Usage does not equal Planned Obsolescence”

eDellRoot – Dell’s Certificate Fiasco

What Happened:


  • This week it emerged that Dell started rolling out an updated version of its Dell Foundation Services software (or crapware as I call it) that comes with a root certificate that gets installed into Windows. The certificate shows up in the Windows Certificate Manager as eDellRoot.
  • Initially it was thought it only affected laptops sold since August, then it emerged that it was on Desktops too, and the last shoe to drop was that the cert was also being pushed to people with older Dell computers via updates to the Dell software.
  • This root cert is installed with its ‘PRIVATE’ key, and all computers have certs with the same private key, and the password ‘protecting’ that private key is dell.
  • A second, similar cert was found later in the week also from Dell called DSDTestProvider.
  • Continue reading “eDellRoot – Dell’s Certificate Fiasco”

The LastPass Breach – Don’t Panic!

When I do Security Lite with Allison as part of our Chit Chat Across the Pond segment I often tell people that there is no need to set your hair on fire. This is one of those times. Before I explain what happened and why it’s not a catastrophe, I want to start with a simple list of what LastPass users should do now:

  1. Change your master password
  2. When setting your new password, make sure that your password hint is as cryptic as possible

It should not be possible to determine your password from your hint!

So, what happened?

The short version is that attackers were found to have accessed LastPass’s user authentication database, and that gave them access to email addresses, password hints, and very well protected master passwords. It’s important to note that people’s encrypted password databases were not in the breached database.

So, what of value did the attackers actually get?

Almost nothing!

The reason is that LastPass did a great job designing their architecture, so people’s data is very safe, even when attackers gain access to such a sensitive-sounding database. The reason people like Steve Gibson recommend LastPass is that their design is robust. The system was designed to keep your data protected, even if the LastPass servers were breached. Given that sooner or later every system gets hacked, that was very much the right thing to do.

Let’s dig into the specifics – LastPass never store your actual master password, instead, they store an irreversibly encrypted version (more on how they do that later). When you need to prove you are who you say you are, the password you submit is irreversibly encrypted, and then that encrypted version of your password is compared to the encrypted version on file. Since LastPass don’t actually have your password, they can’t lose it!

The only thing the attackers can do with the protected passwords they have is guess what the password is, run it through the encryption process, then check if the encrypted version of their guess matches what was in the database they stole.

To make this as hard as possible, LastPass got two very important things right.

Firstly, every single LastPass user’s password is one-way-encrypted using a different random number known as a salt. This means that the password ‘open123’ encrypts to a different value for every user, so attackers have to re-do all their work for each user. Passwords protected in this way are referred to as hashed and salted.

Secondly, they did not just store the plain salted hashes, they ran them through a process designed to be computationally hard. A legitimate user doesn’t need their password validated often, so it’s not a problem that it takes a lot of CPU power each time. Attackers have to test trillions and trillions of password guesses, so the extra computational complexity really adds up for them.

This kind of password inflating is known as password based key derivation, and LastPass run the salted hashes of users’ passwords through 100,000 iterations of a password based key derivation function known as PBKDF2. This is ten times more than the currently accepted best-practice of 10,000 iterations of PBKDF2.

Basically – LastPass were not just doing things by the book, they were doing things even better than that!

What this means is that even weak passwords will stand up to a lot more of an attack than you might expect.

Finally, once you change your password, the data the attackers have becomes useless, so, the inflated salted hashed passwords only have to stand up to attack for the short time window between the breach happening, and users resetting their passwords. So, if you are a LastPass user, go reset your password NOW as a precautionary measure.

Let’s talk about password hints

I do want to draw your attention to one subtle detail – the attackers got users’ password hints. We have seen from past breaches that some users do very silly things with password hints – there is the infamous example from the Adobe breach where some clown used the password hint ‘rhymes with assword’. The only people who need to panic here are those with dumb password hints. Given that a hint is shown whenever you can’t remember your password, those accounts were ALWAYS in danger, and they have been made even more vulnerable by the breach.

Bottom Line

To me the biggest take-away from this is that LastPass have been tested, and they have not been found wanting – their good design has paid off, and protected their users. Secondary to that, this breach serves as a reminder to be very careful when setting password hints on anything – if you make the hint too obvious, you have effectively published your password!

For more details, see this excellent Naked Security article: https://nakedsecurity.sophos.com/2015/06/16/bad-news-lastpass-breached-good-news-you-should-be-ok/
