{"id":16451,"date":"2018-09-23T13:53:05","date_gmt":"2018-09-23T20:53:05","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=16451"},"modified":"2018-09-23T13:56:04","modified_gmt":"2018-09-23T20:56:04","slug":"sb-2018-09-22","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2018\/09\/sb-2018-09-22\/","title":{"rendered":"Security Bits &#8211; Cold Boot Attack, Apple&#8217;s Anti-Fraud Trust Score, EU Copyright Act Amendments"},"content":{"rendered":"<h1>Security Bits \u2013 21 Sep 2018<\/h1>\n<h3>Followups<\/h3>\n<ul>\n<li>Following on from Apple&#8217;s belated removal of <em>Adware Doctor<\/em> for stealing users&#8217; browser history, Apple have now booted three apps from TrendMicro for doing the same, specifically <em>Dr. Cleaner<\/em>, <em>Dr. Antivirus<\/em>, and <em>Dr. Archiver<\/em>. TrendMicro insist it was an innocent mistake due to code re-use, and not malicious or nefarious in any way \u2014 <a href=\"https:\/\/tidbits.com\/2018\/09\/14\/trend-micro-mac-apps-stole-users-browser-histories\/\">tidbits.com\/\u2026<\/a> &amp; <a href=\"https:\/\/arstechnica.com\/?p=1371873\">arstechnica.com\/\u2026<\/a><\/li>\n<li>Following on from the two big recent UK hacks (Ticket Master &amp; British Airways), the same criminal gang have struck again, this time breaching all credit card transactions on NewEgg for a month \u2014 <a href=\"https:\/\/www.macobserver.com\/link\/newegg-data-breach\/\">www.macobserver.com\/\u2026<\/a><br \/>\n<!--more--><\/li>\n<\/ul>\n<h3>Security Medium 1 \u2014 A New <em>Cold Boot<\/em> Attack Against Almost All Laptops<\/h3>\n<p>Security researchers have discovered a new variant of the old so-called <em>cold boot<\/em> attack that affects most laptops. The attack exploits a flaw in how motherboards handle reboots of devices that are asleep, or, to be more specific, devices that are in the shallower of the two sleep states, i.e. devices that are <em>suspended<\/em>. 
Devices that are in the deeper <em>hibernation<\/em> level of sleep are not vulnerable.<\/p>\n<p>If an attacker can get physical access to a laptop that&#8217;s currently suspended they can force it to reboot into a special OS of their devising that prevents RAM being scrubbed on reboot, and then uses almost no memory itself, preserving the data from the previously running OS in memory, including the decryption key for full disk encryption. With that key the attacker can then decrypt the disk and help themselves to all the data on the disk.<\/p>\n<p>There are two obvious silver linings: firstly, an attacker needs physical access to the targeted device while it is in the less deep of the two sleep modes, and they need that access for some time. Secondly, this is not like some previous FireWire-based attacks that could steal memory in seconds simply by plugging a dongle into a laptop for a few seconds and then removing it. You&#8217;re not going to be able to execute this attack while the victim turns their back for a few seconds to get something from a shelf!<\/p>\n<p>The simplest way to protect yourself is not to let your laptop out of your sight while it&#8217;s suspended. OS vendors are working on work-arounds, but that may not be so straightforward since the problem is with the very design of the power management APIs used by motherboards.<\/p>\n<h4>Links<\/h4>\n<ul>\n<li><a href=\"https:\/\/arstechnica.com\/?p=1374349\">New modification of the old cold boot attack leaves most systems vulnerable \u2014 arstechnica.com<\/a><\/li>\n<\/ul>\n<h3>Security Medium 2 \u2014 Apple&#8217;s <em>Trust Score<\/em> Anti-Fraud Feature<\/h3>\n<p>Apple updated its privacy statement for iOS 12 to inform users that it now calculates something it calls a <em>Trust Score<\/em> to help battle fraud on their stores. 
This score is a single number that is calculated on-device, and then sent to Apple&#8217;s servers where it is kept for a limited amount of time.<\/p>\n<p>Apple do not detail the exact algorithm they use to generate this score. There&#8217;s a very good reason for that: if they did, bad guys could easily fake <em>&#8216;good&#8217;<\/em> behaviour and utterly defeat the whole purpose of the feature. While they don&#8217;t tell us everything that goes into the algorithm, let alone how all that information gets translated into the final score, they do tell us that the data used includes information about calls and emails. Apple stress that all calculation is done on-device, and only the final numeric score is ever sent to Apple. That score cannot be reverse-engineered to reveal call or email information, and is only kept for a short time.<\/p>\n<p>This seems eminently sensible to me, and it seems to me that Apple have done this right \u2014 do it on the device, and only upload the final answer to the cloud. I think it&#8217;s significant that Apple were completely up-front about this, and laid out what they are trying to achieve, and what data they are using. We know about this because Apple told us, not because someone caught them doing something in secret, and I think that matters a lot in how I feel about it.<\/p>\n<h4>Links<\/h4>\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/link\/device-trust-score\/\">Apple Uses Your Phone Calls and Emails for a Device Trust Score \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Notable Security Updates<\/h3>\n<ul>\n<li>Patch Tuesday has been and gone with important security updates from Microsoft &amp; Adobe including updates to Windows and Flash \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2018\/09\/patch-tuesday-september-2018-edition\/\">krebsonsecurity.com\/\u2026<\/a>\n<ul>\n<li>The Windows patch includes a fix to a zero-day that is being actively exploited in the wild, so update promptly! 
\u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/13\/update-now-microsofts-september-2018-patch-tuesday-is-here\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Apple releases iOS 12, watchOS 5, tvOS 12 &amp; Safari 12, all of which are security updates as well as feature updates \u2014 <a href=\"https:\/\/www.us-cert.gov\/ncas\/current-activity\/2018\/09\/17\/Apple-Releases-Multiple-Security-Updates\">www.us-cert.gov\/\u2026<\/a><\/li>\n<li>Apple locks out Safari Extensions \u2014 <a href=\"https:\/\/developer.apple.com\/safari\/whats-new\/\">developer.apple.com\/\u2026<\/a>\n<ul>\n<li>Safari 12 includes improved tracking prevention \u2014 <a href=\"https:\/\/www.securityweek.com\/how-apples-safari-browser-will-try-thwart-data-tracking\">www.securityweek.com\/\u2026<\/a> &amp; <a href=\"https:\/\/www.macobserver.com\/news\/product-news\/safari-12-macos-ad-tracking-security\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Notable News<\/h3>\n<ul>\n<li>&#x1f1fa;&#x1f1f8; It is now free to freeze and un-freeze your credit file in all states in the US \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2018\/09\/credit-freezes-are-free-let-the-ice-age-begin\/\">krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>&#x1f1ea;&#x1f1fa; The EU Parliament has approved a somewhat amended version of the controversial new EU-wide copyright act. At issue are articles 11 and 13 which require a so-called <em>link tax<\/em>, and <em>upload filters<\/em> \u2014 <a href=\"https:\/\/www.theverge.com\/2018\/9\/12\/17849868\/eu-internet-copyright-reform-article-11-13-approved\">www.theverge.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; New US defence policies allow the US military to <em>defend forward<\/em> and launch pre-emptive cyber attacks. (<strong>Editorial by Bart<\/strong> This is some impressive, in all the wrong ways, Orwellian newspeak!) 
\u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/20\/us-military-given-the-power-to-hack-back-defend-forward\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Security researchers are warning of a subtle URL re-writing bug in Safari. TL;DR \u2013 don&#8217;t enter any information into a page if the loading bar has not completed, or if there is no padlock \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/14\/browser-security-hole-on-macs-and-iphones-just-how-bad-is-it\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Unrelated to the above bug, another Safari bug has been found that allows some maliciously crafted HTML+CSS to crash iPhones &amp; Macs \u2014 <a href=\"https:\/\/www.macobserver.com\/news\/css-iphone-hack\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li>Google has added a built-in password generator and manager to Chrome \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/10\/google-chrome-will-now-generate-unique-passwords-for-you\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Belgian security researchers have found a significant vulnerability in Tesla key fobs \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/11\/drive-away-a-tesla-today-even-if-it-isnt-yours\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; Four major US cell carriers (AT&amp;T, Verizon, T-Mobile &amp; Sprint) have gotten together and announced their plans to build an online identity system which they are calling <em>Project Verify<\/em>. 
Users will be able to use Project Verify either as an alternative to passwords, or as a second factor, on sites that choose to implement the technology \u2014 <a href=\"https:\/\/krebsonsecurity.com\/2018\/09\/u-s-mobile-giants-want-to-be-your-online-identity\/\">krebsonsecurity.com\/\u2026<\/a> &amp; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/14\/major-us-mobile-carriers-want-to-be-your-password\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; The CA state senate has passed a bill which makes a start at regulating the security of IoT devices. The bill is now awaiting the governor&#8217;s signature or veto \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/13\/california-bill-regulates-iot-for-first-time-in-us\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>Owners of Western Digital MyCloud NAS drives beware: security researchers reveal that the company has failed to patch a serious vulnerability in these drives for over a year \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/20\/western-digital-goes-quiet-on-unpatched-mycloud-flaw\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h3>Suggested Reading<\/h3>\n<ul>\n<li>PSAs, Tips &amp; Advice\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/tips\/quick-tip\/airdrop-passwords-ios\/\">iOS: How to AirDrop Passwords Between Devices \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/ios-12-security-guide\/\">The iOS 12 Security Guide is Out Now \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/19\/ios-12-is-here-these-are-the-security-features-you-need-to-know-about\/\">iOS 12 is here: these are the security features you need to know about \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.macobserver.com\/tips\/quick-tip\/how-to-enable-password-autofill-ios-12\/\">How to Enable AutoFill Passwords in iOS 12 \u2014 
www.macobserver.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> <a href=\"https:\/\/www.macobserver.com\/cool-stuff-found\/1password-ios-12-password-autofill\/\">1Password Adds iOS 12 Password AutoFill Support \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/www.imore.com\/amber-alerts-your-iphone-what-they-are-and-how-manage-them\">AMBER Alerts on your iPhone: What they are and how to manage them \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li>&#x1f1ec;&#x1f1e7; In the UK, <em>Action Fraud<\/em>, a joint initiative between the London Met and the National Fraud Intelligence Bureau, is warning of an on-going phishing attack targeting Netflix users. Be on the lookout, and don&#8217;t ever enter any passwords or other sensitive information into a page you opened by clicking a link in an email! \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/21\/warning-issued-as-netflix-subscribers-hit-by-phishing-attack\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Notable Breaches &amp; Privacy Violations\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/13\/veeam-leaves-mongodb-database-wide-open-exposes-445m-records\/\">Veeam leaves MongoDB database wide open, exposes 445m records \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/krebsonsecurity.com\/2018\/09\/govpaynow-com-leaks-14m-records\/\">GovPayNow.com Leaks 14M+ Records \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/19\/years-on-third-party-apps-still-exposing-grindr-users-locations\/\">Years on, third party apps still exposing Grindr users\u2019 locations \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>A misconfigured MongoDB database exposed over 43GB of data on over 10m users. 
It&#8217;s not clear who the database belonged to, but there is circumstantial evidence it was discount site <em>SaverSpy<\/em> \u2014 <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/19\/here-we-mongo-again-millions-of-records-exposed-by-insecure-database\/\">nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>News\n<ul>\n<li>Election-related Security News:\n<ul>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/10\/only-paper-ballots-by-2020-call-experts-after-election-tampering\/\">\u2018Only paper ballots by 2020!\u2019 call experts after election tampering \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/arstechnica.com\/?p=1372123\">Georgia says switching back to all-paper voting is logistically impossible \u2014 arstechnica.com<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/apnews.com\/7f101802563c425c825e0843ca3fa49b\">Lawmaker: US Senate, staff targeted by state-backed hackers \u2014 apnews.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/19\/how-facebook-wants-to-protect-political-campaigners-from-hacking\/\">How Facebook wants to protect political campaigners from hacking \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/12\/microsoft-purges-3000-tech-support-scams-hiding-on-technet\/\">Microsoft purges 3,000 tech support scams hiding on TechNet \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li>&#x1f1fa;&#x1f1f8; <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/18\/state-department-scores-an-f-on-2fa-security\/\">State Department scores an F on 2FA security \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/18\/91-child-friendly-android-apps-accused-of-exploitation\/\">91 \u201cchild friendly\u201d Android apps accused of exploitation \u2014 
nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/21\/bitcoin-flaw-could-have-allowed-dreaded-51-takeover\/\">Bitcoin flaw could have allowed dreaded 51% takeover \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Opinion &amp; Analysis\n<ul>\n<li>&#x2b50;&#xfe0f; <a href=\"https:\/\/tidbits.com\/2018\/09\/10\/mojaves-new-security-and-privacy-protections-face-usability-challenges\/\">Mojave\u2019s New Security and Privacy Protections Face Usability Challenges \u2014 tidbits.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Propellor Beanie Territory\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/09\/18\/intel-releases-firmware-update-for-me-flaw\/\">Intel releases firmware update for ME flaw \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Security Bits \u2013 21 Sep 2018 Followups Following on from Apple&#8217;s belated removal of Adware Doctor for stealing users&#8217; browser history, Apple have now booted three apps from TrendMicro for doing the same, specifically Dr. Cleaner, Dr. Antivirus, and Dr. Archiver. 
TrendMicro insist it was an innocent mistake due to code re-use, and not malicious [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":14958,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[46,2487,1656,50,569],"class_list":["post-16451","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-apple","tag-eu","tag-laptops","tag-security","tag-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2018\/04\/Security-Bits-Logo_1000px.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/16451","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=16451"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/16451\/revisions"}],"predecessor-version":[{"id":16454,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/16451\/revisions\/16454"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/14958"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=16451"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.c
om\/blog\/wp-json\/wp\/v2\/categories?post=16451"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=16451"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}