Topic: Security
NSA Windows Exploit Leak Latest Example of Risks of Government Hacking (Apr 14, 2017)
This content requires a subscription to Tech Narratives. Subscribe now by clicking on this link, or read more about subscriptions here.
Apple fans, Android world scramble to patch Broadcom’s nasty drive-by Wi-Fi security hole – The Register (Apr 6, 2017)
There are two interesting things here, both worth discussing briefly. Firstly, Broadcom, which provides chips for many popular smartphones including the iPhone, has a vulnerability in its WiFi element which can be hacked, allowing a way into the device. Apple issued a patch this week to deal with the issue, and Android vendors will be working to close the vulnerability too, though there’s no specific timeframe yet, highlighting yet another challenge with Android’s fragmented ecosystem. The second thing that’s interesting here is that the vulnerability was discovered by Google’s Project Zero team, which is set up to discover and fix vulnerabilities like this, and has been doing great work lately doing just that, including on non-Google devices like the iPhone. Vulnerabilities like this are always worrying, and it’s great to have Google out there with what seems like a strong team detecting these and notifying vulnerable vendors so they can patch the issues.
via The Register
Samsung’s TV and watch OS is reportedly full of security holes – The Verge (Apr 4, 2017)
We’re talking here about Tizen, Samsung’s alternative operating system which it uses for smartwatches, TVs, and to a lesser extent phones, and some security researchers are claiming there are widespread security vulnerabilities in that software. Some of the characterizations in this article seem like a bit of a stretch – it would be very odd indeed if Samsung had done as little to provide security in Tizen as the researcher quoted suggests. But these allegations are becoming part of a pattern recently in relation to Samsung, between the Wikileaks smart TV story, the more recent (and more serious) story on smart TV hacking through broadcast signals, and now this. It’s particularly problematic for Samsung because it has worked so hard over the last few years to develop Knox, its enterprise security solution, which is best in class in the Android world. It simply can’t afford to get a reputation for poor security when it’s trying to become the de facto standard for Android devices in the enterprise, and needs to address these vulnerabilities – and the broader claims – quickly and definitively.
via The Verge
Intel Security finally spins out as independent McAfee – VentureBeat (Apr 4, 2017)
This makes tons of sense – there’s never been any meaningful synergy between the core Intel chips business and the McAfee business, and separating it off frees Intel up to focus entirely on its core, where it has plenty of work to do already given the maturity of the PC industry, its struggles to break into mobile and other newer areas, and the new threats in its data center business.
via VentureBeat
Samsung Smart TV Hacked With Manipulated Broadcast Signal – Variety (Apr 3, 2017)
Whereas the CIA / Wikileaks stories about Samsung smart TVs being hacked were somewhat overblown (they largely affected older TVs and required physical access to sets), this hack is more worrying because it would affect newer TVs and could be delivered remotely. However, for any kind of widespread effect, it would require hacking into a broadcast or IPTV stream, which in itself would be no mean feat, and of course would only work on TVs that happened to be accessing that stream during the time when it was compromised. Still, the broader worry here is, once again, that any device connected to the internet is at least theoretically vulnerable to hacking, and devices such as TVs with less sophisticated security systems than computers and smartphones are often the most vulnerable and hardest to patch.
via Variety
Apple Extortionists Seemingly Trading Media Exposure for More Accounts – Motherboard (Mar 28, 2017)
This story has been somewhat misreported, although this article does a decent job. It appears a hacking collective is claiming to have lots of username / password sets for iCloud accounts, though it appears that the source of the data is a hack of some other site or sites rather than any of Apple’s own. That breach then seems to have allowed the hackers to take iCloud.com email addresses and the passwords used on other sites and use them to access iCloud services as well. In other words, this isn’t an Apple hack at all, and is only effective because people are reusing passwords on multiple sites. Using two-factor authentication and unique passwords is therefore still the best defense against this kind of thing, although Apple still has to deal with the headache of both false claims and threats from this hacking group.
via Motherboard
After the London terror attack, a top U.K. official says Facebook needs to open up WhatsApp – Recode (Mar 27, 2017)
This is a worrying (though not altogether unexpected) resurfacing of the arguments from early 2016, when the FBI was trying to get into an iPhone owned by one of the San Bernardino shooters. In this case, UK Home Secretary Amber Rudd (whose role has no direct counterpart in the US, but is responsible for domestic law enforcement and counter-terrorism among many other things) has made calls for WhatsApp to “open up” and specifically referred to encryption. That’s because WhatsApp was allegedly one of the apps used by the terrorist behind last week’s attack in London, though there’s no evidence yet that he used it to plan the attack or coordinate with others. The bigger issue, as with last year’s Apple-FBI fight, is of course that once the government can get in, there’s no guarantee others won’t use the same methods, whether that’s because of hacks like the one that hit Cellebrite a few weeks ago, or exposures of government tools like the Wikileaks CIA hack. Encryption is a fact of life at this point, and essential for secure communication and protection of privacy for millions of law-abiding users, and no government back door can solve the law enforcement problem without also compromising that essential function. And the Rudd quote in the closing paragraph of this story suggests she doesn’t actually understand the FBI-Apple situation at all, which is not surprising from a government official but worrisome nonetheless.
via Recode
Google Provides an Update on Android Security (Mar 23, 2017)
This is a year-in-review post from the Android security team, and it’s supposed to be reassuring on the state of Android security. However, there are several fairly worrisome data points in here worth pulling out. Google says 0.71 percent of all Android devices had a “potentially harmful app” installed at the end of 2016, so almost 1% of the roughly 1.5 billion Android devices in use, which amounts to almost 11 million actual devices, and that number has risen rather than fallen in the past year. Secondly, even though Google has been working with carriers and OEMs to push security updates to devices outside the very slow OS upgrade cycle, about half of devices in use at the end of 2016 had not received a platform security update in the previous year. Given how frequently Android exploits are discovered, that’s pretty worrying. On the plus side, Google has reduced installations of malware from the store by around 50% across several categories, which is obviously good news, but the fact that it acknowledges some of the apps installed from the official store still contain malware is a sign that it isn’t doing its verification job well enough.
via Google
Nest cameras can be easily blacked out by Bluetooth burglars – The Register (Mar 22, 2017)
This isn’t the worst example yet of an IoT / smart home vulnerability, but it’s bad enough, given that it allows burglars to defeat a security system if they happen to know how. More worrying, it appears the researcher who discovered the vulnerability shared findings with Nest back in October, but Nest didn’t notify customers or push out a patch until now, when it says it has a fix rolling out to customers soon. The more of these devices we have in our homes, the more potential points of vulnerability there will be for hacking of one kind or another, and makers of both systems and ecosystems need to bake really tight security in from the get-go to prevent as many of them as possible.
via The Register
US Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts (Mar 15, 2017)
The stories that broke immediately before this press conference and announcement from the US DoJ suggested only that Russian nationals were involved, but the formal announcement makes clear that these were Russian agents and not just citizen hackers. That’s a good reminder that state-sponsored attacks are among the biggest things all online service companies have to worry about in our day and age, whether the state behind the hacking is Russia, China, North Korea, or some other country. Yes, ordinary hackers will still try and occasionally succeed in breaching these systems, but state sponsorship can put massively more resourced behind a hack like this and often have more success. That, in turn, raises the bar for companies vulnerable to this kind of hacking in terms of their security defenses, but should also make users think about what information they’re entrusting to these systems.
Apple hires Jonathan Zdziarski, an active forensics consultant & security researcher in the iOS community – 9to5Mac (Mar 14, 2017)
Zdziarski was in the news a lot a year ago, when Apple was fighting the FBI over the iPhone used by the San Bernardino shooter, because he was frequently quoted and cited as an expert who backed Apple’s stance. As such, it’s not altogether surprising that he should end up at Apple – he’s been both one of its staunchest supporters around some security and privacy issues and someone who has discovered vulnerabilities in its code. On the one hand, that makes him a useful person to have inside the company – this hire feels a lot like Apple’s hire of Anand Shimpi, another prominent outside expert who was brought inside – but Apple will lose the benefit of having a vocal independent advocate on these issues. It’s also interesting to note Zdziarski’s comments about his hiring and why he’s joining Apple – he cites its privacy stance, which is of course closely tied to security concerns, as a strong motivating factor.
via 9to5Mac
CIA Leak Reveals Gaps in Patchwork of Android Software – WSJ (Mar 11, 2017)
The CIA leak taught us nothing new about the slow rate of Android adoption, but it did perhaps serve as a reminder of its consequences for security. Android adoption is notoriously slow, and it’s something I’ve written about quite bit (see here for my most recent deep dive into the numbers). It takes roughly two years on average for a new version of Android to reach 50% adoption among the base, and no version ever gets above about 40% adoption before a new version begins eating into its share. Compare that to iOS, which typically gets to about 70% adoption within a few months of release, and whose two most recent versions usually account for over 90% of the total base. In the past, this was very problematic, because it meant security vulnerabilities weren’t patched and users were left open to hacks and malware. However, more recently Google and its partners have separated some of the security patches from major OS updates and fast tracked these through a separate update process with the carriers. It’s not a universal solution, but it has helped mitigate some of the security impacts that result from slow OS updates. However, Android in general continues to be far more vulnerable to malware than iOS both because of the slow update issue and because of its overall architecture.
via WSJ
The Next iPhone Could Put 15,000 Repair Companies Out of Business – Motherboard (Mar 8, 2017)
This piece reminds me of the analysis iFixit always does when a new iPhone comes out, giving each phone a “repairability” score and generally hammering iPhones and other similar devices for being hard for ordinary people to repair. Those always strike me as being so fixated on this one aspect of a device that they often sound as if they take it as a personal affront that these devices are tough to fix, as if Apple and other vendors had somehow set out to spite them. This piece has somewhat the same tone, and again acts as if Apple has no object in mind in designing its Touch ID and Secure Enclave than thwarting third parties’ attempts to repair iPhones. It’s worth noting that Apple doesn’t void warranties on devices fixed by third parties unlike lots of other manufacturers, which has to be the strongest possible indication that it doesn’t object in principle to the practice. Rather, it designs the Secure Enclave and Touch ID to be as secure as possible, a level of security which has risen over time and made it possible for earlier iPhones with Touch ID to be hacked in a way newer ones can’t be. This is central to Apple’s commitment to the privacy and security of its phones, and any impact on third party repair is purely incidental. Apple likely doesn’t even consider the impact on third party repair shops, but it certainly doesn’t deliberately set out to make their lives harder.
via Motherboard
Wikileaks Could Still Release CIA Hacking Tool Code – USA Today (Mar 8, 2017)
Though the CIA leaks from Wikileaks earlier this week are worrisome in their scope and bad news for the vendors whose devices and platforms have been compromised, there’s at least some comfort in the knowledge that these tools have at least theoretically been subject to due process in the past. However, Wikileaks claims that it has the code for the hacking tools themselves and is debating releasing that code, which would make it available to any hacker who wanted to use it, dramatically increasing the potential for misuse for hacking regular individuals. Again, Apple has said (and Google also confirmed this evening finally) that most of the vulnerabilities have already been patched in recent versions of their respective software, so that should be some defense. But as I’ve said already this week, what a vindication of Apple’s refusal to cooperate with the FBI a year ago over hacking an iPhone.
via USA Today
Apple says it’s already fixed many WikiLeaks security issues – USA Today (Mar 8, 2017)
I suggested this was the case in my coverage of the leak yesterday, but Apple has now issued an official statement to that effect as well. I would guess Apple is still digesting all the information leaked – there’s a lot of it – but it has said that most of the vulnerabilities outlined have already been patched in the latest versions of its software, and fixes for the rest should be coming soon. Samsung has also issued a statement on its TV vulnerabilities, but it’s far less reassuring – it only says it’s aware of and is looking into these hacks. In fairness, though, the Samsung hack appears to require a USB stick plugged into the TV to install it, which means that if you’re a victim you likely have far bigger things to worry about than your TV listening to you – this isn’t a large-scale remote hack that would affect the population as a whole.
via USA Today
No, WikiLeaks Didn’t Just Reveal That The Government Has Access To Your Secure Messaging Apps – BuzzFeed (Mar 7, 2017)
This is one of those stories where lots of publications are rushing to publish the most frightening headline without doing their reporting first, so kudos for BuzzFeed here for debunking right away one of the big tropes that’s doing the rounds. There’s nothing about secure messaging apps being compromised in the documents – rather, devices have allegedly been compromised, and of course once a device is compromised everything on it is too. However, even those claims of devices being broadly compromised are being disputed by some security experts – see here, for example. And Business Insider also argues that those on the latest version of iOS (79% on iOS 10 and another 16% on iOS 9) are safe from all the exploits listed. I suspect there will be lots more to come here, and as usual being on the latest version of Android is a lot harder than on iOS so the same protections don’t necessarily apply, but everyone should be trying to understand first, publish second when it comes to this data dump. And of course all this just reinforces arguments Apple and others have made about not trusting the government with back doors for encryption and the like.
via BuzzFeed
Cellebrite director says firm now doing ‘lawful’ extraction of data through iPhone 6 – AppleInsider (Feb 23, 2017)
This is the same firm that was recently hacked, supposedly exposing some of the tools it uses to crack iPhones, and now it’s boasting that it can crack iPhone 6 models in addition to the earlier models it has long been able to crack. I’ve still never seen any kind of official commentary on the hack of Cellebrite itself, but if that really did happen the fact that the company is getting ever better at hacking iPhones while leaving itself open to hacking should be worrying to lots of people. And if US law enforcement is still regularly paying Cellebrite to do this work without ensuring that it is able to keep the hacks secure, then it shares part of the blame by funding this work which ultimately puts regular users at risk.
via AppleInsider
Why Verizon Decided to Still Buy Yahoo After Big Data Breaches – WSJ (Feb 21, 2017)
There was some reporting around this last week, though with several different figures for the discount on the original deal price, so I decided to wait until the new agreement was official to comment on it. The $350 million discount is not actually all that significant, which likely reflects the fact that security breaches like this don’t end up having all that much long-term impact on customer satisfaction or usage. It’s interesting that the two companies will split the cost of any future fallout other than SEC and shareholder investigations and lawsuits – I would have thought Yahoo would have picked up the tab for all costs relating to the breaches, but I guess it must have balked at that. Ironically, now the big question once again becomes whether Verizon can actually craft something compelling out of these various bits of yesteryear’s Internet. Verizon is said to be aiming to go head to head with Google and Facebook, which is a real stretch when it comes to well-targeted advertising, and I’m still very skeptical that these assets combined can ever be more than a second tier player in the online advertising market.
99% of Mobile Malware Targets Androids Because of Open Store and Infrequent OS Updates – F-Secure (Feb 15, 2017)
This data comes from the blog of F-Secure, a European cyber-security company which tracks malware. The key finding here shouldn’t be a surprise – Android sees 99% of malware activity on mobile, for three simple reasons: it has by far the largest share, its app stores are open and often weakly policed, and Android devices are often very slow to get OS updates and software patches, although it has been doing better on that last point recently. Interesting, there’s still far more malware being created for Windows PCs than Android, even though there are fewer of them, but the range of malware being created for Android is approaching that which targets PCs, even though the main focus is still trojans. All of this, of course, only serves to reinforce the narrative about Android being insecure.
via F-Secure
Hacker Dumps iOS Cracking Tools Allegedly Stolen from Cellebrite – Motherboard (Feb 2, 2017)
Given that Apple argued precisely that security backdoors almost always make their way into the hands of evildoers, this news is great validation of Apple’s refusal to cooperate with the FBI early last year, even if it’s a private firm rather than the government that’s been hacked in this case. Indeed, that seems to have been the hacker’s motivation in this case. It’s also worrying from an Apple perspective that a provider like Cellebrite should have had such lax security that a hacker could breach its systems and access these tools, assuming the claims being made here are in fact legitimate.
via Motherboard