This week starts with a rant about how “interesting” it was to try to set up the Apple Watch to unlock a Mac, otherwise known as an adventure in changing two-step verification into two-factor authentication. Then we take a break and listen to George from Tulsa tell us about how ChromeOS now supports Android apps and gives his thoughts on how well this works. We get back into two-factor authentication when I explain the impact this had on my Apple TVs. The good news is it all works out in the end. Bart Busschots joins us with another installment of Security Bits.
Hi this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Macintosh bias. Today is Sunday October 2, 2016 and this is show number 595. If you’ve got the new iOS 10, you’ve probably been playing around with stickers and balloons and animated GIFs inside the new Messages app. If you haven’t you’re really missing out on some silly fun.
This week my daughter Lindsay discovered the coolest thing (to our family at least). If you go into Messages, tap into the text entry field to a friend, and then tap the chevron to the left, you should see an A for applications. Tap on that, and you should see a bunch of dots down below showing that you can swipe between screens. In the US at least, one of the screens will say “find images and videos” and you can get animated GIFs.
Now here’s where it’s fun for our family. If you search for beer, the fourth image on the left is a Ballast Point Sculpin. That’s fun for us because Lindsay’s husband Nolan is the director of product operations for Ballast Point! Sculpin is their signature IPA, and if you add it to a message, the little fishy actually swims off the label! I know this is silly but we thought it was cool.
Chit Chat Across the Pond
Bart’s back this week with another episode of Programming By Stealth. This week was just as fun as last time. In this episode Bart explains how to embed JavaScript into a webpage, how to control when JavaScript executes and then teaches us about the browser event model. Using this model he teaches us how we can change things on a web page when the user clicks or after a defined length of time, or at time intervals. It’s our first time outside of the sandbox so it’s great fun to manipulate web pages and have them do our bidding!
Blog Posts
Enabling Two-Factor Authentication to Allow Apple Watch to Unlock Your Mac
Will Android Apps on ChromeOS be a Game Changer?
Thanks George, as always this was really an eye opener. As much as I’m a Mac fanatic, I have to admit that the Chrome OS is really becoming a contender, especially if you’re trying to manage devices someone else is messing around with, like at a school. I like to hear that they’ve effectively sandboxed the Android apps from Chrome OS. That will certainly stymie some people in how to use it, but the increase in the security of the device is probably worth it.
One small thing, the Flip increased in price on Amazon from $269 to $335 in the time it took me to post George’s review, but that’s still such a small price, it’s crazy. Think about it – it’s 1/3 the price of the cheapest MacBook you can buy! My advice though is if you have the luxury of waiting, keep an eye on the price for big changes. George points out that at Asus direct it’s still $269. Thanks again, George, this was great!
You May Not Want to Turn on Two-Factor Authentication If You Have an Apple TV 2 or 3
Patreon
This show isn’t ad supported, it’s supported by you, through Patreon. Patreon lets you pledge whatever you feel the show is worth, and you get billed that amount every time I publish a NosillaCast. We only launched the Patreon a few weeks ago and already the response has been fantastic. George Smith jumped on board this week and I couldn’t be more pleased.
I like not being ad supported, because a) it’s less boring, and b) you get to decide the value you get from the show. Head on over to podfeet.com/patreon and pledge whatever you think it’s worth. And when you do, you can call yourself a Patron of the Arts!
Security Bits with Bart Busschots
Update on the OS X Dropbox story
Last time we talked in detail about how the Dropbox app for OS X granted itself accessibility access without asking your permission – bypassing the standard OS UI and warnings. A change in how macOS Sierra protects system files makes this kind of bad behaviour impossible – applehelpwriter.com/…
Important Security Updates
- Tesla have patched a bug that could allow attackers to remotely turn on the brakes while the car is driving – arstechnica.com/…
- Apple released macOS Sierra, including fixes for 65 security vulnerabilities – not all of these have been patched on earlier versions of OS X yet, and they may or may not get patched there in future (Editorial by Bart: it seems clear to me that Apple are moving to the iOS and Windows 10 policy of rolling updates – get used to updating straight away, or, to being insecure) – www.intego.com/…
- Apple released Safari 10 for El Capitan & Yosemite which includes 21 security fixes – www.macobserver.com/…
- A subtle bug in how Firefox and the Tor Browser deal with certificate pinning has been fixed in recent updates to both browsers – arstechnica.com/…
Important Security News
- The Pirate Party force the European Court of Justice to rule on the liability of open wifi providers – the court finds that those running open wifi are not liable for copyright infringement, but they can be forced to secure an open network and collect information to de-anonymise users – nakedsecurity.sophos.com/…
- NAND flash mirroring is no longer a theoretical way of breaking into an iPhone 5C – a security researcher has used the technique to successfully break into an encrypted iPhone like the one used by the San Bernardino shooter – making the FBI’s statement that it couldn’t be done look rather silly – arstechnica.com/…
- Google backtracks, and rolls back the privacy features promised for Allo – the app launched with poorer privacy protections than those announced at the Google I/O conference earlier this year – www.theverge.com/…
- Naked Security is reporting that attackers posted malware-infected USB drives to random people in Victoria state in Australia. If you receive a USB stick in the post (that you did not order), absolutely do not plug it into your computer! – nakedsecurity.sophos.com/…
- A troubling new era of internet censorship may be dawning – independent security journalist Brian Krebs was hit by a record-breaking DDoS attack that takes things to a whole new scale – the attack was too much for mega-CDN Akamai to handle, and they dropped Krebs On Security. The botnet unleashed on Brian Krebs was made up of hacked IoT devices, and the source code behind the botnet has now been revealed, making future attacks inevitable (Editorial by Bart: the terrible security of the IoT is now putting the entire internet in danger, not just the personal security of the brave/foolish customers – I think we need laws to make the shipping of insecure devices punishable in the same way that the sale of unsafe food is punishable. While it remains legal to ship utterly insecure junk, this problem will only get worse, because the financial incentives are driving companies to ship early, and to skimp on security) – krebsonsecurity.com/…, arstechnica.com/…, arstechnica.com/… & krebsonsecurity.com/…
- Apple have acknowledged a bug in the security of encrypted backups of iOS 10 devices made to local Macs or PCs via iTunes. The bug reduces the calculations needed per password guess, speeding up brute-force password guessing by four orders of magnitude. The attacker needs access to your Mac or PC to attack the local backup though. Full disk encryption provides some protection, as it keeps the data safe while your computer is switched off. Apple have promised to release a fix soon. – www.forbes.com/…
- Firefox has responded to a number of serious breaches of the code of conduct certificate authorities are supposed to abide by, removing trust from future certificates issued by the Chinese CA WoSign, and from StartCom, the Israeli CA they took over. This means that existing certs will continue to work until they expire, but new certs will not be trusted by Firefox. WoSign back-dated certs, incorrectly issued certs for major domains like github.com due to a bug, concealed that fact, failed to revoke all the affected certs, and failed to properly disclose their acquisition of StartCom. Meanwhile, StartCom also improperly issued at least one cert. (Editorial by Bart: because any CA can issue a cert for any domain, the entire system is only as strong as the weakest CA – the safety of the entire internet is at stake when CAs are not held to account. The other browser and OS vendors need to follow Firefox’s lead here) – arstechnica.com/… & nakedsecurity.sophos.com/…
- Security researchers report finding 400 more malicious apps in the Google Play store – arstechnica.com/…
- The Intercept published a story stating that, when presented with a court order, Apple hand over their logs of iMessage lookups. When you type a number or email address into Messages, it turns green or blue – that is done by contacting Apple’s servers to find out whether the message recipient is on iMessage or not – this lookup is absolutely needed for the system to even possibly work. Apple keeps a log of these lookups for 30 days. The log does not tell you who messaged whom, just who typed what number/address into the To field in Messages. No message content is logged (nor can it be, since it is end-to-end encrypted). (Editorial by Bart: this is not surprising – communication metadata is stored all over the place – your IP address is in logs all over the internet, even when you browse over HTTPS, your phone number is in logs each time you place a call or send an SMS, and probably much more often than that – e.g. each time your phone initiates communication with a cell tower. You could argue Apple should keep the log for a shorter time, but message dispatch is hard, and Apple have gotten it wrong in the past, and gotten badly dinged for it. From a technical point of view, a rotating 30-day log seems eminently justified to me. The best coverage I’ve seen of this sensationalised story is from iMore. For completeness, I’m linking to the original story, and the iMore FAQ) – theintercept.com/… & www.imore.com/…
Notable Breaches
- Science journal EurekAlert targeted by hackers, taken off-line, and all users forced to reset their passwords – nakedsecurity.sophos.com/…
- Payment processor Regpack gave the world a lesson on the dangers of logging too much data. According to credit card industry rules, a CVV number should never ever ever be saved in any form whatsoever. Regpack saved it in debug data. Then, someone accidentally posted the debug log onto a public web server, where it was snagged, revealing 340,000 CVV2 numbers (thankfully without the full version of the accompanying credit card number) – nakedsecurity.sophos.com/…
- It has been revealed that 500M Yahoo accounts were stolen by a state actor in 2014 – the data stolen includes “names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers”. Yahoo learned of the breach two years ago, but Marissa Mayer decided not to tell users, or to force password resets. (Editorial by Bart: if the security questions were not encrypted, the hashing of the password becomes irrelevant, and what is not said is how poorly protected the passwords not protected with bcrypt were – was it MD5? Also, as bad as the hack is, Yahoo’s decision not to protect their users by forcing an immediate password change is infinitely more damning in my mind – IMO, Marissa Mayer should resign over this, or better still, be fired. I can’t see how else Yahoo could ever earn back our trust.) – lifehacker.com/…, nakedsecurity.sophos.com/… & www.nytimes.com/…
- An SQL injection vulnerability that is leaking plain-text passwords has been found in i-Dressup, a social network for teens, including those under 13. 2.2 million user accounts with plain-text passwords have already been leaked, and there is nothing protecting the remainder of the 5.5 million accounts. Ars Technica tried to report the problem to the site’s operators, but as Ars went to press, they had not received a reply in 5 days, and the bug remained unfixed. As we go to press, there is no update on the story indicating that the bug has been fixed. Ars advise users to delete their account immediately, to reset their passwords on all other sites where they reused the same details, and to be vigilant for targeted scams made possible by the exposed account data – arstechnica.com/…
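The Regpack item above comes down to what is allowed to reach a debug log at all. The following is an added example, not Regpack’s code and not from the show notes, of a scrubber a logging layer would run over every record before writing it: fields named like a CVV are replaced outright, card-number fields are cut down to their last four digits, and Luhn-valid numbers buried in free text are masked too, while digit runs that are not card numbers (an order id, say) are left alone. The field names and the sample record are assumptions.

```python
import json
import re

# Field names that must never be written to a log in any form (the card-industry
# rule the show notes cite for the CVV). Names are assumptions, not Regpack's schema.
FORBIDDEN_KEYS = {"cvv", "cvv2", "cvc", "cvc2", "security_code"}
# Card-number fields that may survive only as their last four digits.
PAN_KEYS = {"pan", "card_number", "cc_number"}
# Candidate card numbers embedded in free text: 13-19 digits, optional separators.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(candidate: str) -> bool:
    """Luhn check so that order ids and timestamps are not masked by mistake."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(candidate: str) -> str:
    """Keep only the last four digits, the usual receipt-style masking."""
    digits = "".join(c for c in candidate if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub(value, key=None):
    """Recursively redact forbidden fields and mask card numbers in a log record."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if k.lower() in FORBIDDEN_KEYS else scrub(v, k))
                for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v, key) for v in value]
    if isinstance(value, (str, int)) and key and key.lower() in PAN_KEYS:
        return mask_pan(str(value))
    if isinstance(value, str):
        return PAN_RE.sub(lambda m: mask_pan(m.group()) if luhn_ok(m.group()) else m.group(), value)
    return value


def debug_line(record: dict) -> str:
    """The only way a record should reach a debug log: scrubbed, then serialised."""
    return json.dumps(scrub(record), sort_keys=True)


# Constructed sample record (not real data); 4111... is the standard test PAN.
SAMPLE = {
    "order_id": "1234567890123456",   # 16 digits but fails Luhn: must survive intact
    "card_number": "4111 1111 1111 1111",
    "cvv2": "123",
    "note": "customer retried with 4111111111111111 after a decline",
    "items": [{"sku": "A1", "CVV": "999"}],
}

if __name__ == "__main__":
    print(debug_line(SAMPLE))
```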
Suggested Reading
- A nice article from iMore explaining the SOS feature on watchOS 3 (Editorial by Bart – please take a moment now to set this up, or, to double-check you have it set up the way you want) – www.imore.com/…
- A nice rundown of the security & privacy features in macOS Sierra from Intego – www.intego.com/…
- Some good security advice for students heading to college or university this month – nakedsecurity.sophos.com/…
- macOS Sierra ships with a new version of SSH, and with a more secure default configuration – this could cause SSH and SFTP connections to some servers to fail. Panic (makers of the Transmit FTP client) have a great blog post explaining what is going on, and how to resolve connection issues (TL;DR, you need to update your server keys to be more secure, or re-configure SSH on your Mac to allow less secure connections, the former being infinitely preferable) – library.panic.com/…
- The US Federal Trade Commission has released an instructional video to help victims of data breaches – www.us-cert.gov/…
- A cautionary tale – be careful where you leave your iPads, and be aware that allowing Siri on the lock screen is dangerous – an iPad in the house + lock-screen Siri + a ‘smart’ door lock + poor sound insulation = total insecurity – shouting at Siri from outside the front door let a neighbour in! – nakedsecurity.sophos.com/…
- The US Department of Transport has issued guidelines for cybersecurity and privacy for self-driving and highly automated cars – nakedsecurity.sophos.com/…
- A coalition of civil liberties organisations, including the EFF, ACLU & NAACP, have launched a campaign to rein in local law enforcement’s out-of-control use of warrantless surveillance – nakedsecurity.sophos.com/…
- Twitter says government data requests continue to increase – nakedsecurity.sophos.com/…
- Facebook ordered to stop collecting WhatsApp user data in Germany – nakedsecurity.sophos.com/…
- The FBI probes possible recent (within the last month) hacks of Democratic Party phones – nakedsecurity.sophos.com/…
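For the Sierra SSH item above, here is an added example of both options the show notes mention (the client-side workaround and the preferred server-side fix), not taken from the show notes or from Panic’s post. It assumes the failing server only presents a DSA (ssh-dss) host key or only offers diffie-hellman-group1-sha1 key exchange, the two legacy algorithms OpenSSH 7 (the version Sierra ships) disables by default; the host name is a placeholder.

```sshconfig
# ~/.ssh/config on the Mac -- added example, assumptions noted in the lead-in.
# Re-enable the legacy algorithms for ONE host only. Scoping it to a Host block
# keeps Sierra's stricter defaults for every other connection; never put these
# lines under "Host *".
Host legacy-sftp.example.com
    HostKeyAlgorithms +ssh-dss
    KexAlgorithms +diffie-hellman-group1-sha1

# Preferred fix, on the server, so the exception above can be deleted again:
#   ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
# then add to /etc/ssh/sshd_config and restart sshd:
#   HostKey /etc/ssh/ssh_host_ed25519_key
# Once the server offers an Ed25519 (or RSA) host key and a modern key exchange,
# remove the Host block above and the connection succeeds with the defaults.
```

The first connection after the server's host key changes will prompt about the new key; verify its fingerprint out of band rather than clearing known_hosts blindly.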
That’s going to wind this up for this week. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], follow me on twitter @podfeet. Remember, everything good starts with podfeet.com/. podfeet.com/patreon, podfeet.com/facebook, podfeet.com/googleplus, podfeet.com/amazon! And if you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.
A couple of comments regarding Security Bits:
1) Brian Krebs was _not_ a paying customer of Akamai, in contrast to Bart’s comments. See http://krebsonsecurity.com/tag/akamai/ where he clearly states he was a pro-bono customer of Akamai.
2) When your Mac is awake, the password you enter to unlock has nothing to do with hard disk encryption. Wake from hibernate, perhaps. But not wake from sleep. Further, because Firewire and Thunderbolt are DMA, methods at least have existed (https://nakedsecurity.sophos.com/2012/02/02/filevault-encryption-broken/ ) to read the decryption keys from memory. I think Apple was working on ways to block this, but I’ve not seen updates. And, with respect to the iTunes encryption issue for iOS backups — how many people encrypt their FileVault, Carbon Copy Cloner, SuperDuper, … backups?
Hi Bruce,
The fact that Krebs was being hosted pro-bono makes it a little more OK that Akamai cast him to the curb when he became the victim of a crime, but only a little IMO.
There are definitely levels of sleep where your disk does get encrypted. I am sometimes asked for my password twice, once to unlock the disk, and once to unlock the screen.
As for things getting better in the future, one of the things Apple’s new file system supports is per-folder encryption, so, the OS would be able to lock user data down in sleep while still keeping the bits of the OS needed to properly wake up again unencrypted.
The DMA issue is an issue with FW and TB because they are in effect external extensions of motherboard buses. I think the only protection we can hope for in that regard is the differential locking of different parts of the OS during sleep.
As for keeping backups encrypted, I certainly do. Also, Apple offer to encrypt your TB backup for you when you enable it, so I think more people encrypt that than you might imagine.