This week I was on the Clockwise Podcast (Clockwise #205: Candy-Coated Vegetables on relay.fm) and on Brett Terpstra’s Systematic podcast (201: Not the Man I Thought He Was with Allison Sheridan on esn.fm). I interview Bart about the security implications of Face ID on the new iPhone X. I give you what I hope is a different view on the Apple announcement. Security Bits is really huge this week with three Security Mediums thanks to companies like AT&T and Equifax.
Hi, this is Allison Sheridan of the NosillaCast Mac Podcast, hosted at Podfeet.com, a technology geek podcast with an EVER so slight Apple bias. Today is Sunday, September 17, 2017, and this is show number 644. This week’s Security Bits isn’t “bits” at all, I’m afraid it’s more like gobs, what with Equifax and AT&T U-verse making our lives miserable. Because of that I’ve only got one segment by me, and an interview I actually did with Bart on another subject, and then we’ll tuck into Security Gobs.
So Many Appearances!
But first, I’ve been having a blast being on other people’s podcasts in the last couple of weeks.
Clockwise
I was on Clockwise with Dan Moren and Mikah Sargent on their September 6th episode Clockwise #205: Candy-Coated Vegetables on relay.fm. Shelly Brisbin and I specifically asked them to schedule us together and it was great fun. We talked about keeping an eye on apps when they ask your permission for things like location, camera, and microphone. Then I asked what everyone’s biggest tech speculation blunders were (I won that one with the dumbest predictions). We, of course, talked about speculation on the Apple event since it hadn’t occurred yet, and then we talked about what we load our tech up with when we’re forced to go offline on vacation. If you haven’t listened to Clockwise before, the theme is four tech topics, four hosts and it’s all in 30 minutes. Super fun show I never miss.
Systematic with Brett Terpstra
I had the great honor of being interviewed by Brett Terpstra on his show Systematic. 201: Not the Man I Thought He Was with Allison Sheridan on esn.fm. If you don’t know Brett, he’s a brilliant technologist whose brain works differently and at vastly increased rates from the rest of humanity. That’s my description of him, at least. You may know him as the guy who invented Marked, a Markdown app that aficionados of that language adore.
The interview is all over the map, from talking about my podcasts to musical anhedonia to what we use to keep our dishes clean. I was super nervous going into this interview but Brett made me feel really comfortable so it sounds like old friends getting to know each other better.
Chit Chat Across the Pond
In Chit Chat Across the Pond this week Bart is back with another installment of Programming By Stealth. This week we go over the JavaScript homework for our cellular automaton, and then we get our very last HTML lesson. We learn about HTML5 Form validation and how it will make our JavaScript lives so much easier. It eliminates a lot of tests we would otherwise have to do for valid form entry by users. I enjoyed it so much I’ve already started on the homework! You can find this episode in your podcatcher of choice under Programming By Stealth or the full Chit Chat Across the Pond feed.
Blog Posts
Face ID Security Questions with Bart Busschots
A (Hopefully) Different View on the Apple Announcements
Patreon and Amazon
One of the best ways to support the Podfeet Podcasts is through Patreon. Here’s a feature I bet you wouldn’t think I would even tell you about. Let’s say you’re feeling generous and you set up a recurring donation to the show via Patreon. But later on you think that maybe you’ve over-extended yourself.
Did you know you can lower your pledge? Out of all the people who have pledged to support the show, only two people have done this but it actually made me feel good that they had the control of how this works for them.
Maybe I’m an idiot for telling you about this feature, but it’s what makes Patreon such a good way to support podcasters. Of course I would be remiss if I didn’t point out that you can also increase your pledge if you’re feeling flush at a later date!
To support the show through Patreon, go to podfeet.com/patreon and choose an amount that works for you and your family.
Security Bits with Bart Busschots
Followup
Security Medium 1 – SharknAT&To
A security researcher has revealed a whole suite of very nasty bugs in a number of routers provided to US broadband customers by AT&T. There are four vulnerabilities of varying severity – some of the scariest of which allow what should be impossible – direct access from the internet through the NAT router into any arbitrary devices on the LAN using a poorly secured HTTP reverse proxy on the router. The simplest of the vulnerabilities are also shockingly amateurish like hard-coded SSH root passwords accessible via the WAN interface. I’m no lawyer, but I have to wonder at what point rank incompetence becomes criminal negligence?
The security researcher who released this research also provided some workarounds affected customers can use to protect themselves from some of these vulnerabilities, but ultimately, you’ll want either new firmware or a new router from AT&T (or a new ISP that sucks less!). Steve Gibson suggested affected users run their own router behind the AT&T router and connect as many of their devices as they can behind that router, bearing in mind that AT&T-provided hardware like phones and set-top-boxes probably won’t work behind your own router, so they may have to stay exposed.
Links
- The original research – www.nomotion.net/…
- Bugs in Arris Modems Distributed by AT&T Vulnerable to Trivial Attacks – threatpost.com/…
- Security Now Episode 627 – www.grc.com/…
Security Medium 2 – Ultrasonic Voice Control Attacks
Security researchers have demonstrated an interesting attack against Siri and Alexa – they were able to use ultrasonic transmitters to successfully issue commands to these digital assistants that can’t be heard by humans.
By being a little clever they were able to hide their attacks better than you might think at first glance – for example, they were able to use the commands to lower the volume and dim the screen to make it much less obvious that the devices were acting on unheard orders.
The attackers were able to do things like turn victim phones into bugging devices by inducing the devices to make an out-going call.
While there are obvious real-world dangers here, the technique also has some significant limitations. The most obvious limitation is the need for physical proximity. Another is that modern phone OSes limit what the voice assistant can do while the phone is locked. The fact that there have been so many lock screen bypasses over the years does give a little cause for concern though.
If you’re worried about this, the solution is very simple – disable your voice assistant on your lock screen!
Personally, I find the concept of a porous lock screen to be deeply flawed and dangerous, so I have all inputs disabled on my lock screen, and have had since the moment Apple started punching holes in its lock screen. With Touch ID and Siri on the Apple Watch, the inconvenience is minimal, but the added security is significant.
Links
- Your voice assistant can hear things you can’t – such as a hacker – nakedsecurity.sophos.com/…
- Siri, Alexa Susceptible to Ultrasonic Voice Commands – www.macobserver.com/…
Security Medium 3 – The Equifax Breach
Equifax is one of the so-called big three credit reporting agencies in the US (the other two are Experian & TransUnion). They keep track of pretty much every line of credit taken out in America, and how promptly and completely the borrower made their repayments. Based on this data these agencies produce credit reports and credit scores which are used by US financial institutions when deciding whether or not to approve applications for new lines of credit. To say these companies have vast quantities of very sensitive data is putting it very mildly indeed!
While Equifax is one of the big three American credit agencies, it doesn’t only hold data on Americans – some UK & Canadian citizens are also caught up in this breach, but Equifax are not letting us know how many.
What we now know is that back in May attackers gained access to Equifax’s systems. Equifax noticed the breach at the end of July, but did not disclose the breach until now. Equifax are not disclosing how many users are affected, but the consensus seems to be that we’re talking about hundreds of thousands of people. What Equifax did share is that the attackers accessed users’ “names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers”.
We also know that in addition to the data listed above, 209K credit card numbers were stolen, as well as files relating to disputes which contain detailed personal information on another 182K people.
Equifax do say that they’ve found no evidence that their core database of credit lines was breached so that’s something I guess.
While Equifax won’t reveal how many customers are affected, and while their website for testing if you are affected has been found very badly wanting, they are offering free identity theft protection and credit monitoring to all US customers, even those not affected by the breach. The sting in the tail is that the fine print in the TOS for the site where you can check if you’re affected and sign up for the free protection contains wording that implies that simply by using the special website, you’re waiving your right to join in a class action lawsuit against Equifax. Equifax says that wording doesn’t apply to stuff related to the breach, and the consensus among legal experts seems to be that the TOS would never stand up in court anyway.
One of the best ways to protect yourself from one of the worst forms of identity theft – someone else taking out credit in your name – is to put a freeze on your credit file. Some US states have legislation in place to ensure citizens can’t be charged for this, but most don’t, so there is likely to be a fee to both freeze and, if needed, un-freeze your report. The obvious down-side to freezing your report is that no one can take out a line of credit in your name, not even you! That’s a big problem for a lot of people at a lot of stages in their lives!
To add insult to injury, Equifax’s process for freezing your credit file includes the generation of a PIN that acts as a key for un-freezing your report later, and the generation of that PIN was shockingly insecure – it was not a random number at all – it was simply a timestamp in MMDDYYhhmm format! Despite much idiotic complaining that there was nothing wrong with this process, Equifax did back down and make their PINs actually random.
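To make the timestamp-PIN problem concrete, here is an added example (my own code, not Equifax’s) that puts the weak MMDDYYhhmm scheme beside a properly random one, shows how few values the weak scheme can actually produce in a given window, and includes a small audit check for spotting timestamp-shaped PINs. It assumes a 10-digit PIN and that the two-digit year means 20YY.

```python
import secrets
from datetime import datetime, timedelta
from typing import List, Optional

PIN_FORMAT = "%m%d%y%H%M"  # MMDDYYhhmm, the layout described in the show notes


def timestamp_pin(when: datetime) -> str:
    """Weak scheme: the 'PIN' is just the minute at which the freeze was requested."""
    return when.strftime(PIN_FORMAT)


def random_pin(ndigits: int = 10) -> str:
    """Corrected scheme: every digit from a CSPRNG, so all 10**ndigits values are equally likely."""
    return "".join(secrets.choice("0123456789") for _ in range(ndigits))


def parse_timestamp_pin(pin: str) -> Optional[datetime]:
    """Audit check: return the minute a PIN encodes if it is a valid MMDDYYhhmm stamp,
    else None. A batch of issued PINs that consistently parse as plausible dates is a
    strong sign they are timestamp-derived rather than random (assumes year = 20YY)."""
    if len(pin) != 10 or not pin.isdigit():
        return None
    mm, dd, yy, hh, mi = (int(pin[i:i + 2]) for i in range(0, 10, 2))
    try:
        return datetime(2000 + yy, mm, dd, hh, mi)
    except ValueError:
        return None


def candidate_pins(start: datetime, end: datetime) -> List[str]:
    """Every PIN the weak scheme could have issued in [start, end], one per minute.
    This is the whole 'keyspace' if the freeze time is known to within that window."""
    t = start.replace(second=0, microsecond=0)
    out = []
    while t <= end:
        out.append(timestamp_pin(t))
        t += timedelta(minutes=1)
    return out


def keyspace_ratio(window_days: int, ndigits: int = 10) -> float:
    """How many times larger the random keyspace is than the weak one for a window."""
    weak = window_days * 24 * 60  # one distinct PIN per minute
    return 10 ** ndigits / weak


if __name__ == "__main__":
    # Constructed sample: a freeze requested at 14:30 on 8 September 2017.
    when = datetime(2017, 9, 8, 14, 30)
    print("weak PIN         :", timestamp_pin(when))
    print("random PIN       :", random_pin())
    print("weak PIN decodes :", parse_timestamp_pin(timestamp_pin(when)))
    print("one-week keyspace ratio: %.0f" % keyspace_ratio(7))
```

Even if the freeze date is only known to within a week, the weak scheme yields just 10,080 possible PINs against ten billion for a random ten-digit PIN.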
With the spotlight now firmly focused on Equifax, other security vulnerabilities are being found – for example, Brian Krebs discovered a poorly secured portal used by Equifax employees in Argentina that left sensitive data at risk. Expect to hear more headlines about Equifax’s security being found wanting.
If you think you might be affected by this (and if you’re an American adult who has taken out at least one line of credit in your life, you could well be), what can you do? The consensus advice seems to be to:
- Check your credit report to make sure nothing bad has already happened
- Freeze your credit file, not just with Equifax, but with all the agencies.
- Ask Equifax if you are affected
- Consider taking out identity theft protection – it’s not all that likely to save you from bad things happening, but will really help you put the pieces back together if things do go wrong
Lots of people took the advice to freeze their credit files, resulting in the websites for doing so getting overloaded to the point of going down a few times. Also, credit agency TransUnion changed their website, making it harder to find the right place to apply for a freeze on your file.
This breach is not just about one agency messing up, it also serves to highlight a bigger problem with the whole system, and even with the concept of social security numbers themselves. The last two links below are to opinion pieces that look at the bigger picture.
Links
- ⭐️ The Equifax Breach: What You Should Know – krebsonsecurity.com/…
- Everything You Should Know About the 2017 Equifax Breach – www.macobserver.com/…
- ⭐️ Equifax: four simple steps to secure yourself – nakedsecurity.sophos.com/… (includes links to apply for freezes on your files with all the agencies)
- Here’s How to Find the TransUnion Credit Freeze Page – www.macobserver.com/…
- Equifax: woeful PINs put frozen credit files at risk – nakedsecurity.sophos.com/…
- Brian Krebs’ description of the problems with the special website Equifax created to allow customers query whether or not they were affected by this breach – krebsonsecurity.com/…
- Equifax: researchers find leaky customer help portal in Argentina – nakedsecurity.sophos.com/…
- Who are the three major credit bureaus? – www.thebalance.com/…
- A look at what we know about the technical aspects of the breach – nakedsecurity.sophos.com/…
- Equifax: highlighting the problems with social security numbers – nakedsecurity.sophos.com/…
- You Can’t Protect Yourself from the Equifax Breach – tidbits.com/…
Notable Security Updates
- Patch Tuesday has been and gone with critical updates from Microsoft and Adobe including patches for Windows & Flash. The Windows fixes include a patch for the second so-called FinSpy zero-day exploit – krebsonsecurity.com/… & nakedsecurity.sophos.com/…
Notable News
- A security researcher has publicly disclosed serious vulnerabilities in a number of D-Link routers without first privately disclosing the details to D-Link. The flaws are serious enough that the advice is that owners should stop using the routers immediately, and since the models in question are no longer on sale, it’s not clear there will ever be patches released – nakedsecurity.sophos.com/…
- US District Court Judge Lucy Koh in the Northern District of California rules that the threats presented by the possibility of future identity theft are real enough to give data breach victims standing to sue under US law. The ruling came in a case relating to the massive Yahoo! breach-cluster of the last few years, but it could have much broader ramifications – nakedsecurity.sophos.com/…
- Security researchers reveal a new security problem for Android – bugs in many of the boot loaders used by the various chip manufacturers who make Android devices. The collection of separate vulnerabilities has been given the catchy name BootStomp. Thankfully exploitation of these bugs is quite difficult, so, at least for now, ordinary users don’t appear to be in much danger, with targeted attacks against high-value targets being a much bigger concern – nakedsecurity.sophos.com/…
- Facebook admit they sold US political ads to foreign agents, something expressly forbidden under US election laws (for obvious reasons) – daringfireball.net/…
- The US government has banned the use of Kaspersky software on government computers over Russian espionage fears (we’ve seen this before with bans on hardware from Chinese companies like Huawei) – www.washingtonpost.com/… & arstechnica.com/…
- This year’s Windows 10 update (dubbed the Creators Update) will boost the OS’s privacy controls, bringing it more into line with what we’ve come to expect from mobile OSes like iOS and modern versions of Android – arstechnica.com/…
- iOS 11 will require a passcode be entered to initialise a connection to a computer – biometrics will not be sufficient. This is being seen as a fresh barrier to government overreach – nakedsecurity.sophos.com/…
- The US CERT issued a warning about BlueBorne, a critical Bluetooth vulnerability that allows an attacker to take control of affected devices. The vulnerability affects Windows, iOS, Android, and Linux. Patches are available for each of those OSes, but many Android phones and Linux-based IoT devices may never receive those patches – www.kb.cert.org/…
- Facebook has announced that it will pull its disaster-related tools together into a single Crisis Response Hub – nakedsecurity.sophos.com/…
- Put a pin in this one – The ACLU & the EFF have teamed up to sue the US DHS over warrantless device searches at the US border – nakedsecurity.sophos.com/…
Suggested Reading
- PSAs, Tips & Advice
- ⭐️ How to back up your Mac to the cloud – www.imore.com/…
- If you have the WordPress plugin Display Widgets installed on your site, you probably want to remove it ASAP – nakedsecurity.sophos.com/…
- News
- Lenovo settles lawsuits with 32 states over Superfish – nakedsecurity.sophos.com/…
- Orfox app brings Tor’s security slider to Android – nakedsecurity.sophos.com/…
- Concerns raised over claim that neural networks can detect sexuality – nakedsecurity.sophos.com/…
- Fears raised about accuracy of new forensic DNA techniques – nakedsecurity.sophos.com/…
- Smart pumps used by hospitals in IV drips vulnerable to attacks – nakedsecurity.sophos.com/…
- Opinion & Analysis
- ⭐️ Apple Explains How It’s Making Siri Smart Without Endangering User Privacy – www.fastcompany.com/…
- ⭐️ Who Is Marcus Hutchins? – krebsonsecurity.com/…
- London police’s use of facial recognition falls flat on its face – nakedsecurity.sophos.com/…
- What’s under the hood of the new Brave browser? – nakedsecurity.sophos.com/…
- Governments must fix the digital identity mess, says think tank – nakedsecurity.sophos.com/…
- India’s Aadhaar digital ID scheme: what could possibly go wrong? – nakedsecurity.sophos.com/…
- Propeller Beanie Territory
- Would-be cyberattackers caught by malware with a sting in the tail – nakedsecurity.sophos.com/…
- Unsecured databases are (still) the low-hanging fruit of the internet – nakedsecurity.sophos.com/…
- When is a bug not a bug? When Microsoft says “it’s a feature” – nakedsecurity.sophos.com/…
- ⭐️ Important High Sierra Changes for IT Admins – tidbits.com/…
- ⭐️ Azure Confidential Computing will keep data secret, even from Microsoft – arstechnica.com/…
- ⭐️ Google’s Differential Privacy May be Better Than Apple’s – www.macobserver.com/…
That’s going to wind this up for this week. Don’t forget to send in your Dumb Questions, comments and suggestions by emailing me at [email protected], and follow me on Twitter @podfeet. Remember, everything good starts with podfeet.com/. podfeet.com/patreon, podfeet.com/facebook, podfeet.com/googleplus, podfeet.com/amazon! And if you want to join in the fun of the live show, head on over to podfeet.com/live on Sunday nights at 5pm Pacific Time and join the friendly and enthusiastic NosillaCastaways. Thanks for listening, and stay subscribed.