Security Medium 1 — No, FaceID isn’t Broken, but it Does Have Limits
A snazzy demo had headlines all over the press screaming about how FaceID had been broken. But as is so often the case with stories like this, the devil is very much in the detail.
What the hackers really found was that it’s bloody difficult to trick FaceID — it takes a lot of time and effort, and even after you put all that investment in, your spoof only works in very carefully controlled circumstances.
The hackers started by creating a detailed 3D scan of a person’s face, then 3D printing that scan, replacing the eyes, nose, and mouth with latex, and then setting everything up on a jig so they could get the distances and angles just right to fool FaceID.
This is an even less practical attack than the fake fingers that got similar press in the early days of TouchID. These attacks are just not practical in the real world, and while they make good headlines, they don’t actually break the security of FaceID. Apple never claimed it was perfect, probably because nothing is. We use locks on our houses that are not perfect, but we know they are a heck of a lot better than nothing. We use TouchID despite knowing it’s not perfect, because we know that a strong passphrase made tolerable by TouchID is a much more secure alternative to a PIN.
Also — note that no one is claiming to have hacked FaceID, just to have spoofed it. What’s the difference? A hack would extract data from the secure element, exfiltrating private keys and/or biometric data. Nothing like that has even been claimed here.
Now, while intentional spoofing is proving very difficult, Apple’s warning that the probability of a false positive is much higher between close family members is proving to be true, with specific examples making the news, including British brothers, and perhaps a little more surprisingly, a mother and son.
If you share a house with close relatives who look like you and who you absolutely don’t want accessing your phone, you might want to consider giving FaceID a miss, or, at the very least, testing it on your family members to see whether or not your phone trusts them!
Links
- ⭐️ Face ID hasn’t been hacked: What you need to know — www.imore.com/…
- ⭐️ Watch a 10-Year-Old Beat Apple’s Face ID on His Mom’s iPhone X | WIRED — www.wired.com/…
- Face ID Hacked, But it Isn’t as Big a Deal as You Think — www.macobserver.com/…
- These spoofers claim that they tricked Face ID with a simple mask — www.imore.com/…
- Hackers say they broke Apple’s Face ID. Here’s why we’re not convinced — arstechnica.com/…
Security Medium 2 — 79 USB Bugs in the Linux Kernel
A Google researcher released details of another 14 bugs in the Linux kernel’s USB implementation recently, bringing his total since last December to 79.
These bugs are getting patched, so our usual advice applies — stay patched!
Many IoT devices use Linux, and many will never see updates, so something else to bear in mind is that these exploits all require physical access to the device — to trigger these vulnerabilities you need to plug some kind of booby-trapped device into the USB port of the device you’re attacking. That simple fact alone means these bugs can’t turn into an internet-destroying worm.
To attack someone’s device remotely you’d need to trick them into plugging some random USB thingy into their devices. Sadly, it’s been shown time and again that that’s easy to do — just hand out free booby-trapped USB thumb drives or power banks, or throw some thumb drives around the car park. This leads to a second take-away — don’t do that!!! Don’t plug stuff you find lying around into your computers!
Links
Security Medium 3 — More Problems with Intel Chips
Security researchers have promised to unveil an attack against the so-called Management Engine inside Intel’s CPUs. They say the attack they will demonstrate will give god mode control over affected computers.
Intel have acknowledged the problem and released a tester app, and patches will be making their way out to users as firmware updates from their hardware manufacturers. Since there are so many vendors involved, it’s impossible to give useful generic instructions or advice.
This affects just about every CPU from Intel in the last two years, covering their Core, Xeon, Atom, Celeron, and Pentium product lines.
Links
- Intel’s security advisory — www.intel.com/…
- US-CERT’s advisory — www.us-cert.gov/…
- Worries over Intel’s Management Engine grow after new flaws found — nakedsecurity.sophos.com/…
Security Medium 4 — Meet Quad9
The Domain Name System, DNS, is used to convert human-friendly domain names into the IP addresses computers actually use to communicate with each other over the internet. This means that the first step in getting infected with all sorts of malware is a DNS query to resolve a malicious domain name to an IP address. This provides an obvious opportunity for nipping a whole bunch of attacks in the bud before they can really get going — a DNS service that’s aware of current cyber threats could simply reply to all requests for known-malicious domains with an error response (an nxdomain response for all you DNS nerds out there).
That’s exactly what Quad9 was set up to do. They are providing a free DNS service that responds with nxdomain errors to all requests for known-bad domain names. To use the service you simply have to configure your computer or your router to use 9.9.9.9 as your DNS server (hence the name).
This sounds great, but before we get too excited we need to follow the money!
Thankfully, when we do we find good news — Quad9 is a not-for-profit organisation, and their privacy policy clearly states that they do not track individual users. IP addresses are never stored. The only data collected is global counts of attempts to access each malicious domain. This data will be used to help security companies track the effectiveness of individual pieces of malware.
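To make the nxdomain trick concrete, here is an added example (my own illustration, not Quad9’s code, and not a description of how their service is built) of a tiny threat-aware resolver that parses an A-record query and answers with RCODE 3 (nxdomain) for names on a blocklist; the blocklist, domain names and addresses are all made up for the demo.

```python
import struct
# Constructed sample data (not Quad9's real blocklist or real DNS records)
BLOCKLIST = {"malware-c2.example", "phishing.example"}
UPSTREAM = {"www.example": "93.184.216.34"}
NXDOMAIN = 3  # RCODE meaning "no such name"

def encode_name(name):
    """Encode a dotted name as DNS wire-format length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(qid, name):
    """Build a standard A query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # A, IN

def decode_name(data, offset):
    """Decode uncompressed labels at offset; return (name, offset after them)."""
    labels = []
    while data[offset] != 0:
        length = data[offset]
        labels.append(data[offset + 1:offset + 1 + length].decode())
        offset += 1 + length
    return ".".join(labels), offset + 1

def filtering_resolver(query):
    """Answer like a threat-aware resolver: nxdomain for blocklisted names."""
    qid = struct.unpack("!H", query[:2])[0]
    qname, off = decode_name(query, 12)
    question = query[12:off + 4]   # name + QTYPE + QCLASS, echoed back
    flags = 0x8180                 # QR=1, RD=1, RA=1, RCODE=0
    ip = UPSTREAM.get(qname.lower())
    if qname.lower() in BLOCKLIST or ip is None:
        return struct.pack("!HHHHHH", qid, flags | NXDOMAIN, 1, 0, 0, 0) + question
    rdata = bytes(int(o) for o in ip.split("."))
    # Answer: pointer to the question name (0xC00C), TYPE A, CLASS IN, TTL, RDLEN, RDATA
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 0) + question + answer

def rcode(response):
    """Extract the 4-bit RCODE from the flags word of a response."""
    return struct.unpack("!H", response[2:4])[0] & 0x0F

def first_a_record(response):
    """Return the IPv4 address in the first answer, or None if ANCOUNT is 0."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    _, off = decode_name(response, 12)
    rdata_off = off + 4 + 12  # skip QTYPE/QCLASS, then pointer+TYPE+CLASS+TTL+RDLEN
    return ".".join(str(b) for b in response[rdata_off:rdata_off + 4])
```

Note that a blocked name and a genuinely non-existent name produce an identical response, so a client cannot tell from the packet alone whether the resolver blocked a domain or simply could not find it.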
Links
- New “Quad9” DNS service blocks malicious domains for everyone — arstechnica.com/…
- Security Now 638 — twit.tv/…
Notable Security Updates
- Patch Tuesday has been and gone with updates from Microsoft and Adobe for Windows, Office, Flash, Photoshop, Reader, and more — krebsonsecurity.com/…
- Amazon’s Echo & Google Home have been patched against the so-called BlueBorne vulnerabilities — nakedsecurity.sophos.com/…
Notable News
- Now is a good time to give Firefox another go – with release 57 Mozilla completely re-invented the UI, making it much faster and leaner, and added new tracking protections (black-list based) — nakedsecurity.sophos.com/…
- Note that Firefox 57 is also a security update — www.us-cert.gov/…
- The German government has banned smart watches aimed at kids that include the ability to eavesdrop on kids — nakedsecurity.sophos.com/…
- WhatsApp’s Delete for Everyone feature turns out not to actually delete the messages from people’s devices after all — nakedsecurity.sophos.com/…
- Twitter have updated the policies behind their blue verified badges – users who incite hate are no longer eligible for such badges — nakedsecurity.sophos.com/…
- Security researchers find a way to jam Amazon’s smart lock system for letting delivery people into our houses – Amazon have promised that a fix is on the way — nakedsecurity.sophos.com/…
Suggested Reading
- PSAs, Tips & Advice
- ⭐️ Meet StartPage, the World’s Most Private Search Engine — www.intego.com/…
- ⭐️ How criminals clear your stolen iPhone for resale — www.zdnet.com/… & Fraudsters are using iCloud phishing to steal iOS devices — www.imore.com/…
- iOS 11: How to Remove Photo Metadata for Anonymous Images — www.macobserver.com/…
- How to Opt Out of Equifax Revealing Your Salary History — krebsonsecurity.com/…
- Notable Breaches & Privacy Violations
- ⭐️ Uber suffered massive data breach, then paid hackers to keep quiet — nakedsecurity.sophos.com/… & Uber Paid Hackers to Delete Stolen Data on 57 Million People – Bloomberg — www.bloomberg.com/…
- ⭐️ Androids caught secretly reporting location data regardless of opt-out — nakedsecurity.sophos.com/… & Google collects Android users’ locations even when location services are disabled — qz.com/…
- Brian Krebs warns about privacy problems with the Free Application for Federal Student Aid (FAFSA) application process — krebsonsecurity.com/…
- Forever 21 informs customers of a potential data breach — nakedsecurity.sophos.com/…
- News
- ⭐️ Google study reveals how criminals break into Gmail accounts — nakedsecurity.sophos.com/…
- ⭐️ Western Union scam victims can now reclaim their lost money — www.imore.com/…
- Government attacks on Encryption Continue
- FCC chairman Ajit Pai unveils his proposals to end net neutrality in the US (FCC vote scheduled for December):
- Google and Twitter turn their backs on Russian media over fake news — nakedsecurity.sophos.com/…
- DHS says it remotely hacked a Boeing 757 sitting on a runway — nakedsecurity.sophos.com/…
- Opinion & Analysis
- What Face ID Means for Accessibility — www.stevensblog.co/…
- Two former Facebook execs attack Facebook:
- Google’s chief lawyer blogs about two important European cases regarding the so-called right to be forgotten — Defending access to lawful information at Europe’s highest court — www.blog.google/…
- Propeller Beanie Territory
Palate Cleansers
- The Complete History of the IBM PC (long-form article)
- Part 1 — arstechnica.co.uk/…
- Part 2 — arstechnica.com/…
- 12 Ways to Open Files on a Mac — www.intego.com/…