Security Medium 1 — Apple Card is not Magic
A story made a lot of news this week because it involved a physical Apple Card being skimmed. It underlines the fact that people do not understand that when they fall back to using the physical card, or to typing the virtual card number into a website by hand, they are back on the obsolete and dangerously insecure credit card infrastructure of old. That is why Apple went to so much trouble to make Apple Pay the default way to use the card, and why they describe the physical card and the virtual number as fallback mechanisms for when Apple Pay can't be used.
We've seen two distinct types of fraud against Apple Card: cloning of the magnetic stripe (the chip used for Chip & PIN is not affected), and leaking of the virtual number after it was entered online.
It's impossible to protect the magnetic stripe: it holds static data that any reader can copy, which is why most of the planet abandoned it years ago! This isn't a problem with the Apple Card, but with the payment industry!
With the virtual number Apple Card users have a little more control than users of more traditional cards, because they can replace the virtual number themselves without having to get a new card issued by their bank.
It's also vital to remember that from a legal point of view customers are not left liable for fraudulent transactions on any credit card, so it's American banks that literally pay the price for their own failure to move with the times!
Links
Security Medium 2 — Safari is Not Sending URLs from Non-Chinese Browsers to Tencent 🧯
Confusion reigned for a while when Apple updated the wording of their Safari privacy statement in a way that could be interpreted as saying they send all browsing data to the Chinese firm Tencent as part of their phishing protections. To cut a long story short, no, that's not what's happening. iPhones whose region is set to China use Tencent for phishing protection, and all other iPhones use Google.
This story revolves around an important security protection that's enabled by default on all versions of Safari. The feature, named Fraudulent Website Warning, protects users from known phishing URLs by putting up a warning when they browse to one.
The feature relies on blacklists maintained by search providers. Google's Safe Browsing API is probably the most comprehensive such blacklist, hence its use by just about every major browser (except Edge). Google's API is not available in China, so iPhones set to that region have to use an alternative service. The most comprehensive Chinese blacklist is the one maintained by Tencent, so it makes sense that Apple would use it in China.
Apple have made clear that they only use Tencent in China, but we don’t have to take their word for it — security researchers have peeped under Safari’s bonnet and confirmed that the code does what Apple says it does.
The APIs for these services are also surprisingly privacy-aware. No cookies are sent, and the browser never actually sends the URLs to the blacklist providers for testing.
The way it works is that the browser periodically downloads from the blacklist provider a list of truncated hashes. The provider hashes each known-bad URL pattern (combinations of the host and the leading part of the path) and publishes only the first few bytes of each hash, not hashes of the URLs themselves. The browser keeps this list locally and, for every page the user visits, hashes the same host and path combinations for that URL and compares the truncated hashes against the list. Most of the time nothing matches, so the browser does nothing further and no request leaves the device. Only when a truncated hash does match does the browser contact the provider, sending just that short hash prefix and asking for the full hashes of every known-bad entry that begins with it. The browser then compares the full hash it computed locally against that more detailed list, and only a full-hash match produces a warning.
So, what does the provider know? Just two things: your IP address, and, on the rare occasions that a prefix matches, a hash prefix a few bytes long that is shared by a known-bad entry and whatever you were visiting. That prefix cannot be reversed into a URL, and a great many unrelated URLs hash to the same prefix, so even a matching lookup does not tell the provider which page you were on. No cookies are included in the API calls either.
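To make the privacy argument concrete, here is an added worked model of the hash-prefix lookup, written for these notes rather than taken from Apple, Google or Tencent. It follows the host-suffix/path-prefix rules and truncated-hash protocol of Google's published Safe Browsing Update API, but simplifies URL canonicalisation (lowercase host, fragment dropped, no percent-decoding) and never hashes a bare top-level domain; the blacklist entry `phish.example.net/login/` is a constructed example, not a real site. The `Provider` records everything it ever receives from the `Browser`, so you can see for yourself that it only ever gets short hash prefixes.

```python
"""Hash-prefix blacklist lookup in the style of the Safe Browsing Update API.

Added illustration for these notes; not Apple's, Google's or Tencent's code.
Canonicalisation is simplified (lowercase host, fragment dropped, no percent
decoding).  The suffix/prefix expression rules follow Google's documentation.
"""
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of SHA-256 kept in the local list (Safe Browsing's usual size)


def _host_suffixes(host: str) -> list[str]:
    """Exact host, then up to 4 suffixes built from the last 5 labels (never a bare TLD)."""
    labels = host.split(".")
    out = [host]
    for i in range(max(1, len(labels) - 5), len(labels) - 1):
        out.append(".".join(labels[i:]))
    return list(dict.fromkeys(out))


def _path_prefixes(path: str, query: str) -> list[str]:
    """Exact path with and without query, the root, then up to 3 directory prefixes."""
    out = [f"{path}?{query}"] if query else []
    out.append(path)
    prefix = "/"
    out.append(prefix)
    for seg in path.split("/")[1:-1][:3]:
        prefix += seg + "/"
        out.append(prefix)
    return list(dict.fromkeys(out))


def expressions(url: str) -> list[str]:
    """The host/path combinations (at most 30) the client hashes for one URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # .hostname is already lowercased and has no port
    path = parts.path or "/"
    return [h + p for h in _host_suffixes(host) for p in _path_prefixes(path, parts.query)]


def full_hash(expr: str) -> bytes:
    return hashlib.sha256(expr.encode()).digest()


class Provider:
    """The blacklist provider (Google, or Tencent for devices set to China)."""

    def __init__(self, bad_expressions, prefix_len=PREFIX_LEN):
        self.prefix_len = prefix_len
        self.bad_hashes = {full_hash(e) for e in bad_expressions}
        self.seen = []  # everything any client ever sends us: hash prefixes only

    def list_prefixes(self) -> set[bytes]:
        """Periodic list download: truncated hashes, nothing a client could reverse."""
        return {h[: self.prefix_len] for h in self.bad_hashes}

    def find_full_hashes(self, prefixes: set[bytes]) -> set[bytes]:
        """Second round trip: every full known-bad hash starting with a sent prefix."""
        self.seen.append(sorted(prefixes))
        return {h for h in self.bad_hashes if h[: self.prefix_len] in prefixes}


class Browser:
    def __init__(self, provider: Provider):
        self.provider = provider
        self.local = provider.list_prefixes()  # refreshed periodically in real life

    def check(self, url: str) -> tuple[bool, list[bytes]]:
        """Return (show_warning, prefixes_sent_to_provider)."""
        hashes = {full_hash(e) for e in expressions(url)}
        hits = {h[: self.provider.prefix_len] for h in hashes} & self.local
        if not hits:
            return False, []  # the common case: decided locally, nothing leaves the device
        bad = self.provider.find_full_hashes(hits)  # only the colliding prefixes go out
        return bool(hashes & bad), sorted(hits)


if __name__ == "__main__":
    # Constructed blacklist entry: one phishing directory, not a real site.
    provider = Provider(["phish.example.net/login/"])
    browser = Browser(provider)
    print(browser.check("https://www.apple.com/"))
    print(browser.check("https://PHISH.example.net/login/index.html?x=1"))
    print("provider saw:", provider.seen)  # 4-byte prefixes, never a URL
```

Shrinking `prefix_len` to 1 byte makes benign pages collide with the list every couple of hundred visits, which shows the two-step design working as intended: a lookup is sent, the provider learns only the colliding byte, and the local full-hash comparison still refuses to show a warning for the benign page.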
IP addresses make very poor tracking identifiers: many humans share individual IPs, and individual humans move around between many different IPs. There simply isn't a good mapping from single humans to single IP addresses, so they're just not suited to reliable tracking!
I can't see any scandal here, or indeed any cause for concern. The benefits of phishing protection far outweigh the very small privacy cost of the purely hypothetical, and very inaccurate, tracking the blacklist providers could attempt.
Links
- Here’s Apple’s statement on Safari Fraudulent Website Warning and Tencent — www.imore.com/…
- Code Reveals Tencent Only Gets Your Data if Your Device’s Region is Set to China — www.macobserver.com/…
Notable Security Updates
- Patch Tuesday has been and gone yet again with critical updates from Microsoft and Adobe for Windows & Acrobat, including a fix for a nasty vulnerability in the Windows Remote Desktop client — krebsonsecurity.com/…, nakedsecurity.sophos.com/… & www.us-cert.gov/…
- Signal quickly patched a serious bug that was very similar to the recent high-profile FaceTime bug — nakedsecurity.sophos.com/…
- Apple have patched their Windows software and released macOS Catalina — nakedsecurity.sophos.com/…
- The Windows bug that was patched is already being exploited in the wild to install ransomware, so patch now! Also, if you installed and later uninstalled an Apple product on Windows you may still be vulnerable, because the uninstaller leaves Bonjour behind, and that's where the vulnerability was — arstechnica.com/…, www.imore.com/… & nakedsecurity.sophos.com/…
Notable News
- A zero-day bug has been found in Android that affects many popular handsets (including the Google Pixel 1 & 2 and the Samsung Galaxy S7, S8 & S9). A patch is expected from Google in the October update, and that patch will then have to make its way to users via the relevant manufacturers. The bug is being actively exploited in the wild — nakedsecurity.sophos.com/… & www.zdnet.com/…
- Facebook's Libra cryptocurrency suffers more defections: with the departure of Visa, Mastercard, eBay & Stripe, all the major payment processors have now left — www.imore.com/… & nakedsecurity.sophos.com/…
- A flaw has been found in the Galaxy S10's fingerprint sensor that results in it being fooled into accepting any fingerprint when used with certain screen protectors. Samsung are working on a fix, but in the meantime users should switch to another unlock mechanism — www.bbc.com/…
- The Face Unlock feature on Google's Pixel 4 works even when the user's eyes are closed (i.e. there is no attention detection like on iPhones), making it significantly less secure — www.bbc.com/…
- Twitter have clarified their approach to politicians who break their terms of service: they still won't delete most of the offending tweets or accounts, but they will put those tweets behind a notice that users have to click through to see them — www.imore.com/…
- Instagram have updated their apps to give users more and easier control over the data shared with third-party services they connect to their Instagram accounts — www.imore.com/…
- Microsoft have announced that they’ll be adding a feature to allow Xbox gamers to filter the messages they receive — nakedsecurity.sophos.com/…
Suggested Reading
- PSAs, Tips & Advice
- ⭐️ An important reminder to be just as suspicious of SMS messages as you are of emails. An SMS that appears to come from your carrier with a link is just as dangerous as an email pretending to be from your bank! — Phishy text message tries to steal your cellphone account — nakedsecurity.sophos.com/…
- Notable Breaches & Privacy Violations
- ⭐️ Twitter admits to accidentally using cellphone numbers provided for 2FA for targeted ads — help.twitter.com/… & nakedsecurity.sophos.com/…
- News
- ⭐️ Patrick Wardle, a well-respected security researcher who focuses on Apple technologies, has published details of a trojan Bitcoin app for the Mac being distributed through a front company by a hacking group associated with the North Korean government. The malware gives the attackers remote control of the infected Mac, and is part of an ongoing campaign by the group to steal Bitcoin — www.forbes.com/…
- ⭐️ 🇬🇧 UK’s controversial ‘porn blocker’ plan dropped — www.bbc.co.uk/…
- Facebook News:
- Facebook announces two-year project to combat grooming and child exploitation on its platforms — www.imore.com/…
- Facebook flags thousands of kids as interested in gambling, booze — nakedsecurity.sophos.com/…
- #FacebookLockout: Users who report fake/scam accounts locked out — nakedsecurity.sophos.com/…
- 🇺🇸 Report suggests NYC District Attorney’s office has been able to break into iPhones since January 2018 — www.imore.com/…
- 🇺🇸 California outlaws facial recognition in police bodycams — nakedsecurity.sophos.com/…
- 🇺🇸 Oregon judge ordered woman to type in her iPhone passcode so police could search it for evidence against her — www.oregonlive.com/…
- 🇫🇷 Nationwide facial recognition ID program underway in France — nakedsecurity.sophos.com/…
- Opinion & Analysis
- ⭐️ One Year After ‘The Big Hack’ — Pixel Envy — pxlnv.com/…
- Related: while it seems clearer than ever that Bloomberg cried wolf in their sensational story last year, the danger is nonetheless real, as demonstrated by this story: Soldering spy chips inside firewalls is now a cheap hack, shows researcher — nakedsecurity.sophos.com/…
- ⭐️ Copy-and-paste sharing on Stack Overflow spreads insecure code — nakedsecurity.sophos.com/…
- ⭐️ In a briefing note sent to US corporations the FBI warns of common techniques in use in the wild for bypassing 2FA. SIM swapping tops the list, with real-time phishing attacks (which ask for username, password & one-time code and use them instantly, before the code expires) being the next biggest danger — nakedsecurity.sophos.com/…
- Tom Burt, Microsoft VP for Customer Security & Trust shared details of Iranian state-sponsored hacking Microsoft have observed attacking many targets including US Presidential campaigns — blogs.microsoft.com/…
- How Photos of Your Kids Are Powering Surveillance Technology — www.nytimes.com/…
- Google’s auto-delete tools are practically worthless for privacy — www.fastcompany.com/…
- Propellor Beanie Territory
Palate Cleansers
- After many years of trying, security researchers have finally cracked the password used by the famous Unix co-creator Ken Thompson in 1980. It turns out to have been a great password for the time (the hashes were made with the original DES-based `crypt(3)`, which only looks at the first 8 characters, so it uses every one of them): hard to guess, but given his love of chess, easy for him to remember: `p/q2-q4!` (it's the so-called descriptive notation for an opening chess move, pawn from queen's 2 to queen's 4, or 1. d4 in modern notation). Thanks to the same set of ancient hashes we've known for some time that Bourne shell author Stephen Bourne had a much more lax attitude to security, since his password was `bourne`, as did Eric Schmidt, who used his wife's name and some exclamation marks (`wendy!!!`). Finally, we know that famous C guru and Unix pioneer Brian Kernighan used the secure-looking but utterly insecure `/.,/.,` (try typing it and you'll see it's no better than `qwerty`) — nakedsecurity.sophos.com/…
Note: When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.