Feedback & Followups
- Remain vigilant for pandemic-related scams:
  - COVID-19 tests, PPE and antiviral drugs find a home on the dark web — nakedsecurity.sophos.com/…
  - Beware of emails with “horrible charts” about Covid-19 — nakedsecurity.sophos.com/…
  - 🇺🇸 Scammers target COVID-19 CARES Act relief scheme — nakedsecurity.sophos.com/…
  - 🇺🇸 Riding the State Unemployment Fraud ‘Wave’ — krebsonsecurity.com/…
- Exposure Notification/Contact Tracing App developments
  - With the release of iOS 13.5, Apple & Google’s exposure notification API is out! There are very few apps available just now, but they are expected to start rolling out over the coming weeks.
  - Apple-Google contact tracing tech draws interest in 23 countries, some hedge bets — uk.reuters.com/…
  - Apple-Google Exposure Notification API: Everything you need to know — www.imore.com/…
  - How to Turn on COVID-19 Exposure Logging on Your iPhone — www.macobserver.com/…
  - Apple responds to false Facebook claims about contact tracing update in iOS 13.5 — www.imore.com/…
  - 🇪🇺 Five EU states criticize Apple and Google ‘imposing technical standards’ over contact tracing — www.imore.com/…
  - 🇨🇭 Switzerland was first to launch an app using the API — www.imore.com/…
  - 🇱🇻 Latvia to launch Google-Apple friendly coronavirus contact tracing app — www.reuters.com/…
  - 🇬🇧 UK contact tracing app delayed until June — www.imore.com/…
  - 🇺🇸 North Dakota’s contact tracing app shares location with Foursquare, Google — www.imore.com/…
- Video Conferencing Updates
  - Zoom have switched to their new and improved encryption scheme, and are not providing fallback to the old scheme, so you need to update your apps or use the web version to keep using Zoom — www.imore.com/…
  - Apple have updated Group FaceTime so you can disable the auto-zoom on the current speaker: How to Turn Off Group FaceTime Moving Photos — www.macobserver.com/…
  - Instagram adds video chat that supports up to 50 people, here’s how to use it — www.imore.com/…
  - Skype gains 3×3 grid view and reaction customization in latest update — www.imore.com/…
  - Facebook testing new audio calling app CatchUp — www.imore.com/…
  - Related: Signal secure messaging can now identify you without a phone number — nakedsecurity.sophos.com/…
  - Related: How to Improve your Zoom, Skype, or FaceTime call experience — www.intego.com/…
- 🇺🇸 The campaign to stop the renewal of parts of the Patriot Act has moved from the Senate to the House, and large tech companies have joined the fight to protect citizens’ browsing histories from warrantless searches — nakedsecurity.sophos.com/…
- 🇺🇸 Clearview AI facial recognition sued again – this time by ACLU — nakedsecurity.sophos.com/…
🇺🇸 Deep Dive 1 — The US Government Revive Their Attacks on Apple
The FBI revealed that it had succeeded in cracking the iPhones belonging to the shooter in the Pensacola Naval Base attack. From the reporting, it appears the devices were broken into using a hardware passcode brute-forcing device of the kind sold by some grey-hat security companies.
The FBI director and the US Attorney General attacked Apple for not assisting in cracking the devices. The implication was that Apple could simply have opened the phones for them, but refused to in order to protect their customers’ privacy. The phrasing was misleading at best. The government describe hardware encryption as being about ‘privacy’, but it’s not: it’s about security, and it’s not about hiding things from the government but from criminals. A truly secure lock keeps everyone out; any lock that doesn’t isn’t secure. The government being kept out is a side-effect, not the problem to be solved — keeping criminals out is what hardware encryption is all about.
Think of it like a safe in a wild west movie — the safe is designed to keep stuff inside safe from anyone who doesn’t have the key. The reason is to protect the money from the bandits, but as a side-effect, the sheriff can’t get in either.
You can have secure encryption, or you can have a back door, you can’t have both!
Apple responded by pointing out (again) that they handed over lots of data to law enforcement ‘within hours’ of the shooting. Everything they had in iCloud, and any other logs or metadata they had, was promptly handed over. To describe complete and prompt cooperation like that as Apple refusing to help the government is factually incorrect.
Links
- FBI finally unlock shooter’s iPhones, Apple berated for not helping — nakedsecurity.sophos.com/…
- Apple denies “false claims” by Justice Department over Pensacola attack — www.imore.com/…
- How the FBI Cracked Pensacola Shooter’s iPhone: An Automated Passcode Guesser — daringfireball.net/…
Deep Dive 2 — The BIAS Bluetooth Attack
Security researchers have found a flaw in recent versions of the Bluetooth spec that breaks the security of pairing, allowing attackers to impersonate any previously paired Bluetooth device and access all information that device has access to.
Because this is a problem with the specification, all Bluetooth devices implementing affected versions of the spec are vulnerable.
Affected Apple devices include:
- iPhone 8 and later
- 2017 MacBook Pro and later
- 2018 iPad and later
The group responsible for maintaining the Bluetooth spec (Bluetooth SIG) have promised to release an update to the spec to address the problem. Hardware vendors will then need to produce updated firmware that obeys this new spec and push that out to all devices. That’s going to take time.
For now, the only defence is to disable Bluetooth if you don’t need it. One silver lining is that attackers need to be within Bluetooth range to exploit this vulnerability.
Realistically, many of us will have no choice but to keep Bluetooth enabled, so we just need to be aware that if we’re in a crowded place, or a place we know to be hostile, it might be wise to turn off Bluetooth on our phones!
Links
- The research paper describing the flaws — francozappa.github.io/…
- The statement on the flaw from Bluetooth SIG (Special Interest Group) — www.bluetooth.com/…
- Bluetooth ‘BIAS’ Attack Affects Some Apple Devices — www.macobserver.com/…
Deep Dive 3 — The unc0ver iOS Jailbreak
Just days after the release of iOS 13.5, a new jailbreak has been released that can be run on any iOS device that can run a currently supported version of iOS.
The jailbreak depends on a bug in the iOS kernel, and requires a USB connection to a computer to trigger. The jailbreak does not survive reboots, so you need to have the phone tethered each time you reboot to retain the jailbreak.
Like all jailbreaks, this one depends on an iOS security vulnerability, so it will just be a matter of time until Apple reverse-engineer the jailbreak to find the bug, and then fix it.
Because the jailbreak requires a USB connection it can’t be triggered remotely, so it’s only a security risk in places where you lose physical control of your iOS device, like when crossing borders. Since a reboot removes the jailbreak, it might be wise to power-down your phone when crossing certain borders.
Links
- The jailbreak’s official site — unc0ver.dev/…
- Meet unc0ver, the new jailbreak that pops shell—and much more—on any iPhone — arstechnica.com/…
- New iPhone jailbreak released — nakedsecurity.sophos.com/…
❗ Action Alerts
- Apple Security Updates
  - iOS 13.5, including Exposure Notification API & face mask detection to speed up password entry — 9to5mac.com/…
  - Mac, Safari & iCloud for Windows — www.us-cert.gov/…
- Adobe “out of band” critical patch – get your update now! — nakedsecurity.sophos.com/…
- Docker Desktop danger discovered, patch now — nakedsecurity.sophos.com/…
Worthy Warnings
- Edison Mail Bug Allowed Access to Email Accounts of Other Users — daringfireball.net/…
- Shiny new Azure login attracts shiny new phishing attacks — nakedsecurity.sophos.com/…
Notable News
- Security researchers have announced Strandhogg 2.0, an Android vulnerability affecting Android 8 & 9 that allows malicious apps to masquerade as legitimate apps on a phone. The flaw does not exist in Android 10, and has been patched in Google’s May update, but at the moment that’s only available on Google-branded phones. Patches for other phones will start to come out, so patch as quickly as you can! — nakedsecurity.sophos.com/…
- It’s just been revealed that grey-hat security company GreyKey have been offering law enforcement a secret passcode-stealing tool named HideUI for a year, keeping it secret under NDA. Details are sparse, but the process seems to be that law enforcement take the device and plug it into a GreyKey, which booby-traps the device with a keylogger; law enforcement then trick the suspect into unlocking their phone, after which it is re-connected to the GreyKey device and the passcode is downloaded, giving law enforcement full access to the device — www.imore.com/…
- Chrome 83 adds DNS-over-HTTPS support and privacy tweaks — nakedsecurity.sophos.com/… & Google Chrome has just added a bunch of big privacy features — www.wired.co.uk/…
- Facebook Messenger adds safety alerts as it moves towards end-to-end encryption — www.imore.com/…
- 🇺🇸 FBI looking at your phone’s lock screen without a warrant unconstitutional, says Judge — www.imore.com/…
- 🇺🇸 A huge fight has erupted between the White House and Twitter because Twitter accurately flagged some of the President’s Tweets as misleading. Things escalated when Twitter flagged a further Tweet as inciting violence. The President has responded with an executive order that does not stand up to legal scrutiny:
  - Trump Executive Order Misreads Key Law Promoting Free Expression Online and Violates the First Amendment | Electronic Frontier Foundation — www.eff.org/…
  - Let’s go through Trump’s terrible internet censorship order, line by line — www.theverge.com/…
  - 🎧 A good (and quite short) explainer: RESET: Trump vs. Twitter — overcast.fm/…
- FYI: In Update to Privacy Policy, Twitter Gives More Data to Advertisers — www.macobserver.com/…
Palate Cleansers
- You can get accurate times to see the Crew Dragon pass overhead for anywhere in the world at Heavens-Above (remember to set your location!) — heavens-above.com/…
- Stanford to make its ‘Developing Apps for iOS’ course available online — www.imore.com/…
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |