Feedback & Followups
- Passkeys continue to roll out:
Deep Dive 1 — iLeakage
TL;DR: the threat is real, but, at least for now, the risk to regular users is low.
A new speculative-execution bug has been found, and unlike most, this one can be exploited remotely. Most speculative-execution bugs require the attacker's code and the victim's code to be running on the same physical CPU, so in practice they matter mostly in multi-tenant cloud environments. This one is different: the attack runs entirely inside Safari, so it can be launched from a malicious web page, and it can read data belonging to another page that Safari is running in the same process on the same CPU (for example, a page the malicious page has opened itself).
This issue affects Apple's A-series and M-series CPUs, i.e. essentially all iPhones and iPads, and all Apple Silicon (non-Intel) Macs.
There are a few silver linings though. First and foremost, this is not a quick attack, and it's not easy to deploy, so the real-world risk for regular folks is low. If, however, you're important enough to be of interest to a nation-state, you need to take this seriously.
Secondly, Apple have a fix in the works. Safari on the Mac already has an experimental feature that can be enabled with a little Terminal trickery (enable Safari's hidden Debug menu, then turn on the WebKit internal feature "Swap Processes on Cross-Site Window Open"). It stops a page from another site sharing a process with the page that opened it, which blocks the side channel. The expectation is that this fix will soon be enabled for all Safari users.
Finally, Lockdown Mode protects against this vulnerability, so if you're important enough to be in the cross-hairs of a nation-state, make sure you've enabled it. To be honest, anyone likely to be targeted by this attack should already have been running in Lockdown Mode, regardless of this latest bug.
Links
- The most comprehensive writeup I found: iLeakage Attack could let hackers steal passwords, data from Safari on Macs — www.intego.com/…
- Hackers can force iOS and macOS browsers to divulge passwords and much more — arstechnica.com/…
Deep Dive 2 — iOS Private WiFi Address Fixed
Since the iPhone 5, Apple have supported randomised MAC addresses on their Wi-Fi chips while a phone is scanning for available networks. This means that as you walk about, your iPhone is constantly changing MAC address, so it can't be tracked over time by the networks it passes.
This feature was not broken and didn’t need a fix.
Until iOS 14, once you connected to a Wi-Fi network your device reverted to its true MAC address. That changed in iOS 14 with the introduction of the Private Wi-Fi Address feature. With it enabled, iOS uses a different, randomly chosen, but persistent MAC address for each network you join. Your device therefore doesn't keep changing MAC within a network, so static DHCP assignments still work, but it presents a different MAC on each network, preventing cross-network tracking.
From the point of view of the low-level network protocols this worked perfectly, but researchers discovered that, until iOS 17.1, the true MAC address was leaked in the metadata of a Bonjour (mDNS) UDP packet that iOS devices send when they join a network.
This means that, while our phones did appear to network-management tools to be different devices on each network, anyone sharing a network with us could have run a sniffer, found and decoded the Bonjour broadcasts from our phones, and mapped our random MAC addresses to our true MAC addresses.
The fact that the MAC address was leaking within joined networks is not good, but it's nowhere near as bad as it would have been had it leaked while not joined to a network, or at the lower Ethernet or IP layers.
It should be noted that the entire Private Wi-Fi Address feature is a nice-to-have, not a critical security feature, so there's definitely no need to lose any sleep over this.
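To make the cross-network correlation described above concrete, here is an added example (not code from the original post or from the researchers). It works over constructed sniffer observations: for each Bonjour packet it records the link-layer source MAC and a MAC-looking value found in the packet's payload. The payload field is an assumed placeholder, not a model of the exact Bonjour record iOS used. The one reliable check is the "locally administered" bit in a MAC's first octet: randomised addresses, including iOS Private Wi-Fi Addresses, set it, while burned-in addresses from a vendor OUI do not, so a randomised source MAC whose payload carries a burned-in MAC is a leak.

```python
"""Added example: detecting a Private Wi-Fi Address leak in captured
Bonjour/mDNS traffic and correlating devices across networks.

All observations below are constructed for illustration.  The
`payload_mac` field is an assumed stand-in for wherever the real leak
put the address; it is not the actual Bonjour record format.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (bit 1 of the first octet) is set.

    Randomised MACs set this bit (second hex digit is 2, 6, A or E);
    burned-in, vendor-assigned MACs leave it clear."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


@dataclass(frozen=True)
class Observation:
    network: str                 # SSID the sniffer was joined to
    src_mac: str                 # link-layer source MAC of the UDP/5353 packet
    payload_mac: Optional[str]   # MAC-looking value in the payload, if any (assumed field)


Leak = Tuple[str, str, str]      # (network, private_mac, true_mac)


def find_leaks(observations: List[Observation]) -> List[Leak]:
    """Flag packets sent from a randomised MAC whose payload carries a
    burned-in MAC: the Private Wi-Fi Address is being undone."""
    leaks: List[Leak] = []
    for o in observations:
        if o.payload_mac is None:
            continue
        src, leaked = o.src_mac.lower(), o.payload_mac.lower()
        if is_locally_administered(src) and not is_locally_administered(leaked):
            leaks.append((o.network, src, leaked))
    return leaks


def correlate_across_networks(leaks: List[Leak]) -> Dict[str, Dict[str, str]]:
    """Group leaks by true MAC -> {network: private MAC}.  A true MAC seen on
    more than one network is exactly the tracking the feature was meant to
    prevent."""
    tracked: Dict[str, Dict[str, str]] = {}
    for network, private, true in leaks:
        tracked.setdefault(true, {})[network] = private
    return tracked


# Constructed sample: one unpatched phone seen on two networks, one device
# using its real MAC with no leak, and one patched phone whose payload
# carries only its private address.
SAMPLE: List[Observation] = [
    Observation("Home", "da:1b:52:9c:3e:01", "3c:22:fb:aa:bb:cc"),
    Observation("Cafe", "6e:40:08:12:34:56", "3C:22:FB:AA:BB:CC"),
    Observation("Cafe", "a0:99:9b:01:02:03", None),
    Observation("Home", "f6:11:22:33:44:55", "f6:11:22:33:44:55"),
]

if __name__ == "__main__":
    for true, seen in correlate_across_networks(find_leaks(SAMPLE)).items():
        print(f"{true} appeared as {seen}")
```

Run on the sample, the true address 3c:22:fb:aa:bb:cc is tied to a different private MAC on "Home" and on "Cafe", which is the whole point: once a third party has that mapping, the per-network randomisation buys nothing. The patched device (f6:11:...) and the device using its real MAC with no payload value are correctly ignored.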
Links
- The least sensationalist report on the story to cross my radar: Apple Private Wi-Fi hasn’t worked for the past three years – Source: go.theregister.com — ciso2ciso.com/…
- Apple’s support page describing WiFi Privacy — support.apple.com/…
❗ Action Alerts
- Security researchers have released details of unpatched vulnerabilities in popular D-Link Wi-Fi extenders after the company failed to respond to their attempts at responsible disclosure. If you have one of these devices you may need to consider turning it off until D-Link issue a fix — www.bleepingcomputer.com/…
- Related: D-Link customer names and email addresses have also been leaked: D-Link confirms data breach after employee phishing attack — www.bleepingcomputer.com/…
- ARM have patched the Mali GPU driver used in many Android phones, and Google have seen exploits in the wild. If you can figure out whether your device is affected, and whether your vendor has shipped the patch, patch ASAP — thehackernews.com/…
- Android October security update fixes zero-days exploited in attacks — www.bleepingcomputer.com/…
- Linux users should be sure they're fully patched:
- Synology DiskStation users need to be sure their NAS devices are fully patched — thehackernews.com/…
- Microsoft Patch Tuesday has been and gone, with 4 zero-days fixed — krebsonsecurity.com/…
- Apple Patches Everything. Releases iOS 17.1, MacOS 14.1 and updates for older versions fixing exploited vulnerability – SANS Internet Storm Center — isc.sans.edu/…
Worthy Warnings
- There has been a major breach at 23andMe. At the very least there was a credential-stuffing attack that gave attackers access to the data of users who re-used passwords, and also to the data other users had shared with those accounts. Because of the sheer number of accounts breached, some security researchers are skeptical that there has not been a leak of passwords from 23andMe itself, but there is no firm evidence of such a leak — www.bleepingcomputer.com/… & www.bleepingcomputer.com/…
- Air Europa data breach: Customers warned to cancel credit cards — www.bleepingcomputer.com/… (Full card numbers, expiration dates, and CVV2 numbers stolen!)
- Casio discloses data breach impacting customers in 149 countries — www.bleepingcomputer.com/… (biggest risk is targeted phishing)
- Phishers Spoof USPS, 12 Other Natl' Postal Services — krebsonsecurity.com/… (Even Ireland's An Post was included, and Bart got multiple fake SMS messages from this campaign)
- There seems to be a spike in malicious Google Ads:
Notable News
- A reminder not to expose admin interfaces to the internet, and to always change the passwords from the defaults: Over 40,000 admin portal accounts use ‘admin’ as a password — www.bleepingcomputer.com/…
- Security Researchers earn over $1M for 58 Zero-days at Pwn2Own – the iPhone 14 & Pixel 7 survive unscathed, but the Samsung Galaxy S23 was hacked 4 different ways — www.bleepingcomputer.com/…
- A reminder of why we need Passkeys: security researchers warn that the EvilProxy Adversary-in-the-Middle (AiTM) MFA-bypass phishing-as-a-service toolkit is being widely used against users at US companies — thehackernews.com/…
- A report from the US Department of Homeland Security's Inspector General confirms that "CBP, ICE, and Secret Service Did Not Adhere to Privacy Policies or Develop Sufficient Policies Before Procuring and Using Commercial Telemetry Data", i.e. the government used location data collected by data brokers to illegally track people. The report makes 8 recommendations, and DHS has accepted 6 of them — appleinsider.com/… (CBP is Customs and Border Protection, and ICE is Immigration and Customs Enforcement)
- A timely reminder to be wary of goods peddled on social media: a report from the US Federal Trade Commission (FTC) shows Americans have lost at least $2.7Bn to social media scams since 2021, and given that the reporting rate is known to be low (perhaps as low as 5%), that's just the tip of the proverbial iceberg — www.bleepingcomputer.com/…
- Signal Debunks Zero-Day Vulnerability Reports, Finds No Evidence — thehackernews.com/…
- 1Password discloses security incident linked to Okta breach — www.bleepingcomputer.com/… (They spotted the problem straight away and nipped it in the bud before any serious harm could be done)
- This relates to a breach of the customer-support system at identity provider Okta, which is likely to have caused issues for many other companies too — thehackernews.com/…
- Microsoft announces plans for the retirement of two legacy technologies often abused by malware:
- VBScript is now deprecated. It will be converted to a Feature on Demand before being completely removed from Windows (no firm dates released yet) — www.bleepingcomputer.com/…
- Microsoft are extending the Kerberos authentication protocol that powers Windows domains so it can fully replace the deeply flawed and frequently abused legacy NT LAN Manager (NTLM) authentication mechanism — www.bleepingcomputer.com/… & thehackernews.com/…
- Related: Microsoft is also extending how long it retains Microsoft 365 audit logs, following the successful attacks by Chinese hackers against Office 365 tenants used by western governments — www.bleepingcomputer.com/…
- Some nice updates from Google
- Google Play Protect gets new AI-driven malware protection designed to protect all Android apps, even side-loaded ones, from the more advanced techniques being used to attack Android these days — www.bleepingcomputer.com/… & thehackernews.com/…
- Google Expands Its Bug Bounty Program to Tackle Artificial Intelligence Threats — thehackernews.com/…
- Google Chrome’s new “IP Protection” will hide users’ IP addresses — www.bleepingcomputer.com/…
- It's been a good few weeks for the good guys:
- Ukrainian activists hack Trigona ransomware gang, wipe servers — www.bleepingcomputer.com/…
- India targets Microsoft, Amazon tech support scammers in nationwide crackdown — www.bleepingcomputer.com/…
- U.S. DoJ Cracks Down on North Korean IT Scammers Defrauding Global Businesses — thehackernews.com/…
- Europol Dismantles Ragnar Locker Ransomware Infrastructure, Nabs Key Developer — thehackernews.com/…
Excellent Explainers
- Check In: Every parent should know this essential iOS 17 feature — www.cultofmac.com/…
- A nice guide from Apple on buying a second-hand iPhone safely: If you want to buy a preowned iPhone — support.apple.com/…
Interesting Insights
- An interesting approach being explored for safer AI models: Understanding Agentized LLMs: How to avoid making rogue AI — appleinsider.com/…
Palate Cleansers
- Best Scary Halloween Wallpapers for iPhone in 2023 — www.macobserver.com/…
- Excellent Newton documentary now on YouTube — appleinsider.com/…
- An excellent podcast mini-series on AI from Business Wars: The Rise of AI: The Next Big Thing – Episode 1 — overcast.fm/…
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| (a national flag) | The story is particularly relevant to people living in a specific country, or the organisation the story is about is affiliated with the government of a specific country. |
| | A link to graphical content, probably a chart, graph, or diagram. |
| | A story that has been over-hyped in the media, or "no need to light your hair on fire". |
| | A link to an article behind a paywall. |
| | A pinned story, i.e. one to keep an eye on that's likely to develop into something significant in the future. |
| | A tip of the hat to thank a member of the community for bringing the story to our attention. |