Kelly sits down with Bitwarden’s Gary Orenstein to talk about their password manager and how it can be both open source AND secure software. Learn more about setting up passwords and why it matters on Security Friday!
Security
Cryptomator 1.5.0 Update Adds New UI and Dark Mode
Recently released for customers, the new Cryptomator 1.5.0 update gives us a redesigned user interface, dark mode, and a new code structure.
Change Your Linksys Smart Wi-Fi Password Now
Linksys Smart Wi-Fi customers are being asked to change their passwords after hackers hijacked some accounts and changed router settings to direct users to malware sites.
The company decided to lock accounts and prompt a password reset because it couldn’t detect which accounts were hacked and which were not, and decided to act on all.
“Linksys is doing everything we can to make it tougher for the bad guys. But there are no guarantees,” Linksys said.
Russia Implicated in BGP Hijacking Incident This Week
Russian telecom company Rostelecom is implicated in a BGP hijacking incident which rerouted network traffic from Akamai, Amazon, Facebook, Google, and others.
BGP stands for the Border Gateway Protocol and is the de-facto system used to route internet traffic between internet networks across the globe…
BGPMon founder Andree Toonk is giving the Russian telco the benefit of the doubt. On Twitter, Toont said he believes the “hijack” happened after an internal Rostelecom traffic shaping system might have accidentally exposed the incorrect BGP routes on the public internet, rather than Rostelecom’s internal network…
But, as many internet experts have also pointed out in the past, it is possible to make an intentional BGP hijack appear as an accident, and nobody could tell the difference.
iPad Pro Adds Mac-Like Microphone Disconnect Feature
MacBooks with a T2 Security Chip have their microphones disabled when the lid is closed. Now the iPad Pro 2020 models have the same feature.
WireGuard VPN Gets Added to the Next Linux Kernel
I briefly mentioned WireGuard when I wrote of Cloudflare’s WARP beta. I think it’s something to add to your technology watch lists. It’s just not any old VPN app, it’s a VPN protocol that could very well replace current protocols like IPsec and OpenVPN, or at least be offered as an alternative. You can read the technical whitepaper here [PDF], along with this write up from Ars Technica.
WireGuard will now operate as either a Loadable Kernel Module (LKM) or built statically into the kernel itself. But whether static or loadable, it will be “in-tree”—which means it’s provided ready to go with the vanilla kernel itself, with no need for repackaging by the various distros. This puts it on the same footing as other supported drivers.
New Zoom Bug Can Be Used to Steal Passwords, Access Your Webcam, Microphone
Security researcher Patrick Wardle disclosed two Zoom bugs today. They can be used to steal Windows passwords and access your webcam and microphone. They do however require physical access to the machine.
In this blog post, we’ll start by briefly looking at recent security and privacy flaws that affected Zoom. Following this, we’ll transition into discussing several new security issues that affect the latest version of Zoom’s macOS client.
At this point, Zoom should just rewrite its software completely.
Cloudflare’s WARP VPN Enters Beta for macOS, Windows
Continuing its tradition of April product announcements, today Cloudflare announced that its WARP VPN is entering beta for macOS and Windows.
OpenWRT is Vulnerable to Remote Code Execution Attacks
For three years, router firmware OpenWRT has been vulnerable to remote code execution attacks.
The researcher also found that it was trivial for attackers with moderate experience to bypass digital-signature checks that verify a downloaded update as the legitimate one offered by OpenWTR maintainers. The combination of those two lapses makes it possible to send a malicious update that vulnerable devices will automatically install.
This is especially concerning because OpenWRT is commonly recommend by privacy advocates as an alternative to built-in proprietary router firmware.
Marriott Hit by Second Data Breach Affecting up to 5.2M People
Hotel chain Marriott International has suffered a second data breach, exposing the personal data of up to 5.2 million guests.
The breach, which began in mid-January 2020 and was discovered at the end of February 2020, saw contact details, including names, addresses, birth dates, gender, email addresses and telephone numbers exposed. Employer name, gender, room stay preferences and loyalty account numbers were also exposed.
Marriott has also said that at present it does not believe passports, payment details or passwords were exposed in the data breach.
It sounds like login credentials of two employees were stolen, likely through a social engineering attack.
7 Private Alternatives to Apple Apps and Services
Andrew found seven Apple alternatives to use if you don’t want your data shared with the FBI, including Bitwarden, Cryptomator, and more.
Security Friday, Kernel Extensions – TMO Daily Observations 2020-03-27
Dave Hamilton and Andrew Orr join host Kelly Guimont to discuss Security Friday news, and the new kernel extension alert popping up in the latest MacOS 10.15 update.
A Bug Existing Since iOS 13.3.1 Interferes With VPNs Encrypting Traffic
There’s a bug that’s been in iOS since version 13.3.1 that prevents VPNs from encrypting network traffic and could leak some of your data.
Cellebrite Releases Report of Digital Intelligence Trends 2020
Forensics company Cellebrite, mainly known for its iPhone hacking capabilities, released a report of top digital intelligence trends for 2020. One thing that stuck out at me:
…over 70 percent of officers are still asking witnesses and victims to surrender their devices…However, most people do not want to have their primary communication device taken away for an indefinite period. To combat this issue, 67 percent of agency management believe that mobility technology is important or very important to the agency’s long-term digital evidence strategy and 72 percent of investigators believe it is important to conduct in-the-field extractions of this data.
In other words, it sounds to me like LE wants the capability to extract data from devices on site, instead of sending it to a lab. Fast action is important for LE, but it may also be too fast for people to think about those pesky rights they have before handing their phone over.
Grayshift Increases Price as it Struggles to Hack iPhones
iOS forensics company Grayshift was forced to raise its prices last year, noting that “Forensic Access to iOS continues to increase in difficulty and complexity.”
“I think it’s going to get harder and harder to find these kinds of unlocking flaws, because Apple does control the entire stack,” Alex Stamos, director of the Stanford Internet Observatory and former Facebook chief security officer, previously told Motherboard. “I think a couple more hardware revisions of understanding the ways that these unlocks are happening and [Apple is] going to make it extremely difficult. Which then will bring this debate back…”
It’s a complex issue. On one hand it’s good news for Apple customers. On the other hand, it makes the government is fight tooth and nail to take away our security.
Financial Companies Expose 425 GB of Data in Insecure Database
Researchers found an insecure database thought to have belonged to Advantage Capital Funding and Argus Capital Funding. It contained over 500,000 records of personal and professional information.
Shadowserver Keeps the Web Safe. Now it Needs Help
A small nonprofit organization called Shadowserver helps keep the web safe. It scans almost the entire internet to create activity reports for network operators. It also hosts a database of 1.2 billion malware samples, freely accessible to everyone. But it needs to raise money to stay in operation.
For more than 15 years, Shadowserver has been funded by Cisco as an independent organization. But thanks to budget restructuring, the group now has to go out on its own. Rather than seek a new benefactor, founder Richard Perlotto says the goal is for Shadowserver to become a fully community-funded alliance that doesn’t rely on any one contributor to survive. The group needs to raise $400,000 in the next few weeks to survive the transition, and then it will still need $1.7 million more to make it through 2020…
I had never heard of Shadowserver but it’s clear the organization is important. You can become a sponsor to donate money here.
Security Friday, WWDC 2020 – TMO Daily Observations 2020-03-13
Charlotte Henry and Andrew Orr join host Kelly Guimont to discuss the new look for WWDC and Security Friday’s headlines and tips.
56 Apps Spy on Your Clipboard and Apple Doesn’t Care
Researchers found 56 apps that are spying on the iOS clipboard/pasteboard, like TikTok, New York Times, Fruit Ninja, and more. There are undoubtedly many more apps engaging in this behavior. And as I wrote in February, Apple doesn’t think it’s a problem.
We found that many apps quietly read any text found in the pasteboard every time the app is opened. Text left in the pasteboard could be as simple as a shopping list, or could be something more sensitive: passwords, account numbers, etc.
Sneak Peek: Here’s How a NordVPN Server Works
TechRadar Pro teamed up with NordVPN to give people an idea of what exactly goes on inside of a VPN server. It’s a fascinating glimpse into a technology ever-growing in popularity.
The session revealed that NordVPN’s Linux servers are configured with various tools that enhance security, privacy, and authentication. FreeRADIUS is used for authentication, while the squid proxy software is also used. SaltStack is used for correct server configuration, controlling the infrastructure.
How Worried Should You Be About Public USB Charging Stations?
Today DuckDuckGo published a post about the risks of using public charging stations. Technology exists that lets hackers install malware via these chargers. While I personally think the risk is a bit overblown, this is an argument I think can be added in favor of a portless iPhone.
Although it has become synonymous with charging, USB technology was initially developed with the aim of transmitting data. Thus, hackers can use these public charging stations to install malware on your smartphone or tablet through a compromised USB cable. This process, called “juice jacking”, allows hackers to read and export your data, including your passwords. They can even lock your device this way, rendering it unusable.
A Database of 500 iPhones Cops Tried to Unlock
Motherboard built a database of over 500 iPhones that law enforcement have tried to unlock. Many of them weren’t able to be unlocked at all.
Out of 516 analyzed cases, 295 were marked as executed. Officials from the FBI, DEA, DHS, Homeland Security and Investigations, the Bureau of Alcohol, Tobacco, Firearms and Explosives were able to extract data from iPhones in investigations ranging from arson, to child exploitation, to drug trafficking. And investigators executed warrants against modern iPhones, not just older models.
As mentioned, this provides useful data instead of the usual anecdotes. You can find the database here.
Proton Apps Receive Alternative Routing to Stop Censorship
Proton apps will get new alternative routing as a way to block attempts at censorship, whether it’s by governments, ISPs, or network admins.
Careless ‘Whisper’ Leaks Years of User Data
Whisper, an app for people to share their secrets, exposed user data like age, location, and more for years.
The records were viewable on a non-password-protected database open to the public Web. A Post reporter was able to freely browse and search through the records, many of which involved children: A search of users who had listed their age as 15 returned 1.3 million results.
The cybersecurity consultants Matthew Porter and Dan Ehrlich, who lead the advisory group Twelve Security, said they were able to access nearly 900 million user records from the app’s release in 2012 to the present day.
You can never be 100% secure but at least put a damn password on your server.