Google Investigation Shows Apple Was Right About Face ID

Take this with a grain of salt because this tweet is all I’ve seen about this. But David Ruddock of AndroidPolice mentioned a Google investigation trying to determine if certain types of fingerprint sensors are secure.

Another CES Story: I’ve heard Google is currently investigating whether current optical fingerprint sensor designs are secure enough to be used for TrustZone auth (mobile payments, banking apps, etc). There is real concern optical FPRs may be too easy to spoof.

Although facial recognition came to Android first, it was there for convenience as a way to unlock your device. But Apple added it for security, and it looks like they bet on the right horse.

Federal HTTPS Certificates Not Renewed Because of the Government Shutdown

The U.S. Government shutdown has affected a whole host of areas in the public sector. One that might not immediately spring to mind, but is rather important nevertheless, is federal HTTPS certificates. TechCrunch looked into the issue and compiled a list of all the federal HTTPS certificates that have expired or are about to expire. It included domains that redirect to the Congressional Record and websites for agencies such as the Federal Energy Regulatory Commission. If you go to one of the sites with an already expired HTTPS certificate, such as disasterhousing.gov, you get a warning that the site might not be secure.

During the government shutdown, security experts noticed several federal websites were throwing back browser errors because the TLS certificate, which lights up your browser with “HTTPS” or flashes a padlock, had expired on many domains. And because so many federal workers have been sent home on unpaid leave — or worse, working without pay but trying to fill in for most of their furloughed department — expired certificates aren’t getting renewed. Renewing certificates doesn’t take much time or effort — sometimes just a click of a mouse. But some do cost money, and during a government shutdown, there isn’t any.

Collection 1 is a Massive New Data Breach

Troy Hunt, creator of the Have I Been Pwned? tool, wrote a blog post about the latest data breach called Collection 1.

Let’s start with the raw numbers because that’s the headline, then I’ll drill down into where it’s from and what it’s composed of. Collection #1 is a set of email addresses and passwords totaling 2,692,818,238 rows. It’s made up of many different individual data breaches from literally thousands of different sources.

To find out if your account credentials were leaked, visit haveibeenpwned.com.

EU Does Not Have a Coordinated Plan to Fight Election Hacking

LONDON – The EU does not have an overall plan to deal with hackers seeking to disrupt its election in May 2019. According to a feature in Wired, each of the 27 states that will be in the EU when the election takes place is expected to secure the vote in its own country. Consequently, smaller member states could be left vulnerable, and cyber-attacks or disinformation could have a serious effect on the election results.

If a tiny member state is left to go it alone against Russia’s state-backed hacking teams and disinformation brigades, the calculus of the European Parliament could be engineered by a third-party state to tilt in its favor. The stakes are huge, and some say the EU hasn’t faced up to the enormity of the issue.

Bounty Hunter Successfully Tracked Down a Phone

AT&T, Sprint, and T-Mobile sell access to customers’ location data. As an experiment, Joseph Cox paid a bounty hunter to locate a phone, and it worked.

The bounty hunter did this all without deploying a hacking tool or having any previous knowledge of the phone’s whereabouts. Instead, the tracking tool relies on real-time location data sold to bounty hunters that ultimately originated from the telcos themselves, including T-Mobile, AT&T, and Sprint, a Motherboard investigation has found. These surveillance capabilities are sometimes sold through word-of-mouth networks.

The technology apparently works on all mobile networks, but there was some issue with Verizon. Shady practices like this are why we need an American GDPR, as well as a better FCC.

Find Out If Your Data Was Leaked With This Data Breach Tool

Have I Been Pwned? is an app and website that helps you find out if your information was included in data breaches. It’s easy to use: just enter your email address. Have I Been Pwned? lets you search across multiple data breaches to see if your personal data was compromised by any of the big hacks on record. The app includes no  or automatic collecting of private data, searching among published databases and so-called pastes, real-time updates through push notifications when new breaches happen, and background information on certain hacks, with relevant links to more information. The app is also open source software, available on GitHub. App Store: Free