• iphone,  lifestyle,  security

    Another Reason to Secure Your iPhone While Traveling

    Stephanie Condon, writing for ZDNet, has an interesting piece about smartphone data dumping by the US Customs and Border Protection service. According to Condon, the downloading, storing, and potential searching of Americans’ smartphones came to light by way of a letter sent to the agency by Sen. Ron Wyden (D-Oregon) about the practice.

    According to Wyden, CBP agents get American travelers to unlock their devices and then proceed to download the data into a government-controlled database. He calls such searches “warrantless,” and I completely agree. On his official Senate.gov website, Wyden is quoted as saying:

    “Innocent Americans should not be tricked into unlocking their phones and laptops,” Wyden wrote. “CBP should not dump data obtained through thousands of warrantless phone searches into a central database, retain the data for fifteen years, and allow thousands of DHS employees to search through Americans’ personal data whenever they want.”

    Senator Wyden’s full letter to Chris Magnus, Commissioner of the US Customs and Border Protection service, is available online.

    While I agree that all US citizens should comply with legally obtained and executed search warrants, I do not agree with the indiscriminate downloading of Americans’ smartphones just because they are crossing the US border.

    One way to protect yourself is to ensure that you have a strong passcode on your iPhone. A passcode a couple of words long is a strong defense against unauthorized access to the contents of your iPhone. A 6-digit or longer PIN code in place of a passcode is a good option too.

    Strong security and data privacy are a constant trade-off with usability. Who wants to keep entering an 18-character passcode/PIN just to unlock their iPhone? Not me. Biometric security, such as Face ID or Touch ID, is a good trade-off for most people. It offers good security and ease of use.

    When I read reports such as Wyden’s claims about the CBP, I have to think twice about the privacy of my personal information. As we learned with John Eastman, courts are willing to uphold requests to unlock smartphones using biometric systems. What courts aren’t willing to uphold is forced compliance with requests for passcodes and PINs.

    A good strategy that iPhone owners can use is to hard lock their device by pressing and holding the Side button (Power button) and either one of the Volume buttons for 3 seconds. This can easily be done while an iPhone is still in your pocket, purse, or bag. Once activated, Face ID, Touch ID, and Unlock with Apple Watch will no longer unlock your iPhone until the owner enters their passcode/PIN code.

    Starting with iOS 16, the new Lockdown Mode security feature will help protect customers and their data from common security vulnerabilities by trading convenience for security. Most people will never need this feature, but for those who do, it will help protect their privacy. Sometimes security is hard, but necessary.

  • politics,  rim,  security

    New Information on Deleted Secret Service Text Messages

    Excellent reporting by Lawrence O’Donnell and The Last Word team at MSNBC.

    During The Last Word telecast on July 21, O’Donnell detailed the facts of the case, as we know them, and raised very serious questions about the deleted Secret Service text messages from Jan. 5 and 6.

    In summary, O’Donnell reminds us that:

    • The Secret Service has a budget of $3B annually
    • The first of three emails informing staff to preserve records was sent by the Secret Service Office of Strategic Planning on Dec. 9, 2020
    • An undated Jan. 2021 email and a Feb. 4, 2021 email, sent by the Secret Service Chief Information Officer, remind staff of their obligation to preserve records and include instructions on how to do so
    • The Secret Service received the first written records preservation request before the physical act of exchanging agent smartphones for new devices
    • Ornato was promoted to the political post of White House Deputy Chief of Staff
    • The Secret Service runs a sophisticated cyber-crime organization and knows the legal obligations it has to handle and preserve records

    In my previous post on the Secret Service deleted text message fiasco, I suggested that we wait until more details about what happened were brought to light before placing blame on an IT staffer. Now it is beginning to look like the Secret Service, led by Director James Murray, either willfully ignored record preservation requests and established records and information management governance policies, or directly issued orders that the text messages be deleted from Secret Service-issued smartphones. With a $3B annual budget, the Secret Service has more than enough money, in my opinion, to digitally and physically archive any Secret Service agent’s smartphone that was even remotely involved with the events leading up to and taking place on January 6, 2021. To suddenly have digital records deleted, with no discussion that I have seen about going back to the physical devices used on Jan. 5 and 6, is unfathomable to me. The Secret Service knows how to perform digital forensics and records preservation.

    While it will likely be years before the full story comes out about what happened to the Secret Service text messages from Jan. 5 and 6, it is, in my opinion, growing more obvious that this situation has less to do with an IT staffer having a bad day and more to do with something politically motivated, possibly with criminal intent, having taken place.

  • mdm,  politics,  security

    About the Deleted Secret Service Text Messages from Jan. 5 and 6

    I was reading some of the coverage of the recently reported deleted text messages from US Secret Service smartphones from January 5 and 6, 2021.

    According to a Washington Post article:

    “The Department notified us that many U.S. Secret Service (USSS) text messages, from January 5 and 6, 2021 were erased as part of a device-replacement program,” he wrote in a letter dated Wednesday and obtained by The Washington Post. The letter was earlier reported on by the Intercept and CNN.

    There are a couple of details that are interesting about this situation.

    The first is that the messages are reported as having been deleted as part of a “device-replacement” program being run by the Secret Service.

    If you think about how we switch from an old iPhone to a new iPhone, we do a backup to iCloud, switch over to the new iPhone, and then restore the iCloud backup to the new iPhone. But a large organization like the US Secret Service will be using a mobile device management (MDM) solution.

    MDM solutions allow IT departments to remotely manage a fleet of mobile devices. They don’t necessarily back up devices. They are used to enforce security features, automate software deployments, and, in the case of a lost or stolen device, securely erase devices that still have Internet access.

    In my opinion, having managed a corporate fleet of smartphones, the most obvious explanation is the most likely one. New smartphones are purchased and activated, given to their new owners, and the owner signs into the MDM tool on the new smartphone to deploy the default configuration.

    While corporate email is stored on the server to be downloaded by the new device, plain old text messages, the ones that travel over the cellular network, are not.

    Specifically, what is and what is not backed up and restored during a smartphone refresh effort depends, obviously, on the migration software and procedures used by technicians during the cutover.

    In this first case, there is likely a contract IT staff member who is having a very bad day today if they made a mistake that prevented text message data from being migrated.

    The second detail, and the one that can land someone in legal trouble, is if someone in the Secret Service or their IT management firm willfully instructed someone to erase smartphones, or, by omission, left out a migration step to transfer or archive text messages.

    This case is clearly supercharged by the US House Select Committee’s investigation of the January 6th attack on the United States Capitol and by your position on The Big Lie. Deleted text messages, whether by mistake or intentionally to obstruct justice, are only going to add more fuel to the debate.

    Colossal IT screw up or nefarious coup plot cover up?

    In my nearly three decades of IT experience, this feels like a poor IT staffer somewhere had a very bad, no good, rotten day.

    Let’s get all of the facts about what happened before blaming IT staff.

  • apple,  ios 15,  iphone 13,  security

    Apple Releases iOS 15.0 Build 19A346

    On Friday, I received my iPhone 13 Pro Max which I am really enjoying. Yesterday, while out and about, I happened to check Software Update, and noticed that Apple released an iOS 15.0 update with build number 19A346.

    In the above screen captures, you can see iOS 15.0 as shipped on iPhone 13 Pro Max (left) and iOS 15.0 on the same iPhone 13 after updating (right). The release notes did not say much other than it was a security update.

    “This update provides important security updates and fixes an issue where widgets may revert to their default settings after restoring from a backup.”

    The link provided in the release notes to the Apple Security Updates page had not, as of the time of this post, been updated with the details of iOS 15.0 19A346.

    However, a piece by Jim Salter writing for Ars Technica may shed some light as to what’s going on.

    “[A] security researcher who goes by illusionofchaos dropped public notice of three zero-day vulnerabilities in Apple’s iOS mobile operating system. The vulnerability disclosures are mixed in with the researcher’s frustration with Apple’s Security Bounty program, which illusionofchaos says chose to cover up an earlier-reported bug without giving them credit.”

    Apple has received criticism in the past for being slow to acknowledge bugs reported by security researchers. And, when vulnerabilities are confirmed, Apple can be equally slow to credit researchers and provide pay outs as part of the company’s Security Bounty program.

    According to Salter, the security researcher who goes by the name illusionofchaos has posted example code showing how the exploits work, meaning that a nefarious programmer can use the code to whip up a new malware attack against iOS devices.

    My suggestion is that anyone who is running iOS 15.0 check Settings > Software Update for iOS 15.0 (19A346) and install it as soon as reasonably possible.

    Interestingly, the same update was not available for my 10.5-inch iPad Pro nor my iPhone XR running the iOS 15.1 Public Beta.

  • mac os x,  macintosh,  security,  vintage

    Mac OS X 10.4 Tiger’s Java Updates

    Running Mac OS X Tiger? You’ll have some Java updates to apply!

    When restoring vintage Macs, I like to upgrade Mac OS / Mac OS X / OS X to the latest release to make sure that I have the very latest software on my gear. For my latest project, I am installing Mac OS X 10.4 Tiger and all of the available updates from DVD and Software Update. Looks like Java has had quite a few updates.

  • firefox,  mozilla,  security

    Upgrade Firefox Now

    In an eyebrow-raising announcement, users of Mozilla’s Firefox browser are urgently warned to upgrade to Firefox 72.0.1, Firefox Extended Support Release (ESR) 68.4.1, or Thunderbird 68.4.1 (which uses the Firefox engine), or later, right away.

    All software has bugs, and Mozilla’s software is no exception. Also, bad guys will ruin everything on the Internet.

    What makes this warning from the United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) so important is that there are active attacks being made against Firefox through compromised websites that have been infected with malicious web pages. Once an unpatched version of Firefox is successfully exploited, an attacker will be able to gain control over the Mac or Windows PC that the browser is running on.

    The CISA cybersecurity warning reads:

    “Mozilla has released security updates to address a vulnerability in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.

    The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Mozilla Security Advisories for Firefox 72.0.1 and Firefox ESR 68.4.1 and Thunderbird 68.4.1 and apply the necessary updates.”

    Mozilla has provided directions for upgrading your copy of Firefox to the latest release on their support website.

    Keep yourself safe. Apply this update, even if you normally do not like to apply software patches and upgrades.

  • apple,  ios 11,  mac os x,  security,  update

    Apple Issues ‘Meltdown’ and ‘Spectre’ Patches for iOS, macOS, Safari


    Today, Apple has posted a set of updates that are designed to patch recently reported vulnerabilities found in Intel and ARM CPU processors. These are very important security updates. You should install them as soon as you can.

    Apple Software Updates


    Ready for your downloading and installing pleasure are:
    * iOS 11.2.2 for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
    * macOS High Sierra 10.13.2 Supplemental Update
    * Safari 11.0.2 for OS X El Capitan 10.11.6 and macOS Sierra 10.12.6

    The Apple support website always links to the latest security patch updates.

    The Short Story

    The vulnerabilities, which impact all modern Intel and ARM CPUs, can be found in just about every PC, smartphone, and tablet on sale. Microsoft Windows, Linux distributions, and hardware vendors all need to release patches to prevent the “Meltdown” and “Spectre” vulnerabilities from being exploited and granting cyber-attackers access to highly sensitive data that is held in a computer’s protected memory space.

    Confused about all of these processor vulnerabilities and patches? It’s totally understandable. If you really want to understand what’s going on, check out Rene Ritchie’s excellent Meltdown and Spectre FAQ at iMore.com.


  • airport,  apple,  ios,  mac os x,  security,  tvos,  watchos

    With a Pair of AirPort Updates, Apple Completes Wi-Fi Vulnerability Patching

    On December 12, Apple released a pair of AirPort firmware updates to close the WPA2 key reinstallation attack vulnerability. The vulnerability was first publicly announced in October, after vendors had been alerted to it much earlier in the year.

    Apple AirPort Extreme/AirPort Time Capsule base station firmware version 7.7.9 and AirPort Express firmware 7.6.9 both include the patch that protects against the WPA2 key reinstallation attack. The Common Vulnerabilities and Exposures (CVE) numbers that these patches address are CVE-2017-9417, CVE-2017-13077, CVE-2017-13078, and CVE-2017-13080.

    The AirPort firmware updates can be applied using the iOS AirPort Utility, available for free from the Apple iOS App Store. If you have an Apple AirPort running in your home or office, you need to update it right away to close this serious vulnerability.

    About this time last year, I wrote about my doubling-down on Apple AirPort hardware in the face of media reports (aka rumors) that Apple had abandoned the AirPort product line. I still hold that there are much better Wi-Fi solutions available today, even for die-hard Apple fans like us. The Wirecutter (https://thewirecutter.com/reviews/best-wi-fi-mesh-networking-kits/) has a very good review of mesh network Wi-Fi devices from vendors such as Eero and Netgear. You really should be running them over Apple’s AirPort at this point. Still, despite Apple reportedly walking away from AirPort, as a customer, I am glad that Apple took on the task of releasing a pair of security updates for the aging devices. It seems only fair to customers, since Apple is still selling the AirPort hardware online and in retail stores.

    What About My Other Apple Gear?

    Apple updated iOS 11, macOS, watchOS, and tvOS back in October. If you are running iOS 11.1, watchOS 4.1, tvOS 11.1, or the latest versions of macOS High Sierra 10.13, Sierra 10.12, or El Capitan 10.11, you have already installed the WPA2 patch. Use the Software Update feature of these operating systems to verify that you are up to date, or install the latest software releases if need be.

    If you are still running macOS/OS X Mavericks 10.10, you should consider upgrading to High Sierra to gain the WPA2 patch. Mavericks and earlier versions of macOS will not be patched.

    What About Everything Else?

    The WPA2 key reinstallation vulnerability is not a flaw or vulnerability that is specific to Apple hardware and software. It is a flaw in the WPA2 protocol itself. Thankfully, the flaw can be fixed with software. What that means, though, is that to improve your chances of being protected against attacks using the WPA2 vulnerability, you must patch all of your Wi-Fi equipment, including routers/modems, smart devices (i.e., light bulbs, switches, and cameras), TVs, Blu-ray players, and gaming consoles, for example.

    Learning More About the WPA2 Vulnerability

    To learn more about the KRACK WPA2 key reinstallation vulnerability, and to see just how catastrophic the vulnerability can be, see Mathy Vanhoef’s summary website and Krebs’ What You Should Know About the ‘KRACK’ WiFi Security Weakness blog post.


  • apple,  mac,  security

    Apple Issues Security Update for ‘root’ Vulnerability


    Yesterday, an unusually dangerous security vulnerability in macOS 10.13.1 High Sierra was uncovered. Less than 24 hours later, Apple has issued a patch to correct the situation. The vulnerability allowed access to the Unix ‘root’ account – the most powerful ID on a Unix system – without the use of a password.


    Apple support article HT208315 gives you the specifics about this vulnerability. If you haven’t already done so, go to the Mac App Store and install Security Update 2017-001. It is a small update that does not require the Mac to be rebooted.

    John Gruber over at Daring Fireball received a statement from Apple stating the company’s regret and apology for rolling out High Sierra 10.13.1 with this bug in it. The statement to Daring Fireball also noted that “starting later today it will be automatically installed on all systems running the latest version (10.13.1) of macOS High Sierra.”

    It was later reported, again by Gruber, that the Security Update 2017-001 patch inadvertently breaks file sharing in macOS High Sierra. If you experience the post-Security Update 2017-001 file sharing bug, Apple has posted support article HT208317 on how to fix file sharing. To apply the file sharing bug fix, open Terminal.app and issue the command:

    sudo /usr/libexec/configureLocalKDC

    There is no output from the command. When you are done, quit Terminal.

  • apple,  ios 9,  iphone 6 plus,  iphone 6s,  security

    The Curious Case of the iOS 9.3.1 “Hey, Siri” Contacts, Photos Vulnerability

    Late last night, my father, of all people, tipped me off to a story making the rounds on the Internet about a security vulnerability with an iPhone 6s or iPhone 6s Plus running iOS 9.3.1. The reported vulnerability allowed a malicious user to bypass the iPhone’s lock screen using the hands-free “Hey, Siri” command. When successfully executed, an attacker would be able to see all of the contacts and photos on the device.

    Quartz has an article up on their site that starts off with:

    “You might want to wait before downloading the latest version of Apple’s operating system for iPhones.

    If you own an iPhone 6S or 6S Plus and have upgraded to iOS 9.3.1, other people can access your contacts and photos without entering a passcode to unlock the phone. It’s an elaborate and finicky but nonetheless startling loophole.”

    With my iPhone 6s Plus unlocked and running iOS 9.3.1, the “finicky” exploit worked. However, if I repeated the process with my iPhone locked, the attack was stopped dead in its tracks.

    This morning, when I tried to reproduce the attack, I received a notice from Siri that I needed to unlock my iPhone first. I made this short video, which was posted to YouTube this afternoon.

    [youtube https://www.youtube.com/watch?v=O_BrmKI3W9Y]

    Oddly, the security settings that AppleInsider.com reported as needing to be turned off to prevent the attack were still enabled on my iPhone. Curious.

    So what happened?

    This afternoon, Fortune.com has an article up reporting that the Siri-related problem was corrected by Apple from Apple HQ.

    “While initial reports and claims from the bug’s discoverers said that the issue was an iOS 9 glitch, it turns out it was a Siri problem. On Tuesday morning, after seeing the rash of reports on the issue, Apple issued an update to Siri fixing the problem. Therefore, users who were previously subject to the issue are now safe and do not require a software update to get the fix.”

    Security and privacy conscious iPhone 6s and iPhone 6s Plus users can go back to their day without further worry.