On March 21st, Motherboard announced that a group called the Turkish Crime Family had issued an ultimatum: unless Apple paid a ransom (ranging from $100,000 to $1M), 600 million Apple devices (phones, tablets and Macs) would be compromised, leading to theft of data and permanent erasure. The target date is April 7th.
The group has provided a subset of its list of AppleID credentials to various media sources so they could verify the credentials with their owners. It appears that there is some validity to the claim.
Apple states that its servers have not been compromised and that there is no systemic risk to Apple devices. Apple believes the credentials were part of the list of credentials stolen from LinkedIn.
Oh my Gawd!!! What should I do????
At the bottom of this post, I have some recommended actions that you should take.
But first, let’s look at this threat in a little more detail. First and foremost, the risk to Apple devices is most likely overblown. If they have a dump of usernames/passwords from other sources, they would be depending on folks using the same credentials across the accounts. Many folks do this and this would account for a significant number (certainly north of a million), but not 600 million.
Next, this is likely a credentials hack, since that’s the proof they’ve given. If they’d somehow managed access to the Apple servers in a manner that would allow a remote control erasure of devices from their servers, they’d have erased a chunk of devices to prove to Apple they could do it.
That said, make no mistake: your Apple devices may be at real risk. If you use the same password in multiple places, including for your AppleID, your risk is even higher.
Before discussing what you can do to mitigate your risk, one more comment on your AppleID. In past posts, I’ve discussed password management and the fact that certain accounts need more secure passwords than others. In those discussions, I focused primarily on financial and Cloud accounts. After all, that’s where your assets are controlled.
However, this issue has brought into sharp relief the importance of controlling your AppleID (and for Android users, your Google) credentials. These specific accounts are the master key into your digital realm.
Specifically for this issue, I’d recommend that you do two things to protect your Apple devices and the data stored on them (and in the iCloud):
- Change your AppleID password — Change your password to something that’s unique to your AppleID account and difficult to crack. I’d argue this could be a more important password than even your banking password. It should be long (more than 8 characters) and contain special characters and numbers. If you search for “How do I create a secure password” online, you’ll find plenty of sites with specifics. This blog also has several posts on the subject. This might be a great time to consider using a password manager; Keychain on Apple devices is very good, and there are third-party managers as well. Do this ASAP and do not wait until April 6th: there is no reason to believe that April 7th is the real date.
- Enable two-factor authentication — This adds the step of requiring additional authentication before taking action. It is something you should enable on all sensitive accounts, like financial ones. With the Apple version, it will also notify you immediately on all your devices when someone attempts to access your account from a new source.
To do either of these, go to https://appleid.apple.com, log in, and you’ll be presented with a screen that lets you change your password and enable two-factor authentication if it isn’t already on.
One final comment: if you’re an Android user, I’d recommend taking similar actions on your Google account. There is no doubt that if they have credentials to compromise AppleID accounts, they can also apply them to Google accounts.
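The two risks the post keeps returning to, a password reused across accounts and a password that fails the basic strength rules, can be checked mechanically against a password-manager export. This is an added example, not code from the post; the export layout and every account and password in it are constructed for illustration, and the strength rules are the post's own (more than 8 characters, at least one digit and one special character).

```python
"""Audit a password-manager export for reuse and weak passwords.
Master-key accounts (AppleID, Google) are reported first because they
control password resets for everything else.  The export format and the
sample entries below are constructed for this example."""
import hashlib
import string
from collections import defaultdict

# The accounts the post calls the master key into your digital realm.
MASTER_KEY_ACCOUNTS = {"appleid", "google"}
MIN_LENGTH = 9  # "more than 8 characters"
SPECIALS = set(string.punctuation)

# Constructed sample export; never paste a real export into a script.
SAMPLE_EXPORT = [
    {"account": "appleid", "user": "pat@example.com", "password": "Summer2016!"},
    {"account": "linkedin", "user": "pat@example.com", "password": "Summer2016!"},
    {"account": "bank", "user": "pat", "password": "7*Kq9!vR2m#Lp"},
    {"account": "google", "user": "pat@example.com", "password": "password"},
    {"account": "forum", "user": "pat", "password": "Summer2016!"},
]


def password_problems(pw):
    """Return the strength rules a password fails, as a list of strings."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    return problems


def fingerprint(pw):
    """Hash the password so the report never carries the plaintext."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()[:12]


def audit(entries):
    """Return {account: [issues]} with master-key accounts listed first."""
    by_fingerprint = defaultdict(list)
    for e in entries:
        by_fingerprint[fingerprint(e["password"])].append(e["account"])
    report = {}
    for e in entries:
        issues = password_problems(e["password"])
        peers = [a for a in by_fingerprint[fingerprint(e["password"])]
                 if a != e["account"]]
        if peers:
            issues.append("reused with: " + ", ".join(sorted(peers)))
        if issues:
            report[e["account"]] = issues
    # Master-key accounts first, then alphabetical.
    ordered = sorted(report, key=lambda a: (a not in MASTER_KEY_ACCOUNTS, a))
    return {a: report[a] for a in ordered}


if __name__ == "__main__":
    for account, issues in audit(SAMPLE_EXPORT).items():
        tag = "MASTER KEY" if account in MASTER_KEY_ACCOUNTS else "account"
        print(f"{tag:10} {account:10} {'; '.join(issues)}")
```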
There is a 3-part bug in iOS that can allow someone to install malicious software on your iPhone, iPad, etc. The net result is that your entire device is at risk, including passwords, camera and other sensitive data.
The exploit has been used to gain access to the devices of dissidents and news sources.
Here is some additional information:
I highly recommend that you upgrade ASAP. Stay Safe!
On April 17, 2016, the CBS show 60 Minutes presented a segment by Sharyn Alfonsi on how hackable smart phones are. It’s a pretty alarming report and I’d highly recommend that you watch it before you continue reading this post.
The purpose of this post is to put that report into perspective. The segment raised significant issues, though the report itself was alarmist. Being alarmist will hopefully grab the attention of the purposely clueless, but it puts the normal user into a quandary: should I take a sledgehammer to my phone and only use a landline, or how can I ensure that my phone is reasonably secure?
The report covered basically two types of hacks:
- The ability to listen to phone calls and access call metadata via a bug in the SS7 protocol when using cellular.
- The ability to access a given phone’s data via social engineering techniques.
The social engineering hacks are easier for the user to defend against by following the same good hygiene one should follow on regular computers, like not opening unknown attachments and staying away from sketchy websites.
The SS7 hack is more troubling, since there is no way to defend against it or even to know it’s happening.
Let’s start with the SS7 hack. First some background.
SS7 is a very old protocol, developed in the ’80s to allow telecom companies (telcos or carriers) to exchange landline billing data. When you start a phone call (cell or landline), the caller’s telco enters a record into a database with metadata including start date/time, caller’s location, etc. When the call is connected, another record is created with the callee’s metadata. Whenever anything changes during the call, further records are created. Finally, when the call terminates, records are created.
This data is passed between telcos and is used to update billing data for their customers. For original landline calls, there are usually two records for a given customer, logging the start and end times along with the number called and where it is. You see the results of this on your phone bills. With cellular, several records are created as the call is handed off between cell towers, including location and roaming information.
Since this protocol should only be used by telcos, it should not be easy or even possible for hackers to get into it, especially in real time. Now, I’m not surprised that the protocol might have issues given its age; the real issue, in my opinion, is that the network connections that pass this data around are so vulnerable. Also, the fact that hackers can both obtain the metadata SS7 passes and listen in on phone calls exposes another vulnerability, since the SS7 data doesn’t actually capture what is discussed.
So given this, how alarmed should one be? At this point, not so much alarmed as concerned that this issue has existed for a long time (and has been reported on for a couple of years), yet no one seems to be in a hurry to plug the leak. I suspect that is because traditionally it has been very difficult for even skilled hackers to access this vulnerability. Even in the CBS report, they noted that the white-hat hacker group they profiled was given access to the SS7 data by a local telco. That’s great for identifying the problem, but it doesn’t indicate how likely it is that this vulnerability can be exploited in the wild.
A couple more notes on this hack:
- Tablets are not as vulnerable, since the phone number of the device was used to identify the device to access. Though tablets are assigned and use phone numbers to communicate with their cellular service provider, one would need to obtain the number, which is not public.
- I don’t know how or whether landline phones are vulnerable to having calls listened in on. After all, SS7 is also used to pass around landline metadata. One could reasonably assume that they could be vulnerable.
- There is some belief that US carriers are more secure than some foreign carriers. In the story they noted that the hacked phone was on a US carrier. It might be harder to hack into US carriers, but once in, it doesn’t matter where the target phone is.
Social Engineering hacks
The other hack they profiled was the ability to access and control a user’s cell phone via social engineering. The term “social engineering” groups together vulnerabilities that are exploited by enticing the user to take some action that enables the exploit, usually by permitting malware to be installed on the device.
One method they used in the CBS report was a ghost public wifi connection. The hackers provided a public wifi network that carried the name of the hotel, which looked real but was really a ghost. By connecting to this wifi, the hackers were able to access the data on the phone and control it.
Though it can be difficult to defend against this type of hack, there are actions one can take to minimize the risk:
- First and foremost, minimize the use of public wifi. For most of us, however, there are occasions when we must use public wifi connections.
- Don’t use just anyone’s wifi. I know of folks who actively search for wifi signals they can connect to without a password, some public and some private without security enabled. This is a bad idea.
- Ensure that your wifi router is properly protected with WPA2 security and a robust password. If your router supports guest accounts, enable one with a different (but equally robust) password. Only give that account to guests, which limits who has access to your primary local network credentials. BTW: guest wifi accounts have the added security benefit that your guests cannot snoop on your local network.
- Most public guest wifi networks require some form of authentication to use them (and don’t use one that doesn’t). In hotels, it will usually be some combination of your room number and last name. In other locations, there should be a method to get the proper credentials. In all cases, they will tell you the SSID (service set identifier, the name of the network). Be sure to connect only to that network, and be sure that you must use the provided credentials.
- If you find yourself connected to a wifi network that did not require the proper credentials, get off that network as quickly as possible.
- Laptops have firewalls included in the OS. Always ensure they are enabled when you are on any public network.
The other social engineering hack in the story was the email attachment trick. They sent an attachment which downloaded malware when opened. Alternatively, there are websites that will attempt to download malware onto your device.
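The "ghost" hotel network above is a look-alike problem: a network named like the venue, or carrying the venue's exact SSID but without the security the real one has. The following added example (not code from the post or the CBS segment) triages a Wi-Fi scan against the SSID the venue actually handed you; the scan entries, venue name and BSSIDs are all constructed.

```python
"""Triage a Wi-Fi scan against the SSID a venue actually gave you.
Flags (1) look-alike names: punctuation/case variants, the venue name
with extra words, or names within two typos of the given SSID, and
(2) the given SSID advertised with inconsistent security (one access
point WPA2, another open), a common sign of a rogue copy.
Scan entries are constructed; a real list would come from the OS."""
import re

# Constructed scan: (SSID, BSSID, security) as a laptop might list them.
SAMPLE_SCAN = [
    ("Harbor Hotel Guest", "aa:bb:cc:00:00:01", "WPA2"),
    ("Harbor Hotel Guest", "aa:bb:cc:00:00:02", "WPA2"),
    ("Harbor Hotel Guest", "de:ad:be:ef:00:01", "OPEN"),      # same name, no security
    ("HarborHotel_Guest", "de:ad:be:ef:00:02", "OPEN"),       # punctuation variant
    ("Harbor Hotel Free WiFi", "de:ad:be:ef:00:03", "OPEN"),  # venue name, extra words
    ("Harbor Hotle Guest", "de:ad:be:ef:00:04", "WPA2"),      # one transposition away
    ("Cafe Corner", "11:22:33:44:55:66", "WPA2"),             # unrelated network
]


def normalize(ssid):
    """Lower-case and keep only letters/digits so 'A-B' equals 'a b'."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squatted SSIDs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_lookalike(ssid, given_ssid, venue_name):
    """True when ssid is not the given SSID but could be mistaken for it."""
    if ssid == given_ssid:
        return False
    n, g, v = normalize(ssid), normalize(given_ssid), normalize(venue_name)
    return n == g or v in n or edit_distance(n, g) <= 2


def triage(scan, given_ssid, venue_name):
    """Return look-alike SSIDs and whether the given SSID has mixed security."""
    lookalikes = sorted({s for s, _, _ in scan
                         if is_lookalike(s, given_ssid, venue_name)})
    security_modes = {sec for s, _, sec in scan if s == given_ssid}
    return {"lookalikes": lookalikes, "mixed_security": len(security_modes) > 1}


if __name__ == "__main__":
    result = triage(SAMPLE_SCAN, "Harbor Hotel Guest", "Harbor Hotel")
    for name in result["lookalikes"]:
        print("look-alike network, do not join:", name)
    if result["mixed_security"]:
        print("given SSID is advertised with mixed security; verify with the front desk")
```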
Again, being alert is crucial:
- Don’t click on attachments in emails that are not from a source you trust or that seem odd, for example a friend or business associate saying “click on this to see something funny.”
- Don’t browse to sketchy websites.
- If your device asks whether you want to install something, be sure that’s what you’re trying to do. Basically, think before you click “Yes”.
- Only download apps from the appropriate on-line store, like the App Store for Apple devices.
Finally, the CBS report also profiled a company named Lookout (lookout.com). They provide an app for iPhones and Android phones that monitors your phone for malicious apps, can locate the phone, and backs up photos and contacts. There is a premium service that adds theft alerts. You can get it from your app store.
I downloaded and signed up for the free service. I decided not to use the location service or the backup service since I use Apple for those services. However, it did inform me that my device was up-to-date (and not jailbroken) and that my apps were safe.
I hope this helps. CBS performed a service by increasing our awareness of yet one more vulnerability in our technological lives. I just wish it had provided a little more context.
So, as most of my regular readers know, we are heavy Apple users, including MacOS and various iStuff. This means that for email, I use the mail apps shipped with both my MacOS and iOS devices.
Now, I’ve been in the high technology business for a very long time and I’m very tolerant when bugs and other issues pop up when using various technologies. In fact, I usually attempt to work the issues that I find with the vendor if they are receptive (and frankly, most aren’t).
However, there is a small list of features that absolutely, positively must work. When they don’t work, it has a major impact on your workflow and ability to do what you need to do on a computer.
Mail is one of these features. When email doesn’t work, it’s very disruptive. That is the topic of this post …
When I upgraded my Macs to the latest version of MacOS, El Capitan (10.11), I was dismayed to learn that the mail app didn’t work nicely with my email servers. The problem was that it kept reloading my inbox, which for long periods meant the inbox was not useful: what was displayed was not in date order, and what was on top were very old messages. It also impacted my backup solutions, since instead of backing up a few tens of MB it was now backing up many GB several times over a couple of days, which can get expensive.
Interestingly, it continued to work normally for all my iOS apps, as well as other mail apps on MacOS, including Microsoft Outlook. A large number of other MacOS users saw this problem. The only other common attribute was that the email server solutions are provided by GoDaddy.
One support thread that I used in my search for a solution can be found here. As you can see, I proactively worked with both Apple support and GoDaddy support (who host our email). Generally, I was very impressed with Apple support, until they decided that the problem was with GoDaddy and disengaged. GoDaddy support, on the other hand, was pretty useless and pointed to the El Capitan mail app as the problem, not theirs. They also used it to attempt to up-sell me to a more expensive email solution.
My workaround is to use an alternate mail app, in my case Outlook, which is oh-kay but not great, since moving away from the MacOS mail app has broken some of the features I was using, like filtering. (Yes, I know Outlook has filtering also, but I’ve set up many filters in Apple Mail.)
So, what can we learn from this fiasco?
- First and foremost, the more vendors that need to interact, the easier it is for each to point fingers at the other. In this case, Apple and GoDaddy simply blamed each other.
- The quality of the support options is important, though in this particular case, it fell flat. Until this particular problem, I’ve been very impressed with Apple support. Besides the Genius Bar, there is on-line and phone support. On the latter, most consumer products force you to pay for phone support. Apple does not.
- When dealing with technology, one needs to be flexible. The workaround in this case was to change out the mail app. As noted, not a complete solution, but it’s a workaround.
- Use the various support forums to see if others are seeing the problem. The more folks that see the problem, the more pressure is applied to the vendors to provide solutions.
Oh yeah, regarding the GoDaddy up-sell … stay tuned …
A couple days ago, I posted comments about the tension between the need for reliable and totally secure encryption and the needs for law enforcement to be able to access messages with the goal of finding terrorists before they act. See Privacy in the Wake of the Paris Attacks.
An article in today’s Boston Globe entitled In the age of ISIS, privacy still matters by Hiawatha Bray reminded me of a crucial element that needs to be considered in this discourse: even if the US and/or other western countries require encryption “back doors” in technology going forward, there are plenty of opportunities for terrorists and criminals to acquire and use secure communication apps that will not support such back doors.
This is no different than the problems of regulating criminal activity on-line. As long as the technology is developed in another country, it can’t be effectively regulated in the US.
In the rush to provide a very real but elusive law enforcement capability, the end result will certainly have a significant adverse impact on our nation’s on-line and computer leadership, as well as on your data’s security and privacy.
Like the vast numbers of people around the globe, I’m appalled and saddened by the events of November 13, 2015 in Paris. I feel for the families as well as for Western culture which, like 9-11, has taken a huge hit.
Which brings me to the issue of private and secure communication and data. A number of commentators in the US have been railing against commercial apps that offer unbreakable encryption, which were likely the methods the terrorists used to communicate among themselves. Regardless of which side you fall on regarding privacy against governmental snooping, having no way to intercept terrorists’ messages that lead to an event like Paris is a legitimate problem.
Vendors like Apple have listened to the concerns of their customers (post the Snowden revelations) and have provided very powerful encryption on certain communications and data for which the decryption keys are kept on the user’s device not on the server side. This is a huge advance, since even a hacker breach of the vendor’s servers will not compromise the encrypted data. For example, did you know that iMessage on iOS and MacOS is securely encrypted in this manner? (See the TechCrunch article for more information.) Same with Keychain on MacOS. Without this level of security, Cloud services are simply too porous to store extremely sensitive data. However, since the vendors do not have access to the keys, they can’t provide them to law enforcement.
The Paris attacks demonstrate the rub: legitimate, lawful access by law enforcement (including the NSA) to private communications and data is important to help prevent, or at least anticipate, attacks like we saw in Paris. It’s really problematic that the French authorities didn’t see it coming.
As readers of this blog are aware, I’m less concerned about governmental agencies in the US spying on me. In some other countries, I’d be much more concerned about this. What I am concerned about is the amount of data being collected about me (and others) in the name of commerce, in conjunction with the apparent lack of adequate safeguards on my data by various entities (both governmental and private). I do not trust that my communications and data will not be released into the wild. For some stuff, that’s fine. However, for other stuff, it’s a huge problem that has been largely mitigated by secure encryption that permits me to hang onto the keys.
So, what to do?
There’s going to be renewed debate whether governmental agencies, with appropriate safeguards, will be able to have a backdoor into your private communication and data. This time, the momentum will be much more in favor of it. I welcome the discourse. In my opinion, we need to solve this issue and soon. On the surface, governmental access vs. private and secure data appear to be mutually exclusive goals. I’m hoping we can come up with a reasonable compromise that satisfies both needs.
However, we all need to be diligent to ensure that lawmakers and others don’t gut the safeguards that currently exist.
Viva la France!
November 19th Update: I neglected a crucial element in the discussion of this issue. It turns out that there are other ways to get encrypted apps, even if the US government mandates some form of back-door. The end result is no real benefit, while potentially allowing your data’s security and privacy to get into the wild. Please read Update on the encryption issue post the Paris attacks for more on this.
I’d like to approach a topic that might not exactly be within the purview of this blog, but it is related: skimmer fraud. Most likely, you’ll run into skimmers at ATMs and at exposed point-of-sale terminals like those on gas pumps.
So, what’s a skimmer?
It’s a device that attaches to the card slot of an ATM or point-of-sale terminal to copy or “skim” the data from your credit card’s magnetic strip as you swipe or insert the card. It’s frequently coupled with a device to capture your PIN as you enter it, either a faux keypad that lies on top of the real keypad or a discreet camera placed above to watch you enter the PIN.
There is an interesting article in this week’s New York Times: Why ‘Smart’ Objects May Be a Dumb Idea. In it, the author Zeynep Tufekci, notes that with the rapid proliferation of smart things, enough hasn’t been done to secure them from hacking. There have been several examples recently of cars being hacked to demonstrate the dangers.
Though I’ve written about the Internet of Things in the past, specifically around the Nest thermostat, I’ve been surprised to hear how many items have been getting connectivity. Some items make sense: door locks, thermostats, lamps, televisions, automobiles. Others are a little surprising, like light bulbs, refrigerators and ovens. Yet others are frightening, like rifles.
The problem that they all share is how to keep them secure against hacking. At the most benign, hacking them can undermine privacy, even if it’s not clear why. Take Nest thermostats. Hacking into a Nest user’s account will show whether there is anyone at home. Whether at home or away, a fair amount of mischief is possible exercising control of the thermostat. On the other end of the spectrum, the threat of someone controlling your car is terrifying!
The general concern in the security community is that the various manufacturers are not implementing holistic security practices. Rather, they are reactively fixing discovered issues, but are not properly looking for and proactively fixing security weaknesses before they are identified by a third party or, worse, become exploitable “in the wild.” A perfect example is the auto hacking. Why has there not been a firewall between the Wi-Fi capability and the computers operating the car itself? That would be easy to do, with no loss of functionality, yet the manufacturers apparently didn’t see the need.
As a result, I’m personally slow-rolling on the Internet of Things. Yes, I have a smart TV and the Nests, but I’m not running out to purchase smart door locks, nor does my TV have a camera or microphone. Though one of our cars has Wi-Fi, we don’t really need it, so I’ve disabled it for now; the risk is currently not worth the reward.
Fortunately, the car hacks that the media have been yelling about of late were performed under laboratory conditions, which is to say that to hack the car, the researchers needed access to the vehicle at some point to retrieve the data required to get remote access to it. As a result, we’ve not yet seen any incidents in the wild.
What should you do? Like everything on-line these days, you need to evaluate the value you get from smart devices and weigh that against the risks posed. As always, do not take the enhanced capabilities at face value or, worse, buy in because it’s cool. The good news is that we’ve not yet seen widespread hacking of appliances and other “things”. That said, it’s probably a matter of time before it happens.
As readers of this blog know, I run Windows in a virtual machine (VM) on one of my Macs. Though I can do most everything on the Mac, there are a few apps that I depend upon that do not run on the Mac, so I run them on Windows. Also, I test various topics for this blog on both Windows and Linux VMs.
Before performing any change as major as upgrading your operating system, you should do a couple things:
- Ensure that your applications and devices are compatible. Check Microsoft’s Compatibility Center. I found the site to be helpful, but didn’t find everything I run on my Windows box, so I also needed to check with various app vendors.
- Back up your system! Let me say it again (with emphasis): BACK UP YOUR SYSTEM! Upgrades typically work fine, but they can go south and put you into a world of hurt if you’ve not backed up. See my post on Systematic Backups for more information. BTW: If you’re running in a virtual environment, simply take a Snapshot, which will permit you easily recover your system to a pre-upgrade state.
- Finally, be aware of a new feature that has serious security implications: Wi-Fi Sense.
Now that Windows 10 is available for upgrade, there is a new feature that you should know about prior to upgrading your system to Windows 10.
The new feature is called Wi-Fi Sense. Wi-Fi Sense allows you to share your Wi-Fi network credentials with friends and family without explicitly giving them the credentials. When enabled, Wi-Fi Sense copies your credentials into the Microsoft Cloud, where anyone on your Outlook, Skype or Facebook friends list can automatically connect with your Wi-Fi network when within range. It’s an interesting feature but personally, I think the security concerns far outweigh the benefits.
It comes enabled by default, but it can be disabled. My concern is whether it saves your credentials before you explicitly disable it. By that I mean, if you disable it after you upgrade, it appears that the credentials have already been stored by Microsoft and there is no indication that they will be deleted from their servers. Given the current security climate, I’d be a little uncomfortable with this.
If you tend to give your friends and family credentials (as opposed to maintaining a “guest” Wi-Fi account) liberally, then this could be a more secure method since you don’t need to provide the actual password in unencrypted form.
The only way to securely opt your network out of this feature is to rename it, adding the string “_optout” to the SSID. This is really inconvenient and totally unnecessary. However, for now, it is the only method to ensure that your Wi-Fi credentials are not compromised.
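Renaming the network has one practical catch: an SSID is limited to 32 bytes (an IEEE 802.11 limit, not something the articles mention), so a long name or one with accented characters can overflow once “_optout” is appended. The helper below is an added example, not from the post or Microsoft; the sample names are constructed, and treating “_optout” anywhere in the name as opted out is an assumption made here.

```python
"""Build the Wi-Fi Sense opt-out name for an SSID without exceeding the
32-byte SSID limit.  The sample network names are constructed."""

SSID_MAX_BYTES = 32          # IEEE 802.11 SSID length limit
OPTOUT_SUFFIX = "_optout"    # the opt-out marker described in the post


def is_opted_out(ssid):
    """Assumption: the marker anywhere in the name counts as opted out."""
    return OPTOUT_SUFFIX in ssid


def optout_name(ssid):
    """Return (new_ssid, note).

    The note is "already opted out", "ok", or a message saying how many
    bytes were trimmed so that name + suffix fits in 32 bytes.  Trimming
    happens on a character boundary so a multi-byte character (e.g. the
    accented letter in "Café") is never cut in half.
    """
    if is_opted_out(ssid):
        return ssid, "already opted out"
    budget = SSID_MAX_BYTES - len(OPTOUT_SUFFIX.encode("utf-8"))
    raw = ssid.encode("utf-8")
    if len(raw) <= budget:
        return ssid + OPTOUT_SUFFIX, "ok"
    # Cut the byte string, then drop any partial trailing character.
    trimmed = raw[:budget].decode("utf-8", errors="ignore")
    kept = len(trimmed.encode("utf-8"))
    return trimmed + OPTOUT_SUFFIX, f"trimmed from {len(raw)} to {kept} bytes"


if __name__ == "__main__":
    for name in ("HomeNet", "HomeNet_optout", "Café-Upstairs-Guest-Network-2015", "A" * 30):
        new_name, note = optout_name(name)
        print(f"{name!r} -> {new_name!r} ({note}, {len(new_name.encode())} bytes)")
```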
For more information, see the following articles:
- Brian Krebs – Windows 10 Shares Your Wi-Fi With Contacts
- Ars Technica – Wi-Fi Sense in Windows 10: Yes, it shares your passkeys; no, you shouldn’t be scared
It will be interesting to see how this develops over the next few weeks. As always, unless the upgrade is needed, it’s a good idea to delay upgrading to a major new release until things settle out. Also, a reminder to check whether your favorite applications are supported on Windows 10.