Security, privacy and Internet of Things updates for the week of March 18th 2017: Apple ransom, CIA leaks, Google blacklists Symantec certificates, CIA data dump, Instagram 2 factor, ISPs selling your info, Android wifi tracking, not quite breaches, Bixby, Alexa.
One of the most significant stories of the week is a claim by a hacking group that they have several hundred million Apple account credentials and will use them to remotely wipe devices on April 9th if Apple doesn’t pay up. While it seems unlikely, there are simple precautions you can take which you should already be doing – use a unique strong password on your Apple account (one you don’t use anywhere else) and turn on 2 factor authentication. I’ll write up more about this soon. For now, you can read the original coverage at Motherboard and a follow-up at ZDNET.
Google found that Symantec-owned certificate authorities mis-issued more than 30,000 certificates (this is up from 108 in January). A mis-issued certificate could allow an imposter to pretend to provide a secure connection to a web site they don’t really operate, collecting logins, financial information and whatever else you might send to that web site. Google’s solution is to have their Chrome browser stop accepting certificates from these authorities.
Not all vulnerabilities are in software: social exploits can be as damaging as, or more damaging than, technical ones. In this case a simple one netted a hundred million dollars.
Wired demonstrates how to do a responsible disclosure of a security issue they resolved.
Congressmen are applying pressure to resolve a significant security issue in control systems for global cellular networks. The SS7 system coordinates calls and text messages between telephone networks.
If you can get into SS7 you can redirect and listen to phone calls and read text messages, as well as track users.
Wikileaks dumped more CIA documents about the CIA breaking into Macintoshes. Apple says these exploits have already been fixed.
And the CIA can take control of hundreds of models of Cisco switches using a vulnerability in the implementation of Cisco’s telnet-based (cough) control protocol.
Instagram is now offering two-factor authentication to all users. If you use Instagram you should enable this now.
And MIT is conducting research into ways to protect the privacy of database queries. Their system prevents databases from monitoring what users are querying them for (think about protecting user queries of search engines).
The US Senate voted to allow ISPs to sell information about your Internet activity. This is commonly reported as “your browsing activity” but it’s more and less than that. This still needs to pass the House and be signed by the President, which all sounds pretty likely.
I’ll be writing up in detail what this means and how to protect yourself.
Third parties can subtly track your location just by your phone’s attempts to connect to wifi networks. Wifi access points can see a phone’s MAC address (the 6 byte address that uniquely identifies ethernet, cell and Bluetooth chips), allowing your phone to be tracked easily. Apple introduced MAC address randomization back in iOS 8 – when an iPhone probes for Wifi networks, it will use a randomized MAC address. Google also supports MAC address randomization – unfortunately, few Android phones utilize it.
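As an added illustration (this is not code from the original post), here is a short Python script showing how a defender can tell whether the addresses a phone broadcasts while probing are randomized ones or its real hardware address. Randomized MACs, as used by iOS and by Android devices that have the feature turned on, set the "locally administered" bit (0x02) in the first octet, whereas a real, factory-assigned address has that bit clear. The sample addresses below are constructed for the example and do not belong to any real device; the probe-request capture they stand in for is assumed to come from a tool such as a monitor-mode capture of your own network.

```python
import re

# Constructed sample of MAC addresses as they might appear in a capture of
# Wi-Fi probe requests (hypothetical values, not from any real device).
SAMPLE_PROBE_MACS = [
    "3c:22:fb:12:34:56",  # factory-assigned (OUI-based) address
    "da:a1:19:ab:cd:ef",  # locally administered bit set: randomized
    "02:00:00:11:22:33",  # locally administered bit set: randomized
    "00:1a:2b:3c:4d:5e",  # factory-assigned (OUI-based) address
]

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


def parse_mac(mac: str) -> bytes:
    """Validate a colon-separated MAC string and return its 6 raw bytes."""
    mac = mac.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return bytes(int(octet, 16) for octet in mac.split(":"))


def is_locally_administered(mac: str) -> bool:
    """True when bit 0x02 of the first octet is set.

    Randomized MACs generated by iOS and Android set this bit so that they
    cannot collide with a manufacturer-assigned (OUI) address.
    """
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac: str) -> bool:
    """True when bit 0x01 of the first octet is set (group address)."""
    return bool(parse_mac(mac)[0] & 0x01)


def classify(macs):
    """Split observed probe-request MACs into randomized and stable ones.

    A 'stable' address is the one that lets a third party track a device
    across locations; a 'randomized' one changes and is far less useful
    for tracking.
    """
    result = {"randomized": [], "stable": []}
    for mac in macs:
        if is_multicast(mac):
            continue  # not a station address, ignore
        key = "randomized" if is_locally_administered(mac) else "stable"
        result[key].append(mac.lower())
    return result


if __name__ == "__main__":
    report = classify(SAMPLE_PROBE_MACS)
    for kind, addrs in report.items():
        print(f"{kind:11s}: {', '.join(addrs) or '(none)'}")
```

A device whose probes show up under "stable" is exposing its real hardware address and can be followed from one access point to the next; one that only ever appears under "randomized" is benefiting from the protection described above. Note that the locally administered bit is a convention, not a guarantee: a few vendors use it for non-randomized purposes, and once a phone actually associates with a network it typically uses its real address anyway.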
Not quite a data breach, more a list of customer information flapping in the wind, at Saks Fifth Avenue.
Also not quite a data breach: the UK carrier Three showed some customers other customers’ information when they accessed their accounts.
Internet of Things
Samsung is going for a male audio assistant, Bixby, as the next iteration of its “S Voice” service.
Amazon got press for providing access to Alexa through their iOS shopping app. Alexa is a definite upgrade over Amazon’s old voice-powered search. I can access smart home skills through Alexa on the app, so I can tell it things like “Turn on the kitchen lights”.