Apple Special Event and Security

@ WWDC

Apple’s facial recognition has spurred a number of discussions about the privacy trade-offs in the iPhone X.

Experts Weigh Pros, Cons of FaceID Authentication in iPhone X | Dark Reading – One concern about FaceID is that in its current implementation only one face can be used per device, says Pepijn Bruienne, senior R&D engineer at Duo Security. TouchID lets users register up to five fingerprints. If a third party obtains a user’s fingerprint and reproduces it, and the user is aware, they could register a different unique fingerprint.

Can Cops Force You to Unlock Your Phone With Your Face? | The Atlantic – Even if Face ID is advanced enough to keep pranksters out, many wondered Tuesday if it would actually make it easier for police to get in. Could officers force someone they’ve arrested to look into their phone to unlock it?

How Secure Is The iPhone X’s FaceID? Here’s What We Know | Wired – Marc Rogers, a security researcher at Cloudflare, was one of the first to demonstrate spoofing a fake fingerprint to defeat TouchID. Rogers says he has no doubt that he—or at least someone—will crack FaceID. In an interview ahead of Apple’s FaceID announcement, Rogers suggested that 3-D printing a target victim’s head and showing it to their phone might be all it takes. “The moment someone can reproduce your face in a way that can be played back to the computer, you’ve got a problem,” Rogers says. “I’d love to start by 3-D-printing my own head and seeing if I can use that to unlock it.”

Now let’s talk about the Apple Watch, which I consider to present more serious issues.

The Apple Watch Series 3 is interesting from a legislative point of view. Its embedded SIM shares the phone number of your iPhone. Strictly, the watch carries its own eSIM profile and the carrier’s number-sharing service routes the same number to both devices, so it is not a copy of the iPhone’s SIM credentials; to a lay observer, though, it looks exactly like cloning. The security services of the major powers generally don’t broadcast their capabilities. Politicians are generally untroubled by knowledge of what is possible. Giving politicians an inkling is likely to result in broad, sweeping authoritarian powers.
Imagine what will happen when Amber Rudd goes into parliament looking for real-time access to everyone’s phones. She can now point to the Apple Watch Series 3 as evidence that one number can ring on two devices over LTE and 3G. What kind of legislation will her special advisers start cooking up then?

Secondly, it will only be a matter of time before criminals either work out how to do it themselves or co-opt mobile carrier staff. Two-factor authentication that depends on SMS is already being defeated through SIM swaps obtained from socially engineered or corrupt carrier staff. A second device quietly attached to the victim’s number would let an attacker receive one-time codes while the victim’s phone keeps working as normal, so the compromise goes undetected.

The Apple Watch 3 may have royally screwed us all.

The internet of hacking or WTF is happening with my smart home?

Mirai is a botnet powered by a range of devices including infected home routers and remote camera systems. It took over these systems by logging in with their default passwords. The network of compromised machines is then directed to overload a target network or service. Last week the Dyn DNS service was targeted, which restricted access to lots of other services for users on the east coast of the US.

DNS is like a telephone directory of internet destinations, if no one knows where to go it becomes a lot harder to get in touch.
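The takeover mechanism described above (a scripted telnet login with factory credentials, attempted from many already-infected hosts) leaves a distinctive trace in a device’s own logs. The following is an added example, not code from the original post or from any manufacturer. It parses constructed syslog-style login lines (the line format, the host name and the thresholds are assumptions) and flags a device that saw failed logins for well-known default usernames from several source addresses within a minute, together with any of those sources that then got in.

```python
"""Flag Mirai-style default-credential brute forcing in device login logs.

Added example, not from the original post. The log format, host names,
usernames list and thresholds are assumptions; the sample lines are
constructed, not real captures.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed syslog-like format. The burst at
# 13:00 is the attack pattern; the 14:30 entries are an admin typo.
SAMPLE_LOG = """\
2016-10-21T13:00:01Z cam-01 telnetd: login failed for 'root' from 198.51.100.7
2016-10-21T13:00:02Z cam-01 telnetd: login failed for 'admin' from 198.51.100.7
2016-10-21T13:00:02Z cam-01 telnetd: login failed for 'root' from 203.0.113.9
2016-10-21T13:00:03Z cam-01 telnetd: login failed for 'root' from 192.0.2.44
2016-10-21T13:00:04Z cam-01 telnetd: login ok for 'root' from 203.0.113.9
2016-10-21T13:00:05Z cam-01 telnetd: login failed for 'support' from 198.51.100.8
2016-10-21T13:00:06Z cam-01 telnetd: login failed for 'root' from 198.51.100.9
2016-10-21T14:30:00Z cam-01 telnetd: login failed for 'root' from 10.0.0.5
2016-10-21T14:35:00Z cam-01 telnetd: login ok for 'root' from 10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) telnetd: login (?P<result>failed|ok) "
    r"for '(?P<user>[^']*)' from (?P<src>\S+)$"
)

# Mirai worked from a short, fixed dictionary of factory credentials;
# these are a few of the account names it tried (assumed subset).
DEFAULT_USERS = {"root", "admin", "support", "user", "guest", "service"}


def parse(log_text):
    """Turn matching log lines into dicts with a parsed timestamp."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def find_bruteforce(events, window=timedelta(seconds=60), min_sources=3):
    """Per host, find a window with failed logins for default usernames from
    at least `min_sources` distinct IPs; report those IPs and any of them
    that also logged in successfully inside the same window."""
    alerts = {}
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            end = first["ts"] + window
            span = [x for x in evs[i:] if x["ts"] <= end]
            failed_srcs = {
                x["src"] for x in span
                if x["result"] == "failed" and x["user"] in DEFAULT_USERS
            }
            if len(failed_srcs) >= min_sources:
                logged_in = sorted({
                    x["src"] for x in span
                    if x["result"] == "ok" and x["src"] in failed_srcs
                })
                alerts[host] = {"scanners": sorted(failed_srcs),
                                "logged_in": logged_in}
                break  # first qualifying window per host is enough
    return alerts


def analyse(log_text=SAMPLE_LOG):
    return find_bruteforce(parse(log_text))


if __name__ == "__main__":
    for host, info in analyse().items():
        print(host, "scanned by", info["scanners"], "compromised from", info["logged_in"])
```

The single admin mistake at 14:30 does not trip the rule because the distinct-source count, not the failure count, is what distinguishes a scanning botnet from a fat-fingered password.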

DDoSing
Mirai didn’t spring miraculously out of thin air. Its history lies with passionate gamers who used distributed denial of service (DDoS) attacks to slow down or even kick opponents off online gaming platforms. Eventually the gaming companies got hip to it and went after the cheaters; not to be outdone, the cheaters went after the gaming companies.

Taking a service offline using DDoS became a source of extortion against online banking and e-commerce services. Attacks can be used as a form of ‘digital hit’ to take out opponents or critics like online security commentator Brian Krebs.

Computing
Moore’s Law means that computing power has become so small and plentiful that it is surprising what we often have in the palms of our hands. The first Cisco router was built on the circuit board of a Sun Microsystems workstation. Home routers now are basically small computers running Linux. A CCTV camera box or a DVR is a basic PC complete with a hard drive.

Back in 2007, BlackBerry co-founder Mike Lazaridis described the iPhone as

“They’ve put a Mac in this thing…”

The implication being that the power of a sophisticated PC was essentially in the palm of one’s hand. The downside is that your thermostat now depends on a good broadband connection and Google-based cloud services, and your television can get malware in much the same way as your PC.

Security
For a range of Chinese products acknowledged as part of the botnet, the manufacturer admitted that they shipped with a default admin password. It fixed the problem in a later version of the device firmware; changing the default password is now a mandatory step in the initial set-up of the device.

The current best advice for internet of things security is to protect the network with a firewall at the edge. The reality is that most home networks have, if you were lucky, a firewall on the connected PCs; the average consumer doesn’t have a dedicated security appliance at the edge of the home network. A consumer router’s NAT does block unsolicited inbound connections by default, but it does nothing for devices that have been exposed through port forwarding or UPnP, which is how the telnet ports of many of the cameras and DVRs in Mirai ended up reachable from the internet.

Modern enterprises no longer rely only on security at the edge; they take a layered ‘defence in depth’ approach, so that a single failed control does not expose everything.

That would be a range of technology including:

  • At least one firewall at the edge
  • Intrusion detection as part of a network management suite
  • A firewall on each device
  • Role-based permissions across the system (if you work in HR you have access to the HR systems, but not to customer records)
  • Decoy honeypot systems to lure and detect intruders
  • All file systems encrypted by default so that stolen disks or backups can’t be read (this protects data at rest; it does not help against an attacker who is already on a running system that holds the keys)

Processes:

  • Applying software updates as soon as they become available
  • Strong, unique passwords
  • Two-factor authentication, preferably not delivered over SMS

Defence in depth is complex by nature, which makes it hard for the average family to pull off. IoT products are usually made to a price point. They are sold as appliances, so it is hard for manufacturers to sustain a security eco-system around them. The likelihood of anti-virus and firewall software for light bulbs or thermostats is small to non-existent.

The Shenzhen eco-system
Shenzhen, just across the border from Hong Kong, has been the centre of consumer electronics assembly for the past 20 years, although this is changing; Apple devices, for instance, are now assembled across China. Shenzhen has expanded into design, development and engineering. A key part of this has been a distinctive, informal open-source style of hardware development: specifications and designs are shared under legally ambiguous conditions, which spreads development costs across manufacturers and allows for iterative improvements.

There is a thriving maker community that blurs the line between hobbyists and engineers. A hobbyist’s passion can quickly become a prototype and then go into production. Shenzhen manufacturers can go to market so fast that they harvest ideas from Kickstarter and have them on sale before the idea has finished funding on the crowdfunding platform.

All of these factors would seem to favour the ability to get good security technologies engineered directly into the products by sharing the load.

China
The European Union was reported to be looking at regulating security into the IoT eco-system, but in the past regulation hasn’t improved the security of related products such as DSL routers. Regulation is only likely to be effective if it is driven out of China, and China does have a strong incentive to do this.

The government has a strong desire to move Chinese manufacturing beyond low-value assembly and to have local products seen as high quality. Premier Li Keqiang has expressed frustration that Chinese manufacturing appears sophisticated yet cannot make a good ballpoint pen.

Insecurity in IoT products is rather like that pain point of poor-quality pens. Fixing it would be a win for customers, for the Chinese manufacturing sector and, by extension, for the Party.

More Information
WSJ City – Massive Internet Attack Stemmed From Game Tactics
Your brilliant Kickstarter idea could be on sale in China before you’ve even finished funding it | Quartz
Asus lawsuit puts entire industry on notice over shoddy router security | Ars Technica
Europe to Push New Security Rules Amid IoT Mess — Krebs on Security
Why can’t China make a good ballpoint pen? | Marketplace.org

The Yahoo! Data Breach Post

Yahoo! had a data breach in 2014; it disclosed the breach to consumers on September 22, 2016. This isn’t the first large data breach that Yahoo! has had over the past few years, just the largest.

In 2012 there was a breach of 450,000+ identities. Millions of identity records were apparently being sold by hackers in August 2016, which the media initially linked to the 2012 breach. It would be speculative to assume that the records for sale in August were part of the 2014 raid.

The facts so far:

  • 500 million records were stolen by the hackers. Based on the latest active email account numbers disclosed for Yahoo!, many of these accounts are inactive or forgotten
  • Some of the data was stored unencrypted
  • Yahoo! believes that it was a state-sponsored actor, but it has offered no evidence to support this hypothesis. It would be a bigger reputational issue if it was ‘normal’ hackers or an organised crime group
  • There are wider security implications because the data included personal security questions and answers, which people tend to reuse across services and cannot easily change
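The last point above is the one with lasting consequences: the answer to a security question is reused across services and cannot be rotated the way a password can, so it should be stored the way a password is, as a salted, slow hash rather than in clear text or under a reversible encryption key that sits on the same servers. The following is an added example, not Yahoo!’s code; the record layout, the normalisation rules and the sample answers are constructed for illustration. It uses the memory-hard scrypt KDF from Python’s standard library and compares digests in constant time.

```python
"""Store password-reset answers so that a stolen database does not expose them.

Added example, not Yahoo!'s code. The record layout, normalisation policy
and scrypt cost parameters are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
import unicodedata

# Assumed cost parameters: 128 * N * r = 16 MiB of memory per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DK_LEN = 2 ** 14, 8, 1, 32


def normalise(answer: str) -> str:
    """Answers are free text the user must re-type from memory, so fold
    Unicode form, case and whitespace before hashing (assumed policy).
    Without this, 'Fluffy' and 'fluffy ' would be different secrets."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer: str, salt=None) -> dict:
    """Return a self-describing record: per-answer random salt plus the
    parameters, so the cost can be raised later without a flag day."""
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(normalise(answer).encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return {"salt": salt.hex(), "hash": dk.hex(),
            "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P}


def check_answer(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant
    time so response timing does not leak how many bytes matched."""
    dk = hashlib.scrypt(normalise(attempt).encode("utf-8"),
                        salt=bytes.fromhex(record["salt"]),
                        n=record["n"], r=record["r"], p=record["p"],
                        dklen=DK_LEN)
    return hmac.compare_digest(dk.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed sample: the kind of row a reset-question table would hold.
    rec = hash_answer("Fluffy")
    print("stored:", rec)
    print("'  fluffy ' accepted:", check_answer(rec, "  fluffy "))   # True
    print("'rex' accepted:", check_answer(rec, "rex"))               # False
```

Hashing, unlike the encryption Yahoo! reportedly used for some of this data, gives the attacker nothing to decrypt even if every key on the estate is taken; the only remaining risk is guessing, which the per-record salt and the 16 MiB scrypt cost make expensive at the scale of 500 million rows.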

The questions

A Vermont senator asked the following questions in a letter to Yahoo!:

  • When and how did Yahoo first learn that its users’ information may have been compromised?
  • Please provide a timeline detailing the nature of the breach, when and how it was discovered, when Yahoo notified law enforcement or other government authorities about the breach, and when Yahoo notified its customers. Press reports indicate the breach first occurred in 2014, but was not discovered until August of this year. If this is accurate, how could such a large intrusion of Yahoo’s systems have gone undetected?
  • What Yahoo accounts, services, or sister sites have been affected?
  • How many total users are affected? How were these users notified? What protection is Yahoo providing the 500 million Yahoo customers whose identities and personal information are now compromised?
  • What steps can consumers take to best protect the information that may have been compromised in the Yahoo breach?
  • What is Yahoo doing to prevent another breach in the future?
  • Has Yahoo changed its security protocols, and in what manner?
  • Did anyone in the U.S. government warn Yahoo of a possible hacking attempt by state-sponsored hackers or other bad actors? When was this warning issued?

Added to this, shareholders and Verizon are likely to want to know:

  • What was the chain of events and timing of the discovery of the hack?
  • Did Yahoo! disclose what it knew at the appropriate time?
  • Could Yahoo! be found negligent in its security precautions?
  • How will this affect the ongoing attrition in Yahoo! user numbers?

Additional questions:

  • How does Yahoo! know that it was a state sponsored actor?
  • Was there really Yahoo! data being sold on the dark web in August?
  • Was that data from the 2014 cache?
  • How did they get in?

More information
An Important Message About Yahoo User Security | Yahoo – Yahoo!’s official announcement
UK Man Involved in 2012 Yahoo Hack Sentenced to Prison | Security Week
Congressional Leaders Demand Answers on Yahoo Breach | Threat Post

The September 11 post

15 years ago I worked agency side in Haymarket in London’s west end for Edelman. It was a normal day, well, as normal as it gets when you are in the middle of the dot com bust fallout.

My job meant working on communications programmes for the European subsidiaries of technology companies. This was to reflect a ‘business as usual’ face to their customers. This allowed the subsidiaries to keep their businesses largely intact so that they could be sold off to help bail out the financial hole that the parent company had made.

The businesses had grown on generous venture capital payments, share placements and bank loans. The dot com bust suddenly meant that there was a surplus of servers, network switches, bandwidth, commercial space and Herman Miller Aeron chairs.

Due to the nature of the business I worked closely with colleagues on the finance team because I spoke ‘geek’ and understood how screwed these clients happened to be.

The financial and corporate teams worked for a number of clients, notably Cantor Fitzgerald. They were to lose two thirds of their personnel by the end of the day.

It was early afternoon, when I realised that something was up. We had TVs around the agency that often weren’t on. This time they were all turned to Sky News, which was running the footage. After the troubles and bombings in Beirut, it wasn’t a complete surprise to see another landmark attack – at least at first.

Once the scale sunk in, then the realisation of how different the world was going to be started to dawn on me.

Throwback gadget: SnapperMail

At the end of 2001, I started to prepare for leaving my job at Edelman. This meant upgrading my home IT set-up. I picked up an iBook. The iBook was Apple’s consumer-orientated laptop, made from 1999 to 2006. Mine was a second generation ‘Snow’ laptop with a G3 processor, dual USB sockets and a combo drive which allowed me to watch DVDs and burn CDs.

I used the move to go on to the first version of OS X. The move also meant that I got a new email account, my default account to date. It had two key attributes:

No adverts, so it looked professional in comparison to having a Yahoo! or Hotmail email address, and it wasn’t tied to an ISP.

IMAP support, which allowed me to use my email account across different devices that all stay in sync. POP3 downloads the emails from the server to the device.

My iBook was my only source of email access whilst I left Edelman and then eventually joined Pirate Communications. My first smartphone was a Nokia 6600, which I used alongside a Palm PDA; I got this sometime around the end of 2003. The 6600 supported IMAP out of the gate; it was slow, but I was connected.

The 6600 was eclipsed by Palm’s Treo devices, which were better. I moved from the 6600 and Palm Tungsten T3 combo to a Treo 600 smartphone in January 2005.

The process wasn’t smooth. The Treo was sufficiently fragile that I got a translucent silicone jacket that worked surprisingly well with the keyboard, and a screen protector to look after the touchscreen. Software-wise the Treo 600 was a step back from the Tungsten T3 PDA. The screen was smaller and the software felt sluggish in comparison. I had deliberately chosen the 600 over the 650 because I had previously worked agency side on the Palm account and been a long-suffering device owner, so knew how crap they were at bug fixes.
Unfortunately Palm had not been as progressive as Nokia with its default email client: the software didn’t support IMAP. Fortunately I used to follow Mitch Kapor’s blog, and he had recommended an app from a small New Zealand company, SnapperFish.

SnapperMail was a compact, modern email client. It had a number of features that we would expect now:

  • It supported IMAP
  • It supported SSL encryption between the client and the mailbox*
  • It was really easy to use
  • You could work with attachments, including zipped files**
  • There was no restriction on the file size of attachments; the only limit was your email account rather than your email client

This looks like the kind of technology you would have thought Palm should have done itself. At this time Palm was competing against Microsoft Windows Mobile 2003, and the BlackBerry 6200 series, 7100 series and early 8700 series. Yet the default email client was stuck in the 1990s.

*The full-fat application cost US$39.99

**SnapperMail came bundled with HandZipper Lite which handled the compressed files and JPEGWatch Lite image viewer

I used this alongside MetrO – a public transit directions app and QuickOffice Pro – to read Office documents as part of my modern smartphone experience. It wasn’t just me that loved SnapperMail, it was praised by Walt Mossberg back when he wrote at the Wall Street Journal.

SnapperMail won two PalmSource (Palm’s software licensing business) Powered Up awards in 2003. It was recognised as Best Productivity and Best of the Best Solution.

More information
SnapperMail Has Solid Software For Savvy Mobile E-Mail Users | WSJ
QuickOffice
MetrO – open source mass transit application
PalmSource Welcomes Developers with Awards, New Tools; Announces New Licensees | PalmSource press room