Robin’s Newsletter #126

15 November 2020. Volume 3, Issue 46
No, Apple aren’t logging every app you run, but they are bringing privacy ‘nutrition labels’ to the App Store. Tim Berners-Lee’s Inrupt launches Solid server. Ticketmaster to appeal £1.25M data breach penalty.

This week

Does Apple really log every app you run?

Apple’s latest Mac operating system, macOS Big Sur, was released this week. That coincided with some Mac users finding that they couldn’t launch applications, or that apps hung for a long time before starting.

Twitter users were quick to spread the word that blocking connections to ‘ocsp.apple[.]com’ would make their Macs usable again. Reports that “Apple is logging every app you run” followed. (Spoiler alert: they aren’t.)

Apple’s ‘online certificate status protocol’ (OCSP) service is used to check that the developer certificate an app was signed with has not been revoked before the operating system runs it. It’s part of the firm’s ‘Gatekeeper’ functionality which, when enabled, allows only verified apps to run.

The OCSP check ‘fails open’, meaning that if the service can’t be reached (for example, you don’t have an Internet connection) apps run anyway. This week the service didn’t stop working, it just slowed down dramatically. That meant the check never hit its failure mode: users were left waiting for each app to be checked before it could run. Blocking access to the host turned ‘slow’ into ‘unreachable’, short-circuited the check, and got things moving again.
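The difference between ‘down’ and ‘slow’ is the whole story, so here is a small model of a soft-fail launch check. This is an added example, not Apple’s code; the responder behaviours (healthy, revoked, unreachable, overloaded) are constructed stand-ins, and the serial number and timeout are arbitrary.

```python
"""Model of a soft-fail ('fail open') launch-time certificate status check.
Added example to illustrate the Big Sur incident; not Apple's code. The
responder behaviours below are constructed stand-ins for an OCSP service."""
import queue
import threading
import time
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"


class ResponderUnreachable(Exception):
    """Stands in for a refused connection / no network at all."""


def _query_in_background(responder, serial):
    """Run the (possibly slow) responder call on a daemon thread and hand the
    result back through a queue, so the caller can give up after a deadline."""
    results = queue.Queue(maxsize=1)

    def worker():
        try:
            results.put(("status", responder(serial)))
        except Exception as exc:  # any failure to get an answer counts as unreachable
            results.put(("error", exc))

    threading.Thread(target=worker, daemon=True).start()
    return results


def check_launch(responder, serial, timeout):
    """Soft-fail policy: only a definitive 'revoked' answer blocks the launch.

    Returns (verdict, seconds_waited, reason). A responder that cannot be
    reached fails open immediately; one that answers slowly also fails open,
    but only after the full timeout has elapsed, which is the stall users saw."""
    started = time.monotonic()
    results = _query_in_background(responder, serial)
    try:
        kind, value = results.get(timeout=timeout)
    except queue.Empty:
        return Verdict.ALLOW, time.monotonic() - started, "no answer before deadline: soft-fail"
    waited = time.monotonic() - started
    if kind == "error":
        return Verdict.ALLOW, waited, f"responder unreachable ({value}): soft-fail"
    if value == "revoked":
        return Verdict.BLOCK, waited, "certificate revoked"
    return Verdict.ALLOW, waited, f"status {value!r}"


# --- constructed responder behaviours (assumptions, not real service data) ---
def responder_good(serial):
    return "good"


def responder_revoked(serial):
    return "revoked"


def responder_down(serial):
    # What blocking ocsp.apple.com in /etc/hosts looks like to the client.
    raise ResponderUnreachable("connection refused")


def make_slow_responder(delay_seconds):
    # What an overloaded responder looks like: it does answer, eventually.
    def slow(serial):
        time.sleep(delay_seconds)
        return "good"
    return slow


if __name__ == "__main__":
    TIMEOUT = 1.0  # hypothetical client deadline
    cases = {
        "healthy": responder_good,
        "revoked": responder_revoked,
        "blocked in /etc/hosts": responder_down,
        "overloaded (slow)": make_slow_responder(3.0),
    }
    for name, responder in cases.items():
        verdict, waited, reason = check_launch(responder, "AB12", TIMEOUT)
        print(f"{name:22s} -> {verdict.value:5s} after {waited:.2f}s ({reason})")
```

Run it and the ‘blocked’ case returns ALLOW in a few milliseconds while the ‘overloaded’ case returns the same ALLOW only after the full deadline; multiply that by every launch and you get the week’s complaints. Note that the soft-fail verdict is identical in both cases, which is exactly why blocking the host was a functional workaround and not a privacy win.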

Apple has doubled down on its privacy stance in recent years and sees it as a key differentiator from its competitors (especially Google, whose business model relies on selling targeted ads based on mining personal data.)

While it is true that we don’t know if, or what, Apple does with those OCSP requests, given that privacy stance, I would be surprised if it was misusing this potential source of data for profiling users.

There’s an explicit option, under the privacy settings, to opt-in or out of the collection of anonymous application and crash analytics. The Gatekeeper functionality is also something users can toggle on and off.

Taking an ‘absolutist’ stance on privacy here has a serious impact on the security of users: the feature is specifically designed to prevent unsigned, or revoked, applications, such as malware, from running. Just because something is technically possible does not mean that it is happening. It’s a classic risk trade-off.

As Italian computer science student Jacopo Jannone puts it: “if you think your privacy is put at risk by this feature more than having potential undetected malware running on your system, go ahead.”

appleinsider.com, jacopo.io

Interesting stats

~1/3 of Android handsets (those running Android 7.1 Nougat or earlier) will start failing to connect to HTTPS websites secured with certificates from Let’s Encrypt in 2 months’ time, and fail to validate any of them in 10 months’ time. Android has a very fragmented ecosystem and many vendors infrequently provide updates zdnet.com

67% of malicious Android app installs occur from the official Google Play Store, and of 34 million installs analysed between June and September 2019 between 10% - 24% of apps could be described as ‘malicious or unwanted’, according to NortonLifeLock zdnet.com

2.8x greater costs are incurred by firms that ‘bungle’ incident response of extreme cyber incidents

$47M is the median loss for ‘extreme’ cyber incidents

73% of extreme losses represent less than 10% of the organisation’s annual revenue, while in 14% of cases the losses exceeded annual revenue. All three are based on a Cyentia Institute study of 103 of the largest events reported in the last five years cyentia.com (PDF)

23% reduction in the cyber skills gap, according to industry certification body (ISC)2 scmagazine.com

Other newsy bits

Privacy nutrition labels coming to the App Store in December

Privacy ‘nutrition labels’ will be mandated for all new submissions to Apple’s App Store from the second week of December, including the types of data collected by developers and by third parties, and whether it is transmitted off the device or not. This is a great step toward making privacy policies less impenetrable and getting consumers to question what permissions an app requires theregister.com

Tim Berners-Lee’s Inrupt is turning the web’s model on its head

Tim Berners-Lee’s Solid data pods get a step closer to reality with the release of Inrupt’s Enterprise Solid Server. The father-of-the-web’s “pods” turn the internet model on its head: putting your data in one place, then granting organisations access to it, rather than creating copies for each service schneier.com

TicketMaster to appeal £1.25M fine for data breach

TicketMaster has been fined £1.25M ($1.65M) for their Magecart breach in 2018 (vol. 1, iss. 2). The breach occurred in a third-party chatbot that was also present on the checkout page. The ICO found it took TicketMaster 9 weeks to start investigating the issue, which is estimated to have affected over 1.5 million of the firm’s UK customers. TicketMaster plans to appeal the penalty. bbc.co.uk

In brief

Attacks, incidents & breaches

  • Compal, the Taiwanese laptop manufacturer, has become a victim of the DoppelPaymer ransomware group, who are demanding $17M USD. This could become a much more serious issue if the software images deployed onto laptops were modified by the attackers. Compal, who manufacture devices for Apple, Lenovo, Dell and HP, originally denied the attack. bleepingcomputer.com, theregister.com
  • Popular kids’ website Animal Jam breached, 46M user records exposed, after a private AWS key was posted to a Slack channel theregister.com

Threat intel

  • Lauren Place has a good ‘eulogy’ for the Maze ransomware group, and how they transformed the business of ransomware in 18 months. The group has been responsible for over 70 incidents in 2020 digitalshadows.com
  • RansomEXX malware has been ported to encrypt files on Linux. Linux is a popular server operating system that currently often escapes encryption; the port marks a shift in tactics away from disrupting Windows-based user devices and domain controllers towards other corporate apps and data scmagazine.com
  • Ransomware groups may turn to Facebook ads to increase consumer pressure on a victim in the wake of a breach krebsonsecurity.com
  • ‘ModPipe’ malware, discovered by ESET, targets Oracle’s Micros Restaurant Enterprise Series (RES) point-of-sale software, popular in the hospitality sector zdnet.com
  • SAD DNS: partying like it’s the noughties, DNS cache poisoning is back, as University of California, Riverside researchers manage to force spoofed responses into BIND, dnsmasq, etc zdnet.com

Vulnerabilities

  • It’s possible to bypass the client certificate checks in Palo Alto GlobalProtect SSL VPN authentication. In certificate-only mode that means an attacker can simply authenticate as any user they wish. In a multi-factor configuration it negates the factor provided by the certificate. (PAN-OS 8.1 versions before 8.1.17, 9.0 before 9.0.11, 9.1 before 9.1.5, and 10.0 before 10.0.1 are vulnerable.) Patch! (H/T Tim!) paloaltonetworks.com
  • Ubuntu fixes vulnerability that made it trivial for users to escalate their privileges to root-level arstechnica.com

Security engineering

  • Microsoft is the latest organisation to join the call (hur-hur) to stop using phone and SMS for multi-factor authentication zdnet.com
  • Comodo makes good on promise to open-source its endpoint detection and response solution. zdnet.com, github.com

Internet of Things

  • Details from ContextIS on a vulnerability they found in the Volkswagen Polo infotainment system, as well as a look at VW’s car incident response process contextis.com

  • EU cybersecurity agency ENISA has released guidelines for securing the Internet of Things that help “manufacturers, developers, integrators… to make better security decisions” europa.eu

Privacy

  • The Conservative party may have been processing data unlawfully under GDPR by inferring voters’ ethnicity from their first and last names theregister.com

Public policy

  • The US Cybersecurity and Infrastructure Security Agency, CISA, has largely managed to avoid politicisation since its creation under the Trump administration. Politico has a piece looking at how US cyber policy may evolve under the Biden administration: continued commitment, and more multilateral attribution of attacks, in part to keep Russia in check. politico.com
  • A good write-up on the 2020 US election security success story lawfareblog.com
  • Meme warfare: the Pentagon is trolling Russian and Chinese hackers with cartoons cyberscoop.com

Mergers, acquisitions and investments

  • Tailscale raises $12M for its ‘mesh’ style corporate VPN based on the WireGuard protocol techcrunch.com
  • Palo Alto to buy attack surface monitoring biz Expanse for $800M to boost their ‘Cortex’ SOC offering cyberscoop.com

And finally

Thinking about Yourpassword1!

Researchers at Carnegie Mellon University say password complexity requirements - such as upper and lower case characters, numbers and symbols - don’t make your password more secure, because people satisfy them in the same predictable ways. Your first character is likely a capital. Your last an exclamation mark. If you use a number it’s probably 1 (then 2, 3, 4 if you’re forced to change it). cnet.com
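To see why a policy checker and an attacker disagree about ‘Yourpassword1!’, here is an added example (not from the CMU study or the cnet article) that flags the habits listed above and contrasts a naive charset-based strength estimate with what an attacker who knows those habits actually has to guess. The dictionary size and mangling-rule counts are assumptions, labelled in the code.

```python
"""Why 'Yourpassword1!' passes a composition policy yet is predictable.
Added example; the attacker model (dictionary size, rule counts) is assumed."""
import re
from math import log2

# Assumed attacker model (not from the page): a word list plus the few
# mangling rules people apply to satisfy a complexity policy.
ASSUMED_DICTIONARY_WORDS = 100_000
RULE_CAPITALISE_FIRST = 2   # as typed, or first letter capitalised
RULE_TRAILING_DIGITS = 10   # none, or a single trailing digit (roughly)
RULE_TRAILING_SYMBOL = 5    # none, or one of a handful of end symbols


def meets_complexity_policy(pw):
    """Typical policy: 8+ chars with upper, lower, digit and symbol."""
    return all([
        len(pw) >= 8,
        re.search(r"[A-Z]", pw) is not None,
        re.search(r"[a-z]", pw) is not None,
        re.search(r"\d", pw) is not None,
        re.search(r"[^A-Za-z0-9]", pw) is not None,
    ])


def naive_entropy_bits(pw):
    """The 'length x log2(charset)' figure a strength meter might show."""
    charset = 0
    if re.search(r"[a-z]", pw):
        charset += 26
    if re.search(r"[A-Z]", pw):
        charset += 26
    if re.search(r"\d", pw):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        charset += 33  # printable ASCII symbols
    return len(pw) * log2(charset) if charset else 0.0


def split_core(pw):
    """Peel off the decorations: letters, then a digit run, then one symbol.
    Returns (letters, digits, symbol) or None if the password is not that shape."""
    m = re.fullmatch(r"([A-Za-z]+)(\d*)([^A-Za-z0-9]?)", pw)
    return m.groups() if m else None


def predictable_patterns(pw):
    """Names the habits the CMU researchers describe that this password shows."""
    hits = []
    parts = split_core(pw)
    if parts is None:
        return hits
    letters, digits, symbol = parts
    if letters[:1].isupper() and letters[1:].islower():
        hits.append("only capital is the first character")
    if symbol == "!":
        hits.append("symbol is a trailing '!'")
    elif symbol:
        hits.append("only symbol is at the end")
    if digits in {"1", "2", "3", "4"}:
        hits.append(f"number is a trailing '{digits}' (looks like a rotation counter)")
    elif digits:
        hits.append("digits only appear at the end")
    return hits


def attacker_estimate_bits(pw):
    """If the password is word + decorations, the attacker guesses a word and
    a rule, not 95^len characters. Otherwise fall back to the naive figure."""
    if split_core(pw) is None:
        return naive_entropy_bits(pw)
    return log2(ASSUMED_DICTIONARY_WORDS * RULE_CAPITALISE_FIRST
                * RULE_TRAILING_DIGITS * RULE_TRAILING_SYMBOL)


if __name__ == "__main__":
    for candidate in ["Yourpassword1!", "Yourpassword2!", "Tr0ub4dor&3", "yourpassword"]:
        print(candidate)
        print("  policy ok:", meets_complexity_policy(candidate))
        print("  naive bits: %.1f   attacker bits: %.1f"
              % (naive_entropy_bits(candidate), attacker_estimate_bits(candidate)))
        for hit in predictable_patterns(candidate):
            print("  -", hit)
```

The point is the gap between the two estimates for the same string: the policy is satisfied, the meter reports ninety-odd bits, and the attacker’s search space under the assumed model is about 23 bits because every decoration lands exactly where the study says it will.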

Also, congratulations to Joe Hancock, Mike Owen and the team at Mishcon de Reya, as they become the first global law firm to achieve CREST certification for their incident response services. mishcon.com

Robin
