We’ll keep it short and sweet this week. Earlier this year, an advanced form of spyware was discovered on a small group of Middle-Eastern journalists’ iPhones that was eventually traced back to a developer in Israel called NSO Group. Purportedly designed for law enforcement agencies to combat terrorism, the spyware known as Pegasus appears to have been utilized by one or more government agencies to spy on a select group of iPhone users. At the time, it was unclear how the exploit was being deployed, so no defense or patch could be provided to stop Pegasus from being installed. After months of research, Canadian internet watchdog group Citizen Lab uncovered the flaw and announced it this week in the news, timed in concert with a security update from Apple that should be applied immediately to all iOS devices and macOS devices.
What this means for you
If you have a late-model iPhone, Mac computer, Apple Watch or iPad, check the settings immediately for any available updates and apply them as soon as you can get to a solid internet connection and have your device connected to a power source. The iOS version you are looking for is 14.8, and on MacBooks and iMacs it will be macOS 11.6.
- Update your iPhone, iPad, or iPod touch – Apple Support
- Update your Apple Watch – Apple Support
- Update macOS on Mac – Apple Support
As of this writing, the actual number of people who have been impacted by this flaw and Pegasus is very small, but now that the actual flaw has been revealed, there is a possibility that others besides the NSO Group will attempt to take advantage of the window that is typically open while people get patched, which can be days or even weeks. While Pegasus is designed for spying, there will surely be other malware types released to attempt to exploit this flaw that may be more straightforward in doing harm. Don’t be one of the ones caught sleeping on this update. Get patched now!
The end of 2016 is nearly upon us, and I don’t think I’m alone in saying that I hope 2017 will bring more optimism and compassion for everyone. That being said, we at C2 are going to put our game faces on and finish out 2016 as if it was the best year yet (as far as C2 is concerned, it was, thanks to you!), but I will be taking a break for the next two weeks from scaring the spirit of security into you, so the next newsletter after this one will be in 2017. I don’t want to leave you hanging like a stocking on the chimney, so here are some technology gift ideas that I hope will inspire the spirit of giving in you.
- If you spend time in the outdoors trying to get away from all that big-city tech, but can’t put down that mobile device, how about a solar-powered charger? These things are great when paired with a portable battery pack (a 2015 recommendation). Set up the charger in the sun and attach your battery pack while you’re out enjoying nature. You can come back, grab your battery pack and keep going with your USB-powered smartphone, tablet or action camera without having to hunt for a non-existent AC outlet. Repeat until you are tanned, relaxed and chockful of wonderful memories captured on your favorite mobile device, of course!
- Speaking of action cameras, it seems like everyone has one, and why not? They’re very affordable, and when you can capture ridiculously adorable and amusing videos, how can you not afford to get one? The GoPro HERO+ is the titular company’s entry-level model and it still shoots awesome video in a highly durable, portable and dare-I-say wearable fashion. GoPro videos will become this generation’s family vacation “slideshow”, minus the boring!
- Cordless headphones seem to be the hotness this year (another 2015 recommendation), but I still see a lot of folks rocking corded earbuds. As simple as they are, they get tangled if you look at them funny, so why not store them in style with a key chain fob designed to tame those unruly earbuds? The simplicity of this thing is hard to beat: your neatly wrapped earbuds will always be nearby, because you never misplace your keys, right?
- Did someone say lost keys? Tile Mate has you covered, fam! Attach one of these babies to your keys (or whatever you seem to misplace frequently) and your phone can lead you to them. And if you are one of those people who misplace your phone, all I got to say is this: Find my iPhone or Android Device Manager.
- Want to really give a gift that can keep on giving, months or even years later? How about the gift of data backup? It’s not whimsical and definitely not romantic, but buying a family member a year’s subscription to CrashPlan, Carbonite or BackBlaze and setting it up for them can mean the difference between “Oh no!” and “Oh well, thank goodness I’ve got a backup.” Bonus gift: you get to be the hero!
To finish out this list, here are a couple of things you might want to avoid:
- Virtual Reality is definitely the hot new entertainment trend, and there are a ton of knock-offs, wannabes and straight-up con artists looking to exploit the hype. Quality VR headsets that are approaching the fiction sold by Hollywood will currently set you back well over $500, and require dedicated systems such as a PlayStation 4 or a high-end (+$700) Windows gaming computer, some degree of technical proficiency, and a strong stomach. Make sure you try before you buy, especially something that isn’t an Oculus, Vive or PlayStation device.
- Nintendo released a retro-gaming console called the Nintendo “Classic Edition” for $60, featuring a slew of games from many of our childhoods, and promptly sold out of them, well before the shopping season had even picked up steam. The lack of stock coinciding with the holidays has created a huge gray and black market for these devices, which are being sold for 3 to 4 times their actual cost. Unless you or a loved one are really into retro-gaming, you may want to let the hysteria subside and pick one up for normal price (or even on sale) in 2017.
With the hotly anticipated announcement of the next iPhone right around the corner, some parts of the technology media are once again navel-gazing about the world’s continuing love affair with Apple’s popular smartphone. It’s easy to see why so many are devoted consumers: the iPhone is a stellar example of a beautiful device that is highly functional. Long gone are the days where using high-tech tools was the sole domain of the unfashionably nerdy or productivity-obsessed workaholics, and there is no doubt who we have to thank for this change. But the eternal question is raised again: are we sacrificing function for form? Has the iPhone become the stiletto heels of mobile devices?
Has Woo gone off the deep end?
Before you get the pitchforks and torches out, let me be clear: I’ve got nothing against stiletto heels. They are only one example in a sea of thousands that illustrate the “form over function” ideal, but they make for a handy and familiar analogy. Over time, the iPhone has become thinner because, let’s face it, chunky phones just aren’t “sexy” in today’s world. This has led to some interesting trends including antennae-gate, bend-gate, Touch disease, and the telling statistic that up to 1 in 4 iPhones will suffer a cracked screen during their functional life, and that as many as 15% of all iPhone users are walking around with cracked screens rather than replacing them. What’s troubling is that an affordable, shatter-proof screen is readily available: use plastic instead of glass! But time and again, market research and testing show that people don’t want plastic because it feels cheap, and right now, iPhones (and smartphones in general) are still very much a status symbol. Not that other smartphones aren’t seeing a similar trend in flawed design, but Apple is an easy, high-profile target that continues to market on its esthetics, and like a purebred pet with predisposition to genetic health issues, the iPhone could be evolving into a fragile, unsustainable extreme. How many more “flaw”-gates will people suffer through before demanding a more functional, practical smartphone? I still see a lot of stiletto heels out there.
In the latest dramatic chapter of the ongoing encryption battle between the FBI and Apple, the feds have admitted that they worsened their chances of ever finding out the contents of the San Bernardino shooter’s iPhone when they reset its associated iCloud password in a misguided attempt to access the locked device. According to Apple, prior to that reset, the FBI may have been able to gain access to the device without Apple having to provide a controversial backdoor to its otherwise very secure smartphones. On top of the FBI’s blunder and lack of understanding of Apple’s iPhone security, it’s also clear that several members of the House Judiciary Committee leading the hearings on this controversy are also poorly versed in how smartphone security works. To be fair to everyone, Apple’s iCloud system is arcane even to me, so it’s easy to see how someone unfamiliar with the system could make this mistake.
What this means for you:
Making fun of government officials being ignorant about high tech subjects is like shooting fish in a barrel. The “series of tubes” analogy used by Senator Ted Stevens is just one of many examples of US lawmakers struggling to understand admittedly complex technologies like the internet and encryption. Back then (10 years ago!) it might have been acceptable to dismiss their technology naivety as understandable – after all they are congress people, not IT consultants. But now, in an increasingly technology-permeated society, their ignorance or willful disregard of technology can lead to very bad decisions that have widespread and long-lasting consequences. This is just as applicable to your personal and workplace tech. While it’s impossible to be an expert on everything, if you rely on technology for critical business operations, you should have more than a basic understanding of how to turn it on and off. At minimum you should know what risks come with that technology, and if you cannot claim to be an expert in the technology in question, you should always consult with an experienced technology professional before making game-changing decisions.
Apple is infamous for its stringent and sometimes odd vetting process for iOS apps, but it has purportedly kept iPhone and iPad users relatively safe from the malware that has plagued the Android ecosystem for years. Unfortunately, they can no longer wear that badge with pride, as dozens (possibly hundreds) of apps written by Chinese developers and distributed through the official Apple App Store have been found to be infected with malware that can cause serious security problems for the affected device. Before you get up in arms about the brazen escalation of Sino-American cyber-hostilities, security analysts believe that the apps weren’t purposefully compromised; rather, the infections were caused by Chinese app developers using an infected version of Apple’s coding framework, Xcode, to build or update their apps. These apps were then submitted and, upon passing through Apple’s security screening, distributed in both the Chinese and American App Stores to upwards of hundreds of millions of users.
What this means for you:
Unless you make a habit of installing Chinese iOS apps, you probably aren’t directly affected by this. Check this list, and if you did install one of the affected apps, remove it or update it immediately, and change your Apple Cloud password and any other passwords you might have used while the infected app was installed on your device. For the rest of us that aren’t impacted, this particular failure illustrates two important points about security:
- No security system or process is infallible. Apple’s fall from grace in this regard was only a matter of time. Every good security plan should include a failure contingency. In Apple’s case, they know exactly who installed what apps and plan to notify all affected customers.
- The use of the compromised Xcode framework was traced to many developers using a non-official download source to retrieve the code, which is very large (3 GB) and is very slow to download in China from Apple’s servers. Rather than being patient/diligent, Chinese programmers used local, unofficial repositories hosting malware-infected versions of Xcode. Always confirm your source (whether reading email or downloading software) before clicking that link!
According to security and censorship watchdog Great Fire, the latest iPhone just made its debut in China, and already new owners are being hacked by what appears to be a state-sponsored “man in the middle” attack. Though there have been many other allegedly government-backed attacks on US-based companies, presumably for commercial or political gain, this appears to be aimed at gaining iCloud identities of its own citizens, and it’s hard to not draw a dotted line to the recent Hong Kong protests, images and news of which were widely disseminated by mobile devices like the iPhone.
What this means for you:
Unless you are a Chinese citizen that has somehow managed to find your way to this modest blog, this particular event won’t have much impact on you. The hack is actually being perpetrated by China’s “Great Firewall” and only affects a specific, Chinese-only browser called 360 Secure Browser made by a company called Qihoo. Use of this browser is apparently mandatory for all education institutions in China. Seeing as other browsers not under the control of the Chinese government like Firefox and Chrome appear to be unaffected by the hack, it’s hard not to jump to some obvious conclusions. While the more conspiratorial among you may whisper that the American government is only a few steps behind the Chinese in this egregious breach of privacy, it’s important to note that unlike China, US-provided internet is not gated by a single, government-controlled firewall like China’s Great Firewall, nor are our students and teachers mandated to run an (allegedly) state-backed browser. However, this does not mean you should be less vigilant in protecting your security and privacy, as it’s quite apparent that US agencies like the NSA have no problems snooping on their citizens anyways.
It pains me to write about this, but I think it illustrates a valuable (if obvious) lesson. Immediately following the opening weekend of iPhone 6 sales, a web page began circulating on the internet advertising a “hidden” feature of Apple’s just-released iOS8 operating system update for its mobile devices. Called “Wave”, this feature of iOS8 allowed upgraded iOS devices to be charged by microwaving them for 60-70 seconds. Needless to say, this does not work. As a matter of fact, it will destroy your shiny new phone in the time it takes to say, “I shouldn’t have done that.” This type of hoax has been around for quite a while, in various forms, but invariably someone knows someone who knows someone who destroyed their phone after being taken in by one of these pranks.
What this means for you:
At first blush, I thought to myself, “Really, anyone that dumb deserves to have their iPhone fried,” but as I thought about it, there are legions of folks of all ages, from those old enough to remember when microwave ovens first appeared (1946) to those younger than the appliances they use, that do not know (a) how the technology works, and (b) the dangerous bits that everyone assumes everyone else knows. My daughter doesn’t know that metal shouldn’t go in the microwave – we’ve never had occasion to discuss it. Most of the tech we use on a daily, even hourly basis is well beyond average human comprehension, and the benefits gained from attempting an understanding feel intangible. Instead, we take it for granted, and are schooled on occasion through painful lessons like, “Everything you read on the internet isn’t necessarily true,” and, “Microwaving an iPhone is bad, mmmkay?”
Despite the fact that everyone (including me) has been telling you that encryption makes the data stored on your smartphone safer, it would seem that is not necessarily the case for iOS devices. Renowned iPhone hacker, developer and author Jonathan Zdziarski presented a large body of research and evidence that Apple has built backdoor data access into its devices for some time, and not just the kind required by law enforcement for warranted search or for troubleshooting and debugging. Also damning was the fact that these processes and services aren’t documented at all by Apple, but are apparently well-known by various law enforcement agencies and forensic data specialists. And the cherry on top? The encryption on your iPhone can easily be bypassed by these backdoor tools through USB connections, wifi and possibly even cellular connections.
What this means for you:
According to Mr. Zdziarski’s findings, iPhone encryption is essentially bypassed because iOS maintains a base state of authentication even if your phone is “locked” with a PIN or password. The tools and services running quietly in the background of your device have direct access to your data, and not just the “anonymous” or “non-identifying” data that Apple collects for performance and troubleshooting purposes. Apple has yet to comment on Mr. Zdziarski’s findings, but the growing media attention on this issue will likely force a response from the Cupertino company. Unfortunately, there is not much you can do about this, as these backdoors are so deeply embedded in the operating system of iOS that removing or disabling them is impossible. You can, of course, demonstrate your displeasure by contacting your local congress-critter, providing feedback to Apple, as well as restraining yourself from buying Apple products until they address everyone’s privacy concerns. Given Apple’s strangle-hold on the smartphone market, they have very little incentive to change anything unless consumer sentiment starts to sway against them on this issue.
A new scam to extort money out of Apple mobile device users has surfaced in Australia, with scattered reports in other countries as well. Affected devices are locked out via Apple’s own “Find my iPhone” platform with a message that demands a ransom payment of $100 USD to unlock the phone. Security analysts are unsure at this point as to how the perpetrators are gaining access to victims’ AppleID accounts, and so far Apple is refusing to comment on this issue. According to posts on Apple’s Support Forums, the only reliable way to unlock the device is to reset it back to factory settings and restore your data from a backup, if one was actually created and maintained for that device.
What this means for you:
So far, there is a tenuous link between some of the victims and the recent eBay hack that exposed user accounts and encrypted passwords, where the victims admitted to using the same password for both eBay and iCloud. However, several other victims of this new ransom scam did not use the same password as their eBay account, so eBay’s exposed data may not be the only source. Bottom line, you should use strong, unique passwords for online accounts, especially for the ones that are tied to important services like online banking, email and any account that has access to confidential data, either yours or your clients/customers.
Security researchers have discovered that certain models of iOS devices that have been “jailbroken” are now being targeted in a malware attack, dubbed “unflod”, that can collect the AppleID account login and password used on that device and transmit it to hacker-controlled servers. While jailbreaking iPhones or iPads isn’t likely to be something the majority of iOS device-users will do (primarily because it voids your warranty), a significant percentage of users (2% in early 2013, or nearly 7 million devices) regularly jailbreak their devices. Even if the actual count of phones vulnerable to this threat is somewhere less than 7 million, it’s still a big enough target for identity thieves.
What this means for you:
If your iOS device isn’t jailbroken, you don’t have to worry about the unflod malware attack. If you have an iPhone 5s, iPad Air, or iPad Mini 2G, you don’t have to worry about this particular attack either, even if the device is jailbroken, as the malware currently in use doesn’t work on 64-bit operating systems, which the aforementioned devices use. The unflod malware appears to be caught through application of certain system tweaks that can only be applied to jailbroken, 32-bit OS devices, and only then if the tweaks are sideloaded outside of Apple’s own official app store, or Cydia, the “unofficial official” app store for jailbroken devices. In other words, if most of the words in the article don’t make sense to you, you probably won’t be affected by this malware.
HOWEVER, if you’ve ever considered jailbreaking your iOS device for whatever reason, let the above serve as a cautionary tale: be sure you know what you are doing, back up your important device data, and seriously consider whether you really need a jailbroken iPhone. While the above malware attack requires a specific set of circumstances that only affect a very small percentage of users, jailbreaking a device should only be done by someone willing to take on an increased risk of security breaches and with a full understanding of troubleshooting your own device issues.