Posted by: David Harley | October 10, 2018

More commentary on China, Apple, and supply-chain hacking

Following up the previous story Supply chain hacking: bull in a China shop? [updated]

[Additional: Motherboard – The Cybersecurity World Is Debating WTF Is Going on With Bloomberg’s Chinese Microchip Stories]

Paul Ducklin for Sophos: Apple and Amazon hacked by China? Here’s what to do (even if it’s not true) – more useful than most of the commentary I’ve seen!

The Register: Chinese Super Micro ‘spy chip’ story gets even more strange as everyone doubles down – “Bloomberg puts out related story while security experts cast doubt on research and quotes”

Risky Business Feature: Named source in “The Big Hack” has doubts about the story

See also commentary by John Gruber.

Reuters: Apple tells Congress it found no signs of hacking attack – John Gruber adds Here’s the entire letter.

Department of Homeland Security: Statement from DHS Press Secretary on Recent Media Reports of Potential Supply Chain Compromise – “Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story.”

Well, that’s reassuring. Or is it? Well, not for John Gruber: “For me, having the current U.S. government weighing in publicly on this issue does not fill me with any sense of confidence or reassurance on either side of this story….” Me neither. And I’m not reassured by the equally lukewarm commentary from the UK, either.

Reuters: UK cyber security agency backs Apple, Amazon China hack denials

So still waiting to see if Bloomberg has something more definite to back its claims.

Commentary from Graham Cluley: Department of Homeland Security and GCHQ back Apple and Amazon’s denials they were hacked by China

And Richard Chirgwin for The Register: Super Micro China super spy chip super scandal: US Homeland Security, UK spies back Amazon, Apple denials – “Officials: Not saying Bloomberg was wrong, we just believe biz saying Bloomberg was wrong”

David Harley

Posted by: David Harley | October 6, 2018

Android SMS Worm, plus setting up a Mac for kids

Lukas Stefanko: Video analysis of Android SMS worm spying on victims – “This Android Spy is spread using social engineering technique on the potential victim through received text message from his contact list. User’s device sending this message is already compromised. SMS also contains link to fake Sagawa website that leads to downloading malicious app.”

Something a bit different. Mark Stockley for Sophos: Setting up a Mac for young children – “…I enlisted its in-built parental controls to see what they could do, and how they could help….This article walks you through the things I did to secure the laptop, and details the parental controls and options I chose.”

David Harley

Posted by: David Harley | October 5, 2018

Supply chain hacking: bull in a China shop? [updated]

[Added some very useful links – 6th October 2018]

My colleague at ESET, Cameron Camp, today published the second of a series of articles [as the conference is now over, I don’t know if he plans on any further articles in the series] commenting on this year’s Virus Bulletin: Virus Bulletin 2018: Supply chain hacking grows up

It’s an interesting article that makes some good points. But what particularly interested me was that it came hard on the heels of Bloomberg’s report The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies claiming that
“The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.”

Could this be true?  Well, Amazon and Apple have strongly denied it, as has Super Micro Computer Inc, whose supply chain is alleged to have been infiltrated. So who knows? Probably none of the sources that have commented on the topic subsequently, but here are a few of them anyway:

It will certainly be interesting to see how this story develops.

David Harley

Posted by: David Harley | October 4, 2018

Intel Management Mode – Apple didn’t lock

Thomas Claburn for The Register: Apple forgot to lock Intel Management Engine in laptops, so get patching

“In a blog post on Tuesday, researchers Maxim Goryachy and Mark Ermolov, involved in the discovery of an Intel ME firmware flaw last year, reveal that Chipzilla’s ME contains an undocumented Manufacturing Mode, among its other little known features like High Assurance Platform mode.”

Not quite a major panic: the macOS High Sierra 10.13.5 update apparently fixed this, and an attack would require local access. Still…

Based on this rather good article at Positive Technologies: Intel ME Manufacturing Mode: obscured dangers and their relationship to Apple MacBook vulnerability CVE-2018-4251

David Harley

Posted by: David Harley | October 3, 2018

News update: October 3rd

Filip Truta for Bitdefender: Researchers use Android password managers to make phishing attacks more practical
“Simone Aonzo, Alessio Merlo, and Giulio Tavella from the University of Genoa and Yanick Fratantonio from EURECOM found that certain Android password managers can be tricked into entering valid login credentials into phishing apps. The trick even works with Google’s try-before-you-buy Instant Apps, which allows users to take apps for a spin without actually installing their contents on the device.”

Graham Cluley, also for Bitdefender: Even with the latest iOS 12 update, your iPhone’s lockscreen is unsafe
“Jose Rodriguez, who has uncovered vulnerabilities in iOS’s lock screen security on a number of occasions in the past, has produced a video demonstrating an (admittedly convoluted) way of accessing information on locked iOS devices that really should be out of bounds.”

Lawrence Abrams for Bleeping Computer: Roaming Mantis Group Testing Coinhive Miner Redirects on iPhones
Kaspersky has discovered that [Roaming Mantis Group] is testing a new monetization scheme by redirecting iOS users to pages that contain the Coinhive in-browser mining script rather than the normal Apple phishing page.

Pierluigi Paganini: Expert demonstrated how to access contacts and photos from a locked iPhone XS
“…Jose Rodriguez has discovered a passcode bypass vulnerability in Apple’s new iOS version 12 that could be exploited … (with physical access to the iPhone) to access photos, contacts on a locked iPhone XS and other devices.

The hack works on the latest iOS 12 beta and iOS 12 operating systems, as demonstrated by Rodriguez in a couple of videos he published on YouTube (Videosdebarraquito).”

Zeljka Zorz for HelpNet: How to minimize the negative effect of mobile device loss or theft

David Harley
