Brazilian Grand Prix organisers have been issued with security recommendations by the FIA to implement in 2018 to avoid the issues which plagued this year’s race weekend. The penultimate race of the season had a series of robberies and attacks on F1 personnel take place away from Sao Paulo’s Interlagos circuit. Most concerning was the fact that the incidents continued despite local police increasing its presence around the circuit after Mercedes staff members were robbed at gunpoint early in the weekend. The problematic weekend prompted Pirelli and McLaren to cancel a two-day tyre test planned to take place at the circuit the following week. F1 management said it could not be held responsible for the attacks, but the failure to address concerns during the weekend itself led to criticism, prompting a report to be presented to the final World Motor Sport Council meeting of the year this week.
That report has outlined a plan for Interlagos to follow next year and includes the setting up of a police reporting hub at the circuit itself. “The World Council was presented with the report on the security incidents that occurred at this year’s Brazilian Grand Prix which was requested from the Commercial Rights Holder (CRH) by the FIA,” a statement read. “Following the report, the CRH recommended that the promoter, who is responsible for the security of the event, retains an independent security expert to evaluate and advise on security plans, implements a police reporting hub at the circuit and improves overall communication between the promoter security, police and F1 stakeholders.
“The World Council strongly urged the promoter to implement these recommendations and improve the situation ahead of next year’s event. The FIA will offer to participate in discussions with the local authorities and closely monitor the situation.” Local authorities hope the impending sale of the circuit will help calm security fears for future events. The city of Sao Paulo is in talks with at least three interested parties.
After rapidly patching a flaw that allowed anyone with access to a High Sierra Mac to obtain administrative control, Apple still has more work to do to make its software secure, namely iOS 11, it was claimed this week. Oleg Afonin, a security researcher for password-cracking forensic IT biz Elcomsoft, in a blog post on Wednesday called iOS 11 “a horror story” due to changes the fruit-themed firm made to its mobile operating system that stripped away a stack of layered defenses. What’s left, he argued, is a single point of failure: the iOS device passcode.
With an iOS device and its passcode (a barrier, but not a particularly strong one), an attacker can gain access not only to the device, but to a variety of linked cloud services and any other hardware associated with the device owner’s Apple ID. Before the release of iOS 11, Afonin explained in a phone interview with The Register, there were several layers of protection in iOS.
“I feel they were pretty adequate for what they were,” he said. “It seems like Apple abandoned all the layers except the passcode. Now the entire protection scheme depends on that one thing.”
What changed was the iOS device backup password in iTunes. In iOS 10 and earlier, users could set a unique password to secure an encrypted backup copy of the data on an iPhone. That password travelled with the hardware and if you attempted to connect the iPhone to a different computer in order to make another backup via iTunes, you’d have to supply the same backup password.
That’s a security problem because device backups made through iTunes contain far more data than would be available just through an unlocked iPhone. And that data can be had through the sort of forensic tools Elcomsoft and other companies sell.
“Once an intruder gains access to the user’s iPhone and knows (or recovers) the passcode, there is no single extra layer of protection left,” Afonin explains in his post. “Everything (and I mean, everything) is now completely exposed. Local backups, the keychain, iCloud lock, Apple account password, cloud backups and photos, passwords from the iCloud Keychain, call logs, location data, browsing history, browser tabs and even the user’s original Apple ID password are quickly exposed.”
So the risk goes beyond the compromised phone and any associated Apple devices: Apple’s iCloud Keychain could include, say, Google or Microsoft passwords. Afonin in his post suggested “Apple gave up” in the wake of complaints from police, the FBI, and users. Asked whether he had any reason to believe the change was made to appease authorities, he said, “I don’t believe this was made for the police. I believe it was just user complaints.”
Nonetheless, the iOS change has significant implications for those who deal with authorities, at border crossings for example.
“If I cross the border, I may be forced to reveal my passcode,” he said, noting that many thousands of electronic device searches happen every year.
With that passcode, authorities could create their own device backup and store it, which would allow them to go back and extract passwords unrelated to the device itself later on. “If that happens they have access to everything, every password I have,” he said. Afonin said with iOS 11, Apple’s entire protection scheme has fallen apart. He likened the situation to the 2014 iCloud hack known as Celebgate.
“Those iCloud accounts were protected with just passwords,” said Afonin. “We have a similar situation today. If it’s just one single thing, then it’s not adequate protection.”
To fix the issue, Afonin suggests going back to the way things were. “It was a perfectly balanced system,” he said. “I don’t think anybody complained seriously. The ability to reset an iTunes Backup password is not necessary.
If they revert it back to the way it was in iOS 10, that would be perfect.”
Of course, this is just Afonin and Elcomsoft’s opinion. Others in the world of infosec were not convinced by his arguments: for example, Dino Dai Zovi, cofounder of cloud security biz Capsule8, was having none of it.
Apple did not respond to a request for comment.
PS: Apple’s iPhone X shares face scans with apps, which has some people worried. Also, if you have installed the password-less root security patch on macOS 10.13.0, and then upgraded to 10.13.1, make sure you reinstall the patch (Apple’s Software Update mechanism should do this automatically) and reboot.
Belfast City Hall security lags well behind rest of UK and must be upgraded urgently, expert warns
Counter-terrorism measures to protect the public at Belfast’s Christmas Market lag far behind those at similar events across Britain, a security expert has warned. Andrew McQuillan accused the authorities of failing to do as much as they should to protect the public and called on the council to urgently make improvements.
He was speaking after the Belfast Telegraph yesterday revealed details of a counter-terrorist assessment showing City Hall was extremely vulnerable to a car bomb or lone wolf attack involving knives or other weapons. The National Counter-Terrorism Security Office (NaCTSO) identified the Christmas Market, which runs until December 23, as a “specific vulnerability”. The report will be discussed by the council’s strategic policy and resources committee today before it is debated at a full council meeting on December 4.
Mr McQuillan said: “I have worked on security at events across the UK, Europe and the US.
“The measures adopted in Northern Ireland just aren’t as good as those elsewhere, which is surprising given the significant paramilitary threat we faced in the recent past.
“Security at the Winter Wonderland event in London is phenomenal and that at the Christmas markets in Birmingham and Manchester is also very high.
“The measures in place at Belfast City Hall’s market lag seriously behind and this must be urgently addressed.
“We should not bury our heads in the sand. There are steps which can be taken immediately to improve the situation.”
The council has installed large planters on the pavement outside City Hall “to provide some protection in case of a vehicle-borne attack”. But Mr McQuillan said that while the measure was welcome it wasn’t nearly enough. He suggested that protection could be enhanced if interlocking red-and-white security barriers were placed around City Hall. He added: “These have been placed at bridges in London before permanent barriers go up.
“They are filled with water and sand and are very cheap to erect.
“NaCTSO is a highly respected organisation. They have highlighted weaknesses and Belfast City Council really should move swiftly to implement their recommendations.”
Mr McQuillan, who owns Crowded Space Drones and whose father Alan was a former PSNI Assistant Chief Constable, said there was a dangerous complacency in Northern Ireland about the dangers of an attack at a public venue. He added: “Just because we had republican and loyalist violence in the past doesn’t exempt us from international terrorism. Some claim on social media that reporting the threat here is scaremongering.
“These people have no awareness whatsoever of public safety at events. A report from the National Counter-Terrorism Security Office is not scaremongering. It has to be taken seriously.”
Mr McQuillan also claimed it was wrongly argued that increased security would mean Northern Ireland was returning to the past.
He said: “What these people ignore is that armed police at Christmas markets in England is very normal and England usually has an unarmed police force.
“We are dealing with a new emerging threat. Not updating and changing your plans is just not smart. It is waving a red flag at a bull.
“People can choose to inhabit a bubble but it doesn’t reflect the world we live in. No risks should be taken with major events.”
Mr McQuillan said the council could apply to have the national barrier asset system deployed – temporary high-grade security fencing which protects high-profile locations or events. He added: “I feel sorry for the council as the market’s location at City Hall isn’t the easiest to protect. We really need to talk about the issue.
Ignoring it doesn’t make our vulnerability go away.
“Making security at your event look visibly as hard as possible is a great deterrent for terrorists who are hunting vulnerable targets”.