After rapidly patching a flaw that allowed anyone with access to a High Sierra Mac to obtain administrative control, Apple still has more work to do to make its software secure, namely iOS 11, it was claimed this week. Oleg Afonin, a security researcher for password-cracking forensic IT biz Elcomsoft, in a blog post on Wednesday called iOS 11 “a horror story” due to changes the fruit-themed firm made to its mobile operating system that stripped away a stack of layered defenses. What’s left, he argued, is a single point of failure: the iOS device passcode.
With an iOS device and its passcode (a barrier, but not a particularly strong one), an attacker can gain access not only to the device, but to a variety of linked cloud services and any other hardware associated with the device owner’s Apple ID. Before the release of iOS 11, Afonin explained in a phone interview with The Register, there were several layers of protection in iOS.
“I feel they were pretty adequate for what they were,” he said. “It seems like Apple abandoned all the layers except the passcode. Now the entire protection scheme depends on that one thing.”
What changed was the iOS device backup password in iTunes. In iOS 10 and earlier, users could set a unique password to secure an encrypted backup copy of the data on an iPhone. That password travelled with the hardware: if you connected the iPhone to a different computer in order to make another backup via iTunes, you had to supply the same backup password, and knowing the device passcode alone did not get you past it. In iOS 11, anyone who knows the device passcode can reset that backup password and then make a fresh backup without it.
That matters because device backups made through iTunes contain far more data than is available through the screen of an unlocked iPhone, and that data can be extracted with the sort of forensic tools Elcomsoft and other companies sell.
“Once an intruder gains access to the user’s iPhone and knows (or recovers) the passcode, there is no single extra layer of protection left,” Afonin explains in his post. “Everything (and I mean, everything) is now completely exposed. Local backups, the keychain, iCloud lock, Apple account password, cloud backups and photos, passwords from the iCloud Keychain, call logs, location data, browsing history, browser tabs and even the user’s original Apple ID password are quickly exposed.”
So the risk goes beyond the compromised phone and any associated Apple devices: Apple’s iCloud Keychain could include, say, Google or Microsoft passwords. Afonin in his post suggested “Apple gave up” in the wake of complaints from police, the FBI, and users. Asked whether he had any reason to believe the change was made to appease authorities, he said, “I don’t believe this was made for the police. I believe it was just user complaints.”
Nonetheless, the iOS change has significant implications for those who deal with authorities, at border crossings for example.
“If I cross the border, I may be forced to reveal my passcode,” he said, noting that many thousands of electronic device searches happen every year.
With that passcode, authorities could create their own device backup and store it, which would allow them to go back later and extract passwords unrelated to the device itself. “If that happens they have access to everything, every password I have,” he said. Afonin said that with iOS 11, Apple’s entire protection scheme has fallen apart. He likened the situation to the 2014 iCloud hack known as Celebgate.
“Those iCloud accounts were protected with just passwords,” said Afonin. “We have a similar situation today. If it’s just one single thing, then it’s not adequate protection.”
To fix the issue, Afonin suggests going back to the way things were. “It was a perfectly balanced system,” he said. “I don’t think anybody complained seriously. The ability to reset an iTunes Backup password is not necessary. If they revert it back to the way it was in iOS 10, that would be perfect.”
Of course, this is just Afonin and Elcomsoft’s opinion. Others in the world of infosec were not convinced by his arguments; for example, Dino Dai Zovi, cofounder of cloud security biz Capsule8, was having none of it:
Apple did not respond to a request for comment.
PS: Apple’s iPhone X shares face scans with apps, which has some people worried. Also, if you installed the password-less root security patch on macOS 10.13.0 and then upgraded to 10.13.1, make sure you reinstall the patch (Apple’s Software Update mechanism should do this automatically) and reboot.
ICTS is recognised as a leading supplier of security and related services in some of the most demanding and high profile environments throughout the country. One of our primary assets is our ability to adapt and evolve to meet the challenges of an ever-changing business. At ICTS we seek to identify the most promising individuals, and provide the resources and opportunities needed to maximise individual potential. In both recruiting and development in this way our management team are able to demonstrate in-depth commitment to the goals and operating philosophy of ICTS, ensuring that management experience and market-specific security skills remains one of the most important competitive strengths of ICTS.
We now have an opportunity for a customer focussed, progressive Area Manager to join our team within a prestigious nationwide contract.
DUTIES AND RESPONSIBILITIES WILL INCLUDE
- Leading managers, supervisors, and a large and diverse workforce across a group of sites
- Driving productivity to maximise performance whilst ensuring standards are adhered to
- Instilling a culture of continuous improvement
- Coaching and mentoring staff on site and driving engagement within the team
- Analysing statistics and reading and writing reports
- Client / customer relationship management – Liaising with the Client and ICTS stakeholders to meet the client’s and ICTS service expectations
- Directing operational planning – Effective allocation of financial resources; and managing end of month financial processes, including budgets, payroll, and invoicing
- Responsible for all professional matters across multiple sites, to include ISO QM, BCMS, Environmental.
- Manage all aspects of the employee life cycle, including but not limited to: Recruitment
- Absence Management
- Investigation, Disciplinary and Grievances
- Staff appraisals
- Staff development
- Training Files
- Performance Management
- Provide a positive contribution towards maintaining an environment of equal opportunity, in accordance with the Equal Opportunities and Diversity policy.
- Fulfil Health and Safety responsibilities by adherence to the requirements of the Company’s Health and Safety
Email: email@example.com Web: www.icts.co.uk
In return the successful candidate will join a team committed to development and progression, a competitive reward package, and employment benefits (company car etc.). The successful candidate will need to demonstrate the following skills and experience:
PERSON SPECIFICATION
Essential
- Managerial experience
- Experience of driving management performance initiatives
- A motivational leader
- Full driving licence and willingness to travel both locally and nationally
- Excellent communication skills – both oral and written
- Excellent administration skills, including computer skills
- Track record of ability to work under pressure in dynamic work environment
- Flexibility according to operational needs
- Excellent customer service record
- A keen eye for detail with the ability to maintain standards of accuracy under pressure of tight deadlines.
- 5-year checkable background
- Experience of leading large teams of staff in the service or security industry
- Experience of managing in a security, warehouse, or distribution environment
- Ideally degree educated or equivalent
- Non Front line SIA License
We take our commitment to principles of fairness and mutual respect for people of all faiths and cultures seriously and we expect our employees to do so as well. We take firm action where any concerns are raised both internally and by our clients, customers and members of the public. All applicants must have correct documentation enabling them to work here and also have a permanent NI number. Internal candidates will be expected to show a good attendance/timekeeping record and also a good performance in their previous role(s). This position may be subject to Client/Board approval.
All Managerial positions and Promotions are subject to a probationary period of 6 months.
Please Note: The probationary period can be extended should the candidate’s performance not meet the required standard. Interested parties should send their CV with a covering letter to Lucy Gibb at firstname.lastname@example.org
ICTS IS AN EQUAL OPPORTUNITIES EMPLOYER
Area Manager – ICTS – Northern Ireland
WASHINGTON (Reuters) – President Donald Trump was expected to nominate Kirstjen Nielsen, who as the top aide to his White House chief of staff has sought to instil order in Trump’s team, to lead the U.S. Department of Homeland Security, a White House official said on Wednesday.
If confirmed by the Senate, Nielsen would take the reins at a sprawling department with more than 240,000 employees that is responsible for U.S. border and airport security, immigration policy, disaster response, refugee admissions and other matters.
Nielsen, 45, is a cybersecurity expert with a considerable resume in homeland security that includes work at the department’s Transportation Security Administration and on Republican former President George W. Bush’s White House Homeland Security Council.
Nielsen was retired Marine Corps General John Kelly’s chief of staff when he was secretary of Homeland Security during the opening months of Trump’s presidency. Kelly brought her to the White House as his deputy when Trump named him chief of staff in July to replace Reince Priebus after only six months on the job.
The official announcement of her nomination could come as early as later on Wednesday, the official said, speaking on condition of anonymity. The nomination requires Senate confirmation.
Nielsen’s departure from the White House would mark the latest upheaval in Trump’s White House team. She was responsible for carrying out some of Kelly’s orders on who gets access to the president. As a result, she has irritated some White House officials who now have limited contact with Trump.
Kelly has sought to bring more order to the chaotic West Wing since replacing Priebus. Trump has welcomed the changes to some extent, although he has privately confided to friends that the limitations on access to the Oval Office sometimes go too far.
Putting Nielsen into the Homeland Security post will allow Trump and Kelly to keep a close eye on the department, but getting her out of the White House could permit some relaxing of Kelly s strictness.
Cyber security is one of the primary issues under the Homeland Security Department’s sprawling portfolio. Nielsen previously worked at a cyber think tank at George Washington University, blocks from the White House, and is considered well-versed in some of the more technical missions at the department, such as sharing cyber threat information with the private sector.
The department was created after the Sept. 11, 2001, attacks on the United States exposed cracks in the country’s homeland security apparatus.
The appointment comes at a busy time for the department, with one of its agencies, the Federal Emergency Management Agency, overseeing disaster relief in hurricane-hit Puerto Rico, Texas and Florida as well as wildfire-ravaged areas of California. The department also is responsible for U.S. border security.
The department is a major player in implementing Trump’s aggressive stance toward deporting illegal immigrants, as well as vetting the lower number of refugees Trump has decided to allow into the United States.
“It seems like a low-drama pick. It’s a little concerning that she seems to have little background in immigration security and policy, but those individual agencies are in good hands already, and there is a strong core of career managers,” said Jessica Vaughan, director of policy studies at the Center for Immigration Studies, which favours more limits on immigration.
Politico first reported the appointment.
Reporting by Steve Holland in Washington; Additional reporting by Yeganeh Torbati, Dustin Volz and Doina Chiacu; Writing by Will Dunham; Editing by James Dalgleish