Winners of a security quiz staged by Taiwan’s Criminal Investigation Bureau may be wondering why they tried so hard to do well after some of the USB drives handed out as prizes turned out to be wretched hives of malware and villainy. According to the Taipei Times, the Bureau hosted an infosec event in December 2017, and gave 250 drives to people who won a cybersecurity quiz. It’s since emerged that 54 of the 8GB drives were infected by a computer used by an employee of supplier Shawo Hwa Industries Co to transfer an operating system to the drives and test their storage capacity.
While the dongles were manufactured in China, the Taipei Times said there’s no suggestion that espionage was a motive. The good news is that the infection was an old virus, which Chinese-language site Liberty Times names as XtbSeDuA.exe, that tries to steal personal data from 32-bit machines. The CIB says stolen data was forwarded to a relay IP address in Poland which in 2015 was associated with Europol raids on an electronic funds fraud ring.
The police added that the server receiving the data from the latest infections has been shut down.
The prizes were handed out from December 11 to December 12, when complaints from the public started arriving, but 34 of the drives are still in circulation somewhere.
“Mo money mo problems”, lamented Biggie Smalls in 1997, unaware of the rather mundane application the predicament would have some 20 years on in Britain’s automotive industry. But it turns out he was really rather prescient; UK motorists have become increasingly at risk of car theft, as unconventional security systems on high-tech vehicles are vulnerable to new avenues of compromise. Police data has revealed a 30% increase in car theft over the past three years, a trend they attribute in part to canny thieves’ capacity to bypass modern security systems in cars.
Indeed, police footage emerged in November showing how thieves were able to steal cars without the need for keys, a feat which becomes increasingly problematic as the demand for keyless-type vehicles continues its onward march. Over the past few years, cars have not been omitted from the digital revolution, with many manufacturers eschewing traditional metal keys for a push button fob. Ostensibly a more convenient means of security, the new technology opens up different types of criminality. Speaking to Sky News, Steve Launchbury of Thatcham Research explains, “When you have keyless-type vehicles where you physically just press a button and walk away, you’ve got the risk now of the signal being captured.”
The problem, although of the First World variety, isn’t negligible; reports of car theft to 40 police forces in England and Wales rose from 65,783 in 2013 to 85,688 in 2016. The bulk of these were situated in the capital, with 26,496 cars reported stolen to the Metropolitan Police.
How can we bolster defences against the onslaught of vehicular theft? In an age of fingerprint sensors and facial recognition, the answer is comfortingly old school; the RAC recommends a return to more traditional means of security, including some rumination on where to park your car (ideally a well-lit location in an area not known for criminal activity). Concealing your valuables, that old chestnut, still serves as a powerful disincentive for criminals looking to break into a car.
In an amusingly kitschy turn of events, security professionals have also advised a nod to the 80s with a revived use of the tangible security lock. Clunky, awkward and inelegant, the devices are thought to provide a robust visual and physical deterrent. Which, in an age of fancy gadgets and seemingly boundless tech, feels terribly salt-of-the-earth, albeit a bit of a pain.
High-tech vehicle owners, you have been warned.
After rapidly patching a flaw that allowed anyone with access to a High Sierra Mac to obtain administrative control, Apple still has more work to do to make its software secure, namely iOS 11, it was claimed this week. Oleg Afonin, a security researcher for password-cracking forensic IT biz Elcomsoft, in a blog post on Wednesday called iOS 11 “a horror story” due to changes the fruit-themed firm made to its mobile operating system that stripped away a stack of layered defenses. What’s left, he argued, is a single point of failure: the iOS device passcode.
With an iOS device and its passcode (a barrier, but not a particularly strong one), an attacker can gain access not only to the device, but to a variety of linked cloud services and any other hardware associated with the device owner’s Apple ID. Before the release of iOS 11, Afonin explained in a phone interview with The Register, there were several layers of protection in iOS.
“I feel they were pretty adequate for what they were,” he said. “It seems like Apple abandoned all the layers except the passcode. Now the entire protection scheme depends on that one thing.”
What changed was the iOS device backup password in iTunes. In iOS 10 and earlier, users could set a unique password to secure an encrypted backup copy of the data on an iPhone. That password travelled with the hardware and if you attempted to connect the iPhone to a different computer in order to make another backup via iTunes, you’d have to supply the same backup password.
That’s a security problem because device backups made through iTunes contain far more data than would be available just through an unlocked iPhone. And that data can be had through the sort of forensic tools Elcomsoft and other companies sell.
“Once an intruder gains access to the user’s iPhone and knows (or recovers) the passcode, there is no single extra layer of protection left,” Afonin explains in his post. “Everything (and I mean, everything) is now completely exposed. Local backups, the keychain, iCloud lock, Apple account password, cloud backups and photos, passwords from the iCloud Keychain, call logs, location data, browsing history, browser tabs and even the user’s original Apple ID password are quickly exposed.”
So the risk goes beyond the compromised phone and any associated Apple devices: Apple’s iCloud Keychain could include, say, Google or Microsoft passwords. Afonin in his post suggested “Apple gave up” in the wake of complaints from police, the FBI, and users. Asked whether he had any reason to believe the change was made to appease authorities, he said, “I don’t believe this was made for the police. I believe it was just user complaints.”
Nonetheless, the iOS change has significant implications for those who deal with authorities, at border crossings for example.
“If I cross the border, I may be forced to reveal my passcode,” he said, noting that many thousands of electronic device searches happen every year.
With that passcode, authorities could create their own device backup and store it, which would allow them to go back and extract passwords unrelated to the device itself later on. “If that happens they have access to everything, every password I have,” he said. Afonin said with iOS 11, Apple’s entire protection scheme has fallen apart. He likened the situation to the 2014 iCloud hack known as Celebgate.
“Those iCloud accounts were protected with just passwords,” said Afonin. “We have a similar situation today. If it’s just one single thing, then it’s not adequate protection.”
To fix the issue, Afonin suggests going back to the way things were. “It was a perfectly balanced system,” he said. “I don’t think anybody complained seriously. The ability to reset an iTunes Backup password is not necessary. If they revert it back to the way it was in iOS 10, that would be perfect.”
Of course, this is just Afonin and Elcomsoft’s opinion. Others in the world of infosec were not convinced by his arguments: for example, Dino Dai Zovi, cofounder of cloud security biz Capsule8, was having none of it.
Apple did not respond to a request for comment.
PS: Apple’s iPhone X shares face scans with apps, which has some people worried. Also, if you have installed the password-less root security patch on macOS 10.13.0, and then upgraded to 10.13.1, make sure you reinstall the patch (Apple’s Software Update mechanism should do this automatically) and reboot.