Posted October 4, 2018
Social engineering strikes again, the intersection of the digital world and constitutional law, and more: that is the core of the tour we take through the headlines in today's discussion. On our list for this week we have:
We're kicking off this week with a look at a story from Cult of Mac with a scary headline you may have seen recently about a "hackers steal corporate passwords" vulnerability in Apple machines. That headline was true, but as headlines do, it simplifies things to make a splash. The more accurate headline would read: "Social engineering allows hackers to steal corporate passwords," which is not quite as alarming. Nevertheless, this is a serious story. What are the details?
The weakness is Wetware
Security researchers from a company called Duo Security recently announced that they had identified potential problems with Apple's DEP, or Device Enrollment Program. DEP is a tool used in businesses and other enterprise settings so that companies can register, monitor and otherwise manage the security of the devices used under the company's umbrella. That could be a company-issued iPhone, a MacBook for employees, or other Mac and iOS devices in use. According to Duo Security, the attack method they found would allow bad actors to exploit a company's DEP to gain the ability to steal everything from Wi-Fi passwords to account information for corporate applications.
The attacker would need to be able to register a device with the company's mobile device management (MDM) system, essentially the server that manages DEP. To do that, the hacker would need a valid serial number that is not already registered with the system. Otherwise, the system will not accept the device; you cannot register the same number twice, for obvious security reasons. So how do bad actors get their hands on such a serial number?
Social engineering is the first and most likely line of attack: they can simply contact someone in the company and talk them into handing over a valid serial number. For social engineers who can do things like trick telecom companies into helping them bypass a target's two-factor authentication, talking a worker into sharing a serial number looks like an easy opportunity. It's not the only way they could get in, though.
They can scour the Internet, looking at discussion boards devoted to providing support for these types of devices; employees often post serial numbers as part of the troubleshooting process. Using brute force to guess a valid number is another way into the system. Given the complexity of serial numbers, however, this is not a likely option because of how long it would take to stumble on a valid, unregistered number. Once the fake device has been registered, it has access to a wide range of information within the company's network, just as intended, because that is how DEP is meant to work.
So what does Apple do about all this? Not much, in the end. This is not a software bug or a security vulnerability, and nothing specific to Apple's Device Enrollment Program makes it vulnerable. There is just one basic problem with any DEP: if unscrupulous people get into the network, they can do bad things. To get there in the first place, someone else needs to let them in. If everyone in an organization adheres to best practice and stays wary of the dangers of social engineering online and over the phone, most DEPs, Apple's included, are as safe as their designers intended. We did a whole show on social engineering back in episode 45 of The Checklist; head there if you would like to learn more about these silver-tongued tactics.
What can companies do to protect against social engineering? The most common cause of an enterprise's security problems is simply an employee accidentally sharing information with someone they should not. Lost devices, like company phones, also pose a serious risk, especially when strong passwords have not been used to secure everything. Keep in mind that social engineers can often gather enough information about a person to start guessing the common passwords they might use; that's why a random string makes such a valuable password.
Always be careful when someone calls and begins asking for information they would not normally have access to. Sometimes the request is legitimate, but sometimes it is someone trying to work their way toward deeper access. They may even have some relevant information that makes their case seem more legitimate. When someone seeks access they should not have, be suspicious and always follow regular procedures. Sometimes trying to do the right thing by helping a "customer" is actually the wrong thing.
Your face and the Fifth Amendment
Well, it's finally happened; here's a story we should definitely look into. According to a CNET report, a federal law enforcement officer forced a suspect to unlock his iPhone for investigators using Face ID. This is the first such event we know of from public reporting, but for those who have listened to the show for a while, it may not come as a surprise. We've wondered whether something like this would happen since about the moment Apple announced Face ID.
In the United States, you cannot legally be compelled to reveal a password or PIN to the police, whether for a phone, computer or other device. However, several courts have ruled that you can be forced to use your fingerprint to unlock a device through something like Touch ID. Whether the courts will uphold compelled Face ID use is an unknown quantity, especially since this is the first known occurrence of the tactic. While it's hard to imagine that police somewhere have not already done this before, we know about this event because it was the only time the FBI could access the device.
At some point the device locked again (or perhaps lost power), which means the only way to unlock the phone now is with its PIN. Without it, and with the suspect refusing to cooperate, the FBI had to request help from a police department in Ohio (where the suspect was arrested). Why? Well, CNET says the Columbus, Ohio Police Department has been known to use iPhone cracking devices in the past. The FBI is presumably seeking time on the PD's device so they can get back into the suspect's phone for further evidence collection.
The alleged offenses are serious: the suspect was picked up by the FBI in a child pornography investigation, and the initial look at the suspect's device revealed incriminating chat logs. That puts this story in a difficult category. We want the guilty parties to go to jail in cases like this, along with murderers, drug traffickers and terrorists, and when gathering evidence becomes harder, it can seem as though the only option is to accept a back door in software.
Although that is not necessarily the right conclusion to draw, it is not the focus of our discussion today. Instead, we'll focus on how the average individual user can get some peace of mind if they feel uneasy about the fact that they could legally be required to unlock a device with Face ID or Touch ID. You have options you can explore.
The easiest way to avoid the worry completely? Turn these features off entirely. Apple makes it easy to disable them, if you're willing to sacrifice some convenience for added security. The process is simple:
- Go to the Settings app on your device
- Look for Face ID & Passcode (or Touch ID & Passcode if you have an older phone)
- Select "Reset Face ID"; this completely removes the stored information from the device's Secure Enclave processor, which means the PIN is now the only way to access the device
What if you only want to turn off Face ID for a short while? You can do that too. Hold the Volume Up button while pressing the power (side) button of the phone. When the prompt to power off the phone appears, press Cancel. Face ID will now remain disabled until the next time you unlock your phone with your PIN.
For most people, Touch ID and Face ID are terrific features that are very secure in themselves. Weigh the risk against the reward for yourself, but don't forget the ability to temporarily disable the feature; if you are in a situation where you want to be sure your phone cannot be accessed without your consent, use it. Otherwise, you should feel relatively comfortable leaving the features enabled if you prefer not to enter your PIN every time you unlock the device.
A question about last week's Wi-Fi question
Last week, we built our entire show around questions from a listener named John and his concerns about using wireless networks while traveling. This week we turn to a question from listener Andy, who has some questions of his own after listening to that episode. Andy writes:
I listened to [the How to Hotel Wi-Fi] episode … Great info … I travel a lot and I am constantly concerned about hotel Wi-Fi. You all did a good job with boundaries when you are on hotel Wi-Fi, and you provided a good risk assessment, i.e. what to do and what you should not do on hotel Wi-Fi. August was very specific that he does not do banking on open Wi-Fi even though he is on an encrypted (https) website. However, August did not mention whether he would change his opinion on doing financial activity if he was on an encrypted site and he used a trusted VPN.
Does adding a VPN to the equation change the risk/reward calculation when it comes to working with your finances over an open Wi-Fi network? Yes, with a caveat. It is still best to avoid doing this kind of work on an open network whenever possible, simply as a matter of best practice. When it cannot be avoided, however, using a reliable VPN is a good way to handle it. Note that we say trusted VPN: you need to find a provider you can trust, one that does not analyze your traffic the way Facebook's "VPN" does.
Andy asked another question that at first glance we might have assumed he already knew the answer to from listening to this show, but it's foolish of us to assume everyone always knows what the terminology we use means, especially when it's so easy for everyone to get confused! Andy then asks:
What's the difference between malicious software and a virus, and is this important to me?
A virus is a type of malicious software, but not all malware consists of viruses. Other forms of malware include Trojan horses, ransomware, spyware and a number of other categories that together make up "malicious software" as a whole. Viruses are specifically designed to infect your computer and then try to infect other computers on your network, and they can do all sorts of nasty things, from damaging your operating system to logging keystrokes. So, will software that combats malware take care of viruses as well? It depends on the security software you are using, so take a closer look at your vendor and the information they provide to understand what you need to stay protected.
With that, we'll put a bow on this week's episode. Want to check out some of the episodes we've done before that you haven't heard yet? Maybe it's time to take a deep dive on social engineering with episode 45. You can do all of that with our archives, where you can listen to each episode or skim through the show notes to get the key points right away. Check back every week to catch our latest discussion.