Twitter Security

While the spirit of tweeting is usually public, you may not want all your Twitter settings as open as that spirit.

NakedSecurity from Sophos has published a nice guide to help you set things right on your Twitter account.

The article covers login verification, password resets, photo tagging, locations settings, and more.

Be sure to check it out when you have a chance.

Dropbox and Trusted 3rd Parties Own ‘Your Stuff’

From the Dropbox ‘Terms’ page —

Your Stuff & Your Permissions

When you use our Services, you provide us with things like your files, content, email messages, contacts and so on (“Your Stuff”). Your Stuff is yours. These Terms don’t give us any rights to Your Stuff except for the limited rights that enable us to offer the Services.

We need your permission to do things like hosting Your Stuff, backing it up, and sharing it when you ask us to. Our Services also provide you with features like photo thumbnails, document previews, email organization, easy sorting, editing, sharing and searching. These and other features may require our systems to access, store and scan Your Stuff. You give us permission to do those things, and this permission extends to trusted third parties we work with.

If it sounds contradictory that’s because it is. Don’t trust Dropbox.

Hacked by Cat Videos, Really!

Brought to you kindly from The Intercept

Many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked—like clicking on the wrong attachments, or browsing malicious websites. People also think that the NSA and its international partners are the only ones who have turned the internet into a militarized zone. But according to research I am releasing today at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, many of these commonly held beliefs are not necessarily true. The only thing you need to do to render your computer’s secrets—your private conversations, banking information, photographs—transparent to prying eyes is watch a cute cat video on YouTube, and catch the interest of a nation-state or law enforcement agency that has $1 million or so to spare.

We’ve had illegal commercialized hacking for quite a while now, but now we have “legal” commercialized hacking.

One way to help protect yourself is to use the EFF’s HTTPS Everywhere plug-in. Sadly, it does not cover Apple’s Safari yet.

Here’s the other relevant portion of the article from The Intercept —

Companies such as Hacking Team and FinFisher sell devices called “network injection appliances.” These are racks of physical machines deployed inside internet service providers around the world, which allow for the simple exploitation of targets. In order to do this, they inject malicious content into people’s everyday internet browsing traffic. One way that Hacking Team accomplishes this is by taking advantage of unencrypted YouTube video streams to compromise users. The Hacking Team device targets a user, waits for that user to watch a YouTube clip like the one above, and intercepts that traffic and replaces it with malicious code that gives the operator total control over the target’s computer without his or her knowledge.

THE Apple Security Audit: Its Time Has Come

Apple needs a mega-security audit. As far as I know, Apple has not contracted for a security audit from anyone. I’ll be generous and assume Apple has fulfilled its PCI DSS obligations, but I don’t have a reference for that.

So why? Why, with all the customer goodwill that Apple has accumulated, does Apple need an outsider to come in and perform a security audit?

Well, to establish trust in the Snowden Age, that’s why.

Apple, like any other netizen, has been attacked repeatedly, and sometimes successfully. See

  1. Australian Apple ID
  2. Bypass iOS 7.0.4 – 7 Apple ID Activation Lock iCloud [iPhone 4]
  3. Touch ID hack
  4. Jonathan Zdziarski’s revelations about corporate backdoors in iOS (given a user’s or Apple’s approval)
  5. OS X’s FileVault 2 has not been audited, so who knows if it’s really secure.
  6. No password, no problem from 2012.
  7. The recent “goto fail” fixed by Apple in 10.9.2.
  8. Have there ever been any penetration tests run against iCloud? Or Apple’s ID page?

So what do the items above have in common? Most of them are recent or still outstanding issues. Together they cover every platform and significant web property that Apple deploys, including iOS, OS X, iCloud, and Apple ID account maintenance.

Apple continues to release security fixes regularly, but now we need more assurance than the proverbial ‘trust us’. Now we need audited software, and we shouldn’t expect anything less from a recognized product leader.

iOS Data Security: Jonathan Zdziarski’s Report(s)

According to researcher and iOS security veteran, Jonathan Zdziarski (@jzdziarski) —

Upon receipt of a valid search warrant, Apple can extract certain categories of active data from passcode locked iOS devices.

and

…only categories of user generated active files that can be provided to law enforcement, pursuant to a valid search warrant, are: SMS, photos, videos, contacts, audio recording, and call history. Apple cannot provide: email, calendar entries, or any third-party App data.

However, there are services present that

give enterprises access to corporate devices. These back doors are in your phone’s firmware, whether it’s company owned or not, and their security mechanisms are likely also within the reach of others, such as government agencies or malicious hackers.

and additionally

with today’s BYOD culture, employees may be unknowingly allowing their personally-owned devices to be forensically accessible to a company’s internal investigations team (as well as law enforcement, with the enterprise’s consent) by simply enrolling it into the corporate MDM policy. Additionally, new employees that are issued devices may be permitted to retain personal information on their corporate device without first being informed that their devices could, at any time, be subject to a thorough search that bypasses security.

The bottom line is that you should be careful about pairing your device. If you pair your device with an enterprise MDM, your personal data is at greater risk of being tapped.

Jonathan makes a great point in conclusion, and that is

Apple would do well to begin separating consumer firmware from enterprise firmware, to offer a hardened version of its operating system to consumers. This (and other enterprise back doors) introduced into iOS over the years threaten to weaken the overall security of the device for the majority of consumers (who never enroll in an enterprise environment).

I can’t agree more.

[Updated, 7/23/14] Apple responds here.

My Comcast Experience

I’ve had Comcast in the Chicago suburbs for years and it’s been great. Recently though, Comcast has been trying to get me to upgrade from a 20Mbps Blast service to something more expensive and I see no reason to upgrade.

Lately, I’ve experienced several hiccups and disconnections.

Coincidence?