Apple closes security loophole in iPhones and other iOS devices

14/06/2018

Today Apple is closing a security loophole in iPhones and other iOS devices that enabled law enforcement to hack into criminals’ devices, including one of the San Bernardino killers.

They have introduced “Restricted USB Mode”, which will stop hackers from extracting data through an iPhone’s Lightning port an hour after the device has been locked. It is believed that this is how the FBI were able to read data from the iPhone belonging to a gunman involved in the shootings in San Bernardino.

Apple says this is part of their usual security reviews, and is not aimed at thwarting law enforcement but is to protect users from criminals.


The GrayKey device that hacks into locked iPhones via the Lightning port

This will protect iPhones from the iPhone hacking tool GrayKey.

The new default settings will include a feature Apple calls “USB Restricted Mode”, which has been present in developer betas for both iOS 12 and iOS 11.4.1. With this feature, all communication over the Lightning-to-USB connection will be blocked on unlocked and dormant devices.

US law enforcement uses a tool called a GrayKey, a small box with two Lightning cables that can unlock passcode-protected iPhones and extract their data. USB Restricted Mode will cut off the GrayKey’s access.


The GrayKey device reveals a locked iPhone’s passcode in as little as 30 seconds

Of course the cops believe this is aimed firmly at law enforcement, and will result in criminals and terrorists getting away with serious crimes.

“I think that privacy protections are on a collision course with responsible law enforcement actions to conduct legitimate investigations,” said Ronald Hosko, a former assistant director of the FBI who is now president of the Law Enforcement Legal Defense Fund, which raises money to defend officers accused of misconduct. “Terrorists or other criminal organizations will do something that’s heinous, in a way that is blocked from lawful law enforcement view. They will to some extent get away with it. We will lose lives, we will lose infrastructure in a big way, and then we will be having a different conversation.”


ibVPN – safe web browsing for not much money

08/06/2018

ibVPN – a high-rated VPN service with more than 180 servers world-wide

A VPN (Virtual Private Network) is a technology that creates a safe, encrypted connection over a less secure network, such as the internet. VPN technology was developed as a way to allow remote users and branch offices to securely access corporate applications and other resources. Nowadays VPNs are widely used to encrypt and secure an otherwise insecure connection (such as a public wifi access point: an eavesdropper can see everything you do over McDonald’s wifi if it isn’t encrypted!); some people use a VPN service to access restricted online services. For example, if you live in the UK you won’t be able to use the US Netflix service, as that is geographically restricted to users in the USA. But if you use a VPN server based in the USA, Netflix won’t be able to tell that you’re not in the USA yourself; all Netflix can see is that your traffic is coming from and going to that US-based server. This also lends some anonymity to the internet connection, which is another reason some people use a VPN.

And it’s not just geographical restrictions that VPN use can help you circumvent: some work and school networks stop users accessing sites like YouTube (your employer may want you to work rather than look at cat videos) or hacker sites (schools tend to block sites with crime-related content, and as so many people associate hacking with crime, anything containing the word “hacker” gets banned). So, the local network won’t let you view what you want? Use a VPN, and all the local net can see is data going to and coming from the VPN server. It knows nothing about goddamn cat memes or how to crack Facebook accounts!

For the past few years I have been using ibVPN (“Invisible Browsing”), run by Romania-based service provider Amplusnet. It’s not the fastest service out there, but it is competitively priced and has global availability. ibVPN boasts more than 180 servers in 47 countries across the globe. And there are 4 different service plans:

  • Ultimate, at $4.83 per month – “Great for strong privacy and security, heavy streaming, unblocking restricted websites, torrents & p2p activity. The most complete package”
  • Standard, at $3.08 per month – “Great for regular usage, streaming, unblocking restricted websites, privacy protection. Includes access to VPN and Extensions. No SmartDNS.”
  • Torrent, also $3.08 per month – “Special package for those looking to protect their identity while downloading torrents. Privacy protection. No SmartDNS or Proxy.”
  • IBDNS/SmartDNS, also $3.08 per month – “Special package designed for unblocking restricted websites and heavy streaming. Includes SmartDNS and access to browser extensions. No VPN.”

Their All-In-One client software/apps are available for Windows, Apple macOS and iOS, and Android devices, and the services are also compatible with Linux, most routers, smart TVs and gaming consoles. The interface is clean and efficient (see below).


ibVPN All-In-One client interface controls your VPN sessions

If you’re thinking of going with ibVPN but want to try before you buy, they offer a 6-hour free trial period. And they have a 15-day money-back guarantee if you’re not satisfied with the service. This shows they have confidence in the quality of their product.

The speed of some servers/connections is not always great, but it is rarely appalling and the price is excellent.  All in all, a good service – I’ve been using it for some years now, which is the greatest praise any product could get – if I keep paying for something it’s because it’s the best!!  😉



Hack Trump!

22/05/2018


“You’ll prise my iPhone from my cold dead fingers!” Trump will never stop tweeting – luckily for hackers.

The intel is out: we’re on to hack the Don. The White House staff tried to tell him that bringing a cell phone into the secure area was to bring in his own gaping goatse security hole. But he insisted: he needed, not one, but two iPhones. One for calls, one for Twitter. Cos yeah, we all need a special Twitter phone.

But even though that’s a bit against procedure in the White House, it’s not un-doable. His predecessor Barack Obama was hooked on crack, I mean BlackBerrys. He simply could not exist without his poor-excuse-for-a-smartphone. So allowances were made and he kept his BlackBerry. But he was aware of the security risks; he had a specially modified one made up, without microphone, camera or GPS, and even this “military-grade” BlackBerry had to be handed over every 30 days to check for tampering, further modification, any chance that it posed any extra danger.

And Trump’s calls-only iPhone is issued by White House staff and swapped out “through routine support operations” to check for hacking and other security concerns (well, any extra security concerns over and above the security concern that he is carrying around a bloody listening device!!). But he refuses to let them have his Twitter iPhone, because it would be a nuisance!

I’m sure it would be difficult to hack Trump’s phone(s).  I’m sure his equipment is especially hardened against threats.  But when a target is as juicy as Trump, and you have potentially nation-state actors moving against him, nothing is hack-proof.

The White House banned its employees from using personal phones while in the West Wing in January. A statement at the time said that the “security and integrity of the technology systems at the White House is a top priority for the Trump administration”.  But Trump’s wandering the West Wing (and the rest of the White House), Twitter-phone ready to tweet.

The personal smartphone of Trump’s chief of staff John Kelly was reportedly hacked during the Trump transition.  And he didn’t replace it until October.  And Trump’s Twitter-phone hasn’t even been checked!!

This is the man who criticised Hillary Clinton for her use of a personal email server. He is so dependent on Twitter that he needs a phone especially to tweet. Note that he needs this phone (not device, oh no, it has to be a phone) to tweet (not to use for other electronic communication, oh no, he hasn’t used email since he came into office, he needs it only to tweet).

The guy is an idiot.  Don’t know if you’ve noticed that yet.


So all you want is bloody poetry huh?

17/04/2016

I try to blog as often as I can.  But I’m really depressed that only my poems get Likes.  My political, cultural and other entries get next to no interest.  I’m not going to stop posting stuph about politics, culture, privacy, security and the other subjects that get me riled.  And the poetry of course (bread and circuses FFS).  I’d just be happier if my “serious” posts got more attention.

Also, even the poems get next-to-no Comments.  I need Comments so I can hopefully improve. Please please, poetry Likers, could you also Comment?  I’d really appreciate it.  Thanks for reading.

UPDATE: as of 18 April (day after posting) I’ve received two Likes: from anthonymize and Juansen Dizon. Just general, click-the-Like-button likes, and no comments. Likes please me, as I have an ego that enjoys being stroked; but the whole point of this post is that I want Comments too. If you’re too shy to make Comments readable by everyone who visits the blog post, there’s a Contact Form button at the top of the page. You can put your Comments there, and if you want anonymity that’s what I’ll give you – your name etc will not be kept on record if that’s what you want.


Leave Comments, damn your eyes!

This blog isn’t an anthology of what I consider my best work. I put works-in-progress here, meh stuph that I’d love to be reviewed and love to get Comments on. So pleeeze! – if you have the time, write something in the Comments or Contact Form. Comment on my blog, I’ll come look at your blog, if you have a blog of course, and if I can create a window in my already bursting bag of commitments. That last bit is a joke of course. But in all seriousness, Comment on me and I’ll Comment on yours. Quid Pro Quo I think it’s called: washing each other’s backs.

Cheers, Martin X!



Why putting back doors in message apps will not stop terrorism

17/02/2016

I’m not a security expert. So why don’t you listen to one? This video is Bruce Schneier, a well-known security and cryptography expert, taking questions at DEF CON 23. He addresses the issue of back doors at about 07:20, but the entire video is worth watching.

If you don’t want to watch it, I’ll paraphrase: the feds say that ISIS recruits via Twitter. A recruiter will get into conversation with people, and the feds can monitor that okay. But then the recruiter says “go download secure-app X” and all of a sudden the authorities can’t monitor them any more. This makes the cops sad. So they want to put back doors in all the messaging apps. But that is not going to solve the problem!

(About 09:10) “This is not a scenario that any type of back door solves. The problem isn’t that the main security apps are encrypted. The problem is that there is one security app that is encrypted. The ISIS guy can say ‘Go download Signal, go download Mujahideen Secrets, go download this random file encryption app I’ve just uploaded on GitHub ten minutes ago.’ The problem is not the encryption apps that the authorities want to get into, the problem is general purpose computers. The problem is the international market for software.” Back doors are not the solution for the problem the authorities claim to have.

You’d have to put back doors in all messaging apps. Not just the mainstream ones. Not just the not-so-popular niche apps that some people like to use, either. ALL apps. Including ones created by ISIS guys and uploaded to whatever-server-wherever-whenever. “So we need to stop talking about that [back doors] or we’re going to end up with some really bad policy.” [about 10:00]


How to delete that iffy stuph off your computer

18/11/2015

Hopefully, most/all people know that simply clicking “delete” on your computer is not going to delete the files. Erasing a file simply erases the file system entry, leaving the actual file contents intact on disk and accessible to others if they have the correct tools and know-how.

To combat this, various “secure” deletion programs have been created: e.g. shred and secure-delete (srm) in the Linux/UNIX world, and programs such as Eraser, Freeraser, Blank and Secure, and DP Shredder (and others) for Windows operating systems.
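What those tools actually do is overwrite the file’s blocks in place before unlinking the directory entry. Here is that overwrite-then-unlink technique as an added example (not the page’s code, nor shred’s or srm’s own source); it assumes a plain file on a filesystem that rewrites blocks in place, which is exactly where the page’s “not a cure-all” caveat bites: on copy-on-write or data-journaling filesystems, snapshots, or SSDs with wear levelling, the old blocks can survive regardless.

```python
"""Overwrite-then-unlink deletion, the technique shred and srm implement.
Added example, not the page's or those tools' code.  Assumes a plain file on a
filesystem that rewrites blocks in place; otherwise old blocks can survive."""
import os
import secrets
import tempfile
from pathlib import Path

def overwrite_passes(path, passes=3, chunk=64 * 1024):
    """Overwrite the file's current extent in place `passes` times with random
    bytes, fsyncing each pass so data reaches the device, not just the page cache."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
                written += n
            os.fsync(fh.fileno())
    return written

def secure_delete(path, passes=3):
    """shred -u style: overwrite, truncate to zero (hide the old length), rename to
    an opaque name (hide the old name), unlink, fsync the directory. Returns bytes overwritten."""
    p = Path(path)
    written = overwrite_passes(p, passes)
    with open(p, "r+b") as fh:
        fh.truncate(0)
        os.fsync(fh.fileno())
    anon = p.with_name(secrets.token_hex(8))
    p.rename(anon)
    anon.unlink()
    dir_fd = os.open(p.parent, os.O_RDONLY)
    try:
        os.fsync(dir_fd)  # make the directory-entry removal durable too
    finally:
        os.close(dir_fd)
    return written

def demo():
    """Run on a constructed 100 kB file in a temp dir and report what happened."""
    d = tempfile.mkdtemp()
    f = Path(d, "iffy.txt")
    f.write_bytes(b"A" * 100_000)  # constructed sample content
    written = overwrite_passes(f, passes=2)
    still_plain = f.read_bytes() == b"A" * 100_000
    deleted = secure_delete(f, passes=1)
    gone = not f.exists() and os.listdir(d) == []
    os.rmdir(d)
    return {"written": written, "still_plain": still_plain, "deleted": deleted, "gone": gone}
```

Run `demo()` to see the overwrite count and confirm the file and its name are gone; what it cannot show is whether the storage underneath really reused the same blocks, which is the whole point of the next paragraph.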

Unfortunately these tools are not a cure-all. If someone has physical access to your laptop, a skilled technician can get around these programs and make the computer spew its guts. Just look at what the NSA and GCHQ did to a Guardian computer believed to be carrying details of what NSA whistleblower Ed Snowden had told them. Just check out what staff members of the Guardian newspaper had to do under the watchful eyes of NSA/GCHQ operatives to ensure no nasty ones and zeroes got out there to knock Western Civilisation down onto its knees.

Many folk in the computer security community think this was “security theatre”: the NSA/GCHQ experts did stuph that was in no way necessary; it just helped stop educated security guys from figuring out what bit of the laptop needed to be trashed and what was trashed for no reason except for the daft notion of “obscurity = security”. Security experts will have talked with their expert buddies to find out what they thought as they watched the computer dismantled and buggered-up beyond recognition.

Anyway, have the NSA/GCHQ forgotten that mantra that is beaten into them at school, “back-up, back-up, back-up”? Who says that the files on that laptop were unique? I seem to remember that a number of newspapers around the world were publishing details of this story… did NSA/GCHQ think they held the only copy of the intel? That is a stupid idea. If I was given a story whose details and proofs were on a disk, I would send copies to everyone, to be published if I slipped and fell horribly in the shadow or I disappeared one night never to return.

Bloody stupid intelligence service.  Their #1 secret = there is no intelligence regarding their intelligence.  Because they have none.  Now let’s go drive off a cliff somewhere.  Orders is orders, innit?


So are the terrorists coming to get us or not?

10/07/2014

On Monday the Guardian reported the former head of MI6, Richard Dearlove, saying that the risk to the West of Islamist terrorism is overblown and the activity is now centred in the Middle East – “Muslim on Muslim” as he put it. And as he recently ran MI6 he probably knows more about this stuff than most of us. Dearlove was addressing the Royal United Services Institute from a pre-prepared speech just hours after an interview was broadcast with a Briton who had appeared in an Isis video. Abdul Raqib Amin, from Aberdeen, said:

“I left the UK to fight for the sake of Allah, to give everything I have for the sake of Allah. One of the happiest moments in my life was when the plane took off from Gatwick airport. I was so happy, as a Muslim you cannot live in the country of kuffars [non-believers].”

This means that he is not going to come back to Britain to put his new military skills to use. It’s far more likely that Amin and his comrades will remain in Islamic regions to “fight the fight”.

So, if the domestic terror threat has receded, why is the British government using emergency powers to pass communications surveillance law that has just been ruled as illegal by a judicial review claim in the high court?

Cameron and his lapdog Clegg are carrying on with blowing the “threat” out of all proportion by using emergency powers to fast-track this legislation through parliament when there is no actual emergency. And Labour leader Ed Miliband is supporting it too! Labour MP Tom Watson says there was a secret deal between party leaders and MPs knew nothing about it until today! It’s being called a “stitch-up”. British democracy in action.

On a related note, the government has announced that anyone carrying an electronic device onto an aeroplane would have to demonstrate it actually worked, because of “intelligence” that terrorists have learned a new method to replace a battery with explosives. But this is just “security theater” – the practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to actually achieve it. Airport security is always playing catch-up with the “terrorist threat”. This week you’ll have to switch on your phone to prove it contains a real battery. Next week the terrorists will make batteries that work as batteries as well as containing explosives. And what if you’re like me and constantly forget to charge your phone? Dead battery, device can’t power up, and you’ll have a pretty stark choice: dump your expensive smartphone and go on the flight, or keep the device and go home. And it’s apparently going to be a random check! Okay, British Airways and Virgin Atlantic say they will send your device home for you if you can’t take it on the plane. But that’s just two airlines. And anyway, if the explosive in the phone can’t be detected by usual checks, what’s to stop the terrorist just putting it in his suitcase in the baggage hold?
