More stories

  • Apple will finally give iPhone and iPad users an important choice to make

    I’ve long believed that Apple should separate security updates from iOS and iPadOS releases and allow iPhone and iPad users to choose whether they want to upgrade or stick with the current release and continue to receive security updates. Come the launch of iOS 15 and iPadOS 15, iPhone and iPad users will get exactly this choice.

    The page listing the features for both iOS 15 and iPadOS 15 outlines the change. Here is the relevant bit from the iOS 15 page:

    “iOS now offers a choice between two software update versions in the Settings app. You can update to the latest version of iOS 15 as soon as it’s released for the latest features and most complete set of security updates. Or continue on iOS 14 and still get important security updates until you’re ready to upgrade to the next major version.”

    The iPadOS 15 page contains similar language. Of course, there are questions around this.

    For example, will users actively get to choose which path to take, or will the iOS 15 opt-out be buried deep in the settings where few will see it? How long will Apple continue to offer updates for iOS 14? Will it be for the duration of the iOS 15 lifecycle (after which iOS 14 users would have to choose between moving to iOS 15 or iOS 16), or only for a limited period?

    Also, will users who have upgraded to iOS 15 be able to roll back to iOS 14? Currently, Apple prevents rolling back by not signing earlier releases of iOS, for obvious security reasons (a device that can be downgraded can be returned to a release with known, already patched vulnerabilities).

    All this said, it’s a good thing that Apple is giving users this choice, because it means iPhone and iPad users will be able to get security updates without having to take on a whole new release. This will be of particular interest to those running older hardware that might experience performance issues under the weight of iOS 15.

    Interestingly, it seems that Apple Watch users will have to upgrade to watchOS 8 to get updates, because there is no mention of staying on watchOS 7 anywhere in what Apple has published.

    What will you do? Upgrade immediately to iOS 15, or sit back and play a wait-and-see game on iOS 14?

  • DOJ charges cybersecurity official for attack on Georgia hospital

    The Justice Department filed charges against a former cybersecurity official this week over a 2018 cyberattack on Gwinnett Medical Center in Georgia.

    Vikas Singla was indicted for allegedly stealing information from a digitizing device while also disrupting the hospital’s phone and printer services. While the indictment did not name the company the 45-year-old worked for, Bleeping Computer reported he was chief operating officer of a healthcare-focused network security firm called Securolytics. The Marietta native allegedly had help with the attack: the indictment said Singla was “aided and abetted by unknown others” on September 27, 2018, when he hacked into the hospital’s Ascom phone system as well as a series of Lexmark printers and a Hologic R2 Digitizer.

    Singla appeared before US Magistrate Judge Linda Walker of the US District Court for the Northern District of Georgia on Thursday and was charged with 17 counts of intentional damage to a protected computer. Each count carries a sentence of up to 10 years in prison. He is also facing a charge of obtaining information by computer from a protected computer.

    Less than a month after the intrusion, Gwinnett Medical Center began investigating its own systems after patient information appeared online, according to ZDNet. It traced the breach back to an IT intrusion on September 29, just two days after Singla’s alleged actions, and said the attackers were threatening the 500-bed non-profit hospital.

    After three days, the attackers released the full names, dates of birth, and gender of some patients while also boasting to news outlets about their access to the hospital’s systems. One of the attackers, angry that the hospital initially denied it had been hacked, messaged the security blog Salted Hash to tout their control of the hospital, writing: “does GMC have control of this system. The answer is no. The last time we checked, we own their Ascom system and their data.”

    The FBI and Justice Department did not say whether the two attacks were connected, but Acting US Attorney for Georgia Kurt Erskine said Singla “allegedly compromised Gwinnett Medical Center’s operations in part for his own personal gain.” Chris Hacker, Special Agent in Charge of the FBI’s Atlanta Field Office, added that the cyberattack could have had disastrous consequences and noted that patients’ personal information was compromised as a result of Singla’s alleged actions.

  • Lax security around URL shortener exposed PII of US retailer Carter’s customer base

    US retailer Carter’s accidentally exposed the personally identifiable information (PII) of potentially hundreds of thousands of customers.

    On Friday, vpnMentor said the incident was not caused by an unsecured bucket or a misconfigured cloud storage system, as is often the case with accidental leaks, but rather by a “simple oversight” in the firm’s online order tracking infrastructure. The exposure, discovered through a web mapping project underway at vpnMentor, was caused by a failure to require authentication for a popular URL shortener tool used on the retailer’s US e-commerce domain.

    Carter’s is a major retailer of baby clothing and apparel in the United States which now operates worldwide. The company generated over $3 billion in revenue during 2020.

    When a purchase was made through the Carter’s US website, the vendor would automatically send the customer a shortened URL to access a purchase confirmation page. However, the lack of security around the URLs themselves, together with the absence of any authentication step to verify the customer, was problematic. The confirmation pages, generated by Linc’s automation platform, contained a variety of customer PII, and to compound the problem, the links never expired, allowing anyone holding one to access these pages at will, at any time, alongside backend JSON records.

    Information exposed on these pages included full names, physical addresses, email addresses, phone numbers, shipping tracker IDs, and purchase and transaction details.

    “Due to the massive volume of sales Carter’s enjoys every year, this simple but drastic oversight exposed 100,000s of people to fraud, theft, and many other dangers,” the researchers say. Given the nature of the flaw, the exact number of records exposed is unknown. However, the team estimates that over 410,000 records could have been open to abuse, with the potential impact including phishing, social engineering, and identity theft.

    Carter’s was informed of the security breach on March 22, five days after the initial discovery. Contact was made on March 30, and initially the retailer asked vpnMentor to submit its findings through Bugcrowd. However, Carter’s eventually accepted the direct report and the shortened URLs were pulled between April 4 and 7. ZDNet has reached out to Carter’s but had not heard back at the time of publication.
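    To make the two weaknesses the article describes concrete, here is an added example written for this page; it is not Carter’s, Linc’s or vpnMentor’s code, and the article does not say how the real links were constructed or discovered. It contrasts a tracking link that is just a bare opaque identifier, usable by anyone and forever, with one whose token carries an expiry and is HMAC-bound to the order and the purchaser’s e-mail, so the confirmation page can refuse stale links and links presented without the matching customer identity. The key, the seven-day lifetime, the hostname and the token layout are all assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Added example, not code from Carter's, Linc or vpnMentor. The key and TTL are
# assumptions; a real deployment would load the key from a secret store.
SECRET_KEY = secrets.token_bytes(32)
TTL_SECONDS = 7 * 24 * 3600      # assumed lifetime of a confirmation link


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def weak_link(order_id: int) -> str:
    """The pattern the article describes: a short identifier with no
    authentication step and no expiry. Whoever sees or reuses the link can
    open the confirmation page at any time."""
    return f"https://shop.example.invalid/t/{order_id:08x}"


def _mac(payload: bytes, customer_email: str) -> bytes:
    # Bind the token to the purchaser; a different e-mail yields a different MAC.
    msg = payload + b"|" + customer_email.strip().lower().encode("utf-8")
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()[:16]


def issue_token(order_id: int, customer_email: str, now: Optional[int] = None) -> str:
    """Token = base64(order_id.expiry) '.' base64(truncated HMAC)."""
    now = int(time.time()) if now is None else now
    payload = f"{order_id}.{now + TTL_SECONDS}".encode("ascii")
    return _b64(payload) + "." + _b64(_mac(payload, customer_email))


def hardened_link(order_id: int, customer_email: str, now: Optional[int] = None) -> str:
    """Same endpoint as weak_link, but the path carries a signed, expiring token."""
    return "https://shop.example.invalid/t/" + issue_token(order_id, customer_email, now)


def verify_token(token: str, customer_email: str, now: Optional[int] = None) -> Optional[int]:
    """Return the order id if the token is well-formed, unexpired and bound to
    this customer; otherwise None. The MAC is checked before the expiry so a
    tampered expiry field cannot extend a link's life."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        order_s, exp_s = payload.decode("ascii").split(".")
        order_id, expiry = int(order_s), int(exp_s)
        presented_mac = _unb64(mac_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(presented_mac, _mac(payload, customer_email)):
        return None
    if now >= expiry:
        return None
    return order_id


if __name__ == "__main__":
    # Constructed sample order; constant timestamps keep the run reproducible.
    t0 = 1_700_000_000
    tok = issue_token(12345, "alice@example.invalid", now=t0)
    print("weak    :", weak_link(12345))
    print("hardened:", hardened_link(12345, "alice@example.invalid", now=t0))
    print("valid   :", verify_token(tok, "alice@example.invalid", now=t0 + 60))
    print("other   :", verify_token(tok, "mallory@example.invalid", now=t0 + 60))
    print("expired :", verify_token(tok, "alice@example.invalid", now=t0 + TTL_SECONDS))
```

    The token closes the no-expiry and no-binding gaps only; the endpoint that resolves it should still require the customer to prove the e-mail (a login or a verification code) before rendering the confirmation page or the backend JSON, and should rate-limit lookups so that malformed or guessed tokens cannot be tried at volume.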

  • Apple should fix this privacy issue, not try to keep it quiet

    The story that an iPhone owner’s personal data was leaked online while the device was in the hands of an authorized Apple repair center should bring chills to any owner of Apple hardware out there. And Apple’s response to the matter is even more worrying.

    This incident happened in 2016 at a Pegatron facility in California.

    It’s quite shocking. Our devices contain a vast array of private and personal data, ranging from health and financial data to our communications, movements, and personal photos and videos. The idea that someone could be going through this while a device is in for repair, and go as far as to share that information, is appalling.

    Apple is a company that claims to put privacy at the core of everything it does. And yet everything about how it handled this, through to its inaction since, suggests Apple is more concerned about its image than about user privacy.

    The fact that Apple’s involvement in this was kept confidential, becoming public only as a result of a legal dispute between Pegatron and its insurer over the cost, doesn’t look good.

    Now, there are always going to be people who end up in positions of trust that shouldn’t be trusted. It’s a fact of life. But Apple is supposedly leading the way when it comes to user privacy, and that should include the privacy of users wanting their devices repaired.

    It’s unclear here whether the repair center asked for access to the iPhone in question, or whether the device was unprotected, but either way, the best way to prevent this from happening is to make it so that it can’t happen.

    Just as some cars, such as Teslas, have a valet mode that locks certain features of the vehicle away from access, Apple needs to implement a similar feature for its devices. This “repair mode” feature would allow repairers access to the device but no access to any of the data on the device. This would be a great addition to newer devices, closing a privacy loophole.

    I would also expect authorized repair centers to offer an environment where snooping on data, and being able to copy or share it, would be hard to do. I’ve seen secured repair facilities where CCTV is in use, the test networks are managed and have no access to the internet, and employees are not allowed to bring their own tech into the repair areas. This is somewhat extreme, but as users are asked to trust Apple with more and more of their data, there needs to be a barrier between repair agents and the user’s personal data. An alternative is a secure backup followed by a wipe before a device is handed over for repair, with the data reloaded following the repair.

    I know that companies try to cut costs when it comes to repair, especially when it comes to warranty work, but for a company rolling in cash, that’s a poor excuse. Also, while taking control of the privacy and security of user data during repair sounds costly, privacy breaches are costly too, both in monetary terms and in bad publicity.

    Apple does offer users tips on getting their device ready for service, which shifts the responsibility to the user. The problem is that, depending on what’s wrong with a device or how it is damaged, this is not always possible. For example, on an iPhone with a dead screen, suffering from water intrusion, or stuck in a boot loop, this isn’t going to be possible. Owners should be confident they can send in their hardware for service without having that data snooped on, even if they can’t securely erase it.

    You might also think that this is a lot for Apple to do in response to a single case from 2016, but given that Apple wanted to keep this quiet, we must bear in mind that this could be the one case we know of out of many that we don’t.

    Suppressing its involvement in these things isn’t helping secure end users. It just allows Apple to pretend that it’s not an issue. And it clearly is a problem.

  • Card Broken: 1,000 arrests made in Chinese crackdown on fraud, cryptocurrency laundering

    Chinese law enforcement has made over 1,100 arrests in a nationwide crackdown on telecoms and banking fraud.

    The Ministry of Public Security announced the operation, dubbed “Card Broken,” on June 9. It aims to destroy criminal gangs that are conducting cybercriminal activities. In particular, Card Broken is focused on telecommunications network fraud, including the sale of phone cards, payment cards, and money laundering services within China and across its borders. The ministry specifically notes the involvement of “coin farmers”: accomplices or members of criminal groups who facilitate money laundering through cryptocurrency to avoid the scrutiny of law enforcement in the country.

    Coin farmers would allegedly sign up for different cryptocurrency exchanges and set up personal accounts. These traders would then buy or sell cryptocurrency based on their handler’s instructions and funds issued to them. The virtual currency would then be sent on to wallets controlled by gang members and moved on from there. In return for their activity, coin farmers would receive a commission of between 1.5% and 5%.

    “The high illegal income attracts a large number of people to participate, causing serious social harm,” the ministry says.

    Now in its fifth leg, the operation homed in on the criminal chains behind these activities, breaking down at least 170 allegedly criminal groups. Action has been taken by law enforcement in provinces and municipalities including Beijing, Hebei, and Shanxi.

    In total, the Card Broken operation has resulted in the destruction of roughly 15,000 gangs, and 311,000 individuals suspected of involvement have been arrested, according to the ministry.

    China has taken a tough stance on cryptocurrency, outlawing exchanges and warning that trading disrupts “economic and financial order.” While individuals are still allowed to own cryptocurrency assets, three state-backed financial authorities recently issued a joint warning reminding citizens that cryptocurrency cannot play a part in Chinese financial activities.

  • Feds strike Slilpp, a marketplace for flogging initial access credentials

    Law enforcement has seized one of the largest marketplaces for selling stolen account credentials.

    The website’s infrastructure has been taken over by the police, according to the US Department of Justice (DoJ). A seizure warrant affidavit unsealed on Thursday outlined Slilpp’s past activities. In operation since at least 2012, the marketplace, with domains on both the clear and dark web, offered stolen credentials for services including PayPal, Wells Fargo, Amazon, Chase, Capital One, and more. These included usernames and passwords, as well as mobile phone accounts and e-commerce accounts.

    The DoJ says that over 80 million credentials from over 1,400 victim organizations worldwide were available for purchase. Law enforcement from the US, Germany, the Netherlands, and Romania was involved in the confiscation of servers supporting the platform’s infrastructure and various domain names. Slilpp buyers would allegedly use these credentials to commit banking theft and fraud, such as wire transfers from victims to accounts they controlled.

    “To date, over a dozen individuals have been charged or arrested by US law enforcement in connection with the Slilpp marketplace,” the DoJ says.

    According to Acting Assistant Attorney General Nicholas McQuaid, Slilpp allegedly caused “hundreds of millions of dollars in losses to victims worldwide,” and at least $200,000 in losses in the US alone. However, the “full extent” of the marketplace’s role in the credential theft economy is “not known.”

    “The department will not tolerate an underground economy for stolen identities, and we will continue to collaborate with our law enforcement partners worldwide to disrupt criminal marketplaces wherever they are located,” McQuaid commented.

  • Google ends push for Chrome address bar to only show domain name

    Google has reversed course and ended its experiment to show Chrome users only the domain name of the site they are on. Kicked off in August, the experiment randomly assigned users to test whether it could help them spot phishing sites. “Delete simplified domain experiment,” Google engineer Emily Stark wrote in a Chromium commit. “This experiment didn’t move relevant security metrics, so we’re not going to launch it. :(”

    Separately, starting with Chrome 90, if a user does not specify the protocol when typing a site into the address bar, Chrome tries HTTPS first before falling back to HTTP.

    Earlier this week, Android Police spotted that Google had killed off its augmented reality Measure app. Heading to its listing without being signed into an account that has the app installed returns a “Not Found” error, while users that previously installed it can continue to see its listing page. “This app is no longer supported and will not be updated,” the page states. “Users who previously installed this app can continue to use it on compatible devices.”

  • China passes new laws to hit back at foreign sanctions

    Lawmakers in Beijing have enacted laws banning people from complying with foreign sanctions against China. The new laws were passed against the backdrop of the US and EU continuing to prohibit companies from working with Chinese companies over issues ranging from human rights to military and technology concerns. Passage of the new legislation means that multinational companies with any presence in China must now navigate China’s sanctions alongside those issued by Western countries.

    The new laws give Beijing powers to target companies involved in implementing foreign sanctions by seizing their assets, prohibiting or restricting transactions, and denying or cancelling visas. The ban extends to company employees as well, and even to the spouses and immediate family members of certain individuals on the newly created “counter control” list that was enacted as part of the laws.

    On the same day, China’s lawmakers also passed new data security laws that strengthen the government’s control over digital information. Although the full text of the newly passed laws has not been released yet, they will provide a broad framework for future rules on internet services, such as how certain types of data must be stored and handled locally.

    Since the new year, Beijing has been cracking down on how tech companies operate, which has led to Alibaba being fined $2.7 billion, Ant Group becoming a financial holding company overseen by China’s central bank as part of efforts to appease regulatory concerns, and 33 mobile apps being called out for collecting more user data than the regulator deemed necessary to offer their services. China’s internet regulator, the Cyberspace Administration of China (CAC), in March also released regulations that prohibit mobile app developers from refusing to offer basic services to consumers who do not want to provide personal data that is unnecessary for the provision of such services.