Apple Macintosh 11-year-old security hole and Apple could kill police iPhone unlockers: TTWCP Radio Show, 2018-06-16
DNA data breaches. Craig discusses why it is such a big deal and why we have to be worried about it.
Cryptocurrency is in the news again. Craig tells you why this blows his mind.
Police can unlock iPhones. (Well, they brute-force it, so if you have a 15-number password it will take them over 200 years.)
Hey, you heard the police can unlock iPhones, right? Well, it looks like there’s a new feature that might stop them.
Also, ambulance chasers have been around a long time. Well, we’re going to talk about a new type of digital ambulance chasers.
Do you drive a BMW car? They’ve been found to have more than a dozen security flaws.
Craig is putting up a new membership site. (Yes, it is free; you just have to sign up.) It will have all the special reports that he puts out, and you will be the first to get them.
- For almost 11 years, hackers could easily bypass 3rd-party macOS signature checks
- No one is updating their Android devices, new data shows
- Apple Is Testing a Feature That Could Kill Police iPhone Unlockers
- Digital Ambulance Chasers? Law Firms Send Ads To Patients’ Phones Inside ERs
- Cryptocurrency trading app Taylor says all funds have been stolen in a cyber attack.
- MIT fed an AI data from Reddit, and now it only thinks about murder
- A blockchain start-up just raised $4 billion without a live product
- BMW cars found to contain more than a dozen flaws
- Why a DNA data breach is much worse than a credit card leak
- New asteroid gold rush ‘could earn everyone on Earth £75 billion’
Airing date: 06/16/2018
Apple Macintosh 11-year-old security hole and Apple could kill police iPhone unlockers.
Craig Peterson:[00:00:00] Hi everybody.
[00:00:01] Craig Peterson here. Of course, we’re going to be talking about technology, its impact on us, and we’ll be talking about security. We’ve got some great information here, including some problems with Mac OS if you’re a Mac user. This is an 11-year-long vulnerability that just hasn’t been fixed yet. We’re going to talk about DNA data breaches. I don’t know if you’ve heard of these before, but it’s becoming a big thing and it’s something we need to think about. We’ve got a cryptocurrency story this week that just blows my mind. Hey, you heard the police can unlock iPhones, right? Well, looks like there’s a new feature that might stop that. And ambulance chasers, they’ve been around a long time. Well, we’re going to talk about a new type of digital ambulance chasers, and BMW cars. They’ve been found to have more than a dozen security flaws.
[00:00:54] You know there’s probably a lot more. Don’t worry. Here we go. You’re listening to Craig Peterson, on the air now for going on 20 years. We’ve got tens of millions of podcast downloads and hopefully we’ll be able to give you a couple of things today that not only educate you, but I think you’ll find surprising. So here we go.
[00:01:17] Well, first off, we’re going to talk about this hack. This is a problem that is only in Mac OS. Now, we talk a lot about problems that only exist in the Windows world, of course. The Android world, which has been a real cesspool when it comes to security breaches, and the main reason for that, as we’ve discussed before, is that people are not updating their Android devices, and many times that’s because you just can’t update the Android device, right? You buy them because they’re cheap. And even if they’re expensive, there are thousands of variations of Android because of the device drivers. They’re all using different components, and sometimes the exact same model phone from the exact same manufacturer will have different versions of hardware in them or even completely different hardware. So, it’s really difficult for these companies that are manufacturing the phones, and the carriers that are further modifying the phones, to keep everything up to date. Think about that: if you’re Google, and you are making an operating system and you’re selling it, and you’re getting blamed for all of these Android problems, and in reality the problem is there are a bunch of people putting their fingers into your code, messing around with it in order to make it compatible for their customers, right? So, think about that for a sec. You’ve got the Android device, so you are shipping it now, your operating system, you are shipping now to some device maker that’s going to take your operating system and put it on their device. Well, the devices all vary in the CPU, in the speed. Think about the displays: they’re all different.
[00:03:01] The way you touch them to interact is actually different. Those are all different device drivers. You also have, of course, the cellular data modem that might be in there to get data, you’ve got the Wi-Fi chipsets. There’s a whole ton of pieces, and they’re all buying them from more or less the same manufacturers depending on what it is, but they’re having to modify it. So now your Google operating system, your Android, is being modified by the device manufacturer, who now is going to ship it off to your carrier. So you have a contract with who? With Verizon, with T-Mobile, Sprint, whoever it might be. So, they’re going to want to get their fingers into it too. They’ll do a few little things. They might be using specific band frequencies, for instance, for your internet. And in fact, that’s true for Wi-Fi as well, because depending on where you are in the world there are different frequency sets, different bands for the Wi-Fi.
[00:03:57] So now you’ve got the manufacturer, who has modified it, you’ve now got the ISP or the phone provider, the carrier, who’s modifying that device and shipping it out. Many times, you’ll also find that the people who make the component hardware for the device will also be modifying that device before they ship it out. So, the list kind of goes on and on, the people who have their fingers in it. So, now you’re Google, you found a security problem. Now what are you going to do about that security problem? How are you going to get your code out there? Well, you’re going to make a fix or patch and you’re going to send it to the device manufacturer. Now the device manufacturer says, you know, we haven’t sold that phone in years. OK. So, we’ve got other things we have to do. We have our people now working on the next release of the next greatest phone. So, they’re not going to make an update for your phone. And the same thing with the component manufacturers: they’re not going to have an update for some old chip that they manufactured years ago. And even if it’s a fairly recent chip and they do provide an update, it’s got to go back to the manufacturer, who now has to integrate it and then distribute the changes, right? And then it has to go back to the carrier who sold you the device, who no longer has a relationship with you potentially, right, you might switch carriers. How are they going to get their changes in, how are they going to get out to you? So, it’s very, very difficult in some cases. Google can send out patches directly to you. You can get them. You know, you’ve got the Google Play store and you can get various types of updates and stuff from there directly from Google. But it’s a real big problem, and that’s one of the biggest problems we have right now in security. Certainly, the biggest problem in mobile security. Now, Apple has been known to be rather safe and secure because it was designed that way from the start.
[00:05:55] Remember, the whole Internet thing started in government and in academia, and the big guy out there in academia who had a lot of operating system technology was AT&T, and they had something called Unix, and Unix was designed to be able to run on all of the different hardware AT&T had, and that’s a lot of different hardware. Think about the big old phone companies. They had old machines, new machines, they had machines that were huge main data processors, they had other machines that were teeny tiny, sitting right by a pole. Back then you couldn’t really put one of them on a pole very easily, but you know you could, it happened.
[00:06:35] And so they had this operating system called Unix that worked really well. Well, UC Berkeley, University of California Berkeley, took some of those concepts, licensed some of that software, the version 7 Unix, back in the day, and they ran with it and they started adding in more ability to have networking. Now think about this for a minute: in your school system or university system, you also have the same types of problems AT&T has had, plus a few more, because you also have a lot of pieces of equipment that you have to make and modify, maintain,
[00:07:13] run different software on, and at the same time, now you have a new problem, which is you have all these students that want to hack in and change their grades, right, and do all of the stuff you might not want them to do.
[00:07:26] So, it becomes a little bit of a problem. So, guess what. AT&T and UC Berkeley, particularly Berkeley, they built in a lot of security. They designed the Internet, basically. And because of that Internet implementation, let’s put it that way, they didn’t really design it, but they certainly implemented it, but because of that implementation and its security you now had an operating system called Unix back in the day that was very secure, it was ready to go. And then you had Torvalds come along and he went there and made his own Unix lookalike and called it Linux, and it doesn’t have all of the same safety features. But it has much of the same thinking that was there in the original Unixes of the world. So, fast forward to Apple. Apple had its operating system that was frankly kind of a toy. It ran on some of the Macs, remember those little boxy ones way back when. But it wasn’t a great operating system and it wasn’t something that could really build on to a lot of good things with. It had its advantages. I can already hear you. Here come the text messages, right? You know, already hear you’re talking about it, but in reality, they needed something a lot better.
[00:08:42] And so that’s what they did. They took Unix.
[00:08:45] In fact, it looks like what they did is they took FreeBSD, looking down at the kernel, and they were able to put their windowing interface on top of it. And you know, there’s ties actually to a couple of other companies Steve Jobs had some involvement with, but we’re trying to make this simple, right? This is not a history of Apple computers. What I’m trying to explain is why they are more secure than Windows, and so they took all of this wonderful code that was designed to be secure. They put a windowing interface on it and out they go. They had a very good, very productive operating system. Well, one of the things that they did to make it more secure, and they added on, was that the applications became signed applications. So, a developer would sign an application and you knew now that the developer had basically approved it, said it was good, and Apple would sign them so that you knew, yes, indeed, this was reviewed by Apple and it was something you should pay attention to. You don’t have to worry about it anymore, the machine automatically just accepts the software, and if there are problems, of course, the machine will pop up a little warning saying, well, the software is not signed, I don’t recognize it, and unless you change some settings it will not let you install that software. Well, there is a bit of a problem here, because Apple, remember, they changed their processors. Now they’re using Intel processors. They may actually be switching processors again within the next year or two, but they changed to Intel processors from the PowerPC stuff, and I love PowerPC stuff.
[00:10:26] It was really, really good, but they changed their processors, so they had to have these universal binaries so developers and Apple themselves could write software that would run on the old PowerPC architecture or it would run on the new Intel architecture. How could it do that? Well, that actually kept both binaries, both programs, in one program. So, the operating system would start to run the program, it would launch a program, it would look at it and say, oh, okay, I’m a PowerPC, I am going to run the PowerPC code, or Intel, so I’m going to run the Intel code. Does that make sense to you? It was actually a great little idea and it worked really well. The problem that has surfaced now is that for the last 11 years, since they put this whole thing in place, we’ve had a real problem, and that problem is that Apple apparently was only checking the very first binary for a signature. Isn’t that a problem? It sounds like a problem to you? So, all a hacker had to do was put in a binary into, you know, into this little package, and that binary just had to contain the one signed piece of code. That’s all it needed was one signed piece of code and off it went, and the rest of the code could actually be nasty, nasty, nasty, so keep an eye out. Don’t install software that you don’t know exactly where it came from, because it could end up biting you, and in a very big way. The signature check bypasses, these are a very big deal, so watch out for that.
[00:12:16] This next one is very controversial, frankly. What should you be able to do if you were the police or the FBI? Should you be able to monitor someone’s private communications? Well, we know the Constitution lets us be safe, right, to keep our private papers and other things. And I think that all makes a whole lot of sense. But when we’re talking about the digital world, should the government have a back door? Now this debate has raged on for a very, very long time. I mean crazy long time. Certainly, my entire career in computers and technology with encryption. So, the police right now have a way to unlock iPhones, and not all of the police departments have this. But there’s some technology that they can license, and they can buy a little box, they can ship an iPhone overseas, and for as little as 15 hundred bucks they can get the contents of the iPhone. And I can absolutely see how in some cases, on occasion, they could catch criminals that way, they could stop something really nasty like a terrorist attack, right? And you can probably see the same sorts of things. Well, this is an interesting problem because you have civil libertarians on one side saying no, they should not have access to them.
[00:13:46] But they kind of do, and the way they have access to your iPhone right now is because of a bug, if you will, right? A loophole, maybe, is a better word, and it’s in the iPhone hardware and software that all iPhones have. Basically, it’s a USB connector on them, and that connector, when connected up, can be used to start a diagnostic session with the phone. That’s what they use at the Genius Bar in order to work on your phone to fix it, right? They use that little port, whether it’s the old 30-pin or whether it’s the brand-new connectors, or the new ones apparently next year are going to be USB-C based. So, they use that in order to get into your phone and check it out and fix things. Well, there is a problem here. There is a company called Grayshift, and you know, they’ve been out there. They have a product called GrayKey, and there is an Israeli firm called Cellebrite. They’ve been using that port on your iPhone in order to break into the iPhone. Now, back in the day it was pretty easy to break into. Nowadays it’s really nowhere near as easy. So, what are they going to do?
[00:15:04] Well, Apple in its iOS beta releases since 11.3 has had a little feature that’s built into it, and that feature is that when you connect it to a USB accessory the phone has to have been unlocked within the last 60 minutes. So, if you go into the Apple store, for instance, and they want to run some diagnostics, they can’t just take over your phone anymore. You now have to log into your phone, and once you’re on your phone then they can plug into that port, right? Now, it doesn’t have to be unlocked at the time you give it to them, but it will have to have been unlocked within the last hour. Now that means that this is probably going to break Grayshift’s products that are being used by police departments, worldwide, in order to hack into your iPhone. You know, is that a bad thing or is that a good thing? You know, I work on security and I’ve worked with the FBI on hacking and I run the FBI’s webinars to keep the InfraGard people up to date, right? The InfraGard webinars. So, how does this impact them? Well, I think it might impact them in a very, very big way. This might kill those products entirely, unless the company comes out with products that are literally there in the police car or are there in the FBI vehicle that allow them to grab the phone from the bad guy and hope, for the suspect let’s say, and hope that that phone has been unlocked within the last hour, and then they’re off and running.
[00:16:51] So, this one-hour timeline is a major change from earlier tests where the time limit was a one-week period.
[00:16:59] But it is significant because Grayshift had been advising its customers to simply make sure they unlock the iPhone soon after obtaining it. And that’s according to some documents that Motherboard was reporting on earlier this year. So, it’s easy to do within a one-week time limit, harder to do with just an hour. This also means to you that if your phone gets messed up, you’re not going to have as many options when it comes to having the Apple guys or your tech people go ahead and help fix your phone, right? So, don’t lose that passcode, right? Important safety to remember. As I’ve been talking I’ve had some text messages come in. People are wondering here, iOS, not iOS users but Mac users, OK. They’re wondering about that 11-year history.
[00:17:52] So just to make it clear for those who might have missed a little bit of it and I’m going to delve into it just slightly more. Right now.
[00:18:00] The vulnerability is primarily in third-party software here that we’re talking about. There are at least eight security tools that are known to have this vulnerability and it does not affect iOS. This is only your Macs, and one of the tools that it does affect is one that I use every day. It’s called Little Snitch firewall and it’s a great piece of software, but it also gets fooled. So, this universal file, also known as a FAT, problem does exist, but it really only exists on the Apple Macintosh computers. And I’m sure it’ll be fixed pretty soon. All of these developers now are aware of the problem and they’re going to be fixing it, frankly. This next one here, this is kind of, this is in a weird category, I guess, is a way to put this. We’ve had ambulance chasers probably since the days of lawyers, right? Since the very first lawyer anyone ever had, these guys and gals that are out there looking for people who have been injured and then trying to help protect their rights and help them claim some money against whoever might have wronged them. All right, that makes sense, I can see that. Well, this is a little different because now you have a smartphone with you when you go online. That smartphone is showing you advertisements, right? And your smartphone also has built into it a GPS. So, your smartphone knows where it is. How many of you can figure out where I’m going with all of this?
[00:19:47] OK, well, many people who are in emergency rooms or chiropractor’s offices or pain clinics in the Philadelphia area, or their area, excuse me, may start noticing their phones. The kind of messages that are directed at you because you’re in an emergency room or a pain clinic, OK? You’re only getting fed the ad because somebody knows that you are in an emergency room. So, it’s kind of like an attorney putting a digital kiosk inside of an emergency room. When you get on the phone you’re going to start seeing ads from attorneys. So, this is kind of interesting. It’s grabbing what’s known as a phone ID from Wi-Fi, cell data or an app using GPS. Yes, and the ads can show up for more than a month and on multiple of your devices as well. Now the Massachusetts Attorney General, Maura Healey, said, here’s a quote from her, “private medical information should not be exploited in this way especially when it’s gathered secretly without a consumer’s knowledge without consent as well”. OK, so, Healey’s office is the first one in the country to go after geo-fencing technology that’s being used to catch people while they are seeking care. So, this is going to be really kind of interesting. Mass also reached a deal last year with a Massachusetts-based digital advertising firm that was sending advertisements from a Christian pregnancy counseling and adoption agency to people who entered Planned Parenthood clinics. So, when patients go to the clinics they cross a digital fence, these GPS fences, you’ve heard of them, I use them all the time myself personally to remind me to pick up stuff when I’m at the store, and they’ll soon get an advertisement such as “you have choices, click here for pregnancy help.”
[00:21:57] So, interesting. Now in Mass they’re saying that those ads violate their consumer protection laws. Other states probably don’t have the same thing. OK, we can go for a real quick roundup here now. Couple of things I want to get to before the show ends. We’ve all heard about AI, or artificial intelligence, and what it’s going to be doing. Well, MIT fed data from Reddit, which is an online bulletin board, into an artificial intelligence, and this is just kind of nuts. You know, if you have ever seen Ex Machina, it is a great movie, but our robot even, very, very interesting, they ended up calling this AI Norman, as in Norman Bates, because all he could think of was murder, OK? It’s crazy. They fed it those inkblots, right? The Rorschach tests, and it was just murder, murder, murder. Kind of crazy. Cryptocurrency trading app Taylor says all other funds have been stolen in a cyber attack. If you didn’t need yet another reason not to get involved with these cryptocurrencies. And speaking of that, a Cayman Islands startup has just raised four billion dollars without any product. And what were they raising it with? You guessed it, they have a blockchain platform called Block.one.
[00:23:32] It doesn’t have a product live yet. You should see a picture of this guy. I’ll have to make sure it’s on my website. But he looks like he’s 10 years old, that was running this thing. It’s not a great time to be investing. In fact, most of the blockchain currencies are really losing a lot of their value. BMW car computer systems have been found to contain at least 14 separate flaws. This is according to a cybersecurity lab out of China. They allowed hackers to take at least partial control of the affected vehicles, and BMW is saying that that does not allow them to control any of the driving systems in the car. So, that’s probably good news. And we had a DNA data breach. This is crazy. The DNA testing service MyHeritage revealed that hackers had breached 92 million of its accounts. Hard to say exactly what they got, but this is bad news because that data is there forever, and it is not like a password that you can change. Your DNA is your DNA. Have a lot more podcasting, make sure you check that out online. You can find it all at Craig Peterson dot com. Subscribe, leave a comment: Craig Peterson dot com slash iTunes. I’ve been doing pretty much daily podcasts. Well, until next week, we’ll see you in the online space. I’ll make sure I send out any alerts if there are known major problems during the week. Take care and I’ll talk to you later. Bye-bye.