Though the headline on the Recode piece linked below says Apple is facing questions from the US Senate on its new Face ID feature, the reality is that the questions are coming from one Senator: former comedian Al Franken, who has always taken an interest in tech issues and tends to use them to raise his public profile. A number of the questions he is posing have already been addressed by Apple (including in its public announcement of the feature), while others suggest Franken thinks Apple is Google or some other company that regularly uses data on its customers to target advertising. All of which suggests he either hasn’t taken the time to understand the feature properly, or is simply grandstanding, which frankly feels more likely. Apple’s stance on privacy and security is abundantly clear at this point, as demonstrated by its approach to the Touch ID feature (which Franken previously investigated in a similar way). None of that will stop people freaking out about the feature, and, coincidentally or not, the Economist magazine’s cover story this week is about the dangers of companies collecting facial data. But Apple is storing this data on the device, in a way that keeps it inaccessible to anyone but the user and unusable for purposes other than those intended by Apple and approved by the user.
Instagram Says Error Allowed Hackers to Obtain Celebrity Email Addresses, Phone Numbers (Aug 30, 2017)
The UK National Health Service and many other corporate and government systems around the world are being attacked by ransomware that relies on NSA hacking tools targeting Windows, which were leaked earlier this year. Though Microsoft issued a patch for the affected vulnerability in March, many organizations haven’t applied it, which is not uncommon, especially in large, distributed organizations with many computers that aren’t “owned” by a particular end user or subject to any blanket policy on such updates. Though the motive appears to be financial – the hackers are demanding bitcoin in return for unlocking the affected machines – the attack’s immediate impact has been disruption, as operations have been canceled and medical centers closed, among other things. It’s a salutary lesson on the importance, for both individuals and businesses, of applying OS upgrades and patches in a timely fashion, but also a reminder of the vast reliance on aging machines and software across the corporate world. It’s also the kind of thing that’s dramatically less likely to affect web-based or more locked-down systems like ChromeOS, Apple’s iOS or macOS, or even Microsoft’s new Windows 10 S. But given the prevalence of older versions of Windows in enterprises and government departments, that’s not going to help much anytime soon.
HP Laptops with Conexant Secretly Maintain Log of Keystrokes (May 12, 2017)
Microsoft Hires Head of Privacy and Data Security from FTC (Apr 28, 2017)
This is a great move from Microsoft, which has been at the forefront of recent legal cases over data privacy and security, as it reinforces its commitment to these issues at a time when threats to both security and privacy are increasing. Putting a high-profile individual explicitly in charge of this area is a great symbolic move, but if done right it should also ensure that these issues are examined in every aspect of Microsoft’s business. So far, Apple has arguably been the strongest champion of privacy as a guiding force among the major tech companies, but this move could see Microsoft become a more prominent advocate too. Worth noting: Brill, the FTC official in question, won’t start at Microsoft until the summer.
Apple fans, Android world scramble to patch Broadcom’s nasty drive-by Wi-Fi security hole – The Register (Apr 6, 2017)
There are two interesting things here, both worth discussing briefly. Firstly, Broadcom, which provides chips for many popular smartphones including the iPhone, has a vulnerability in its Wi-Fi chip that can be exploited over the air, giving an attacker a way into the device. Apple issued a patch this week to deal with the issue, and Android vendors will be working to close the vulnerability too, though there’s no specific timeframe yet, highlighting yet another challenge with Android’s fragmented ecosystem. The second interesting thing is that the vulnerability was discovered by Google’s Project Zero team, which is set up to find vulnerabilities like this and get them fixed, and has been doing great work lately doing just that, including on non-Google devices like the iPhone. Vulnerabilities like this are always worrying, and it’s great to have Google out there with what seems like a strong team detecting them and notifying the affected vendors so they can patch the issues.
via The Register
We’re talking here about Tizen, Samsung’s alternative operating system which it uses for smartwatches, TVs, and to a lesser extent phones, and some security researchers are claiming there are widespread security vulnerabilities in that software. Some of the characterizations in this article seem like a bit of a stretch – it would be very odd indeed if Samsung had done as little to provide security in Tizen as the researcher quoted suggests. But these allegations are becoming part of a pattern recently in relation to Samsung, between the Wikileaks smart TV story, the more recent (and more serious) story on smart TV hacking through broadcast signals, and now this. It’s particularly problematic for Samsung because it has worked so hard over the last few years to develop Knox, its enterprise security solution, which is best in class in the Android world. It simply can’t afford to get a reputation for poor security when it’s trying to become the de facto standard for Android devices in the enterprise, and needs to address these vulnerabilities – and the broader claims – quickly and definitively.
via The Verge
This makes tons of sense – there’s never been any meaningful synergy between the core Intel chips business and the McAfee business, and separating it off frees Intel up to focus entirely on its core, where it has plenty of work to do already given the maturity of the PC industry, its struggles to break into mobile and other newer areas, and the new threats in its data center business.
Whereas the CIA / Wikileaks stories about Samsung smart TVs being hacked were somewhat overblown (they largely affected older TVs and required physical access to sets), this hack is more worrying because it would affect newer TVs and could be delivered remotely. However, for any kind of widespread effect, it would require hacking into a broadcast or IPTV stream, which in itself would be no mean feat, and of course would only work on TVs that happened to be accessing that stream during the time when it was compromised. Still, the broader worry here is, once again, that any device connected to the internet is at least theoretically vulnerable to hacking, and devices such as TVs with less sophisticated security systems than computers and smartphones are often the most vulnerable and hardest to patch.
This story has been somewhat misreported, although this article does a decent job. A hacking collective is claiming to have lots of username/password pairs for iCloud accounts, but the source of the data appears to be a breach of some other site or sites rather than any of Apple’s own. That breach then seems to have given the hackers iCloud.com email addresses along with the passwords used on those other sites, which they could try against iCloud services as well. In other words, this isn’t an Apple hack at all; it is a credential-stuffing attack that only works because people reuse passwords across multiple sites. Using two-factor authentication and unique passwords is therefore still the best defense against this kind of thing, although Apple still has to deal with the headache of both false claims and threats from this hacking group.