During a security presentation at Apple’s Worldwide Developers’ Conference, the company revealed the deadline for all apps in its App Store to switch on an important security feature called App Transport Security — January 1, 2017.
“Today, I’m proud to say that at the end of 2016, App Transport Security is becoming a requirement for App Store apps,” Apple’s head of security engineering and architecture, Ivan Krstic, said during a WWDC presentation. “This is going to provide a great deal of real security for our users and the communications that your apps have over the network.”
App Transport Security, or ATS, is a feature that Apple debuted in iOS 9. When ATS is enabled, it forces an app to connect to web services over an HTTPS connection rather than HTTP, which keeps user data secure while in transit by encrypting it.
The “S” in HTTPS helpfully stands for secure and you’ll often see it appear in your browser when logging into your banking or email accounts. But mobile apps often aren’t as transparent with users about the security of their web connections, and it can be hard to tell whether an app is connecting via HTTP or HTTPS.
Enter ATS, which is enabled by default for iOS 9. However, developers can still switch ATS off and allow their apps to send data over an HTTP connection — until the end of this year, that is. (For technical crowd: ATS requires TLS v 1.2, with exceptions for already encrypted bulk data, like media streaming.)
At the end of 2016, Apple will make ATS mandatory for all developers who hope to submit their apps to the App Store. App developers who have been wondering when the hammer would drop on HTTP can rest a little easier now that they have a clear deadline, and users can relax with the knowledge that secure connections will be forced in all of the apps on their iPhones and iPads.
In requiring developers to use HTTPS, Apple is joining a larger movement to secure data as it travels online. While the secure protocol is common on login pages, many websites still use plain old HTTP for most of their connections. That’s slowly changing as many sites make the arduous transition to HTTPS (Wired has been particularly good at documenting the process).
Yahoo admitted today that some of its employees were aware of the theft of 500 million users’ data as early as 2014 — years before Yahoo publicly acknowledged the hack.
The hack, which Yahoo has attributed to an unnamed “state-sponsored actor,” occurred in late 2014, and according to today’s filing with the Securities and Exchange Commission, it seems Yahoo detected it early on.
“In late July 2016, a hacker claimed to have obtained certain Yahoo user data. After investigating this claim with the assistance of an outside forensic expert, the Company could not substantiate the hacker’s claim. Following this investigation, the Company intensified an ongoing broader review of the Company’s network and data security, including a review of prior access to the Company’s network by a state-sponsored actor that the Company had identified in late 2014,” Yahoo said in the filing.
Yahoo also reported that 23 consumer class action lawsuits have been filed in response to the breach, but that it’s too early to estimate monetary damages. It estimates the hack has led to a loss of $1 million so far.
The question of when Yahoo learned of the breach is essential to its planned sale to Verizon. Verizon has reportedly asked for a $1 billion discount in light of the breach, which was not disclosed until after the September sale even though Yahoo CEO Marissa Mayer allegedly learned of the breach in July. (Disclosure: Verizon owns TechCrunch.)
In today’s filing, Yahoo says it has formed an independent committee to review “the scope of knowledge within the Company in 2014 and thereafter regarding this access, the Security Incident, the extent to which certain users’ account information had been accessed.”
Senator Mark Warner has asked the SEC to investigate what Yahoo knew about the breach and when it knew it, citing an earlier Yahoo filing that claimed the company was not aware of any security breaches. “Yahoo’s September filing asserting lack of knowledge of security incidents involving its IT systems creates serious concerns about truthfulness in representations to the public,” Warner said in a statement.
In the past I’ve tried to emulate Mark Zuckerberg. Become a billionaire, celebrity, philanthropist, wear a sweatshirt or t-shirt everyday, drop out of college and don’t have to go to class anymore, what’s not to like? Sadly, for the most part, it hasn’t worked out so well for me.
For example, after seeing The Social Network I got exceptionally drunk and tried to write a college midterm paper – a la Zuck’s coding of the predecessor to Facebook while toasted. I read my essay the next morning and was genuinely amazed by how few actual words I had used in the six-page paper that I had written. While I was excited that I had created some kind of new language, I also realized that at best I was a J.R.R. Tolkien imitator and, sadly, not a budding Facebook billionaire.
As a result, I realized that maybe emulating Zuck wouldn’t work for me – I decided I probably shouldn’t drop out of college or wear sweats to my next job interview. Luckily there is more than one way to skin a cat. Today we can all be like Mark Zuckerberg and at the same time protect our privacy.
Earlier this year Instagram hit 500 million active users and in commemoration Zuck posted the above photo to his Facebook page. It’s a nice photo and if that was all it was I guess I could write a story about Mark Zuckerberg’s beautiful smile.
Instead, one sharp twitter user – @topherolson – noted that Mark had inadvertently revealed three things:
That his Mac camera is covered with tape.
That his Mac microphone is covered with tape.
That his email client is Thunderbird.
Mark Zuckerburg is clearly worried about his cyber security – he is a high value target who has been hacked before – so instead I’m writing an article about the steps that Mark Zuckerberg takes to protect his privacy and why security experts think we muggles should all do the same.
Why you’re at risk
We live in an age of ever increasing connectivity and reliance on technology. At the same time, and as a direct result, we also live in an age where the NSA has the power to monitor emails and text messages sent by the American people. Not to mention the ability to secretly tap into hundreds of millions of Google and Yahoo accounts worldwide, where nearly one million new malware threats are released every day and where hacking costs the global economy an estimated $575 billion on an annual basis.
So yes, if you have a computer, if you use a phone, if you use email, you are at risk of being hacked.
While it might be easy to conclude that Mark Zuckerberg is your garden variety paranoid, eccentric, billionaire when he tapes over his laptop’s microphone and camera, in reality he is protecting himself against a risk that we all face.
Zuckerberg is protecting against “ratting.” While this might sound like some form of particularly painful medieval torture technique, it is actually slang for a Remote Access Trojan cyberattack (a uniquely modern torture technique). A RAT is a form of malware which, if successful, can give a hacker remote control of your computer – including your webcam and microphone.
Today the risk of this kind of attack is high –
70 percent of malware consists of Trojans and the most easily deployable of these is the RAT whose source code often only costs $10 to $50. Hackers can use this control to do a wide range of bad things to you:
Hijacking control of personal computers.
Watching and logging your keystrokes
Downloading, uploading, or deleting files
Destroying your CPU through overclocking
Installing additional viruses and worms
Editing your Windows registry
Using your computer for a denial of service attack and to otherwise infect friends and family
Stealing passwords, personal identification information, and credit card numbers
Wiping your hard drive
Installing hard to remove boot-sector viruses
And even to spy on victims through remote control of webcams and microphones.
For Zuckerberg this could mean the theft of sensitive Facebook business and personal data which could cause harm to Zuck personally, to employees, to his business, and to customers. However, by taping over his webcam and microphone Zuck has protected himself (and us all) against the worst of cybercrimes – the release of the first Mark Zuckerberg sextape – a true crime against humanity.
Billionaires aren’t the only ones in jeopardy
RAT attacks don’t just happen to those with billions at stake.
Amy Wright, was a 20-year old student at the University of California at Irvine – a far cry from a billionaire executive like Zuckerberg – when she was hit with a RAT attack.
GQ reported that Wright received an IM from mistahxxrightme, asking her for webcam sex. Amy said no. Mistah X IMed her again and said that he knew all about her. He described the color of her dorm room walls, her sheets, the pictures on her wall, her “pink vibrator”, and then finally sent her an image file. It was a picture of her in her room naked and having webcam sex with her boyfriend, James Kelly.
The “sextortion,” as it has been called, didn’t stop there.
Next Mistah X sent an IM to James Kelly’s ex-girlfriend, Carla Gagnon, asking her for webcam sex before sending her a video of her in the nude. Then he contacted Kelly and told him he had control of his computer. Mistah X taunted Kelly.
James tried to talk to Amy, but as soon as he did Mistah X sent him a message – “I know you’re talking to each other right now!” When Amy called the police, and the hacker messaged her, “I know you just called the police.”
It took the involvement of the FBI Cyberdivision to finally catch Mistah X – a 32-year old undocumented immigrant confined to a wheelchair and obsessed with Professor X from The X Men.
In total, he’d sextorted 230 victims and captured 15,000 webcam-videos, 900 audio recordings, and 13,000 screen captures. He was not part of any cybergang, but instead he was just one frustrated and depressed individual with access to a laptop.
Imagine the harm that an organized group of cybercriminals could do – in 2014, a website opened that played live video from thousands of webcams in over 250 countries.
These attacks aren’t going away any time soon
The problem is that RATs are cheap, require relatively little technical skill, and as Scott Aken, a former FBI cyberagent explains, there are too many RATs in existence for law enforcement to bring them all down.
It’s also relatively easy to infect computers with RATs.
Cyberextortionist gang the Cryptolocker managed to gross over $30 million in 2015 alone. Cybercriminals can see the ROI of these kinds of attacks and so they will only increase in number, both on high value targets and on individual consumers – particularly young women.
The Mark Zuckerbergs of the world and mere mortals alike need to protect themselves from these attacks. It is important to take steps to beef up the security of your devices by:
Ensuring your antivirus software is installed and always on.
Regularly changing secure passwords (and especially changing from the factory password)
But in the end security experts – along with Mark Zuckerberg – think that, however secure your device is, it won’t be enough to stop a determined cybercriminal.
Last year NTT tested the top antivirus products and concluded that 50 to 70 percent of malware made it past their virus scanners – new types of malware are being created faster than security companies can detect or protect against them. And when you might be up against the NSA – whose GCHQ program selected random Yahoo webchat users to surveil, the FBI, and increasingly organized (and often state-sponsored) cybercriminal gangs, it’s safe to assume that their attacks could be more powerful than your defense.
As a result, experts think that we should all steal a page from the paranoid billionaire playbook and take the basic security measure of covering our webcam and microphone when they are not in use. Lysa Myers, a security researcher at the Data Security firm ESET said in an email to the NYTimes:
Covering the camera is a very common-sense security measure. If you were to walk around a security conference, you would have an easier time counting devices that don’t have something over the camera.
So let’s all do the smart thing and copy the security experts and the boy genius – FBI director James Comey is doing the same. Comey told NPR that he covers his laptop camera and microphone, “because I saw somebody smarter than I am had a piece of tape over their camera.”
And it’s easy to do. You can cover your camera and microphone with a post-it note, duct tape, painters tape, cute cat stickers, invisible tape, washi tape, or even spring for a sticker expressly designed for laptop camera and microphone security (to the tune of only $10).
While this might make you look paranoid, it’s an easy step to protect your privacy from the growing threat of cyberintrusion.
On the other hand, for those of you who think that you have nothing to hide, you can always follow the example of Matthew Green: “Because I’m an idiot,” replied Matthew Green, an encryption expert at Johns Hopkins University when asked why he doesn’t cover his cameras.
I have no excuse for not taking this seriously… but at the end of the day, I figure that seeing me naked would be punishment enough.
Black Mirror on Netflix– an anthology series that tackles our relationships with technology and how each bright moment today could potentially go awry tomorrow. With them, we’re exploring current and future tech trends; including the possible ramifications on personal relationships. This is the “bright side” of technology.
Hackers used internet-connected home devices, such as CCTV cameras and printers, to attack popular websites on Friday, security analysts say.
Twitter, Spotify, and Reddit were among the sites taken offline on Friday.
Each uses a company called Dyn, which was the target of the attack, to direct users to its website.
Security analysts now believe the attack used the “internet of things” – web-connected home devices – to launch the assault.
Dyn is a DNS service – an internet “phone book” which directs users to the internet address where the website is stored. Such services are a crucial part of web infrastructure.
On Friday, it came under attack – a distributed denial of service (DDoS) – which relies on thousands of machines sending co-ordinated messages to overwhelm the service.
The “global event” involved “tens of millions” of internet addresses.
Security firm Flashpoint said it had confirmed that the attack used “botnets” infected with the “Mirai” malware.
Many of the devices involved come from Chinese manufacturers, with easy-to-guess usernames and passwords that cannot be changed by the user – a vulnerability which the malware exploits.
“Mirai scours the Web for IoT (Internet of Things) devices protected by little more than factory-default usernames and passwords,” explained cybersecurity expert Brian Krebs, “and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.”
The owner of the device would generally have no way of knowing that it had been compromised to use in an attack, he wrote.
It has emerged that the BBC’s website was also briefly caught up in Friday’s attack. The BBC is not a customer of Dyn itself, but it does use third-party services that rely on the domain name system hosting facilities provided by Dyn.
I understand that these include Amazon Web Services – the retail giant’s cloud computing division – and Fastly – a San Francisco-based firm that helps optimise page download times.
Both companies have acknowledged being disrupted by the DDoS assault. Only some BBC users, in certain locations, would have experienced problems and they did not last long.
It serves as a reminder that despite the internet being a hugely robust communications system, there are still some pinch points that mean a targeted attack can cause widespread damage.
The incidents mark a change in tactics for online attackers.
DDoS attacks are typically aimed at a single website. Friday’s attack on Dyn, which acts as a directory service for huge numbers of firms, affected several of the world’s most popular websites at once.
The use of internet-connected home devices to send the attacking messages is also a relatively new phenomenon, but may become more common.
The Mirai software used in these attacks was released publicly in September – which means anyone with the skill could build their own attacking botnet.
On social media, many researchers and analysts expressed frustration with the security gap being exploited by attackers.
“Today we answered the question ‘what would happen if we connected a vast number of cheap, crummy embedded devices to broadband networks?’” wrote Matthew Green, an assistant professor at the Johns Hopkins Information Security Institute.
Jeff Jarmoc, head of security for global business service Salesforce, pointed out that internet infrastructure is supposed to be more robust.
“In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters,” he tweeted.
