Newsletter
08.24.2021 | 5'' read
Should I worry about iOS zero-click exploits?
- The most clicked link from last week’s issue was Corellium’s Open Security Initiative, a program offering cash grants for hackers to “validate any security and privacy claims” made by Apple or any other mobile software vendor.
Personal notes.
- Security Conversations is looking for paid interns to help with podcast transcripts, audio+video editing, and social media shenanigans. Ping me directly (naraine@gmail.com) with your resume.
- I’ll be interviewing Peloton’s new CISO Adrian Stone to kick off this year’s SecurityWeek CISO Forum. Adrian’s been around the security block and will have some incredible stories to tell.
Monday blues.
Another day, another zero-day. In Apple’s case, another frightening zero-click iOS exploit hitting iPhones without any user interaction whatsoever. Imagine the helplessness of receiving a blue-colored iMessage and, boom, just like that, your fully patched iPhone is compromised. That’s the news I woke up to this morning (read my story on SecurityWeek) and that’s the impossible challenge Apple faces to keep the iPhone away from apex threat actors.
Apple’s statement to Zack Whittaker at TechCrunch puts things into perspective:
Apple’s head of security engineering and architecture Ivan Krstic said: “Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place … Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
Apple added it continues to work on new iMessage security tech slated for release in iOS 15 next month.
My bet is we’ll see an emergency iOS update very soon. In the meantime, I agree with The Record’s Catalin Cimpanu that the rest of us should not panic about this in-the-wild exploitation.
“Since FORCEDENTRY is currently a carefully guarded exploit in the arsenal of a surveillance vendor and deployed in very limited and targeted operations, the danger to most iOS users is low until Apple learns more and releases an official fix. However, the danger is high for individuals who have their own government and NSO Group in their threat model.”
In the meantime, here’s your not-so-constant reminder to reboot your iPhones weekly as a useful security measure.
_ryan
On to the newsletter…
People movements.
- Fermin J. Serna is the new Chief Security Officer at Databricks.
- Former Box CISO Lakshmi Hanspal is the new global CSO at Amazon Devices & Services.
- Splunk has tapped Pamela Fusco as its new security chief.
- Ross Hosman has landed the gig as CISO at Drata.
Nation-state APT things.
- Kim Zetter reports on hackers releasing surveillance footage from inside an Iranian prison. This appears to be linked to the MeteorExpress wiper hack I wrote about in July.
- The U.K. government’s NCSC provides a range of free cybersecurity tools and services to eligible organizations as part of the Active Cyber Defense (ACD) program.
- A security researcher has discovered a web attack framework developed by a suspected Chinese government hacking group and used to exploit vulnerabilities in 58 popular websites to collect data on possible Chinese dissidents.
- As is customary, Kaspersky GReAT’s quarterly threat landscape report contains some juicy nuggets.
- From Analyst 1: “For the first reported time, we uncovered connections between two Russian intelligence directorates, the SVR and FSB — in collaboration with a ransomware gang, working together to compromise US government affiliated organizations between October and December 2020.”
Ransomware and cyber-insurance.
- The FBI has issued a flash advisory (.pdf) with IOCs linked to a new ransomware operator called the ‘OnePercent’ Group.
- Cyberscoop’s Tim Starks looks closely at how soaring ransomware infections have radically altered the cyber-insurance landscape.
- TrustedSec’s Stephen Marchewitz asks an important question: Is cyber-insurance becoming worthless?
- American International Group (AIG) is tightening terms of its cyber-insurance, noting that its own premium prices are up nearly 40% globally, with the largest increase in North America.
- Chubb CEO Evan Greenberg says the rising prices of insurance against cyber attacks fail to take account of the potential catastrophic effects of a widespread attack.
Readables.
- Academic researchers propose two plausible victim models and analyze, from an attacker’s perspective, how RansomClave can protect cryptographic keys from each type of victim (pdf): “We find that some existing mitigations are likely to be effective during the key generation and encryption phases, but that RansomClave enables new trustless key release schemes that could potentially improve attackers’ profitability and, by extension, make enclaves an attractive target for future attackers.”
- Researchers Thijs Alkemade and Daan Keuper publish technical details of the Zoom zero-click remote code execution exploit that netted them a Pwn2Own 2021 victory.
- DEVCORE’s Orange Tsai has a new post up on the ZDI blog describing the three ProxyShell vulnerabilities he chained into a winning Microsoft Exchange exploit at Pwn2Own.
- Speaking of ProxyShell, the live attacks keep piling up.
Tangentially.
- Microsoft’s John Lambert has an infosec graphics game with few equals.
P.S. Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Subscribe directly: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.