SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 118: Australia Ruins Everything

Posted on December 13, 2018

With the New Year starting to peek over the horizon, The Checklist is heading to Oz in this week’s discussion, not in terms of “The Wizard of,” though, but “Australia!” There’s a story from Australia this week that has us quite cross, though we also have something to be happy about as Apple starts giving Safari users more options for safety. We’ll follow that with an update on a story we brought you last week that, while not objectively good, still gives us some good feelings; sometimes it’s nice to know who you’re up against, after all. With that said, this week we’re checking off the following items:

  • Australia ruins EVERYTHING
  • Security hardware goes on Safari
  • Which government wants to know where you’re sleeping?

So, what’s going on down under that we’re so upset about this week? Let’s dive into the details…

Australia Ruins Everything

The fight between world governments and tech companies over the appropriate role of encryption has been going on for years, and it’s a bit like watching a car crash in slow motion: it often looks like no one is going to come out of the process unscathed. Worse still, the bystanders (average users, in the real scenario) will probably end up caught in the mess too. While the idea of fighting the bad guys by letting the good guys get past encryption might sound good, the real effect is that everyone’s security is compromised. Encryption can’t tell a “good guy” from a “bad guy”: if law enforcement has a back door, the same door is there for anyone who finds it, steals the key, or has it leaked to them.

Nonetheless, Australia has pushed forward with its own attempt to fight fire with gasoline. According to Ars Technica, Australia’s Parliament recently passed a new law (the Assistance and Access Act 2018) aimed at tilting the balance in law enforcement’s favor. The new rules, long sought by Australia’s government, let agencies require companies to build methods for giving law enforcement access to encrypted messages once a valid warrant is presented. Companies that don’t comply face fines of up to A$10 million, while individuals who refuse can be hit with a penalty of A$50,000. In other words, Australia wants to put a stake through strong encryption.

A multi-million dollar fine might not mean much to a company like Apple, whose legal retainer is surely many times A$10 million, but the penalties aimed at individuals are also a cause for concern. The way the law reads, an individual who refuses to help law enforcement get into encrypted messages seems to face not only a massive fine but potentially jail time on top of that.

As if all that wasn’t bad enough, Australia’s law asks for the impossible. It also stipulates that companies may not be compelled to create “systemic weaknesses” or “vulnerabilities” to meet the law’s requirements. Of course, Parliament hasn’t decided what those words mean yet; that’s still to be hashed out in amendments to the law.

Regardless of how they end up being defined, the requirement can’t be met. At its core, encryption is just math. Any mechanism that lets a third party read messages the sender and recipient meant to keep private is, mechanically, an extra key or an extra code path that accepts one, and that key or code path works for whoever holds it, not just the government. That is a systemic weakness by construction. Once a government receives a decryption capability, potentially anyone could end up with it; remember how the US’s own NSA had its hacking tools and sensitive data leak just last year? Simply put, no one can truly be trusted with a way to override encryption at will, and entrusting companies with such a capability means putting a giant target on them.

Here’s the thing about all this: the problems extend beyond Australia’s borders, since the other “Five Eyes” partners have publicly called for the same kind of access, and Australia’s law is likely to serve as their template. What is “Five Eyes?” It’s an intelligence-sharing arrangement between five countries: Australia, the US, the UK, Canada, and New Zealand. In other words, this issue could start impacting stateside users someday.

With Apple’s strong focus on user privacy and security, you’d expect them to have something to say about all this, and you’d be right. An industry coalition Apple belongs to, Reform Government Surveillance, issued a statement decrying the new legislation as “deeply flawed, overly broad, and lacking in adequate independent oversight.” So, what will be the ultimate outcome of this law? For now, it’s hard to say, but you can bet we’ll be hearing about it again soon.

Security Hardware Goes on Safari

Speaking of Apple’s commitment to user privacy and security, they’ve got a new security idea, except it’s quite an old security idea. According to Apple Insider, Apple has started testing support for USB security keys in Safari. In the company’s newest Safari Technology Preview, Apple added support for the Web Authentication API, better known as WebAuthn. WebAuthn is a W3C web standard that lets a website ask the browser to talk to a hardware authenticator, such as a physical USB security key, and log the user in with a cryptographic signature instead of a password.

Now, this idea is nothing new; in fact, we’ve talked about these devices before in a few past episodes of The Checklist. There, we spoke about hardware tokens such as products developed by RSA. Apple’s idea is a little different from the two-factor tokens made by RSA, which display a changing code that you type in. A WebAuthn security key doesn’t store passwords at all, and it gives you no code to type. When you enroll the key with a site, it generates a fresh public/private key pair just for that site; the site keeps the public key, and the private key never leaves the device. At login, the site sends a random challenge, the key signs it after you tap the button, and the site checks the signature against the public key it stored. You could then securely log in, never even typing a password (and, with the right setup, no username either), using your USB stick. It could also be the “key” required to unlock software or a website.

Overall, it’s a good idea, and in one important respect it’s stronger than Google Authenticator or the RSA tokens we just mentioned. A six-digit code can be typed into a fake login page and relayed to the real site; a WebAuthn signature can’t, because it covers a fresh challenge and the address of the page the browser is actually on, so a signature made for a look-alike site is rejected by the real one and can’t be replayed later either. The contents of the USB stick don’t change, but what it sends does, every single time. Since this is still a technology preview, it’s entirely possible that further improvements will come before any official release, and since this looks like a part of Apple’s on-going push into the enterprise sector, we imagine they’ll do everything they can to make it as appealing as possible to security-minded businesses.

While Apple could hardly be said to have done poorly on security in the past, not everyone casts a positive light on this development. An article in Engadget, for example, chided Apple for merely testing a feature that users already get as standard in many other browsers. Engadget notes that Firefox and Chrome both already have WebAuthn support built in, and sites from Twitter to Facebook already support it as well. It’s a fair point that Apple is a little late to the game here, but that’s OK; we think “better late than never” applies well in this situation.

Which Government Wants to Know Where You’re Sleeping?

Capping off today, we’ve got a follow-up on a recent item from The Checklist: good news on the Marriott hack. Well, it’s not good news; globally speaking, it’s quite bad news, but for the average user it’s probably good news. CNET reports that investigators, speaking anonymously, believe a Chinese intelligence operation was responsible for the massive attack on Marriott that led to the vast data breach we discussed, in which hundreds of millions of guest records were stolen from the Starwood reservation database. Hotels impacted included Starwood brands such as Westin, Sheraton, Aloft, Four Points, and many others, leaving many people wondering and worrying about whether their information was compromised. Now, it seems that the hackers were working for China’s Ministry of State Security.

It might seem strange to feel good about this news, and indeed, the geopolitical consequences are probably going to reverberate for a while. But casual travelers probably have much less to worry about than they would after a criminal breach, and likely won’t be seeing their information turn up on the dark web any time soon. That said, any time state-sponsored hackers are involved in an operation like this, it’s cause for concern. After all, there is no telling what they wanted with the data. Foreigners traveling to and living in China, for example, may be especially concerned. It could be information China uses to start a crackdown within its own borders based on analysis of the data.

All this comes at a time of high tensions in the world of technology between the US and China. After all, it was only recently that Huawei’s chief financial officer, Meng Wanzhou, was arrested in Canada at the US’s request on charges related to sanctions violations. Is it possible that the hack was just China flexing its proverbial muscles? Maybe, but there’s no way to know when the sources are anonymous. Still, the average traveler is probably safe; that’s good news in our book.

Wouldn’t it also be something if China somehow turned out to be behind the Dunkin Donuts hack we also covered last week? It would certainly make for an interesting update, at least — for now, though, that’s all we have for you today. There are still tons of new developments coming out in the world of security every day, though, and even as the holidays approach and the year marches towards its end, we’ll be busy chasing down leads for our next episode.

Missed last week’s episode and don’t quite have all the details you need about the Marriott hack? Find that episode, plus every other episode going all the way back to the beginning, right here in the Checklist Archives. Complete show notes let you skim for the info you need, while the original audio also awaits for those who prefer kicking back and listening to the discussion. Those things plus links to bring you to more info about all our stories will keep you “in the know” and aware of what’s going on out there.
