Best of the Checklist: January 2nd, 2019
The Checklist is taking a little holiday break this week, but we’ll be back on the 9th of January with a new podcast. Until then, we’d like to invite you to check out these classic Checklists you might have missed, especially as they touch on topics that have been in the news of late!
In what follows, we’ll let you know what’s been going on in the world of cybersecurity for the past week, and then we’ll point you to a Checklist where you can learn more.
This Best of the Checklist covers:
- Ransomware and the Coast Guard
- Restaurants, cybersecurity, and you
- Apple in court
Ransomware targets everyone
The BBC reported this week that a US Coast Guard facility suffered a ransomware attack that knocked critical systems offline for up to 30 hours. So what was the sophisticated delivery vector that managed to compromise a government installation run by the world’s most powerful military? Apparently, a malicious link in an email, clicked on by an unwary employee of the base.
We’ve talked before about ransomware on the Checklist and on our blog, noting the growing threat to governments as well as healthcare facilities. More and more organizations, both public and private, are experiencing ransomware attacks — and unfortunately, these attacks often succeed due to “human error”: someone within the organization clicking on a malicious link or falling for a social engineering tactic.
That’s why it’s always a good time for a ransomware refresher, which is the topic of segment two of Checklist 163 (starts at 10:08). Remember, ransomware attacks are largely indiscriminate, and affect everyone from home users to the U.S. military! So have a quick listen to make sure you know how ransomware works…and how to deal with an attack.
Data breach at the diner
This week, the Houston-based restaurant company Landry’s disclosed that they’d found evidence of malware on their payment processing networks — malware which was attempting to access customer credit card data. (If this sounds somewhat familiar, it may be because we reported a similar incident in April involving a different restaurant group.)
Landry’s, to its credit, had already taken steps to protect its point-of-sale card reader devices with end-to-end encryption. Any malware on the network accessing data sent from these protected devices would only be able to capture encrypted (and thus unreadable) customer data.
So what’s the issue? Enter our old friend “human error”: It seems that restaurant waitstaff had, from time to time, accidentally swiped customer credit cards in the swipe card readers at their own order-entry terminals (an understandable mistake if you’ve ever worked a dinner rush in a busy restaurant).
Unfortunately, these order-entry swipe card readers were only ever intended to be used with employee ID cards and Landry’s Reward Cards — and thus were not protected with end-to-end encryption as the payment processing card readers were. Any credit card data accidentally sent to the payment processing network from the unprotected order-entry card readers would have been unencrypted, and thus visible to the hackers who installed the malware.
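One defensive pattern this failure mode suggests is to make the unencrypted order-entry reader refuse anything that looks like a payment card before it leaves the device. The following is an added illustration, not code from the article or from Landry's systems; the track-2 layout is standard, but the `%EMP`/`%REW` badge and reward-card formats and the sample swipes are constructed assumptions.

```python
import re

# Track-2 style swipe: ";<PAN>=<YYMM><service code><discretionary>?"
TRACK2_RE = re.compile(r"^;(\d{13,19})=(\d{4})(\d{3})(\d*)\?$")
# Constructed formats for the only cards an order-entry reader is meant to accept.
EMPLOYEE_RE = re.compile(r"^%EMP(\d{5})\?$")
REWARD_RE = re.compile(r"^%REW(\d{10})\?$")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test that payment card PANs satisfy."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits only, for an audit log entry."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def gate_swipe(raw: str) -> dict:
    """Decide what the order-entry terminal does with a swipe. Default deny:
    only employee badges and reward cards are forwarded; anything that parses
    as a payment card is dropped before it reaches the unencrypted network."""
    m = EMPLOYEE_RE.match(raw)
    if m:
        return {"action": "forward", "kind": "employee_badge", "id": m.group(1)}
    m = REWARD_RE.match(raw)
    if m:
        return {"action": "forward", "kind": "reward_card", "id": m.group(1)}
    m = TRACK2_RE.match(raw)
    if m and luhn_valid(m.group(1)):
        # Full track data is discarded here; only the masked PAN is kept for the log.
        return {"action": "drop", "kind": "payment_card", "id": mask_pan(m.group(1))}
    return {"action": "drop", "kind": "unknown", "id": None}


# Constructed sample swipes (the PAN is a well-known Visa test number, not a real card).
SAMPLE_SWIPES = [
    "%EMP00042?",
    "%REW0000123456?",
    ";4111111111111111=25121011234567890123?",
    ";4111111111111112=2512101?",  # fails Luhn: not a card, still dropped
]

if __name__ == "__main__":
    for swipe in SAMPLE_SWIPES:
        print(gate_swipe(swipe))
```

The point of the default-deny branch is that an unexpected format is never forwarded, so a mistaken swipe of a card the reader was not designed for cannot reach a network segment that was never built to protect it.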
The story is important even if you aren’t a Landry’s patron (and if you are, you should probably keep an eye on your credit card statement and credit history for the next few months). It underscores the difficulty involved in safely handling credit card data, even when companies are being conscientious and trying their best to protect their customers.
It’s also a great reason to learn a little more about how companies secure (or fail to secure) your credit card data — as well as what options are available to you to protect yourself. That was the subject of Checklist 168’s first segment, so if you missed it, give it a listen (starts at 1:20).
Apple’s lawsuit against Corellium
Last week, the BBC reported that Apple is moving ahead with its lawsuit against Corellium, a company which provides iOS virtualization software — software which Apple claims to be outright copyright infringement.
Virtualization software is a legitimate (and essential) tool used by developers and security researchers to emulate various operating systems on their own machines. But Apple is notoriously secretive about iOS, and until very recently, only company insiders could really see what was going on “under the hood” of an iPhone.
The one exception to this elite club, however, has always been the jailbreak community: independent developers and researchers who exploit flaws in the iOS codebase to gain unauthorized administrative privileges within the OS, a practice known as “jailbreaking”. Using their new administrative powers, jailbreakers are able to modify the operating system, perform security research, and run unapproved apps on their iPhones.
By providing an iOS virtualization tool, Corellium could be seen as enabling, or even encouraging, jailbreaking. Corellium maintains that their software is a security research tool that benefits both Apple and iOS users, and claims that the lawsuit is part of Cupertino’s “persistent demonization of jailbreaking”. Apple, obviously, disagrees.
The issue of jailbreaking is interesting in its own right, but also in that it provides some insights into how Apple operates as a company — especially vis-à-vis the third-party security research community. To learn more about jailbreaking, check out the second segment of Checklist 151 (starts at 11:08). And to hear about one man’s attempt to create an “alternative App Store” for iPhones which doesn’t require jailbreaking, listen to segment two of Checklist 157 (starts at 12:30).
As always, if you have a security question or would like to suggest a topic for a future Checklist, drop us a line at Checklist@SecureMac.com — we’d love to hear from you!