Checklist 72: 2017 Security Review Part Two

Last week, we brought you Part One of our 2017 Security Year in Review. This week, we’ll wrap that up with Part Two! If you didn’t get a chance to check out Part One yet, the episode and its accompanying show notes are available right here in our archives. In it, you’ll find out about the highlights of the past year in both iOS and macOS security, including all the information you need to know about what the bad guys were up to in 2017. This week, we’re pulling back for a broader look at the “big picture,” a bird’s eye view with a particular focus on Apple. On our discussion list today, we’ve got:

• Apple’s 2017 security “wins,”
• Apple’s security “fails,” and
• The Supersized Security Threats of 2017

When you take a look at all the issues we covered in Apple OS security last week, you could choose to see them as evidence of many failures. On the other hand, it could be that they’re just indications of the complexity inherent to information and data security. These are big systems with lots of moving parts, after all. No matter how you choose to look at it, though, what is clear is that 2017 saw Apple do some things that we can put in the “win” column with confidence. We think the best place to start is with Apple’s response to the major leak of NSA-linked hacking tools and exploits last year.

Apple’s 2017 Security Wins

Arguably one of the biggest security stories of last year were those leaks of NSA tools by a mysterious group calling themselves the Shadow Brokers. While we’ll go deeper into that topic later in today’s episode, we think we can put Apple’s response to this serious set of security incidents down as a “win.” Some of the exploits that made their way into the hands of the bad guys could have targeted users on iOS and macOS, but Apple jumped in right away with word that they had already corrected the known vulnerabilities in previous updates. Of course users still had to do their part and apply those updates promptly, but as our listeners should know, that’s something you should be doing already.

While the impact from the Shadow Brokers leaks would end up affecting millions of machines around the world in one way or another, updated Apple devices remained secure against these particular threats. This was a heartening response to see, in line with the company’s stated dedication to user safety.

Next up on the list of “wins,” we have the long-awaited rollout of Apple’s new file system, APFS. Initially announced several years ago, word came at Apple’s WWDC 2017 event that APFS was finally ready to roll out to end users later that year. It arrived with the release of macOS 10.13 (that’s High Sierra) along with iOS 11. Why is a file system worth getting excited over? For one, it boasts a whole lot of “under the hood” security improvements to make it simpler to keep your files safer.

Performance got a big boost, too, especially for solid-state drives. APFS can keep track of trillions of more pieces of data than its predecessor, the now-ancient HFS. APFS also helps protect your data from corruption if your Mac or iPhone crashes. What about the way it encrypts your files when you want to keep them protected from prying eyes? APFS uses a new system for employing unique keys to lock down your data — and even its metadata, too. That means it’s now even harder for the bad actors out there to go snooping through your data.

Finally, we also saw some big gains in user privacy and security with the deployment of iOS 11 last year. The ways in which apps can access location data finally got locked down, and users received more ways to keep tabs on the way apps use their location. Apple also incorporated changes to the manner in which apps can use the camera and your photos, providing us with more peace of mind. If you’d like to take a deep dive into the subject of what Apple tweaked in iOS 11, we recently hit those subjects in Episodes 66 and 67 of The Checklist. Visit the show notes in our archive for full details.

Apple’s 2017 Security Fails

As we said earlier, this is a complex and complicated environment, so let’s be fair and look at the other side of things for a moment. In Episode 70, we covered a lot of information about Apple’s “No Good Very Bad Quarter of Security” — in some ways a bit scary, in others a bit funny, and we encourage you to take a listen if you haven’t yet. This only touched on some of the events in the last quarter of 2017. So let’s go back over what we covered, what we missed, and the ways that Apple failed in the security sector.

Two of the biggest “fails” we saw last year were the emergence of a severe flaw in the Home app and HomeKit-linked devices and the strange login vulnerability introduced in High Sierra that allowed anyone to log in as root without a password. While both these issues were severe and concerning, we’ve already covered plenty of ground on those topics in Episode 70. You can check out that show right here if you want to jump back now! One of the things we didn’t touch on in that episode, though, was the emergence of the Safari syncing bug — an issue that could have left your Internet history visible through iCloud. That sounds serious, so what happened here?

We know, from the company’s public statements, their development efforts, and their relationship to users that Apple places a high value on personal privacy and user safety. That was why, when news started to spread that there was a flaw in Safari that could expose a user’s browsing history to unauthorized third parties, the Internet lit up with anxious chatter about the issue. As the story unfolded, it became clear that even if a user had deleted their history, copies could still exist if they had used iCloud syncing at any point.

Many of us know that regularly cleaning out your browsing history is a smart move; it lets you exert some control over your privacy on the web while also reducing your digital footprint and eliminating unnecessary clutter on your computer. Naturally, the idea that your history could still exist out there somewhere even after you pressed “delete” caused a lot of concern. So what happened? It seems an issue with the way iCloud handled data storage meant that user histories were made invisible, but not deleted from the cloud. In other words, users who cleared their histories on their devices saw everything work as usual, but a copy still existed on Apple’s servers.

The result: a sufficiently bright individual with knowledge of this flaw could have possibly pulled these records back out of the cloud, tricking iCloud into forking over your private history. The data included the URL, the date you visited the site, and even the page’s title. While it won’t necessarily lead to having your credit card stolen, it’s still a gross breach of privacy.

Why did iCloud retain secret, hidden files like this rather than deleting them? It’s not clear, though it could have been a simple oversight. Either way, Apple made corrections to both lock down the leaking data and to reassure users that their information would not be kept unnecessarily. While it’s good that Apple fixed the problem, we think it’s one that shouldn’t have existed in the first place.

Last year also saw the discovery of a bug in Siri that could potentially allow thieves to hide from Find My iPhone. Smartphone theft is a grave issue that has only grown in prominence and prevalence over the last few years, especially for high-ticket items such as iPhones and iPads. For your device to be of any use to a thief who swipes it, though, they have to wipe the phone first. Whether they want to use it for themselves or they hope to pawn it off to someone else, your data has to go. With the right protections, such as a strong passcode, this is no easy task.

Meanwhile, once you realize your phone has been stolen, the logical step is to activate Find My iPhone, which allows you to lock your device down and even pinpoint its location. Not only does this keep thieves from getting to your personal information on the phone, but it also gives you a much better chance of recovering it. However, a German researcher discovered in 2017 that a bug in Siri on iOS 10.1 to 10.3 could let a thief cut off the phone’s cellular data connection — thus severing its link to Find My iPhone and you, the owner.

How? Well usually, Siri requests that you input the passcode if you ask her to “Turn off Mobile Data.” After doing this, an attacker would begin to request only “Mobile Data” instead. By locking the phone, turning Siri back on, and asking for “Mobile Data” one more time, the thief can trigger the exploit and fool Siri into displaying the toggle screen for the cellular connection. At that point, the bad guys just have to turn it off and then do whatever they wish with your device.

This is the only way around the protections of a phone with a passcode and its User Control Panel disabled — but that doesn’t mean the potential for abuse here doesn’t exist. Though this was eventually corrected and we’ve since moved on to iOS 11, older devices will remain vulnerable.

Unfortunately, Apple also let us down with regards to user privacy in one other way. There’s that old tagline that there’s an app for everything out there, right? In China, that’s not necessarily the case — in fact, it’s definitely not, as Apple removed Virtual Private Network (VPN) apps from the Chinese version of the App Store. While perhaps not surprising (other tech companies, too, have a long history of bowing to pressure from Chinese authorities), it is quite the letdown for users.

What’s the story here? The Chinese government exerts a level of control over the Internet that would shock Western users in its scope. In particular, China employs something commonly referred to as the “Great Firewall,” a country-wide set of Internet monitoring and filtering tools. This system makes it difficult or impossible to access foreign websites and pages containing specific banned content and information. Not only does this mean users take a big hit to privacy, but it can make using the Internet freely almost impossible. VPNs provide an easy way to circumvent the Great Firewall for people living and working in the country, opening the door to the unlimited Internet.

Apple’s decision to remove VPN apps from the Chinese App Store was no random or sudden choice, either. In January 2017, the Chinese government finally chose to crack down on users of these services, decreeing “unauthorized connections” to be illegal. Not long after, multiple developers with published VPN apps on the store received notices that their software “contained illegal content.” From there, their apps were delisted from the Chinese store, rendering them unavailable to users there.

We’ve always advocated for the use of reliable VPN connections on this show as a way to stay safe when connecting to public networks and to protect your browsing traffic from snoopers. Many businesses even require VPNs for employees to make secure remote connections for their servers. In our eyes, Apple’s decision to delist these apps is a big “fail” for user privacy.

The Supersized Security Threats of 2017

While we spend most of our time on The Checklist focusing on Apple products, it’s hard to ignore the fact that 2017 was a year in which deep and major security threats brought us all together, regardless of our platforms. It was also the kind of year that might make you think seriously about pitching all your electronics into the garbage and moving to a cabin the woods — we saw some of the biggest security breaches and attacks ever regarding scope and scale. Let’s run down the “winners” of the enormous security threats from the past year.

First up: The Shadow Brokers and their release of the NSA exploits that we mentioned at the top of today’s show. In April 2017, this group of hackers made it known that they had obtained a large cache of tools and materials stolen during a hack of the US National Security Agency. After trickling documents and some exploit information out to the public slowly over a few months — and after failing to find a bidder to buy the data — the Brokers simply began to dump major exploits and information about them onto the web.

Included in this series of tools were severe exploits that affected Windows-based systems. While some of them had already been patched before the release of the exploits, others were still in play and opened the door to all kinds of new malware. Because users had been slow to update, many of the patched exploits were still open as well. It’s a perfect example why you should keep up with security patching on all of your electronic devices, no matter the platform. This was a notable event not just for the severity of the exploits released, but also because a government agency had known about them and held onto the information for years. Within weeks of these exploits leaking out, we were already encountering the next biggest event of the year.

Next we need to discuss the continued rise of ransomware as major fast-moving attacks crippled systems worldwide more than once. In May 2017, the WannaCry/WannaCrypt ransomware attack ruined many a morning as it stormed the world, attacking vulnerable Windows machines via the ETERNALBLUE exploit released by the Shadow Brokers. In just the first day of action, almost a quarter of a million Windows machines ended up locked down and infected with WannaCry.

Among those affected were hospitals, with NHS locations in the United Kingdom reverting to pen and paper to track medical records and more. Banks, multinational corporations, and even average users were all swept up in this attack. As mentioned, the key infection vector was already patched, but slow adoption and old operating systems allowed the attackers to rake in tons of ransom money and sow widespread chaos. It was certainly one for the history books, and one we won’t soon forget.

The Equifax breach would be hard to ignore, though the company itself has tried its best to act as though not much was out of the ordinary. In September, the company disclosed that they had been the victims of a severe cyber breach. This was no average breach, though — the hackers stole data from Equifax that could cover as many as 145 million American consumers. That data might include everything from credit histories and scores to Social Security numbers and more.

It’s perhaps the biggest trove of sensitive personally identifiable information ever stolen in one attack. Now is a perfect time to remember to keep a close watch on your identity and your credit history. With the Equifax data out there, stealing someone’s identity could become much easier. We’re sure to continue hearing about this breach for quite some time, especially as the ramifications become clearer.

Also on our list for 2017: the discovery of the biggest spambot ever. Have you ever wonder where all that spam that ends up in your junk folder comes from? It might have been originating from this bot, discovered by researchers who found an insecure server that hosted the bot’s treasure trove of personal data. Over 700 million email addresses were on the rolls it used to generate and send spam! Had the spammers not left a proverbial side door open, we likely would never know about this bot, even as large as it is. This discovery highlights the growing difficulty of fighting back against spam, which remains one of the primary ways that malware makes its way onto our computers.

There’s also one more big issue that we could see ramifications from even into 2018 because it came right at the tail end of the year. Researchers probing the dark web for dumps of user information uncovered the biggest repository of stolen user data ever, and much of it appears to be still functional and valid. This database is not only massive, containing more than 1.4 billion sets of account credentials, it is also entirely unencrypted — so anyone who wants to connect to the dark web and access this information can do so.

Where did it all come from? So far, it looks like a mixture of new and previously unreported breaches combined with a large number of credentials dumped from known hacks. Altogether, it combines information from more than 250 separate hacks and breaches and is twice the size of the next largest password dump. This should make you consider that now is a great time to grab a password manager and set up some new, unique, and robust security codes for your accounts!

One thing is for sure when we look back at the past year — there was a lot of bad stuff, but there was a lot of good stuff, too. Did it all balance out?

If you’d like to go back and revisit any of our discussions from 2017 to learn more about some of these topics in depth, you can always find all our previous episodes and show notes right here. Have a question, or know of a topic you’d like to hear us discuss on a future episode? We’re always looking to hear from our listeners, so just send us an email to Checklist@SecureMac.com.