Archive for July 9, 2018

USB Restricted Mode Makes An Appearance In iOS 11.4.1

Posted in Commentary with tags on July 9, 2018 by itnerd

Apple released a number of OS updates today. One of them was iOS 11.4.1 and there was a big surprise when that appeared. I posted the details on Twitter the moment I discovered it:

 

USB Restricted Mode, which first came to light as a line item that didn’t get talked about during the World Wide Developers Conference is here. I spoke about why that matters here, but let me give you the elevator pitch version. It’s meant to disable USB access so that the Celebrite and GrayShifts of the world can’t break into your phone and extract data. That’s sure to annoy both of those companies. Though the latter claims that it is already “defeated.” I guess we’re about to find out as the adoption rate of iOS is insanely high. Thus this update will be in the hands of users quickly, and this feature will get turned on by those who value their security. I value my security so I’ve got it turned on. So should you. If you need more info on this new feature, Apple has a support document here.

Let the games begin.

UPDATE:

I posted a follow up Tweet in regards to this:

Advertisements

Polar Exposed Locations of Spies and Military Personnel…. Oops

Posted in Commentary with tags on July 9, 2018 by itnerd

Polar is a company that makes fitness gear like fitness trackers, heart rate monitors and the like. They also make an app that allows you to compile the data from their gear called Polar Flow. But Polar Flow has one extra feature” that is likely to make a lot of people nervous right now, the location data of people such as spies and military personnel was accidentally exposed to the planet. Here’s the details:

For most users who set their activity tracking records to public, posting their workouts on Polar’s so-called Explore map is a feature and not a privacy issue. But even with profiles set to private, a user’s fitness activity can reveal where a person lives.

An exposed location of anyone working at a government or military installation can quickly become a national security risk.

Well, that’s an oops moment. This is pretty similar to what happened to Strava not too long ago. And it’s not just GPS info. It’s info that could also allow someone to identify you. Which of course isn’t good. After the company was told about this, the company took the relevant functionality off line. Then they put out this statement…. Which was kind of strange to me when I first read it:

In a statement sent by Polar chief strategy officer Marco Suvilaakso, the company said it “recently learned that public location data shared by customers via the Explore feature in Flow could provide insight into potentially sensitive locations.”

The company denied a leak or a breach of its systems.

“Currently the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and are not affected in any way by this case,” said the statement. “While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API.”

Well, if this isn’t a leak of some sort, I don’t know what qualifies. Thus this is a strange response from the company.

This is the bottom line that you have to keep in mind when you use these sorts of apps. They collect a ton of data on you. Thus you have to be 100% comfortable with the fact that this data could get exposed at some point and someone could learn a lot about you.

Facebook Add On TimeHop Has Been Pwned By Hackers…. But They Are Handling The Pwnage Better Than Most

Posted in Commentary with tags , on July 9, 2018 by itnerd

First the bad news. TimeHop has reported it has had a breach affecting its entire user base of 21 million users worldwide. The “security incident” happened on July 4th when they had a “network intrusion”  which was interrupted by internal security teams. Which is good. But clearly it was not interrupted quick enough which is bad.

Here’s the good news. The statement that they put out regarding this is the best one that I’ve seen. They go into a great amount of detail about what happened, what the company is doing about it, and what’s the go forward plan. On top of that, they also even have a glossary to explain terms that users might not be familiar with. I’m very impressed by this and other companies should use this as a template for how to communicate about a “security incident” like this because this is straight from the top shelf.

So, if you’re a user of this add on, I’d go to the statement that I linked to and see what you have to do to protect yourself. Like I said, it’s very clear and well written and you should have no issue following their directions.