May 14, 2018

IBM bans USB drives – but will it work?

By Paul Ducklin

A job worth doing is worth doing well.

And when a job is worth doing well, it’s often worth going all-in.

A good example is how to quit smoking: you can try cutting down a bit in the hope of tapering off; you can try smoking milder cigarettes; you can try replacing your addiction to the nicotine in cigarettes with an addiction to the nicotine in something else; you can even carry on smoking but tell everyone, including yourself, that you didn’t inhale.

But quitting doesn’t admit of half measures, and the best and quickest way to do it is simply never to smoke again, from this day forward, for evermore.

Job done. (As in, “Easier said than.”)

By all accounts, IBM has decided to do just that – go cold turkey, that is – in dealing with the problem of lost data on removable storage devices.

Simply put: NO MORE USB DRIVES.

Read more at https://nakedsecurity.sophos.com/2018/05/11/ibm-bans-usb-drives-but-will-it-work/

Firefox support for WebAuthn shows passwords the door

By John E Dunn

Something important happened in the world of passwords this week – Firefox 60 has become the first browser to support a new standard called Web Authentication (WebAuthn).

Developed as a joint effort by the industry FIDO Alliance and the World Wide Web Consortium (W3C) on the back of Universal Authentication Factor (UAF), WebAuthn is an API which deploys public key encryption to let users log into websites without needing a password.

The point of WebAuthn is to turn today’s flawed authentication model on its head.

That model typically has users authenticating themselves with passwords and, in some cases, a second factor such as a one-time code.

Passwords are widely reused, bad ones are easy to guess, strong ones are hard to remember and all passwords can be stolen by phishing attacks. The one-time codes that add so much extra protection are hardly used and can also be phished, although the window of time in which they can be used is very small.

WebAuthn aims to change all of that:

“Firefox 60 will ship with the WebAuthn API enabled by default, providing two-factor authentication built on public-key cryptography immune to phishing as we know it today.”

For now WebAuthn relies on hardware keys, like YubiKeys, either on their own or alongside passwords. In future it could utilize any number of authentication methods including Windows Hello, face or fingerprint ID, or even a PIN terminal.

Once a user has authenticated at their end, no credentials leave their device – all a website sees is confirmation that authentication was successful – so there is nothing to steal.
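
The following is an added illustration, not code from the article or from any browser: a simplified Node.js model of why an origin-bound public-key signature resists phishing and replay. It is not the real WebAuthn API; the function names and the `.example`/`.test` origins are constructed for the example.

```javascript
// Simplified model of WebAuthn's origin-bound challenge signature.
// Assumption: names and origins are hypothetical; this is not the browser API.
const crypto = require('crypto');

// Authenticator: holds the private key; only the public key is ever shared.
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey,
    // The browser, not the page, supplies the origin that gets signed.
    sign(challenge, origin) {
      const clientData = JSON.stringify({ challenge: challenge.toString('base64'), origin });
      return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), privateKey) };
    },
  };
}

// Website: stores the public key at registration, then verifies assertions.
function makeSite(origin, publicKey) {
  const pending = new Set(); // challenges issued but not yet used
  return {
    newChallenge() {
      const c = crypto.randomBytes(32);
      pending.add(c.toString('base64'));
      return c;
    },
    verify({ clientData, signature }) {
      const data = JSON.parse(clientData);
      if (!pending.delete(data.challenge)) return 'unknown or replayed challenge';
      if (data.origin !== origin) return 'origin mismatch';
      const ok = crypto.verify('sha256', Buffer.from(clientData), publicKey, signature);
      return ok ? 'ok' : 'bad signature';
    },
  };
}

function demo() {
  const key = makeAuthenticator();
  const site = makeSite('https://bank.example', key.publicKey);
  const legit = key.sign(site.newChallenge(), 'https://bank.example');
  const results = { legit: site.verify(legit) };
  results.replay = site.verify(legit); // same assertion presented twice
  // Look-alike page relays a fresh challenge; the signed origin is the page's real one.
  results.phish = site.verify(key.sign(site.newChallenge(), 'https://bank-login.test'));
  return results;
}

console.log(demo());
```

The site only ever holds a public key and single-use challenges, so a captured assertion or a breached credential store gives an attacker nothing that can be replayed.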

Read more at https://nakedsecurity.sophos.com/2018/05/11/firefox-support-for-webauthn-shows-passwords-the-door/

Apple boots out apps that abuse location data collection

By Lisa Vaas

There are only two weeks to go before the European Union’s General Data Protection Regulation (GDPR) officially lands, on 25 May. Surely companies have all their data protection ducks in a row by now, one imagines…?

Or not. Or, at least, over at Apple, there’s still work being done to ensure that customers’ data is on extra strong lock-down, according to 9to5mac.

Namely, Apple is reportedly looking beyond its own data privacy/security toward that of its developers. Specifically, it’s been cracking down on those developers whose apps share location data, kicking them off the App Store until they cut out any code, frameworks or Software Development Kits (SDKs) that are in violation of Apple’s location data policies.

9to5mac has seen several cases of Apple having emailed developers to let them know that, “upon re-evaluation,” their applications are in violation of sections 5.1.1 and 5.1.2 of the App Store Review Guidelines. Those sections pertain to data collection, storage, use and sharing, as well as to letting people know what type of data an app requests (including location data).

9to5mac says that in the instances it’s seen, apps aren’t doing enough to let users know what’s happening with their data. Apple doesn’t want developers to just ask for permission – it’s telling them to explain what the data’s used for and how it’s shared.

Read more at https://nakedsecurity.sophos.com/2018/05/11/apple-boots-out-apps-that-abuse-location-data-collection/

iOS 11.4 to come with 7-day USB shutout

By Lisa Vaas

Mobile forensics researchers recently discovered a major new security feature while poking around in the beta version of Apple’s upcoming iOS 11.4 release, due soon.

It’s called USB Restricted Mode: a feature that popped up in the iOS 11.3 beta but didn’t make it to the final release. The feature snips the USB data connection over the Lightning port if the device hasn’t been unlocked for a week. The device can still be charged over USB, but after 7 days, it won’t give up data without a passcode, meaning that at least some backdoor ways to get at data won’t work anymore.

ElcomSoft researchers found this explanation of how it works in Apple’s documentation:

“To improve security, for a locked iOS device to communicate with USB accessories you must connect an accessory via lightning connector to the device while unlocked – or enter your device passcode while connected – at least once a week.”

If the device is unlocked with a passcode, the data transfer over USB will be re-enabled. But once the Lightning port has been disabled for a week, thieves or investigators won’t be able to get at data by pairing the device to a computer or USB accessory. Without a passcode to unlock the device, they won’t even be able to get into it using an existing iTunes pairing record, used to recognize PCs that are ‘trusted’ by the device, also known as a lockdown record.

As ElcomSoft researcher Oleg Afonin has explained, forensics experts have found pairing records to be “immensely handy” for extracting device data without having to first unlock it with a passcode, a fingerprint press or a trusted face.

Lockdown records aren’t foolproof when it comes to getting into phones without those unlocking techniques, but on the upside for police or thieves, you could use old records – Afonin mentioned using a year-old lockdown record. That is, you could do that up until recently. In iOS 11.3 beta Release Notes, Apple said it was adding an expiration date to lockdown records.

In a post published on Tuesday, Afonin said that it’s not clear yet whether the iPhone unlocking techniques developed by outfits such as Grayshift and Cellebrite will be blocked by the new USB Restricted Mode.

Read more at https://nakedsecurity.sophos.com/2018/05/11/ios-11-4-to-come-with-7-day-usb-shutout/
