July 16, 2018

USB Restricted Mode in iOS 11.4.1 now available to all iPhone users

By Maria Varmazis

The latest version of iOS is now available to all iOS users with eligible devices (iPhone 5s and up). This release not only brings bug fixes, but also includes at least one new feature that might be of interest to security-minded users.

The new feature is called “USB Restricted Mode,” and it lives quietly in the security settings of your iPhone (look for it under “Touch ID & Passcode”). Apple’s description of this new feature toggle:

If you don’t first unlock your password-protected iOS device – or you haven’t unlocked and connected it to a USB accessory within the past hour – your iOS device won’t communicate with the accessory or computer, and in some cases, it might not charge. You might also see an alert asking you to unlock your device to use accessories.

Upon updating to iOS 11.4.1, the default setting for this feature is to not allow USB accessories to work with the iPhone or iPad when locked for more than an hour.

To understand why this feature now exists, let’s review how USB accessories generally work with iPhones and iPads. When you plug a USB accessory into your iPhone or iPad, that item will not work unless the iDevice is unlocked first and the user answers a prompt on their iDevice to recognize the new USB device.

After completing this prompt successfully, that USB device will be able to work with the iDevice without issue in the future even when the phone is locked.

Read more at https://nakedsecurity.sophos.com/2018/07/16/usb-restricted-mode-in-ios-11-4-1-now-available-to-all-iphone-users/

Ex-Apple engineer charged with stealing self-driving car secrets

By Lisa Vaas

A former Apple engineer who worked on driverless car technology was arrested on his way to start a new job in China with autonomous vehicle start-up Xiaopeng Motors – a Guangzhou-based company also known as XMotors – Apple charged in federal court on Monday.

A criminal complaint charged the former employee, Xiaolang Zhang, with stealing trade secrets and accused him of downloading a blueprint related to autonomous cars to a personal laptop before trying to board a last-minute flight.

Zhang was arrested on 7 July after he passed through a security checkpoint at the San Jose airport.

According to the complaint, he was hired at Apple on 7 December 2015 to work on its autonomous car project – R&D that Apple’s kept very hush-hush. His most recent work was on the compute team, designing and testing circuit boards to analyze sensor data.

That role gave him access to all sorts of juicy, and confidential, databases.

According to the complaint, information about the project “is a closely guarded secret that has never been publicly revealed.”

Apple has been cagey about its research, making general comments about its interest in developing self-driving technology but keeping mum about just what, exactly, the company’s working on. According to the complaint, information has even been kept away from most of its employees. Some 5,000 staff, out of more than 135,000, have been “disclosed” on the project, meaning that they’re working on it directly or know something about it. Fewer people, about 2,700 “core employees,” have access to the project’s databases.

From 1 to 28 April 2018, Zhang took paternity leave following the birth of a child. During his leave, he and his family traveled to China. When he got back, he met with his immediate supervisor, as the complaint tells it, and told him that he planned to resign and move back to China in order to be closer to his ailing mother. Zhang allegedly also told his supervisor that he planned to take a job with XMotors: a Chinese start-up in the driverless car space.

Read more at https://nakedsecurity.sophos.com/2018/07/16/ex-apple-engineer-charged-with-stealing-self-driving-car-secrets/

Sextortion scam knows your password, but don’t fall for it

By Danny Bradbury

Someone has been sending sextortion scam emails with a new twist – one aimed at making it more likely you’ll be duped into paying a blackmail fee.

One of the emails arrived at Naked Security yesterday, via a diligent reader, just as Brian Krebs was breaking the story on his site.

It claims to have compromising images of the recipient and goes on to ask for payment in order to stop the images being released publicly. Attempting to manipulate victims by claiming to have compromising images of them is known as sextortion, and it’s been used for years. What makes this scam different is that it’s added something extra: it contains a real password used by the victim.

The email reads:

I do know, [PASSWORD REDACTED], is your password. You do not know me and you are probably thinking why you are getting this e mail, correct?

actually, I placed a malware on the adult videos (pornography) website and do you know what, you visited this web site to experience fun (you know what I mean). While you were watching videos, your internet browser initiated working as a RDP (Remote Desktop) that has a key logger which gave me accessibility to your display and also webcam. after that, my software program obtained all your contacts from your Messenger, Facebook, as well as email.

What exactly did I do?

I made a double-screen video. First part displays the video you were viewing (you've got a nice taste haha), and second part shows the recording of your webcam.

exactly what should you do?

Well, I believe, $2900 is a reasonable price tag for our little secret. You'll make the payment via Bitcoin (if you don't know this, search "how to buy bitcoin" in Google).

BTC Address: 19ZFj3nLSJCgoAcvZSgxs6fWoEmvJhfKkY

(It is cAsE sensitive, so copy and paste it)

Important:

You have one day to make the payment. (I've a unique pixel within this email message, and now I know that you have read this e mail). If I do not get the Bitcoins, I will definitely send out your video to all of your contacts including relatives, co-workers, and so forth. Nonetheless, if I receive the payment, I'll erase the video immediately. If you want evidence, reply with "Yes!" and I will send your video to your 9 friends. It is a non-negotiable offer, that being said do not waste my time and yours by replying to this e-mail.

The power of a password

Many people, even those who feel as though they could have been seen in a compromising position, would normally be too jaded to fall for a sextortion scam with no evidence. Including a real password makes it seem more convincing, though, which might be enough to fool some people.

Read more at https://nakedsecurity.sophos.com/2018/07/13/sextortion-scam-knows-your-password-but-dont-fall-for-it/

Facebook ordered to let grieving mother in to dead daughter’s account

By Lisa Vaas

Germany’s highest court has ruled that access to social networks can be inherited when people die, overturning a previous court’s decision that kept a grieving mother locked out of her daughter’s account after the girl was hit by a subway train.

A year ago, a German court denied the mother’s request to access her dead daughter’s Facebook account – access she had been seeking for years in an effort to determine whether the girl had purposefully thrown herself in front of a train at a Berlin station in 2012, and if cyberbullying was behind what could have been her child’s suicide.

The girl’s parents already had her Facebook account password: according to the Guardian, their daughter had shared it with them in return for being allowed to open an account when she was 14. She died at the age of 15.

But when they tried to access the account, the girl’s parents found that it had been memorialized.

That means that Facebook completely removed the dead girl’s data, changed the privacy setting so that only confirmed friends could view her profile or search for it, removed her status updates, and locked the account so that nobody in the future could log in. As Facebook describes in its policy, the account was transformed into “a place where people can save and share their memories of those who’ve passed”.

On Thursday, Germany’s Federal Court of Justice said that social media accounts are no different than personal letters and diaries in that they, too, can be inherited. From an English translation of the court’s decision:

From a hereditary perspective, there is no reason to treat digital content differently.

Last year, a lower court had ruled that the girl’s rights to private telecommunications included her electronic communications, which, it decided, were meant to be read only by those with whom the girl had communicated.

Read more at https://nakedsecurity.sophos.com/2018/07/13/facebook-ordered-to-let-grieving-mother-in-to-dead-daughters-account/

“Bitcoins for cash in bags” trader gets 12 months in prison

By Paul Ducklin

Anacoluthon – we love it!

(That’s where a sentence has some sort of grammatical inconsistency or ambiguity that jars you into thoughtfulness, then I went for a walk by the River Thames.)

We find anacoluthon as fascinating as cryptocurrency shenanigans, so we were doubly intrigued by a recent Ars Technica headline – Woman who once bought bitcoins for cash in paper bags sent to prison.

We were dying to untangle the ambiguity here – did the bags contain the cash, or did the bags contain the bitcoins?

Were the bags sent to prison, or the woman?

Was she buying cash in paper bags with bitcoins, or bitcoins in paper bags with cash, or were both parts of the transaction in bags?

If the cash was in paper bags, were they brown bags, as they would be in a metaphor, or at lunch, and if not, why not?

Heck, these days, if someone actually buys and sells bitcoins in person for real, hard cash, don’t they deserve some sort of medal?

When you think of how often cryptocurrency buyers and sellers have gone through online exchanges and ended up out of pocket following some sort of cybersecurity catastrophe, real or imaginary, aren’t cash buyers to be applauded?

So many questions, and we hadn’t got past the headline yet!

Read more at https://nakedsecurity.sophos.com/2018/07/12/bitcoins-for-cash-in-bags-trader-gets-12-months-in-prison/
