Start Up: Wi-Fi and public key hacks explained, North Korea’s real power, iPhone X ships, and more


Yes, it’s green-on-black typing. You know what that means? Hacking. Photo by Christiaan Colen on Flickr.

A selection of 13 links for you. Use them wisely. I’m @charlesarthur on Twitter. Observations and links welcome.

Apple says ‘KRACK’ Wi-Fi vulnerabilities are already patched in iOS, macOS, watchOS, and tvOS betas • Mac Rumors

Juli Clover:

»

Apple has already patched serious vulnerabilities in the WPA2 Wi-Fi standard that protects many modern Wi-Fi networks, the company told iMore’s Rene Ritchie this morning.

The exploits have been addressed in the iOS, tvOS, watchOS, and macOS betas that are currently available to developers and will be rolling out to consumers soon.

Disclosed just this morning by researcher Mathy Vanhoef, the WPA2 vulnerabilities affect millions of routers, smartphones, PCs, and other devices, including Apple’s Macs, iPhones, and iPads.

Using a key reinstallation attack, or “KRACK,” attackers can exploit weaknesses in the WPA2 protocol to decrypt network traffic to sniff out credit card numbers, usernames, passwords, photos, and other sensitive information. With certain network configurations, attackers can also inject data into the network, remotely installing malware and other malicious software.

«

Slightly pushing it with the use of “already” there, given that this has been disclosed for months for vendors to get on top of it. But perhaps they couldn’t fix it in time for 11.0.
link to this extract


41% of Android phones are vulnerable to ‘devastating’ Wi-Fi attack • The Verge

Tom Warren:

»

Android 6.0 and above contains a vulnerability that researchers claim “makes it trivial to intercept and manipulate traffic sent by these Linux and Android devices.” 41% of Android devices are vulnerable to an “exceptionally devastating” variant of the Wi-Fi attack that involves manipulating traffic. Attackers might be able to inject ransomware or malware into websites thanks to the attack, and Android devices will require security patches to protect against this. Google says the company is “aware of the issue, and we will be patching any affected devices in the coming weeks.”

Although most devices appear to be vulnerable to attacks reading Wi-Fi traffic, the exploit doesn’t target access points. The attack exploits vulnerabilities in the 4-way handshake of the WPA2 protocol, a security handshake that ensures client and access points have the same password when joining a Wi-Fi network.

As this is a client-based attack, expect to see a number of patches for devices in the coming weeks. Researchers sent out notifications to specific vendors in July, and a broad notification was distributed in late August. Security researchers note that it’s not worth changing your Wi-Fi password as this won’t help prevent attacks, but that it’s worth updating router firmware and all client devices to the latest security fixes.

«

link to this extract


Wi-Fi (WPA2 security) is broken – here’s the companies that have already fixed it • Charged

Owen Williams:

»

The implications of this new attack are pretty scary sounding, and the news is still developing but a few things are fairly clear:

• Almost every mobile/desktop device on the planet is affected and needs patching
• Your router will need a software update at some point
• Nobody will know how to update their router, or how to check if it’s patched

If you’re affected (and you almost certainly are) it’s important to check if your devices can be patched immediately. Not just your router, but whatever you’re using to get online too. 

To be clear, however, the most important fix to apply is the one for your phones, laptops and other devices. The data transmitted by these devices could now be exposed. 

«

There are quite a few sites which are keeping rolling lists of who has and hasn’t offered an update. The risk, of course, is to people who are using old devices which will never get an update. There’s also some risk to products – hello Internet of Things! – which can’t or won’t be updated.

The crack is nothing like as bad as that affecting WEP (which was flawed even before it was released; it could be cracked by anyone within an hour). But it is significant.

link to this extract


Malta car bomb kills Panama Papers journalist • The Guardian

Juliette Garside:

»

The journalist who led the Panama Papers investigation into corruption in Malta was killed on Monday in a car bomb near her home.

Daphne Caruana Galizia died on Monday afternoon when her car, a Peugeot 108, was destroyed by a powerful explosive device which blew the car into several pieces and threw the debris into a nearby field.

A blogger whose posts often attracted more readers than the combined circulation of the country’s newspapers, Caruana Galizia was recently described by the Politico website as a “one-woman WikiLeaks”. Her blogs were a thorn in the side of both the establishment and underworld figures that hold sway in Europe’s smallest member state.

Her most recent revelations pointed the finger at Malta’s prime minister, Joseph Muscat, and two of his closest aides, connecting offshore companies linked to the three men with the sale of Maltese passports and payments from the government of Azerbaijan.

No group or individual has come forward to claim responsibility for the attack…

…In a statement, Muscat condemned the “barbaric attack”, saying he had asked police to reach out to other countries’ security services for help identifying the perpetrators.

“Everyone knows Ms Caruana Galizia was a harsh critic of mine,” Muscat at a hastily convened press conference, “both politically and personally, but nobody can justify this barbaric act in any way”.

«

link to this extract


The world once laughed at North Korean cyberpower. No more • The New York Times

David Sanger, David Kirkpatrick and Nicole Perlroth:

»

just as Western analysts once scoffed at the potential of the North’s nuclear program, so did experts dismiss its cyberpotential — only to now acknowledge that hacking is an almost perfect weapon for a Pyongyang that is isolated and has little to lose.

The country’s primitive infrastructure is far less vulnerable to cyberretaliation, and North Korean hackers operate outside the country, anyway. Sanctions offer no useful response, since a raft of sanctions are already imposed. And Mr. Kim’s advisers are betting that no one will respond to a cyberattack with a military attack, for fear of a catastrophic escalation between North and South Korea.

“Cyber is a tailor-made instrument of power for them,” said Chris Inglis, a former deputy director of the National Security Agency, who now teaches about security at the United States Naval Academy. “There’s a low cost of entry, it’s largely asymmetrical, there’s some degree of anonymity and stealth in its use. It can hold large swaths of nation state infrastructure and private-sector infrastructure at risk. It’s a source of income.”

Mr. Inglis, speaking at the Cambridge Cyber Summit this month, added: “You could argue that they have one of the most successful cyberprograms on the planet, not because it’s technically sophisticated, but because it has achieved all of their aims at very low cost.”

It is hardly a one-way conflict: By some measures the United States and North Korea have been engaged in an active cyberconflict for years.

«

I’m writing a book about hacking (to be published next year); one of the chapters is about the Sony Pictures hack in late 2014, which was by North Korea. At the time, lots of people dismissed the idea. But they overlooked Kim Jong-un’s understanding when he took over that cyberwarfare has gigantic returns – and huge deniability. It’s almost the opposite of nuclear weapons.
link to this extract


Dead-end UX: the big problem that Facebook, Twitter, and others need to solve • Co.Design

»

I think I broke my Facebook.

That might sound like something your Luddite aunt would say, but I’m being serious. It started about two years ago, when, in a fit of annoyance at all the baby pictures flooding my news feed, I systematically unfollowed every single person and organization in my network except the actual news outlets. That promptly turned my sprawling social network of friends, frenemies, and strangers into a mere news reader plugged into just a half-dozen publications. Problem solved! No more updates about people’s lives.

Two years later, this seems like a grave mistake. I find myself curious about what people are doing. I’m falling behind in real-life conversations about what’s happening with friends. Put another way, it’s literally impossible for me to use Facebook for its original purpose. There’s a follow-on effect that I didn’t realize either: If you unfollow people on Facebook, you drop out of their Facebook feed as well. So now, whenever I have something I really want to share–a new job, or the final draft of the book I’ve been writing for years–I’m met with crickets. I’m stranded on the digital equivalent of a deserted island.

There’s no obvious way to get off this island. I could manually re-follow everyone I unfollowed. But even if I do that, I have no idea if Facebook automatically makes them follow me. For all intents and purposes, my Facebook is ruined. And I suspect that over time, you’re ruining yours without even realizing it.

«

And in time, you’ll find yourself stuck in a form of this situation – he calls it dead-end UX – which makes it no fun to use that network. And then you’ll abandon it. But he has a great idea for fixing it.
link to this extract


Foxconn begins shipping iPhone X, says report • Digitimes

Steve Shen:

»

Foxconn Electronics (Hon Hai) has started shipping iPhone X devices, with the first batch of 46,500 units already being shipped out from Zhengzhou and Shanghai to the Netherlands and United Arab Emirates (UAE), respectively, according to a China-based Xinhuanet.com report.

Apple said previously that it will begin to take pre-sale orders for iPhone X on October 27 and start delivering the devices on November 3.

However, the first-batch shipments of the iPhone X units were much lower than the previous iPhone models, which apparently will make the iPhone X one of the most difficult-to-find smartphone these days, according to a Chinese-language Commercial Times report.

Although Foxconn has ramped up its output of iPhone X to 400,000 units a week recently from the previous 100,000 units, the increased production still cannot meet market demand, said the report, citing data from Rosenblatt.

«

Those are really tiny numbers compared to the demand that’s sure to be out there.
link to this extract


‘Worse than KRACK’ — Google and Microsoft hit by massive five-year-old encryption hole • Forbes

Thomas Fox-Brewster:

»

to former NSA staffer and chief of cybersecurity company RenditionSec, Jake Williams, the ROCA issue is more severe than KRACK. The latter was only executable within Wi-Fi range, while it’s uncertain as to whether patches will be rolled out widely for ROCA, given it’s a more esoteric issue, he added. The vulnerability has also been present in affected devices since at least 2012.

Williams theorized two attacks over ROCA. First, by abusing code signing certificates, used to validate software is coming from a legitimate, trusted source. “Given a code signing certificate’s public key (which an organization has to publish), an attacker could derive the private key allowing them to sign software impersonating the victim,” Williams said. Given the kinds of attacks that have recently relied on fake software updates (remember the NotPetya ransomware and the CCleaner infection), this could be a serious threat.

An attacker could also potentially fool a Trusted Platform Module (TPM) — a specialized chip on a computer or smartphone that stores RSA encryption keys – to run malicious, untrusted code, Williams added. “The TPM is used to ensure the code used to boot the kernel is valid. Bypassing a TPM could allow the attacker to perform an inception style attack where they virtualize the host operating system. There are dozens of other variations of attacks, but these Infineon chips are huge in hardware security modules (HSMs) and TPMs,” he warned.

«

This is the article to read if you want to understand this (very serious) pitch.
link to this extract


Latest Adobe Flash vulnerability allowed hackers to plant malware • Engadget

Mallory Locklear:

»

Kaspersky Labs reports that a new Adobe Flash vulnerability was exploited by a group called BlackOasis, which used it to plant malware on computers across a number of countries. Kaspersky says the group appears to be interested in Middle Eastern politics, United Nations officials, opposition activists and journalists, and BlackOasis victims have so far been located in Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, the Netherlands, Bahrain, United Kingdom and Angola.

The attack took place on October 10th and the malware planted by BlackOasis is a commercial product called FinSpy or FinFisher, typically sold to governments and law enforcement agencies. Kaspersky notified Adobe of the vulnerability and it has since released a Flash Player security update for Windows, Macintosh, Linux and Chrome OS. Kaspersky said that it believes BlackOasis, which it has been tracking since last year, was behind a similar exploit in September.

«

There is no longer any rational reason to keep using Flash. Honestly, there isn’t. It’s a mess of vulnerabilities.
link to this extract


US buyers favor iPhone 7 over 8: research • Reuters

Supantha Mukherjee and Tanya Agrawal:

»

“Many respondents indicated that a meaningful portion of customers are buying iPhone 7 in lieu of the new iPhone 8, given the lack of significant enhancements in the new phone,” KeyBanc analyst John Vinh wrote in a client note.

Vinh also said feedback from stores indicated that customers were waiting to purchase the iPhone X or to compare the iPhone X with other models before buying the iPhone 8.

Apple last month introduced the iPhone 8 and iPhone 8 Plus, which resemble the iPhone 7 but have a glass back for wireless charging. While iPhone 8 starts from $699 in the United States, iPhone 7 is retailing from $549 after a price cut.

The iPhone X, a glass and stainless steel device with an edge-to-edge display, will start shipping from Nov. 3. The 10th-anniversary iPhone is priced from $999 – Apple’s most expensive mobile till date.

One investor in Apple’s shares played down any concern around a dip in sales of the iPhone 7 or 8, given the much-anticipated debut of iPhone X.

“Worrying about any small down-tick in margins from the sale of the iPhone 7 or 8 is a wrong-headed way to look at it as iPhone X is really the flagship device where we’re going to see a strong upgrade cycle,” said Jason Ware, chief investment officer of Albion Financial Group.

«

link to this extract


The scale of tech winners • Benedict Evans

On the fact that the big tech companies nowadays are a lot bigger than the past ones (specifically, Microsoft + Intel):

»

Scale means these companies can do a lot more. They can make smart speakers and watches and VR and glasses, they can commission their own microchips, and they can think about upending the $1.2tr car industry. They can pay more than many established players for content – in the past, tech companies always talked about buying premium TV shows but didn’t actually have the cash, but now it’s part of the marketing budget. Some of these things are a lot cheaper to do than in the past (smart speakers, for example, are just commodity smartphone components), but not all of them are, and the ability to do so many large experimental projects, as side-projects, without betting the company, is a consequence of this scale, and headcount.

On the other hand, that the market is big enough for four tech giants, not just one (Wintel) partnership, means we have four companies aggressively competing and cooperating with each other, and driving each other on, and each trying somehow to commoditise the others’ businesses. None of them quite pose a threat to the others’ core – Apple won’t do better search than Google and Amazon won’t do better operating systems than Apple. But the adjacencies and the new endpoints that they create do overlap, even if these companies get to them from different directions, and as consumers we all benefit. If I want a smart speaker, I can choose from two with huge, credible platforms behind them today, and probably four in six months, each making them for different reasons with different philosophies. No-one applied that kind of pressure to Microsoft.

How do the mice do when there are four elephants fighting it out? As we saw with first GoPro and now perhaps Sonos, if you’re riding the smartphone supply chain cornucopia but can’t construct a story further up the stack, around cloud, software, ecosystem or network effects, you’re just another commodity widget maker. And the aggressive competition in advertising products from Google, Facebook and now to some extent Amazon has taken a lot of the oxygen away from anyone else.

«

link to this extract


While Apple is taking away buttons, we found a way to add one • Astro HQ

Savannah Reising on the company’s search for a new UI element for its iPad app:

»

We set out to find an alternative to the Astropad ring. The obvious first option was to make a new gesture, but we realized pretty quickly that there was limited room for this. Every edge of the iPad is already occupied with an existing gesture: swipe up for your dock, left to search, and down for notifications. We really needed something novel to work with.

Our Astro HQ cofounder Giovanni Donelli said that the idea to turn the camera into a button came like lightning, “I had been staring at a white bezel iPad for so long, and I kept wishing there was another home button we could use. My eyes kept falling on the camera, and I really wanted to touch it!” Giovanni built an initial prototype of the Camera Button within an hour.

Turning the camera into a reliably functioning button didn’t come without challenges. In total, we spent four months of continuous engineering efforts to get past these hurdles…

«

Once you see it, it’s completely obvious – like all the great ideas. Though this does remind me of the Camera+ hack, which years ago found a way to make the camera fire by pressing the volume button. Apple then blocked it. Then, uh, stole it: you can now take pictures on iPhones by pressing the volume button. Not sure if Astro is going to go through the same. Hope not.
link to this extract


My Oculus Rift has migrated from my desk, to my closet, to storage • Forbes

Paul Tassi:

»

A few years ago, my wife convinced me that we had to buy a $400 juicer. It’ll make us healthier, the juice will taste great, and it’ll be fun to use, she said. I eventually agreed, and we made some carrot juice and orange juice that did taste pretty good. But after dumping eight pounds of pulp into the trash, we put it in a box and never used it again. Now, every time she wants to buy X or Y questionable, expensive thing, my go-to snarky reply is “remember the juicer?”

Unfortunately, now I have my own juicer.

It’s called the Oculus Rift.

«

This story surely repeated many times around the world.
link to this extract


Errata, corrigenda and ai no corrida: Sophie Warnes’s newsletter is called Fair Warning, not Fiar Warning. You should still sign up, however it’s spelled.

You can now sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s