10Fold – Security Never Sleeps – 60

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider: A team of security researchers has discovered a way to decrypt a photo sent over iMessage and stored on the iCloud backup system by guessing, one at a time, the 64 digits of the underlying encryption key. Last Thursday the National Highway Traffic Safety Administration warned of the dangers of aftermarket devices that plug into a vehicle's diagnostic port: any such device could have vulnerabilities and could leave the automobile exposed to hacking attacks. A survey sponsored by SailPoint revealed that one in five employees would be willing to sell work credentials, and many would do it for less than $1,000. As the Apple vs. FBI conflict continues, many worry that this argument could cripple corporate and government security.

Crypto vulnerability lets attackers decrypt iMessage photo, article warns – Publication: Ars Technica – Reporter name: Dan Goodin

Apple’s widely used iMessage communications platform contains a currently unpatched flaw that allowed attackers to decrypt a photo stored on the company’s iCloud backup system. The vulnerability was discovered by a team of researchers from Johns Hopkins University. According to the Post, the researchers were able to exploit the bug by mimicking an Apple server and then painstakingly chipping away at the encryption protecting the photo, which was sent as a link over iMessage. They eventually were able to obtain the encryption key used to protect the photo by guessing each of its underlying 64 digits in what’s known as a brute-force attack.


Feds Urge Caution On Aftermarket Devices That Plug Into Vehicle Diagnostic Ports – Publication: Dark Reading – Reporter name: Jai Vijayan

Most of us are unlikely to consider that connecting a cell phone via USB to our cars or sticking an aftermarket remote starter in the diagnostic port under the steering wheel could pose a threat to privacy and safety. The same technologies that are making vehicles increasingly smarter and more connected are also opening them to new threats, the FBI, the Department of Transportation, and the National Highway Traffic Safety Administration said in a somewhat unusual public service announcement Thursday. This means that a malicious hacker no longer needs physical access to the OBD-II port in order to have potential access to the various electronic control units in vehicles, including those controlling acceleration, braking, and steering, the FBI alert warned.


One in Five Employees Would Sell Work Passwords: Survey – Publication: Security Week – Reporter name: Eduard Kovacs

One in five employees is willing to sell their work passwords to an outsider, in many cases for less than $1,000, according to a survey conducted by identity and access management firm SailPoint. Despite the increasing number of incidents involving stolen credentials, poor password hygiene and negligence continue to be a problem. According to SailPoint, 65 percent of respondents admitted using a single password for multiple applications, and roughly one-third of them have shared passwords with their co-workers. In the United States, 40 percent of those who are ready to sell their passwords would do it for less than $1,000. Worryingly, some employees said they were willing to sell corporate access credentials for less than $100.


How FBI vs. Apple could cripple corporate and government security – Publication: NetworkWorld – Reporter name: Rich Mogull

The Department of Justice, in their latest brief, states, “This burden, which is not unreasonable, is the direct result of Apple’s deliberate marketing decision to engineer its products so that the government cannot search them, even with a warrant.” That statement is an outright falsehood disguised as wishful thinking. Improving the encryption of iOS 8 was a security decision, one lauded by IT security departments everywhere, who had long been encrypting laptops to an equal standard. There are existing techniques to enable third-party access to strongly encrypted systems. One widely used method uses an alternate key to decrypt data.