FEDORA-2023-4f2cf7e5d2
Packages in this update:
kernel-6.2.12-200.fc37
Update description:
The 6.2.12 stable kernel update contains a number of important fixes across the tree.
kernel-6.2.12-100.fc36
The 6.2.12 stable kernel update contains a number of important fixes across the tree.
kernel-6.2.12-300.fc38
The 6.2.12 stable kernel update contains a number of important fixes across the tree.
This is a good example of a security feature that can sometimes harm security:
Apple introduced the optional recovery key in 2020 to protect users from online hackers. Users who turn on the recovery key, a unique 28-digit code, must provide it when they want to reset their Apple ID password.
iPhone thieves with your passcode can flip on the recovery key and lock you out. And if you already have the recovery key enabled, they can easily generate a new one, which also locks you out.
Apple’s policy gives users virtually no way back into their accounts without that recovery key. For now, a stolen iPhone could mean devastating personal losses.
It’s actually a complicated crime. The criminal first watches their victim type in their passcode and then grabs their phone out of their hands. In the basic mode of this attack, they have a few hours to use the phone—trying to access bank accounts, etc.—before the owner figures out how to shut the attacker out. With the addition of the recovery key, the attacker can shut the owner out—for a long time.
The goal of the recovery key was to defend against SIM swapping, which is a much more common crime. But this spy-and-grab attack has become more common, and the recovery key makes it much more devastating.
Defenses are few: choose a long, complex passcode. Or set parental controls in a way that further secures the device. The obvious fix is for Apple to redesign their recovery system.
There are other, less privacy-compromising methods Apple could still rely on in lieu of a recovery key.
If someone takes over your Google account, Google’s password-reset process lets you provide a recovery email, phone number or account password, and you can use them to regain access later, even if a hijacker changes them.
Going through the process on a familiar Wi-Fi network or location can also help demonstrate you’re who you say you are.
Or how about an eight-hour delay before the recovery key can be changed?
This is not an easy thing to design for, but we have to get this right as phones become the single point of control for our lives.
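The two alternatives sketched above (a delay before a recovery-key change takes effect, and letting a replaced recovery contact keep working for a while) modelled as an added Python example; this is not Apple's or Google's code, and the eight-hour delay, seven-day grace window, and the `Account` class are assumed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed policy values, constructed for this example (not Apple's or Google's):
# a cooling-off delay before a new key is honoured, and a grace window in which
# a replaced recovery contact can still be used to prove ownership.
ROTATION_DELAY = timedelta(hours=8)
OLD_CONTACT_GRACE = timedelta(days=7)

@dataclass
class Account:
    recovery_key: str
    recovery_email: str
    pending_key: Optional[str] = None
    pending_at: Optional[datetime] = None
    old_emails: List[Tuple[str, datetime]] = field(default_factory=list)
    def request_key_rotation(self, new_key, now):
        """Queue a new key; it becomes active only after ROTATION_DELAY."""
        self.pending_key, self.pending_at = new_key, now
    def cancel_pending_rotation(self):
        """Whoever still holds the active (old) key can abort the rotation."""
        self.pending_key, self.pending_at = None, None
    def key_is_valid(self, key, now):
        if self.pending_key and now - self.pending_at >= ROTATION_DELAY:
            self.recovery_key = self.pending_key  # delay elapsed: promote it
            self.cancel_pending_rotation()
        return key == self.recovery_key
    def change_email(self, new_email, now):
        self.old_emails.append((self.recovery_email, now))  # retain old contact
        self.recovery_email = new_email
    def email_is_valid(self, email, now):
        """Current contact, or a replaced one still inside the grace window."""
        return email == self.recovery_email or any(
            e == email and now - t <= OLD_CONTACT_GRACE for e, t in self.old_emails)

def simulate_theft(owner_cancels):
    """Constructed scenario: thief with the passcode swaps key and email at t0."""
    t0 = datetime(2023, 4, 20, 12, 0)
    acct = Account("OWNER-KEY", "owner@example.com")
    acct.request_key_rotation("THIEF-KEY", t0)
    acct.change_email("thief@example.com", t0)
    # Two hours in, only the owner's original key works; the thief's is pending.
    early = (acct.key_is_valid("OWNER-KEY", t0 + timedelta(hours=2)),
             acct.key_is_valid("THIEF-KEY", t0 + timedelta(hours=2)))
    if owner_cancels:
        acct.cancel_pending_rotation()
    late = acct.key_is_valid("OWNER-KEY", t0 + timedelta(hours=10))
    old_email = acct.email_is_valid("owner@example.com", t0 + timedelta(days=1))
    return {"early": early, "owner_key_after_delay": late, "old_email_ok": old_email}
```

If the owner does nothing inside the window, the pending key is promoted and the lockout still happens; the delay buys time rather than removing the risk.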
Were you a US-based Facebook user between May 24 2007 and December 22 2022?
If so, I’ve got some good news for you.
Read more in my article on the Hot for Security blog.
Ribose RNP before 0.15.1 does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than the algorithm nominally provides.
More collaboration, both with the private sector and international allies, is at the top of the list in the UK’s cyber playbook.
The Belfast (Good Friday) Agreement played an integral role in enabling Northern Ireland’s growth as a global cybersecurity hub, according to UK government chiefs speaking at the CyberUK conference in Belfast. The Good Friday Agreement was signed on Good Friday, April 10, 1998, following three decades of conflict known as the Troubles. It introduced several new power-sharing arrangements designed to instill peace, transforming political and economic life in Northern Ireland. Twenty-five years on from the signing of the pivotal peace accord, Northern Ireland’s flourishing cyber ecosystem has one of the highest concentrations of cybersecurity businesses worldwide – estimated to add £437 million in value to the UK’s economy by 2030.
Security professionals attending this year’s RSA Conference expect to learn about new tools, platforms, and services from the 600-plus vendors exhibiting there. That’s a lot of ground to cover, so CSO has sifted through the upcoming announcements and gathered the products and services that caught our eye here.
More announcements will be made throughout the event, and CSO will update this article as their embargoes break. We’ve organized the listings by day of announcement.
Managed detection and response (MDR) firm Binary Defense will be showing its new Phishing Response service. Its features include email attack surface hardening, intelligence correlation, threat hunting, and investigation-based detection and remediation recommendations. Users may submit emails and phishing alerts from third-party email protection software for analysis. Findings from that analysis are then correlated with other threat intelligence, and then Binary Defense analysts look for evidence of this attack. Binary Defense is at RSAC booth 5415.
At the end of March, an international VoIP software company called 3CX with over 600,000 business customers suffered a serious software supply-chain compromise that resulted in both its Windows and macOS applications being poisoned with malicious code. New evidence suggests the attackers, believed to be North Korean state-sponsored hackers, gained access to the company’s network and systems as a result of a different software supply-chain attack involving a third-party application for futures trading.
“The identified software supply chain compromise is the first we are aware of which has led to a cascading software supply chain compromise,” incident responders from cybersecurity firm Mandiant, which was contracted to investigate the incident, said in a report Thursday. “It shows the potential reach of this type of compromise, particularly when a threat actor can chain intrusions as demonstrated in this investigation.”