Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile Security

// // //
8/21/2017
03:42 PM
Larry Loeb
Larry Loeb
Larry Loeb

Sleepless in Cupertino

A hacker finds the key to Apple's SEP and there's good news in the battle against spear-phishing. Bad news and good to start the week.

Apple gets peeled
Someone named xerub is causing some sleepless nights in Cupertino. What s/he has done is publish the key used for the iPhone’s Secure Enclave Processor’s (SEP) firmware.

SEP is a coprocessor inside the iPhone that is a barrier around some of the security functions like TouchID. These functions are directly controlled by the SEP itself. What has been published is the key to obscuring the SEP’s firmware in iOS, an extra step in the security fabric that was used to slow down attackers.

While this obscurity removal will make it somewhat easier to understand what goes on inside of the SEP, the takeaway here is that the functionality of SEP will not be affected by this key.

Someone may someday use this to make some sort of SEP exploit, but that day has not come. Ignore the pundits saying how this will now make iOS unsafe to use. It still works fine. And who knows, Apple may end up changing that SEP key in some way so that what has been published will become irrelevant.

The really interesting thing here is that this is a direct attack on the cryptology front door of a security solution. Attacks usually go around that front door and try to break a window because its easier to do. How the key was obtained, how that cryptology was compromised is the really important and underlying question. If it can be done on this sort of computationally intensive problem, what else can be done?

It will be more than interesting to see if the answer to that appears as time goes on.

Some good news
Researchers from the University of California, Berkeley, and the Lawrence Berkeley National Laboratory have come up with a way to set up an automated warning system about spearfishing email attacks.

In fact, it was so good that Facebook paid them $100,000 and gave them the 2017 Internet Defense Prize for their work.

Their paper on the system was presented at this week’s USENIX Security Symposium in Vancouver. It combines a new non-parametric anomaly scoring technique for ranking security alerts along with an analysis of what is inside of spear-phishing emails.

They looked at 4 years of an organization’s emails (370 million of them!) in their research and came up with two key parts: domain reputation features and sender reputation features.

The domain reputation feature looks at links in an email to see if it is a risk. They decided that a URL is risky if , for example, it has not been visited by many organization employees, or even if it has never been visited until very recently.


Want to learn more about the tech and business cases for deploying virtualized solutions in the cable network? Join us in Denver on October 18 for Light Reading's Virtualizing the Cable Architecture event – a free breakfast panel at SCTE/ISBE's Cable-Tec Expo featuring speakers from Comcast and Charter.

The sender reputation looks at identity spoofing in the “From:” header, any very close matches to a previously known senders and suspicious content that may imply immediate action is needed or reference credentials and the like.

All events are evaluated against each other, and the ones that hit the top are referred out to the security team. The advantage of doing things in this manner was is a low false positive rate.

This kind of research points the way to adding automation to the security arena in a meaningful way. Reducing false positives also reduces alert fatigue which may swamp actionable alerts.

The threats we have come of late to accept as normal due to routine communications may be mitigated by applying this kind of new automation tool.

Related posts:

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Black Hat USA 2022 Attendee Report
Black Hat attendees are not sleeping well. Between concerns about attacks against cloud services, ransomware, and the growing risks to the global supply chain, these security pros have a lot to be worried about. Read our 2022 report to hear what they're concerned about now.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-35942
PUBLISHED: 2022-08-12
Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data ...
CVE-2022-35949
PUBLISHED: 2022-08-12
undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js con...
CVE-2022-35953
PUBLISHED: 2022-08-12
BookWyrm is a social network for tracking your reading, talking about books, writing reviews, and discovering what to read next. Some links in BookWyrm may be vulnerable to tabnabbing, a form of phishing that gives attackers an opportunity to redirect a user to a malicious site. The issue was patche...
CVE-2022-35956
PUBLISHED: 2022-08-12
This Rails gem adds two methods to the ActiveRecord::Base class that allow you to update many records on a single database hit, using a case sql statement for it. Before version 0.1.3 `update_by_case` gem used custom sql strings, and it was not sanitized, making it vulnerable to sql injection. Upgra...
CVE-2022-35943
PUBLISHED: 2022-08-12
Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism with CodeIgniter ...