Doug Lhotka

Technical Storyteller

Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

Secure Thinking

By

I often speak on ‘Secure Thinking’ to a variety of audiences, and share some suggestions on how to keep themselves safer in their online lives.  Here’s those tips:

 

  • Patch your systems regularly (patch Tuesday is a great start)
  • Run Anti-Malware, but don’t pay too much for it.
  • Uninstall flash completely. If you need it, run it inside Google Chrome (and only use Chrome for flash sites).  Likewise with Java in your web browser.
  • Stay off the seedy side of the net
  • Only install software from trusted sources
  • Don’t click links in emails.
  • Avoid wi-fi hotspots, or use a personal VPN if you need to use them. I use getcloak.com
  • Never, ever use a public computer, for anything. It’s like swimming in a sewer.
  • If you find a USB thumb drive, destroy it – never plug it in.
  • Encrypt your data – FileVault or BitLocker
  • Backup your data to a trusted repository
  • Use robust, unique passwords for every site. I use 1Password from agilebits.com to manage mine (and store a copy of the file with another family member)
  • Enable two factor authentication when it’s offered
  • Enable a passcode on your phone. If it’s iOS or a Google Nexus running Marshmallow or newer, consider using the fingerprint reader to make it more usable.
  • Only use Google Nexus android devices to ensure you can stay current
  • When asked for secret questions, lie – and record those lies in 1Password.
  • Lie to websites that ask for information they don’t need – why does a game company need my real birthday?
  • If you receive an inbound phone call, don’t assume it’s real. Hang up without sharing any information and call the bank/insurance company/etc back from the number on your card or statement.
  • Get a credit freeze – not credit monitoring. Brian Krebs has a great article on this. Store your PIN in 1Password, and keep a backup copy of the vault In a safe place.

 

In the end, it boils down to simply being aware.

 

Think about security!

iPhone repairs – scam or security?

By

Over the past few days, there have been a number of articles as people discover that their iPhones are bricked after undergoing third-party repairs.  Apple has a FAQ about it, and  iFixit has a good article with details, though I don’t necessarily agree with all their conclusions, and they do have a vested interest in third-party repair options.  Not that that’s a bad thing – I’ve been a customer in the past myself, but will full knowledge that I was voiding my warranty by doing so.

So a couple of specific points:

“As long as the device requires a PIN on boot, then the device would be just as secure as it was before the part swap.”

The secure paring between the sensor and the fingerprint reader (from published information), protects the biometric data in the secure enclave from compromise by a malicious sensor.  The PIN is a different subsystem, and may protect the device, but not necessarily the biometric data.

“repair professionals should be able to unlock devices—and that they should have access to the same parts and the same tools that “authorized” repair shops do”

This is a widespread practice:  witness key and lock manufacturers restricting secure blanks to licensed locksmiths, and the entire automotive industry requiring that new ‘smart’ keys be programmed at the dealership.  So the question is, should it be?  I’m annoyed at the hour’s time and $100-200 charge for a spare key to my car.  That “feels” like gouging.  But those keys have made a big impact on car theft, and my lower insurance rates reflect that.  It’s tough to know the difference between security and a scam without a lot of details.

And that’s rub.  Apple isn’t disclosing enough details about the paring process to understand if that’s possible.  What I do know is this – Apple got the security of their fingerprint reader right.  From storing the biometric data securely, to paring the sensor, to enforcing a maximum number of attempts before triggering a PIN.   If someone’s TouchID is compromised because of a malicious sensor, who will be blamed/sued/dragged through the media?  Apple.  I can’t blame them for locking down the secure subsystems to authorized repair agents.

You know,  demands that Apple ‘should be able to allow unauthorized repairs’ sound a lot like demands that Apple ‘should be able to implement a backdoor in their encryption’.    In the latter case, it can’t be done (math is hard after all).  In the former?  We need more details to know for sure.

But, in the end, my recommendation is to only use authorized repair services for secure components – for any product, not just Apple’s.  It’s more money, but it’s worth it.

2/18 Update:  Apple’s stopped bricking the device, but still won’t allow TouchID to be used until an authorized repair is completed.  That seems a lot more reasonable than bricking the device, and still maintains TouchID security.