Apple Passwords, Microsoft Recall, and DJI - May 10th - 16th - This Week In Security
This edition of This Week In Security is brought to you by Kyle_Fox from the F5 SIRT team. This time we touch on Apple's new password manager, Microsoft's attempt to AI everything in Windows, and ongoing attempts to ban DJI drones from use in the United States. Included at the end is a roundup of other news from last week.
Apple to include password manager in Apple OSes
Apple has announced that they will be including a password management application in their operating systems. This will allow Apple users to store their passwords securely and sync them between all of their Apple devices, using iCloud as a backend. This continues Apple's general trend of identifying use cases currently filled by third-party software and creating an in-house replacement. Hopefully this will push regular users towards more secure passwords and password storage.
Microsoft Says They Will Make Security a Priority
Just a few weeks ago Microsoft announced a new Windows 11 feature called Recall. This feature would allow Windows to record all of your actions in the operating system and let you search with AI for something that happened in the past. This is essentially Microsoft's various Copilot products, but for the entire operating system. Experts were quick to note that this could provide an easily tapped supply of surveillance data on a compromised system, allowing attackers to siphon off any data a Windows user is working on.
This comes a year after a major breach of Microsoft infrastructure by the Storm-0558 threat actor, for which Microsoft has received a lot of criticism over its handling. This criticism includes a report from the US DHS Cyber Safety Review Board detailing the failures that led to that intrusion, as well as further whistleblower complaints related to Microsoft's handling of security in recent years.
Microsoft has now backtracked on deploying Recall to all Windows 11 installs, and will be working to make it more secure before release. Microsoft president Brad Smith has further stated to Congress that they are working to make all of their systems and products more secure. But only time will tell if the single highest-risk target for threat groups will live up to the promise of having the most secure software and systems.
Congress moves to ban DJI drones amid fears of spying
Recently, lawmakers have been acting on what has seemed to be a long tail of "what ifs" and passing legislation to ban the import, and potentially the use, of DJI drones in the United States. Some following this legislation are not surprised by its sponsor's backing, noting that Rep. Stefanik is backed by US-based drone maker Skydio and industry association AUVSI. I'll admit, I own a couple of DJI drones, so I have an interest in them at least being supported in the future, but this recent flare-up seems more like a protectionist move without evidence of any actions on the part of the allegedly guilty player.
This reminds me a lot of the Supermicro allegations from Bloomberg in 2018, in which Bloomberg alleged that Supermicro server motherboards had been embedded with spying devices. After the report, Supermicro worked to audit their supply chain and examine those motherboards for any implants, and found that no such implants existed. Bloomberg would continue to insist its reporting was correct, doubling down with a new set of allegations in 2021. To date, no such implants have been identified.
This same long history of allegations exists in the case of DJI, with the Department of Defense reiterating spying concerns back in 2021 amid concerns about government use of DJI drones. Just like the Huawei ban, this concern also exists in Australia, extending to the general public's use of DJI drones there. So it's not surprising that the concern has morphed from the military use of DJI drones to government use, and now to the US public using them. None of these concerns cite actual actions of DJI, nor has any malicious code been identified yet.
Roundup
- The YouTube recommendation for this time around is Practical Engineering. If you're wanting to jump right in with something related to infrastructure security, try the series on the Electric Grid.
- Toorcamp, literally hacker summer camp, will be happening next week on Orcas Island in Washington.
- Two people have been arrested in the UK for using a home-built cellular base station to send SMS phishing messages.
- The Australian Border Force continues its deep inspection of people visiting and returning to Australia, with over 10,000 travelers' phones searched in the last two years.
- The French are now entering the Mess With DNS to Block Bad Stuff(TM) game.
- SpaceX to introduce a miniaturised Starlink terminal.