Disquiet for some as DNS-over-HTTPS is readied for prime time; Apple hits back at Google over iPhone hack warning; and a parody music video tackles phishing head-on

Apple this week hit back at recent research by Google about a supposedly “sustained effort” to hack iPhones as part of a sophisticated surveillance operation that’s said to date back at least two years.

Hacked websites were being used to serve exploits to surfers who visited them using their iPhones.

The sophisticated attack had “the capability to target and monitor the private activities of entire populations in real time”, Google’s Project Zero researchers warned.

Exaggeration, according to Apple, which contended Google is spreading FUD over the impact of already patched iPhone bugs.

In downplaying the extent of the admittedly sophisticated attack, Apple confirmed it had targeted China’s Uighur Muslim minority.

Apple said the assault was “narrowly focused, not a broad-based exploit of iPhones ‘en-masse’ as described” and only affected fewer than a dozen websites.

Apple’s counter-offensive – which came days before the company introduced the iPhone 11 in a major revamp of the product line – was discussed by show co-host Graham Cluley in this week’s edition of the ever dynamic and fun Smashing Security podcast.

Play DoH

Your own correspondent had the honour of appearing as a guest on Smashing Security this week, where we also discussed the privacy benefits and previous controversies about DNS-over-HTTPS (DoH), an emerging internet protocol.

The DoH protocol hides DNS queries inside regular HTTPS traffic, making it more difficult for third parties such as governments or ISPs to keep tabs on surfer’s internet browsing.

Mozilla last week announced plans to roll out the technology as a default option, initially to US web users and starting later this month.

In promoting the technology, which has been offered as an option in Firefox since June 2018, Mozilla was at pains to address concerns over parental controls and DNS-over-HTTPS.

The browser-maker said it would disable the protocol if it detects them, a response that drew a cautious welcome from ISPA, as The Daily Swig reported earlier this week.

In the wake of Mozilla’s announcement, Google released a blog post saying it planned to introduce DNS-over-HTTPS in October.

Although the security community in general remains upbeat about the security and privacy benefits of DoH, concerns remain in some quarters about how the technology would work in practice.

DoH means that Firefox will concentrate all DNS traffic on Cloudflare, and they send traffic from all their users to one entity and this could actually work in favour of, rather than contrary to, government surveillance, some argue.

A serious topic, to be sure, but during the podcast we also discussed whether DoH should be pronounced like Homer Simpson’s catchphrase (D’oh) or dough (as in bread making), inspiring a putative meme in the process:

Show me the ‘sploits

Discussions about bug bounties recently made their way to the mainstream press, with a Daily Mail interview with celebrated security researcher Mark Litchfield.

Litchfield, one of a handful of elite hackers who have earned $1m or more through HackerOne’s bug bounty program, said that his main motivation was being rewarded for his skills, rather than making the internet safer.

“I’m in it for the money – it’s my time, my skills and I should be fairly paid,” he told the tabloid. “I don’t care about making the internet safer.”

BlueKeep

Staying with bugs, a community-developed exploit module for the infamous BlueKeep (CVE-2019-0708) vulnerability in Windows was released by the Metasploit Project late last week.

BlueKeep is a recently patched RDP flaw in Windows that Microsoft unusually warned might be wormable in the same way as WannaCry at the time it released a fix.

Infosec search index

In other news, the most Googled people, businesses, scams and breaches in the history of cybersecurity were spotlighted in a study that came out this week.

Among the findings was that the 2017 Equifax breach has become the most searched for data breach ever. The Heartbleed security bug was searched for more than any other security threat, even WannaCry.

More surprising still was that Shark Tank investor and infosec entrepreneur Robert Herjavec emerged from the study as possibly the most famous person in security.

John McAfee appeared in second place in the list ahead of Kevin Mitnick, the self-styled “World’s most famous hacker”, Bruce Schneier, and Troy Hunt.

The study (PDF) – put together by managed threat detection firm Redscan – was based on analysis of Google Trends global search history dating back to 2004.

Searches for cybersecurity jobs, courses, and salaries are growing quickly, indicative of a rising interest in security careers and demand for talent, according to Redscan.

Gone phishing

Finally, a new Host Unknown music video landed this week for a song entitled ‘Lost all the Money’. The music video – a parody of Nelly’s ‘Ride Wit Me’ – serves to shine the spotlight on phishing attacks.

The release represents the eagerly awaited third song from UK-based infosec community stalwarts Thom Langford, Andrew Agnês, and Javvad Malik.

Previous releases by the trio include 2014's seminal ‘I’m a C I Double S P’, follow up by 2016’s ‘Accepted the Risk’.

In an ego-crushing snub, none of the trio’s previous videos earned a Pwnie Award, the infosec world’s equivalent of the Oscars.