Quick heads up to anybody searching for information about this. As of 24th January 2018 there appear to be an influx of emails to businesses around the UK trying to trick the accounts department into paying large sums of money to a new beneficiary.
The body of the email is short and to the point:
I need you to process a “Faster Payment” to a new beneficiary, can you handle this right now?
Payee details attached.
Regards
<Director’s Name>
Sent from my iPhone.
The emails generally appear to come from the name of a company director and the email address may look legitimate but the hidden “reply to” address is different and the contents of the email and attachment are a scam. The reply to email address is subtly changed and instead of .co.uk on the end of the email address it’s .co.uk-k.uk which a lot of people might not notice, especially on a small smart phone screen that truncates text.
DJI Mavic Pro Fly More Combo S/N: 08QCE8H0122TW6 was stolen from a vehicle in Chester, Cheshire on 10th January 2018.
The serial number of this Mavic Pro was S/N: 08QCE8H0122TW6 (or O8QCE8HO122TW6 depending if they are zeros or the letter O.)
UPDATE: More serial numbers extracted from downloaded flight logs
DETAILS.aircraftSnBytes
DETAILS.cameraSn
DETAILS.batterySn
08RDE87001033G
08TCE88SE129LZ
093AE8A0320371
If you see this drone for sale on eBay, Gumtree, Facebook, etc or have been offered it for sale in person please DO NOT BUY IT, it is stolen property and you risk losing the item if the police find it. Please report it to me (@scoopz on twitter), leave an anonymous comment below or call Cheshire Police on 01244 350000 quoting crime reference 212-2018-01-10. Please do not alert the seller that the item may be stolen as it may suddenly disappear before the police can track it down.
If you have already bought this Mavic Pro and are concerned you have bought stolen goods please contact me directly or leave a comment below. I’m willing to buy it back or offer a reward for its return without involving the authorities.
This is not my usual post but I’m hoping somebody looking to buy a cheap Mavic Pro in the North West, Cheshire, UK area might be wise enough to search Google for the serial number 08QCE8H0122TW6 and end up reading this post.
All items shown above stolen including additional 8331 props, DJI sunshade and red joystick cover lock.
STOLEN: DJI Mavic Pro S/N: 08QCE8H0122TW6 Chester, Cheshire UK
How much do we actually know about our mobile devices? The information they collect, store and transmit is largely unknown to the majority of users and closed sources and systems make it difficult to maintain transparency in a progressively security conscious time.
We all make mistakes with security, your author revealed some of these a few years ago where Facebook, Dropbox, 1Password and a smorgasbord of other apps were found to be storing critical data in plain text.
A few years on and again I was digging around in code and spotted something which concerns me.
It may be nothing, but I think it’s in our collective interests to have the following clarified.
The following header file displays the function names contained within the iOS 8.1 Springboard App’s TelephonyManager interface
This post details the step-by-step method required to extract a plist/OAuth token from a standard (non encrypted) iTunes backup of any iOS device (iPod Touch, iPhone and iPad) and then copy this onto another device to automatically log in using those creditials.
NOTE: The process outlined below will not work if you have iTunes set to encrypt your iOS backups. This method was confirmed as working as of 10th April 2012 using the latest iOS xxx and current Facebook (v.4110.0), Dropbox (v1.4.6) and LinkedIn (v35) iOS apps. You do not need to have a jailbroken iPhone or iPad for this to work. I do not condone using the methods below to gain access to anybody’s accounts without their prior permission, I hold no responsibility if using the information in this post lands you in trouble with your ex partner, current partner, your boss, the police, your kids, etc.
Background
In case you weren’t aware a security flaw was found by Gareth Wright earlier this week that allows your Facebook login key to be copied form one iOS device to another and essentially allow a 3rd party access to your account without needing to know your account email address or password. The same vulnerability has also been found in Dropbox, LinkedIn, Tumblr, Vimeo and 1Password. At the time of writing this post, Dropbox have said they are going to address the problem and 1Password have gone one step further and rewritten the way the user details are stored so this exploit cannot be used anymore and have submitted the update to Apple for approval before it’s released. Facebook appear to dismiss the security vulnerability saying it is only really an issue if your device is jailbroken or you use a 3rd party app to access the files on your iOS device. WRONG! If you have ever connected your iOS device to iTunes via USB and iTunes has taken a backup of your device then you are at risk (unless you tick the box to encrypt your backups, in which case rest easy and don’t worry about anything written below). The plist file that is the centre of this whole security flaw is copied to your computer via iTunes backup, no third party app here extracting files as Facebook suggests. Granted you need a third party app to access the file and place it onto another iOS device but crucially, the insecure file is copied to your computer during a normal iTunes backup.
What does this mean to most end users then? Probably not a lot to be honest. If you only ever connect your iPhone or iPad to your own personal computer then there’s nothing to worry about since the insecure file, locked away in the backup of your device, resides on your personal machine and nobody else can get to it easily. But in today’s modern and social society, the likelihood is that you have a computer you share with your wife, girlfriend, housemates, family or you have been at a friends house with a low battery and connected your iPhone to give it a little extra juice. This is where things become a little more vulnerable, if the computer you connected your device to made a backup of your device (remember a backup is always made when you are updating the iOS via iTunes) then the crucial plist file with your OAuth key in for apps such as Facebook, Dropbox, LinkedIn and more now reside on that computer in that backup.
So if you currently share a computer with your partner and want to log into Facebook as them, you can if you follow the steps below. Likewise, if your ex-partner used to connect their iPhone or iPad to your computer but left you several months ago for somebody hotter, then you too can dip into their old backup on your computer and log into Facebook and other apps as them. [Again I re-iterate the moral/legal implications of such actions]
Step by Step Guide
Ok so how can you hack into somebody else’s Facebook using a file from their iOS backup? You’ll need two pieces of sofware:
1 – to read the backup files an extract the plist file
2 – to allow you to drag and drop plist files onto your current iOS device
Let us pretend you want to gain access to your ex-girlfriend’s Facebook account and you know that she used to connect her iPhone or iPad to your computer. The first thing to do is open up iTunes and go to Preferences and select the Devices icon along the top which lists all device names that are backed up on your machine along with date of the backup.
